Edit tour

Windows Analysis Report
EBAbsk8ydv.exe

Overview

General Information

Sample name:	EBAbsk8ydv.exe renamed because original name is a hash value
Original sample name:	4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4.exe
Analysis ID:	1488510
MD5:	e546e832f5762cbf8f28b6558c012b8d
SHA1:	ad6368dbb616f9a1a56ec1d3ac9026887928ad63
SHA256:	4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4
Tags:	dssdhome-xyzexe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to infect the boot sector

Performs DNS queries to domains with low reputation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EBAbsk8ydv.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\EBAbsk8ydv.exe" MD5: E546E832F5762CBF8F28B6558C012B8D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EBAbsk8ydv.exe	ReversingLabs: Detection: 13%
Source: EBAbsk8ydv.exe	Virustotal: Detection: 12%			Perma Link

Source: EBAbsk8ydv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\F1_proj_trunk\f1\src\features\qbroker\Release\qbroker64.pdb; source: EBAbsk8ydv.exe
Source:	Binary string: E:\F1_proj_trunk\f1\src\features\qbroker\Release\qbroker64.pdb source: EBAbsk8ydv.exe

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD614C0 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_wsopen_s,_fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FindClose,__wdtoxmode,GetLastError,_dosmaperr,FindClose,GetLastError,_dosmaperr,FindClose,		0_2_00007FF61BD614C0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD58C4C FindFirstFileW,FindClose,		0_2_00007FF61BD58C4C

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: xn--ypd.dssdhome.xyz

Source: Joe Sandbox View

IP Address: 169.150.247.38 169.150.247.38

Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz
Source: global traffic	HTTP traffic detected: GET /11/ip.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2Host: xn--ypd.dssdhome.xyz

Source: global traffic

DNS traffic detected: DNS query: xn--ypd.dssdhome.xyz

Source: EBAbsk8ydv.exe, 00000000.00000002.3273555261.000000EF41CFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://11.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EBAbsk8ydv.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: EBAbsk8ydv.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EBAbsk8ydv.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EBAbsk8ydv.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/.2
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/.2&aGV
Source: EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/.2refox/70.2
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA148000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA180000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.bin.
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.binI
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.binx
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.binz
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/ll
Source: EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/lla
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz/xa
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA148000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz:80/11/ip.bin
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz:80/11/ip.binP&o9V
Source: EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz:80/11/ip.binPf
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xn--ypd.dssdhome.xyz:80/11/ip.biny
Source: EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xn--ypd.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xn--ypd.dssdhome.xyz/11/ip.binE
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xn--ypd.dssdhome.xyz/11/ip.bino

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5DD00: CreateFileW,DeviceIoControl,FindCloseChangeNotification,

0_2_00007FF61BD5DD00

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD5D434	0_2_00007FF61BD5D434
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD5D9A0	0_2_00007FF61BD5D9A0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD41848	0_2_00007FF61BD41848
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD56FB1	0_2_00007FF61BD56FB1
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD714E0	0_2_00007FF61BD714E0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD614C0	0_2_00007FF61BD614C0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD72454	0_2_00007FF61BD72454
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD7442C	0_2_00007FF61BD7442C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD64C2C	0_2_00007FF61BD64C2C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD62B78	0_2_00007FF61BD62B78
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD77B2C	0_2_00007FF61BD77B2C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD772C8	0_2_00007FF61BD772C8
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD50AAC	0_2_00007FF61BD50AAC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD66AAC	0_2_00007FF61BD66AAC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD6A278	0_2_00007FF61BD6A278
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD4EA00	0_2_00007FF61BD4EA00
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD529E4	0_2_00007FF61BD529E4
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD5E1E8	0_2_00007FF61BD5E1E8
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD47144	0_2_00007FF61BD47144
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD74890	0_2_00007FF61BD74890
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD6AFF0	0_2_00007FF61BD6AFF0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD43FD4	0_2_00007FF61BD43FD4
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD6C7B4	0_2_00007FF61BD6C7B4
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD70EBC	0_2_00007FF61BD70EBC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD69EC8	0_2_00007FF61BD69EC8
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD64EA0	0_2_00007FF61BD64EA0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD6B6AC	0_2_00007FF61BD6B6AC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD62E90	0_2_00007FF61BD62E90
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD7A660	0_2_00007FF61BD7A660
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD57670	0_2_00007FF61BD57670
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD78D8C	0_2_00007FF61BD78D8C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD65D54	0_2_00007FF61BD65D54

Source: EBAbsk8ydv.exe

Static PE information: invalid certificate

Source: EBAbsk8ydv.exe	Binary or memory string: OriginalFilename vs EBAbsk8ydv.exe
Source: EBAbsk8ydv.exe, 00000000.00000000.2018453175.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqbroker.exe, vs EBAbsk8ydv.exe
Source: EBAbsk8ydv.exe	Binary or memory string: OriginalFilenameqbroker.exe, vs EBAbsk8ydv.exe

Source: classification engine

Classification label: mal56.troj.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD4EFA0 GetCurrentThreadId,PostThreadMessageW,Sleep,ShellExecuteW,CoCreateInstance,CoCreateInstance,

0_2_00007FF61BD4EFA0

Source: EBAbsk8ydv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EBAbsk8ydv.exe	ReversingLabs: Detection: 13%
Source: EBAbsk8ydv.exe	Virustotal: Detection: 12%

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: EBAbsk8ydv.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EBAbsk8ydv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: EBAbsk8ydv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: EBAbsk8ydv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\F1_proj_trunk\f1\src\features\qbroker\Release\qbroker64.pdb; source: EBAbsk8ydv.exe
Source:	Binary string: E:\F1_proj_trunk\f1\src\features\qbroker\Release\qbroker64.pdb source: EBAbsk8ydv.exe

Source: EBAbsk8ydv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EBAbsk8ydv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EBAbsk8ydv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EBAbsk8ydv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EBAbsk8ydv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5CF60 GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_00007FF61BD5CF60

Source: EBAbsk8ydv.exe

Static PE information: real checksum: 0x63c9a should be: 0x61a23

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00007FF61BD5D434
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,isalnum,isalnum,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive%d	0_2_00007FF61BD5D9A0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,malloc,DeviceIoControl,free,CloseHandle, \\.\PhysicalDrive%d	0_2_00007FF61BD5D748

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00007FF61BD5D434
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,isalnum,isalnum,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive%d	0_2_00007FF61BD5D9A0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: CreateFileW,DeviceIoControl,malloc,DeviceIoControl,free,CloseHandle, \\.\PhysicalDrive%d	0_2_00007FF61BD5D748

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD62B78 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF61BD62B78

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_00007FF61BD5CF60

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-22258

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe TID: 4760

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD614C0 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_wsopen_s,_fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FindClose,__wdtoxmode,GetLastError,_dosmaperr,FindClose,GetLastError,_dosmaperr,FindClose,		0_2_00007FF61BD614C0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: 0_2_00007FF61BD58C4C FindFirstFileW,FindClose,		0_2_00007FF61BD58C4C

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD506C4 GetSystemTimeAsFileTime,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetSystemDefaultLangID,InternetOpenA,InternetSetOptionW,InternetConnectW,

0_2_00007FF61BD506C4

Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

API call chain: ExitProcess graph end node

graph_0-22196

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5ECDC GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF61BD5ECDC

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5ECDC GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF61BD5ECDC

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5CF60 GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_00007FF61BD5CF60

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD74D00 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_write_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock,

0_2_00007FF61BD74D00

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD687D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF61BD687D8

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF61BD71D1C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	0_2_00007FF61BD6E4DC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	0_2_00007FF61BD714E0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: __crtGetLocaleInfoEx,	0_2_00007FF61BD713DC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	0_2_00007FF61BD71BD0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	0_2_00007FF61BD71328
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	0_2_00007FF61BD719A0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	0_2_00007FF61BD6E944
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: EnumSystemLocalesW,	0_2_00007FF61BD6E900
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_00007FF61BD7190C
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_00007FF61BD71858
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00007FF61BD70EBC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	0_2_00007FF61BD64EA0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	0_2_00007FF61BD71E74
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00007FF61BD6E648
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: _getptd,GetLocaleInfoW,	0_2_00007FF61BD71DCC
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00007FF61BD63598

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD506C4 GetSystemTimeAsFileTime,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetSystemDefaultLangID,InternetOpenA,InternetSetOptionW,InternetConnectW,

0_2_00007FF61BD506C4

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD7442C _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,_getenv_helper_nolock,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,

0_2_00007FF61BD7442C

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe

Code function: 0_2_00007FF61BD5DF34 GetVersionExW,

0_2_00007FF61BD5DF34

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Bootkit	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	1 Bootkit	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EBAbsk8ydv.exe	14%	ReversingLabs
EBAbsk8ydv.exe	12%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://xn--ypd.dssdhome.xyz/ll	0%	Avira URL Cloud	safe
http://11.dssdhome.xyz/11/ip.bin	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/11/ip.bin	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/11/ip.binI	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/.2&aGV	0%	Avira URL Cloud	safe
https://xn--ypd.dssdhome.xyz/11/ip.bin	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/.2refox/70.2	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/11/ip.bin.	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz:80/11/ip.bin	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/11/ip.bin	0%	Virustotal		Browse
http://xn--ypd.dssdhome.xyz/11/ip.binz	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz:80/11/ip.biny	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz:80/11/ip.bin	0%	Virustotal		Browse
https://xn--ypd.dssdhome.xyz/11/ip.binE	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/11/ip.binx	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz:80/11/ip.binP&o9V	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/lla	0%	Avira URL Cloud	safe
https://xn--ypd.dssdhome.xyz/11/ip.bino	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/.2	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz/xa	0%	Avira URL Cloud	safe
http://xn--ypd.dssdhome.xyz:80/11/ip.binPf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mooscc.b-cdn.net	169.150.247.38	true	false		unknown
xn--ypd.dssdhome.xyz	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xn--ypd.dssdhome.xyz/11/ip.binI	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/	EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/11/ip.bin	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA148000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA180000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://11.dssdhome.xyz/11/ip.bin	EBAbsk8ydv.exe, 00000000.00000002.3273555261.000000EF41CFA000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	EBAbsk8ydv.exe	false	URL Reputation: safe	unknown
http://xn--ypd.dssdhome.xyz/ll	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	EBAbsk8ydv.exe	false	URL Reputation: safe	unknown
http://xn--ypd.dssdhome.xyz/.2&aGV	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xn--ypd.dssdhome.xyz/11/ip.bin	EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/.2refox/70.2	EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/11/ip.bin.	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz:80/11/ip.bin	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA148000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/11/ip.binz	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA189000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz:80/11/ip.biny	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xn--ypd.dssdhome.xyz/11/ip.binE	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/11/ip.binx	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz:80/11/ip.binP&o9V	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/lla	EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xn--ypd.dssdhome.xyz/11/ip.bino	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/.2	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp, EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz/xa	EBAbsk8ydv.exe, 00000000.00000002.3273716612.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xn--ypd.dssdhome.xyz:80/11/ip.binPf	EBAbsk8ydv.exe, 00000000.00000003.3261373186.0000025CDA1B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
169.150.247.38	mooscc.b-cdn.net	United States		2711	SPIRITTEL-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1488510
Start date and time:	2024-08-06 06:47:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EBAbsk8ydv.exe renamed because original name is a hash value
Original Sample Name:	4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4.exe
Detection:	MAL
Classification:	mal56.troj.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
00:49:57	API Interceptor	22x Sleep call for process: EBAbsk8ydv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
169.150.247.38	https://softworldinc.wpengine.com	Get hash	malicious	Unknown	Browse	cdn.rawgit.com/michalsnik/aos/2.1.1/dist/aos.js
169.150.247.38	rPRESSUREREDUCINGVALVE_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.openlend.lat/aw8o/?-wkb=JwP18BaQn2gAMbwzAk/tzHq1rHqPkgowxzXz/N2AVg5llpqPoDBUT4Fbw9qJesVKC8w5QoNuWE8SYi183Rf2cdVRH8sDFcjA1Q==&_-=axSpBNXszGs9cCrW

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPIRITTEL-ASUS	https://mato-camp-v4.b-cdn.net/kesty	Get hash	malicious	Unknown	Browse	169.150.247.33
	https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u	Get hash	malicious	HTMLPhisher	Browse	169.150.247.37
	https://16784846511.cloud/	Get hash	malicious	Unknown	Browse	169.150.247.36
	jQ0zXV2d1X.elf	Get hash	malicious	Mirai	Browse	165.167.232.23
	https://ipfs.io/ipfs/QmVLJJWuJ1bT38BeLkxSKLDMhVADeV6vmCtQ5cAqW3qdoR	Get hash	malicious	HTMLPhisher	Browse	169.150.247.36
	IISz6QDXkY.elf	Get hash	malicious	Mirai	Browse	207.146.102.5
	https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/	Get hash	malicious	Unknown	Browse	169.150.247.36
	https://link.storjshare.io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip?download=1	Get hash	malicious	Unknown	Browse	169.150.247.39
	https://www.globalepic.co.kr/view.php?ud=202408011057515744edd3030223_29	Get hash	malicious	Unknown	Browse	169.150.236.104

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.219147275536416
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EBAbsk8ydv.exe
File size:	352'608 bytes
MD5:	e546e832f5762cbf8f28b6558c012b8d
SHA1:	ad6368dbb616f9a1a56ec1d3ac9026887928ad63
SHA256:	4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4
SHA512:	f68c9286765cca89fc63020b2573ddc88cff745e5502fd5cf97c1160ce8f46a6bd08227be335d3a2022a1ac179eddddbd52d05c7a9c32332cffcc1dbd7de21c7
SSDEEP:	6144:rEdue2soURTO6e6FMCnIpXsuJr79LLKFdLEH5Z:rm2soUQR+nIhLKFd4Z
TLSH:	94747E69F2E455F8C46BC63689964642D3F27C261A7ADF4F13A0472B2F332909F2D712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B....p...p...p..@!F..p..@!x.Jp..@!y..p....W..p....R..p...p...p..{.\|..p..."B..p...p...p..{.G..p..Rich.p.........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140020618
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5626F46B [Wed Oct 21 02:11:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b330d810ce52a718c58fc0a72cbb426c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	16/01/2013 19:00:00 16/02/2016 18:59:59
Subject Chain	CN=Tencent Technology(Shenzhen) Company Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Tencent Technology(Shenzhen) Company Limited, L=shenzhen, S=guangdong, C=CN
Version:	3
Thumbprint MD5:	242913A2A31BAD3BC7F08E547E0BBFAD
Thumbprint SHA-1:	2FDD445591CD2EEDBEF8B8A281896A59C08B3DC9
Thumbprint SHA-256:	16DB61B6F85E044F6DE44775EC093BEFDA52C35C4AB1424E9463C01B5E11E386
Serial:	7170BD93CF3F189AE6452B514C49340E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD3257F8BE8h
dec eax
add esp, 28h
jmp 00007FD3257F102Bh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
mov eax, ecx
dec eax
neg ecx
dec eax
test eax, 00000007h
je 00007FD3257F1201h
nop
mov dl, byte ptr [eax]
dec eax
inc eax
test dl, dl
je 00007FD3257F1251h
test al, 07h
jne 00007FD3257F11E5h
dec ecx
mov eax, FEFEFEFFh

Rich Headers

Programming Language:

[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4da38	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x6e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x55000	0x2a54	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54800	0x1960
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0xbf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3c610	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x481f0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x538	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3affc	0x3b000	043d7a8a7762ce240ee30b0e264bf052	False	0.4893198821504237	data	6.43588709572288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0x12bca	0x12c00	b8c697b4fe8eae5f35d8658801eb1c54	False	0.3447395833333333	data	4.4036530103672185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x5238	0x2800	752715e664679c0b2c6de2e3dfe40a72	False	0.24716796875	data	3.448216610884499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x55000	0x2a54	0x2c00	c883e64b3fad00cc2dfa25ec2d2587a5	False	0.4665305397727273	data	5.31766570768096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x58000	0x6e8	0x800	dfea87dd18bd72fb2394ad0ec611cfd5	False	0.40478515625	data	4.374395563555661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59000	0xbf4	0xc00	e2b726280567b8e93f7147381710dc80	False	0.4895833333333333	data	5.420233678628129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x580a0	0x2dc	data	Chinese	China	0.47950819672131145
RT_MANIFEST	0x58380	0x365	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (809), with CRLF line terminators	English	United States	0.4890678941311853

Imports

DLL	Import
KERNEL32.dll	GetLastError, HeapSize, EnterCriticalSection, CreateEventW, DecodePointer, WaitForMultipleObjects, CreateWaitableTimerW, DeleteCriticalSection, GetCurrentThreadId, CloseHandle, CreateThread, RaiseException, Sleep, GetCurrentProcess, GetModuleHandleW, OpenProcess, LoadLibraryW, GetProcAddress, OpenThread, GetModuleHandleA, LocalFree, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, GetProcessHeap, SetEvent, WaitForSingleObject, HeapFree, SetWaitableTimer, HeapAlloc, SetErrorMode, GetModuleFileNameW, HeapReAlloc, SetEnvironmentVariableA, FlushFileBuffers, WriteConsoleW, ReadConsoleW, SetEndOfFile, GetTimeZoneInformation, SetStdHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, LoadLibraryExW, GetCurrentDirectoryW, GetFullPathNameW, PeekNamedPipe, GetFileInformationByHandle, FileTimeToLocalFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlCaptureContext, FreeEnvironmentStringsW, IsDebuggerPresent, OutputDebugStringW, MultiByteToWideChar, WideCharToMultiByte, GetSystemDefaultLangID, GetSystemTimeAsFileTime, GetSystemInfo, GetVersionExW, CreateFileW, CopyFileW, DeleteFileW, GetFileSize, ReadFile, WriteFile, FindFirstFileW, FindClose, ExpandEnvironmentStringsW, GetSystemDirectoryW, FreeLibrary, DeviceIoControl, EncodePointer, GetCommandLineW, RtlPcToFileHeader, RtlLookupFunctionEntry, RtlUnwindEx, FindFirstFileExW, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, CreateDirectoryW, IsProcessorFeaturePresent, ExitProcess, GetModuleHandleExW, GetStdHandle, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, GetStringTypeW, GetFileType, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW
USER32.dll	PostThreadMessageW, PostQuitMessage, GetMessageW, DispatchMessageW
ADVAPI32.dll	RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegOpenKeyExA, RegQueryValueExA
SHELL32.dll	CommandLineToArgvW, ShellExecuteW, SHGetSpecialFolderPathW
ole32.dll	CoUninitialize, StringFromGUID2, CoInitializeEx, CoRevokeClassObject, CoRegisterClassObject, CoCreateInstance, CoInitialize, CoCreateGuid, CoRegisterMessageFilter
OLEAUT32.dll	SysAllocString, SysFreeString, SysStringLen, VariantClear, VariantInit, SysAllocStringLen, VariantChangeType
SHLWAPI.dll	PathAppendW, PathFileExistsW, PathFindFileNameW
VERSION.dll	GetFileVersionInfoW, VerQueryValueW
WS2_32.dll	htonl, htons
WININET.dll	HttpSendRequestA, HttpOpenRequestW, InternetConnectW, InternetSetOptionW, InternetOpenA, InternetCloseHandle
NETAPI32.dll	Netbios, NetApiBufferFree, NetWkstaTransportEnum

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 06:49:57.262454987 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:57.269674063 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:57.269773006 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:57.269931078 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:57.281670094 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:57.911437988 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:57.952321053 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.017133951 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.024327993 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.205720901 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.249180079 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.313817978 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.318697929 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.499335051 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.546098948 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.610755920 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.617762089 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.798878908 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:58.842983007 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.921405077 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:58.927308083 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.108037949 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.155453920 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.244649887 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.250206947 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.429970980 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.433697939 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.439074039 CEST	80	49717	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.441411018 CEST	49717	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.555691004 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.560662031 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:49:59.560744047 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.560867071 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:49:59.565654039 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.197655916 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.249172926 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.313848972 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.318672895 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.508359909 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.561811924 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.626308918 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.631752968 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.813179970 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:00.858572960 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.938793898 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:00.943757057 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:01.275109053 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:01.327472925 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:01.392329931 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:01.397145033 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:01.876283884 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:01.883272886 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:01.883409977 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:01.986604929 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:01.991575003 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:02.173449039 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:02.173610926 CEST	49718	80	192.168.2.5	169.150.247.38
Aug 6, 2024 06:50:02.179132938 CEST	80	49718	169.150.247.38	192.168.2.5
Aug 6, 2024 06:50:02.179198980 CEST	49718	80	192.168.2.5	169.150.247.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 06:49:56.622706890 CEST	50117	53	192.168.2.5	1.1.1.1
Aug 6, 2024 06:49:57.257381916 CEST	53	50117	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 6, 2024 06:49:56.622706890 CEST	192.168.2.5	1.1.1.1	0x657	Standard query (0)	xn--ypd.dssdhome.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 6, 2024 06:49:57.257381916 CEST	1.1.1.1	192.168.2.5	0x657	No error (0)	xn--ypd.dssdhome.xyz	mooscc.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 06:49:57.257381916 CEST	1.1.1.1	192.168.2.5	0x657	No error (0)	mooscc.b-cdn.net		169.150.247.38	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xn--ypd.dssdhome.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	169.150.247.38	80	6552	C:\Users\user\Desktop\EBAbsk8ydv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 06:49:57.269931078 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:57.911437988 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:57 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: be5099dc7c01a47d3576d8fe9662bb0c Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:49:58.017133951 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:58.205720901 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:58 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: db31078d8f4a0473029c445575f28c60 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:49:58.313817978 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:58.499335051 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:58 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: 919c7f4aa01a857db9b31b9676a4d09d Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:49:58.610755920 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:58.798878908 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:58 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: eb82b29bb83d8361dade02913e264979 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:49:58.921405077 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:59.108037949 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:59 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: 19299e6d228007cd2048ba7fbbf47e3e Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:49:59.244649887 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:49:59.429970980 CEST	365	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:49:59 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: 063dc64c3d2f58b861d1c2df423c7e0e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	169.150.247.38	80	6552	C:\Users\user\Desktop\EBAbsk8ydv.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 06:49:59.560867071 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:00.197655916 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:00 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: 444c8b2556c6243f928a428bd494d13e Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:00.313848972 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:00.508359909 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:00 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: 92bddefdfde33dde9fccea1296c538c3 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:00.626308918 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:00.813179970 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:00 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: d58f0122d3cbf739407a5e2f5fefa92a Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:00.938793898 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:01.275109053 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:01 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: b4ef89284b08063718fefbfed938fef8 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:01.392329931 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:01.876283884 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:01 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: ac17ea3ad375b53926edfbba60d34fa0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:01.883272886 CEST	527	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:01 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: ac17ea3ad375b53926edfbba60d34fa0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:50:01.986604929 CEST	153	OUT	GET /11/ip.bin HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2 Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:50:02.173449039 CEST	365	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Aug 2024 04:50:02 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-DE1-1081 CDN-PullZone: 2373567 CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d CDN-RequestCountryCode: US Location: https://xn--ypd.dssdhome.xyz/11/ip.bin CDN-RequestId: e551df1544ada1b6d4bd5a7798d56dcd

Target ID:	0
Start time:	00:47:55
Start date:	06/08/2024
Path:	C:\Users\user\Desktop\EBAbsk8ydv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EBAbsk8ydv.exe"
Imagebase:	0x7ff61bd40000
File size:	352'608 bytes
MD5 hash:	E546E832F5762CBF8F28B6558C012B8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.9%
Total number of Nodes:	391
Total number of Limit Nodes:	12

Executed Functions

Function 00007FF61BD41848 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 227
threadwindowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FF61BD4187C
CoInitializeEx.OLE32 ref: 00007FF61BD41889

Part of subcall function 00007FF61BD4FDAC: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF61BD4FE18

Part of subcall function 00007FF61BD506C4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61BD50715
Part of subcall function 00007FF61BD506C4: GetModuleHandleW.KERNEL32 ref: 00007FF61BD507FB
Part of subcall function 00007FF61BD506C4: GetProcAddress.KERNEL32 ref: 00007FF61BD5080B
Part of subcall function 00007FF61BD506C4: GetSystemDefaultLangID.KERNEL32 ref: 00007FF61BD5083E

GetCurrentThreadId.KERNEL32 ref: 00007FF61BD418D5
CoRegisterClassObject.OLE32 ref: 00007FF61BD4190A
CoRegisterClassObject.OLE32 ref: 00007FF61BD4192C
malloc.LIBCMT ref: 00007FF61BD41935

Part of subcall function 00007FF61BD5F3A8: _FF_MSGBANNER.LIBCMT ref: 00007FF61BD5F3D8
Part of subcall function 00007FF61BD5F3A8: _NMSG_WRITE.LIBCMT ref: 00007FF61BD5F3E2
Part of subcall function 00007FF61BD5F3A8: HeapAlloc.KERNEL32(?,?,?,00007FF61BD633D0,?,?,?,00007FF61BD6DBE4,?,?,?,00007FF61BD6DAE3,?,?,?,00007FF61BD5F4C5), ref: 00007FF61BD5F3FD
Part of subcall function 00007FF61BD5F3A8: _callnewh.LIBCMT ref: 00007FF61BD5F416
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F421
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F42C

CreateEventW.KERNEL32 ref: 00007FF61BD41959
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD4196B
CreateThread.KERNEL32 ref: 00007FF61BD41997
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD419A1
CommandLineToArgvW.SHELL32 ref: 00007FF61BD419B9
LocalFree.KERNEL32 ref: 00007FF61BD41A2A
GetMessageW.USER32 ref: 00007FF61BD41A42
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD41A5B
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD41A7E
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD41A96
DispatchMessageW.USER32 ref: 00007FF61BD41AA6
GetMessageW.USER32 ref: 00007FF61BD41AB8
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD41ACB
PostThreadMessageW.USER32 ref: 00007FF61BD41ADB
SetEvent.KERNEL32 ref: 00007FF61BD41AEA
WaitForSingleObject.KERNEL32 ref: 00007FF61BD41B05
CloseHandle.KERNEL32 ref: 00007FF61BD41B0F
CloseHandle.KERNEL32 ref: 00007FF61BD41B22
CoRevokeClassObject.OLE32 ref: 00007FF61BD41B33
CoRevokeClassObject.OLE32 ref: 00007FF61BD41B44
CoUninitialize.OLE32 ref: 00007FF61BD41B59

Strings

!!!param=(%ws), and result=%d(0x%x), xrefs: 00007FF61BD41A13
--pt=, xrefs: 00007FF61BD419D6

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Thread$Current$Object$ClassMessage$Handle$CloseCreateEventInitializeRegisterRevokeSystemTime_errno$AddressAllocArgvCommandCountCriticalDefaultDispatchErrorFileFreeHeapLangLineLocalModeModulePostProcSectionSingleSpinUninitializeWait_callnewhmalloc
String ID: !!!param=(%ws), and result=%d(0x%x)$--pt=
API String ID: 936543831-3547824706
Opcode ID: 58205efe5a3e29f5020299fe62fb87e29203e1061887d7311f45762cce80e52e
Instruction ID: b8bbd503bb8f728346380e3dc8a6bd95b11de05872e79c49faace4b2b4aa2777
Opcode Fuzzy Hash: 58205efe5a3e29f5020299fe62fb87e29203e1061887d7311f45762cce80e52e
Instruction Fuzzy Hash: 77A11C32F08E5A8AEB1CCB71E4546AD37A1BF48F6CB446235CD0D92A64DE38A509C744

Function 00007FF61BD506C4 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 139
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61BD50715
GetModuleHandleW.KERNEL32 ref: 00007FF61BD507FB
GetProcAddress.KERNEL32 ref: 00007FF61BD5080B
GetSystemInfo.KERNEL32 ref: 00007FF61BD5081E
GetSystemDefaultLangID.KERNEL32 ref: 00007FF61BD5083E
InternetOpenA.WININET ref: 00007FF61BD5088D
InternetSetOptionW.WININET ref: 00007FF61BD508B7
InternetConnectW.WININET ref: 00007FF61BD508ED

Strings

GetNativeSystemInfo, xrefs: 00007FF61BD50801
qbwup.imtt.qq.com, xrefs: 00007FF61BD508DF
QQ Data Report, xrefs: 00007FF61BD50886
kernel32.dll, xrefs: 00007FF61BD507F4

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: InternetSystem$Time$AddressConnectDefaultFileHandleInfoLangModuleOpenOptionProc
String ID: GetNativeSystemInfo$QQ Data Report$kernel32.dll$qbwup.imtt.qq.com
API String ID: 3082367296-404951005
Opcode ID: dfcdd1e627b552f5fcc6b089cbe0647b8e705594d37419fb9a644f721dbe48a1
Instruction ID: e48ad9db8bcb7252dc3e0664991b667c8895e46c22ed5729e14173f25887858c
Opcode Fuzzy Hash: dfcdd1e627b552f5fcc6b089cbe0647b8e705594d37419fb9a644f721dbe48a1
Instruction Fuzzy Hash: 63614A26E09E4A9AFB1CEF21D4543E823A0EB4CB68F442236DA0D876B9DF7CD544C744

Function 00007FF61BD56FB1 Relevance: 17.7, Strings: 14, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00007FF61BD57051
5, xrefs: 00007FF61BD57049
6, xrefs: 00007FF61BD57079
4, xrefs: 00007FF61BD57081
, xrefs: 00007FF61BD57071
i, xrefs: 00007FF61BD57061
G, xrefs: 00007FF61BD5710C
u, xrefs: 00007FF61BD57069
M, xrefs: 00007FF61BD57029
l, xrefs: 00007FF61BD57039
(, xrefs: 00007FF61BD57059
z, xrefs: 00007FF61BD57031
T, xrefs: 00007FF61BD57114
a, xrefs: 00007FF61BD57041

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID:
String ID: $($0$4$5$6$G$M$T$a$i$l$u$z
API String ID: 0-2079474088
Opcode ID: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction ID: 556cfad332e130f1cd2234b72ed9dee0f6a924ced5cb42dc37dea3aceb5a8d1c
Opcode Fuzzy Hash: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
Instruction Fuzzy Hash: 28B16676A04B818AE768CF61D8487EE3BB5F748B9CF549129DF494BA08DF788548CB04

Function 00007FF61BD5D9A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61BD5DFE0: _wcsftime_l.LIBCMT ref: 00007FF61BD5E002

CreateFileW.KERNELBASE ref: 00007FF61BD5DA3B
DeviceIoControl.KERNELBASE ref: 00007FF61BD5DAAE
isalnum.LIBCMT ref: 00007FF61BD5DB7A
isalnum.LIBCMT ref: 00007FF61BD5DB87

Part of subcall function 00007FF61BD5D294: isspace.LIBCMT ref: 00007FF61BD5D2E5
Part of subcall function 00007FF61BD5D294: isprint.LIBCMT ref: 00007FF61BD5D334
Part of subcall function 00007FF61BD5D294: isprint.LIBCMT ref: 00007FF61BD5D366

GetLastError.KERNEL32 ref: 00007FF61BD5DCB7
FindCloseChangeNotification.KERNELBASE ref: 00007FF61BD5DCC0

Strings

\\.\PhysicalDrive%d, xrefs: 00007FF61BD5D9FE

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: isalnumisprint$ChangeCloseControlCreateDeviceErrorFileFindLastNotification_wcsftime_lisspace
String ID: \\.\PhysicalDrive%d
API String ID: 3713868347-2935326385
Opcode ID: 5f22f7dda0fa0d2083e89765b6fb2e99ee3076c198469aed35988f3e453eb5fa
Instruction ID: 00a970f0408dd2f988190c0edbe54349386c4c1c10ba8f5a73be8b1464a0a1c5
Opcode Fuzzy Hash: 5f22f7dda0fa0d2083e89765b6fb2e99ee3076c198469aed35988f3e453eb5fa
Instruction Fuzzy Hash: 2891F426E08AC648F728DB3598006EE2770FB99B68F405331DA9C87AE9DF38D149C704

Function 00007FF61BD5CF60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 155
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF61BD5CFCB
LoadLibraryW.KERNELBASE(?,00000000,00000001,?,00007FF61BD57E7A), ref: 00007FF61BD5D059
GetProcAddress.KERNEL32(?,00000000,00000001,?,00007FF61BD57E7A), ref: 00007FF61BD5D075
GetAdaptersInfo.IPHLPAPI(?,00000000,00000001,?,00007FF61BD57E7A), ref: 00007FF61BD5D09B
FreeLibrary.KERNEL32(?,00000000,00000001,?,00007FF61BD57E7A), ref: 00007FF61BD5D14A

Strings

iphlpapi.dll, xrefs: 00007FF61BD5D039
GetAdaptersInfo, xrefs: 00007FF61BD5D06B

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Library$AdaptersAddressDirectoryFreeInfoLoadProcSystem
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 779643986-3114217049
Opcode ID: 4a27c3a1f73799821867c693db5f1ce39942eb2f893445ff2fda54d3b6687bb2
Instruction ID: a2456f92935ef1c604ebe09ae4df613cd5dc63375b8c78a456d6a6b6a69f7000
Opcode Fuzzy Hash: 4a27c3a1f73799821867c693db5f1ce39942eb2f893445ff2fda54d3b6687bb2
Instruction Fuzzy Hash: AB510626A19AC599EB2CCF24D9145F937B0FB4CBA8F445232CA5C837A5EF38D606C310

Function 00007FF61BD5D434 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 191
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61BD5DFE0: _wcsftime_l.LIBCMT ref: 00007FF61BD5E002

CreateFileW.KERNELBASE ref: 00007FF61BD5D4D3
DeviceIoControl.KERNELBASE ref: 00007FF61BD5D527
DeviceIoControl.KERNEL32 ref: 00007FF61BD5D5F1
CloseHandle.KERNEL32 ref: 00007FF61BD5D708

Strings

\\.\PhysicalDrive%d, xrefs: 00007FF61BD5D492
, xrefs: 00007FF61BD5D6C1

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ControlDevice$CloseCreateFileHandle_wcsftime_l
String ID: $\\.\PhysicalDrive%d
API String ID: 2232022054-4129297631
Opcode ID: e552fafb8f0c2b07f14bd3e18931d16ec8ff4264b4c9298c1863061f42ef912c
Instruction ID: 1307d0afff09c3d60dedf103c8ddc8f856e23cb1a9b4e3aa52451545d5b9ad7e
Opcode Fuzzy Hash: e552fafb8f0c2b07f14bd3e18931d16ec8ff4264b4c9298c1863061f42ef912c
Instruction Fuzzy Hash: E781F522E08A8685FB18DB61E4007ED67B0FB89BA8F401235DA5D87AF5DF7CD146CB04

Function 00007FF61BD5DD00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61BD5DFE0: _wcsftime_l.LIBCMT ref: 00007FF61BD5E002

CreateFileW.KERNELBASE ref: 00007FF61BD5DD9A
DeviceIoControl.KERNELBASE ref: 00007FF61BD5DE2C
FindCloseChangeNotification.KERNELBASE ref: 00007FF61BD5DEF5

Strings

SCSIDISK, xrefs: 00007FF61BD5DDC8
\\.\Scsi%d:, xrefs: 00007FF61BD5DD59

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotification_wcsftime_l
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 1682414592-2176293039
Opcode ID: 577b507be059ceb8dda8a8d80dc6f0ca7d4625d406ab22ce9cbaccb78d2fb990
Instruction ID: f4071631d7d77ad780e51351d4daac0f4380fe5eb6947e5943a831547edad816
Opcode Fuzzy Hash: 577b507be059ceb8dda8a8d80dc6f0ca7d4625d406ab22ce9cbaccb78d2fb990
Instruction Fuzzy Hash: 2E518632F08A8649FB28DB65E4047EA7760EB59BA8F401231DE9C47AA5DF3CD146CB14

Function 00007FF61BD5DF34 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 00007FF61BD5DF66

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 9310357b27b72605c91cda9fd868c2f1d05fda8222a43fcded9a615d6b2e3943
Instruction ID: 57b2e80d93c5ca2fcf4aad6fd217bbe0320d3d3b700b79077a1aa469796555e8
Opcode Fuzzy Hash: 9310357b27b72605c91cda9fd868c2f1d05fda8222a43fcded9a615d6b2e3943
Instruction Fuzzy Hash: A3119E60E0EA8E44FE1C5F526D149BA53A09F1EFE4E042335DE0E876F69E2CA4478224

Function 00007FF61BD5CA74 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FF61BD5CAE8

Part of subcall function 00007FF61BD4F17C: _wcsftime_l.LIBCMT ref: 00007FF61BD4F19E

RegOpenKeyExA.KERNELBASE ref: 00007FF61BD5CB2E
RegQueryValueExA.KERNELBASE ref: 00007FF61BD5CB6F
RegQueryValueExA.ADVAPI32 ref: 00007FF61BD5CBBE
RegCloseKey.ADVAPI32 ref: 00007FF61BD5CC25
RegCloseKey.ADVAPI32 ref: 00007FF61BD5CC30

Strings

PCI, xrefs: 00007FF61BD5CBD1, 00007FF61BD5CBF6
%s\Connection, xrefs: 00007FF61BD5CAFE
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 00007FF61BD5CABF
PnpInstanceID, xrefs: 00007FF61BD5CBAF
MediaSubType, xrefs: 00007FF61BD5CB60

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CloseOpenQueryValue$_wcsftime_l
String ID: %s\Connection$MediaSubType$PCI$PnpInstanceID$System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 1942821279-3769660923
Opcode ID: 1e710f77e3ee06986cbe06514addf1342d7295bd946d04cac56360bd4f484af0
Instruction ID: 799cde96c7c77b3f3436396a241bd487643aeb4ee2ff0aab4e8cc4f13216bfe1
Opcode Fuzzy Hash: 1e710f77e3ee06986cbe06514addf1342d7295bd946d04cac56360bd4f484af0
Instruction Fuzzy Hash: DC514776A18F4686EB58CF11E48076A73B4FB8CB94F442235E68D83664DF7CD545CB40

Function 00007FF61BD56BE1 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF61BD56C98

Strings

msvc, xrefs: 00007FF61BD56C1B
winh, xrefs: 00007FF61BD56C33
dll, xrefs: 00007FF61BD56C41
ttp., xrefs: 00007FF61BD56C3A
32.d, xrefs: 00007FF61BD56C07
rt.d, xrefs: 00007FF61BD56C22
user, xrefs: 00007FF61BD56BFB

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: LibraryLoad
String ID: 32.d$dll$msvc$rt.d$ttp.$user$winh
API String ID: 1029625771-3273083856
Opcode ID: 73224d7bf1c59c6d7a50056a5264328afd2584649fa69412497d679d280ec81e
Instruction ID: c31abecf591b65dfa36461f4013eef8db529113432f100ca0c66124bfe94d1e3
Opcode Fuzzy Hash: 73224d7bf1c59c6d7a50056a5264328afd2584649fa69412497d679d280ec81e
Instruction Fuzzy Hash: 1B417331E45F4687E618EBA1B04529E73B5FB59710F20D134EBD94BB6ADF38E8118348

Function 00007FF61BD57DC8 Relevance: 4.7, APIs: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61BD5CC60: NetWkstaTransportEnum.NETAPI32 ref: 00007FF61BD5CCB1
Part of subcall function 00007FF61BD5CC60: swscanf.LIBCMT ref: 00007FF61BD5CD30
Part of subcall function 00007FF61BD5CC60: NetApiBufferFree.NETAPI32 ref: 00007FF61BD5CD90

Part of subcall function 00007FF61BD58128: CreateFileW.KERNEL32 ref: 00007FF61BD58197
Part of subcall function 00007FF61BD58128: CopyFileW.KERNEL32 ref: 00007FF61BD581EF
Part of subcall function 00007FF61BD58128: DeleteFileW.KERNEL32 ref: 00007FF61BD58207
Part of subcall function 00007FF61BD58128: CreateFileW.KERNEL32 ref: 00007FF61BD58237
Part of subcall function 00007FF61BD58128: GetFileSize.KERNEL32 ref: 00007FF61BD5826B
Part of subcall function 00007FF61BD58128: ReadFile.KERNEL32 ref: 00007FF61BD5828E
Part of subcall function 00007FF61BD58128: CloseHandle.KERNEL32 ref: 00007FF61BD582A6

CoInitialize.OLE32 ref: 00007FF61BD58033

Part of subcall function 00007FF61BD5F658: malloc.LIBCMT ref: 00007FF61BD5F672

CoCreateGuid.OLE32 ref: 00007FF61BD58054
CoUninitialize.OLE32 ref: 00007FF61BD58076

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: File$Create$BufferCloseCopyDeleteEnumFreeGuidHandleInitializeReadSizeTransportUninitializeWkstamallocswscanf
String ID:
API String ID: 967320499-0
Opcode ID: f45f6e0889ba490f2accccdbf6b7aa0c194da9b90917add94f5b7e6bbfcb44cd
Instruction ID: 691f1ca98b0fa721cc78613b54abe7e9f42e9b2e79498603aab8ac81829e6eda
Opcode Fuzzy Hash: f45f6e0889ba490f2accccdbf6b7aa0c194da9b90917add94f5b7e6bbfcb44cd
Instruction Fuzzy Hash: E5A1A022E08E4685FB1CDB65E8411AE6770FB89B68F502235EE4D876B6DF39D484C708

Function 00007FF61BD573A1 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD56A61), ref: 00007FF61BD573F7
SleepEx.KERNEL32 ref: 00007FF61BD574A5

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: 17cfd8ad0c7638cb764231ca36a94797f8588443699496d39ce2ea07f32eeec3
Instruction ID: 76e31a641fda8884511d75a452610aa18496a9112cd4e3f46f0215db9e3c0ef7
Opcode Fuzzy Hash: 17cfd8ad0c7638cb764231ca36a94797f8588443699496d39ce2ea07f32eeec3
Instruction Fuzzy Hash: 4F416A72B006818AE7149F71E4143AD3BB2F749BDCF148239DF092BB58CF7885898B14

Function 00007FF61BD5694C Relevance: 3.1, APIs: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy_s.LIBCMT ref: 00007FF61BD569C8
memcpy_s.LIBCMT ref: 00007FF61BD569EB

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 3ba629cbf69f092d9a6a99baa789089f6e541fc72971d204d36041c70e46a210
Instruction ID: 2d2b2e6c95ae2f4cb13698ab632489f5abc90d5fd12654bdc0e22a52294ce4f0
Opcode Fuzzy Hash: 3ba629cbf69f092d9a6a99baa789089f6e541fc72971d204d36041c70e46a210
Instruction Fuzzy Hash: 57318A32E09E8588FB289BA0E4513EC2370EB48B68F501335DA4D97AA5CF3CD5458744

Non-executed Functions

Function 00007FF61BD43FD4 Relevance: 35.5, APIs: 7, Strings: 13, Instructions: 479memoryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00007FF61BD4417C
SysFreeString.OLEAUT32 ref: 00007FF61BD4422F
SysAllocString.OLEAUT32 ref: 00007FF61BD4423C
ShellExecuteW.SHELL32 ref: 00007FF61BD44289
_snwprintf_s.LIBCMT ref: 00007FF61BD44383
SysFreeString.OLEAUT32 ref: 00007FF61BD44515
_snwprintf_s.LIBCMT ref: 00007FF61BD445C6

Strings

!!!CCustomInternetExplorer::Navigate::TargetFrameName=%p, PostData =%p, Headers=%p, xrefs: 00007FF61BD4407B
Headers, xrefs: 00007FF61BD44130
Navigate, xrefs: 00007FF61BD4402D, 00007FF61BD4431F, 00007FF61BD44469
getqb(failed),callIE=0x%0x, xrefs: 00007FF61BD445AE
--force-qb-trident-mode --url=, xrefs: 00007FF61BD44235
!!!CCustomInternetExplorer::Navigate::succeeded GetQQBrowserRegExePath, hShellEcecute=0x%0x, bstrParam=(%ws), xrefs: 00007FF61BD4428F
open, xrefs: 00007FF61BD4426B
TargetFrameName, xrefs: 00007FF61BD44151
ShellExecute(failed)=%d, CallIE=0x%0x, xrefs: 00007FF61BD44367
Refresh, xrefs: 00007FF61BD446F2
success, xrefs: 00007FF61BD44443
PostData, xrefs: 00007FF61BD44137
%s|%s|%s|CallIE(hr=0x%0x), xrefs: 00007FF61BD44160

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: String_snwprintf_s$Free$AllocExecuteShell
String ID: !!!CCustomInternetExplorer::Navigate::TargetFrameName=%p, PostData =%p, Headers=%p$!!!CCustomInternetExplorer::Navigate::succeeded GetQQBrowserRegExePath, hShellEcecute=0x%0x, bstrParam=(%ws)$%s|%s|%s|CallIE(hr=0x%0x)$--force-qb-trident-mode --url=$Headers$Navigate$PostData$Refresh$ShellExecute(failed)=%d, CallIE=0x%0x$TargetFrameName$getqb(failed),callIE=0x%0x$open$success
API String ID: 1409506827-3779367281
Opcode ID: 1bd3418aa18722d502f0f989c2ef448bb372b33f642515aba0af826c2920730e
Instruction ID: 8e3bc836beba626fb72f063e0afb531d7f379a2213bbbf395c6c4b7593122712
Opcode Fuzzy Hash: 1bd3418aa18722d502f0f989c2ef448bb372b33f642515aba0af826c2920730e
Instruction Fuzzy Hash: 0E325022E08F8686EB1CDB61E4402ED77B4FB48BA8F505235EA4D97EA9DF38D145C740

Function 00007FF61BD47144 Relevance: 33.7, APIs: 7, Strings: 12, Instructions: 425memoryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00007FF61BD472E2
SysFreeString.OLEAUT32 ref: 00007FF61BD47399
SysAllocString.OLEAUT32 ref: 00007FF61BD473A6
ShellExecuteW.SHELL32 ref: 00007FF61BD473F0
_snwprintf_s.LIBCMT ref: 00007FF61BD474AE
SysFreeString.OLEAUT32 ref: 00007FF61BD475D9
_snwprintf_s.LIBCMT ref: 00007FF61BD47685

Strings

Navigate2, xrefs: 00007FF61BD47197
Headers, xrefs: 00007FF61BD47296
getqb(failed),callIE=0x%0x, xrefs: 00007FF61BD4766E
--force-qb-trident-mode --url=, xrefs: 00007FF61BD4739F
success, xrefs: 00007FF61BD47543
QueryStatusWB, xrefs: 00007FF61BD4778E
!!!CCustomInternetExplorer::Navigate2::TargetFrameName=%p PostData=%p, Headers=%p, Url=(%ws), xrefs: 00007FF61BD471BE
PostData, xrefs: 00007FF61BD4729D
open, xrefs: 00007FF61BD473D4
%s|%s|%s|CallIE(hr=0x%0x), xrefs: 00007FF61BD472C6
TargetFrameName, xrefs: 00007FF61BD472B7
ShellExecute(failed)=%d, CallIE=0x%0x, xrefs: 00007FF61BD47493

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: String_snwprintf_s$Free$AllocExecuteShell
String ID: !!!CCustomInternetExplorer::Navigate2::TargetFrameName=%p PostData=%p, Headers=%p, Url=(%ws)$%s|%s|%s|CallIE(hr=0x%0x)$--force-qb-trident-mode --url=$Headers$Navigate2$PostData$QueryStatusWB$ShellExecute(failed)=%d, CallIE=0x%0x$TargetFrameName$getqb(failed),callIE=0x%0x$open$success
API String ID: 1409506827-1244131776
Opcode ID: 94eb9b60d4815c93928bcf632506e6fd5ac0767ceb5879db2def2a593c99b36b
Instruction ID: f54f2e79a237da6bba28b45149bb0b1ac86cf9eee4bf76d6a597175e2ca12dd9
Opcode Fuzzy Hash: 94eb9b60d4815c93928bcf632506e6fd5ac0767ceb5879db2def2a593c99b36b
Instruction Fuzzy Hash: A4126232E08E8685EB1CDB65E4402ED37B4FB48B68F506236EA4D97AA9DF3CD145C700

Function 00007FF61BD50AAC Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 445networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD52964: std::_Xbad_alloc.LIBCPMT ref: 00007FF61BD5299D

std::exception::exception.LIBCMT ref: 00007FF61BD50F7D
_CxxThrowException.LIBCMT ref: 00007FF61BD50F98
std::exception::exception.LIBCMT ref: 00007FF61BD50FB9
_CxxThrowException.LIBCMT ref: 00007FF61BD50FD4
htonl.WS2_32 ref: 00007FF61BD5102B
HttpOpenRequestW.WININET ref: 00007FF61BD5108C
HttpSendRequestA.WININET ref: 00007FF61BD510BC
InternetCloseHandle.WININET ref: 00007FF61BD510C9
InternetCloseHandle.WININET ref: 00007FF61BD510D1

Strings

qbpcstat, xrefs: 00007FF61BD50D2E
ServantName must not be empty, xrefs: 00007FF61BD50F68
POST, xrefs: 00007FF61BD5107E
HTTP/1.1, xrefs: 00007FF61BD51074
FuncName must not be empty, xrefs: 00007FF61BD50FA4
crypt, xrefs: 00007FF61BD50DC0
stat, xrefs: 00007FF61BD50D79

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CloseExceptionHandleHttpInternetRequestThrowstd::exception::exception$OpenSendXbad_allochtonlstd::_
String ID: FuncName must not be empty$HTTP/1.1$POST$ServantName must not be empty$crypt$qbpcstat$stat
API String ID: 254083644-2247718545
Opcode ID: de6711ad864119869007c65ce8b63b81258a5e4cc7d5ab55e84a7347c8c6c515
Instruction ID: e1f0d7a030f85021c53dbeeec30f11c5afd941f8a0c34f35e64fcc3e8c6853c2
Opcode Fuzzy Hash: de6711ad864119869007c65ce8b63b81258a5e4cc7d5ab55e84a7347c8c6c515
Instruction Fuzzy Hash: 1122B232A08F8989EB28DF71D8406EC3775FB48B98F902236DA4D97A69DF38D554C704

Function 00007FF61BD63598 Relevance: 21.1, APIs: 14, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtGetLocaleInfoA.LIBCMT ref: 00007FF61BD635F1

Part of subcall function 00007FF61BD6E648: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF61BD6E668
Part of subcall function 00007FF61BD6E648: __crtGetLocaleInfoA_stat.LIBCMT ref: 00007FF61BD6E686

GetLastError.KERNEL32 ref: 00007FF61BD635FD
__crtGetLocaleInfoA.LIBCMT ref: 00007FF61BD63619
__crtGetLocaleInfoA.LIBCMT ref: 00007FF61BD63650
_calloc_crt.LIBCMT ref: 00007FF61BD6362C

Part of subcall function 00007FF61BD63320: _calloc_impl.LIBCMT ref: 00007FF61BD6334E

_calloc_crt.LIBCMT ref: 00007FF61BD63667
free.LIBCMT ref: 00007FF61BD6367F
free.LIBCMT ref: 00007FF61BD636CB
__crtGetLocaleInfoEx.LIBCMT ref: 00007FF61BD636EE
_calloc_crt.LIBCMT ref: 00007FF61BD63700
__crtGetLocaleInfoEx.LIBCMT ref: 00007FF61BD63718
free.LIBCMT ref: 00007FF61BD63724
__crtGetLocaleInfoEx.LIBCMT ref: 00007FF61BD6374F
_invoke_watson.LIBCMT ref: 00007FF61BD63777

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Locale$Info__crt$_calloc_crtfree$A_statErrorLastUpdateUpdate::__calloc_impl_invoke_watson
String ID:
API String ID: 377212461-0
Opcode ID: e3bf062b5020bad119278e3234153a9c97d88ad087b0860666f44413645793e8
Instruction ID: 63710619b83dc3df2e3858fcb909d2472646ab2d7da3f47eab64087bdf42859f
Opcode Fuzzy Hash: e3bf062b5020bad119278e3234153a9c97d88ad087b0860666f44413645793e8
Instruction Fuzzy Hash: 8651F511F18ACA46FA6D9A6A945077A7294AFACFF4F046331DE0DD7BA5DE3CE4008700

Function 00007FF61BD5D748 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD5DFE0: _wcsftime_l.LIBCMT ref: 00007FF61BD5E002

CreateFileW.KERNEL32 ref: 00007FF61BD5D7DE
DeviceIoControl.KERNEL32 ref: 00007FF61BD5D835
malloc.LIBCMT ref: 00007FF61BD5D848

Part of subcall function 00007FF61BD5F3A8: _FF_MSGBANNER.LIBCMT ref: 00007FF61BD5F3D8
Part of subcall function 00007FF61BD5F3A8: _NMSG_WRITE.LIBCMT ref: 00007FF61BD5F3E2
Part of subcall function 00007FF61BD5F3A8: HeapAlloc.KERNEL32(?,?,?,00007FF61BD633D0,?,?,?,00007FF61BD6DBE4,?,?,?,00007FF61BD6DAE3,?,?,?,00007FF61BD5F4C5), ref: 00007FF61BD5F3FD
Part of subcall function 00007FF61BD5F3A8: _callnewh.LIBCMT ref: 00007FF61BD5F416
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F421
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F42C

DeviceIoControl.KERNEL32 ref: 00007FF61BD5D890
free.LIBCMT ref: 00007FF61BD5D958
CloseHandle.KERNEL32 ref: 00007FF61BD5D960

Strings

\\.\PhysicalDrive%d, xrefs: 00007FF61BD5D7A3
., xrefs: 00007FF61BD5D8AB

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ControlDevice_errno$AllocCloseCreateFileHandleHeap_callnewh_wcsftime_lfreemalloc
String ID: .$\\.\PhysicalDrive%d
API String ID: 3652198919-636426351
Opcode ID: 2cb9f29a0383857dff898a6d44bd58ec0e7d864761fd42d99c1947b355f38110
Instruction ID: 0f3b204635b2bd8afb03aa48823afbcb691c6327dbfcf4a915f86f702924e37e
Opcode Fuzzy Hash: 2cb9f29a0383857dff898a6d44bd58ec0e7d864761fd42d99c1947b355f38110
Instruction Fuzzy Hash: D251A332A18E4686FB28DF51E4147AE63A0FB89BA4F401235DE4D87BA5DF3CD145CB04

Function 00007FF61BD4EFA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103comthreadsleepCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61BD4EFFB
PostThreadMessageW.USER32 ref: 00007FF61BD4F00E
Sleep.KERNEL32 ref: 00007FF61BD4F018
ShellExecuteW.SHELL32 ref: 00007FF61BD4F0A6
CoCreateInstance.OLE32 ref: 00007FF61BD4F0F1
CoCreateInstance.OLE32 ref: 00007FF61BD4F128

Strings

open, xrefs: 00007FF61BD4F09D
-Embedding, xrefs: 00007FF61BD4F064

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CreateInstanceThread$CurrentExecuteMessagePostShellSleep
String ID: -Embedding$open
API String ID: 4109628772-2736633392
Opcode ID: fd2df4d1919a09f22f9c63018b7fd7111f9de143657e3ef7dbf67d501e261332
Instruction ID: 96da561574633287c5c5482c98e60dadafecdd3b4f26ab863cd8a60ea2d9c849
Opcode Fuzzy Hash: fd2df4d1919a09f22f9c63018b7fd7111f9de143657e3ef7dbf67d501e261332
Instruction Fuzzy Hash: 48518232E08E8A86E71CDF11E8442A96761FB8CB68F402236D94D87AB4DF7CE445CB40

Function 00007FF61BD4EA00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF61BD4EA67
SysAllocString.OLEAUT32 ref: 00007FF61BD4EA74

Strings

NavigateHack, xrefs: 00007FF61BD4EAA1
FindBrowserByIndex, xrefs: 00007FF61BD4EBBB

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: String$AllocFree
String ID: FindBrowserByIndex$NavigateHack
API String ID: 344208780-3607754153
Opcode ID: de8f1f9ed67bc6513ebae345c0a51becab5b6116b3a1311c571633cf55c53bdc
Instruction ID: cc686dfa61cba77ea23ca2f6f198b0726e2f1190a7ec8d663b72592dec825daf
Opcode Fuzzy Hash: de8f1f9ed67bc6513ebae345c0a51becab5b6116b3a1311c571633cf55c53bdc
Instruction Fuzzy Hash: F2717C32E18E459AFB1CDB60D4503AC23A4FB58BA8F446635EA4D87EAACF3CD115C740

Function 00007FF61BD5ECDC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61BD5ED3D
IsDebuggerPresent.KERNEL32 ref: 00007FF61BD5ED55
OutputDebugStringW.KERNEL32 ref: 00007FF61BD5ED66

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF61BD5ED5F

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: f676bf00bd45b925f24ae54672d027915a33156fdb6a16f405138c6fe5cc32f1
Instruction ID: c6b72286f6c1c23c4002767a9f241993fce75c69083ce9a7bfd97cd43792d1b0
Opcode Fuzzy Hash: f676bf00bd45b925f24ae54672d027915a33156fdb6a16f405138c6fe5cc32f1
Instruction Fuzzy Hash: 9C116D72E04F4A9BE70C9B26E9503B933A0FF18B69F406235C64DC2960EF7CE4648700

Function 00007FF61BD529E4 Relevance: 5.2, Strings: 3, Instructions: 1477COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF61BD52BE7
gfffffff, xrefs: 00007FF61BD53538
gfffffff, xrefs: 00007FF61BD52B2F

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: htonl$ExceptionThrowstd::exception::exception
String ID: gfffffff$gfffffff$gfffffff
API String ID: 1194782181-2968619780
Opcode ID: 7f4e2fb3dc5b2d2fb114832c0c81eb9e0488da7db746ea189fc7acc70b9d317e
Instruction ID: 44537ac96407a3f8a61dbc414348ff94acaf4473afe4213c5bb5896d3568a983
Opcode Fuzzy Hash: 7f4e2fb3dc5b2d2fb114832c0c81eb9e0488da7db746ea189fc7acc70b9d317e
Instruction Fuzzy Hash: A1C29566B089C586DF0CDB3596512FD2772EB4AFE4B407120EA5D4BB6ACE3CE402DB05

Function 00007FF61BD58C4C Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF61BD58C76
FindClose.KERNEL32 ref: 00007FF61BD58C8B

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8a02239767a8b36154e632c7aba0e0c2fca487b9197e97b71514e1963a2b26dd
Instruction ID: 7f3c9d35aad1e12d976c300007b32a6d89581bb442a728211618690213e49cd0
Opcode Fuzzy Hash: 8a02239767a8b36154e632c7aba0e0c2fca487b9197e97b71514e1963a2b26dd
Instruction Fuzzy Hash: D7F0E225E0AD0985EE6C9B24E45A3B53360FB58F78F542732C96D832F0CE2C90099700

Function 00007FF61BD6E900 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,?,00007FF61BD70EAB,?,?,00000140,00007FF61BD7157B), ref: 00007FF61BD6E931

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 73643b16058b4c7c9c70b5fc0a0d8582263b454781c721b842577a58b24a1dfe
Instruction ID: a7e01ac99a068863a4c5bd00420fc179bdf91536f9c76c1cca2262e12f087ae9
Opcode Fuzzy Hash: 73643b16058b4c7c9c70b5fc0a0d8582263b454781c721b842577a58b24a1dfe
Instruction Fuzzy Hash: 93E0EC26E19E8AD6F75C5B01FC9136037A0AF5DB25F503632C50CC6A74CE6CA1968705

Function 00007FF61BD5E1E8 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37785044067b7a1469bff97e43a5488a276ebc2d2d122b53df96d93c8cdea13
Instruction ID: 36e9ad9e523bf675709288599cd5ce1a276f1b24d2b0397a99583be5512651a5
Opcode Fuzzy Hash: a37785044067b7a1469bff97e43a5488a276ebc2d2d122b53df96d93c8cdea13
Instruction Fuzzy Hash: 132283B7F345204BD31DCB69EC52FA836A2B75434C709A02CEA17D3F44EA3DEA158644

Function 00007FF61BD57670 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a2dbce7e390b63f7df38598765106d3b12782b4211c6c1c5caf7da0a4464e1
Instruction ID: 10abda2feb9175b64af6ff571e8f9ecec970e7bc5494e6d5c1e88f4d2e3e5016
Opcode Fuzzy Hash: e0a2dbce7e390b63f7df38598765106d3b12782b4211c6c1c5caf7da0a4464e1
Instruction Fuzzy Hash: 345123737349184BA319CE39EA16A5A3391F3D974C748E124EF46E7B45EA3DE902C381

Function 00007FF61BD74B5C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

_validdrive.LIBCMT ref: 00007FF61BD74B95

Part of subcall function 00007FF61BD786B4: __doserrno.LIBCMT ref: 00007FF61BD786CE
Part of subcall function 00007FF61BD786B4: _errno.LIBCMT ref: 00007FF61BD786D9
Part of subcall function 00007FF61BD786B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD786E4

_errno.LIBCMT ref: 00007FF61BD74C32
_errno.LIBCMT ref: 00007FF61BD74BA9

Part of subcall function 00007FF61BD62964: _getptd_noexit.LIBCMT ref: 00007FF61BD62968

__doserrno.LIBCMT ref: 00007FF61BD74B9E

Part of subcall function 00007FF61BD628F4: _getptd_noexit.LIBCMT ref: 00007FF61BD628F8

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD74BB4
_getdrive.LIBCMT ref: 00007FF61BD74BBE
_errno.LIBCMT ref: 00007FF61BD74BCE
GetFullPathNameW.KERNEL32 ref: 00007FF61BD74C1A

Strings

., xrefs: 00007FF61BD74C03
:, xrefs: 00007FF61BD74BEE

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _errno$__doserrno_getptd_noexit_invalid_parameter_noinfo$FullNamePath_getdrive_validdrive
String ID: .$:
API String ID: 3206601966-4202072812
Opcode ID: c278636a75acf6b6aa7e52600644b43fcd6dd163b020e58cd30286ffe6d5198d
Instruction ID: 2b97792ef57ba7277666eb3ed9096be21898efe63e3dcb57af0bc3b83293e262
Opcode Fuzzy Hash: c278636a75acf6b6aa7e52600644b43fcd6dd163b020e58cd30286ffe6d5198d
Instruction Fuzzy Hash: BD31CB15E0CE8E42FA2E5F5184543BE6290AF8CF78F456235D94DC72B6DEBCD8418B11

Function 00007FF61BD42C9C Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 338memorythreadCOMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32 ref: 00007FF61BD42CE7
SysAllocString.OLEAUT32 ref: 00007FF61BD42CF1
StringFromGUID2.OLE32 ref: 00007FF61BD431C7
SysAllocString.OLEAUT32 ref: 00007FF61BD431D1
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD42D0E

Part of subcall function 00007FF61BD4130C: _CxxThrowException.LIBCMT ref: 00007FF61BD41320

SysFreeString.OLEAUT32 ref: 00007FF61BD43200
SysFreeString.OLEAUT32 ref: 00007FF61BD4320F

Strings

!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws), threadid=%d, xrefs: 00007FF61BD42D1A
!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) should pass(%ws), xrefs: 00007FF61BD42D5A
!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, xrefs: 00007FF61BD431ED
!!!IEWebBrowser for QueryInterface(%ws) got 0x%0x, xrefs: 00007FF61BD42ECC
!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, m_pIEWebBrowser2=%p, xrefs: 00007FF61BD43036
!!!CreateIEWebBrowser2() in QueryInterface(%ws) got 0x%0x, xrefs: 00007FF61BD42E9C

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: String$AllocFreeFrom$CurrentExceptionThreadThrow
String ID: !!!CreateIEWebBrowser2() in QueryInterface(%ws) got 0x%0x$!!!IEWebBrowser for QueryInterface(%ws) got 0x%0x$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, m_pIEWebBrowser2=%p$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) should pass(%ws)$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws), threadid=%d
API String ID: 2093652262-2840267380
Opcode ID: cad24af98e3b99c65bb915084164526389ec252c12579296056ed3c6e499cd0d
Instruction ID: e0e3cfb8990367c626fce50176340a3fca17f1b061f3e746f646b69d73ad6397
Opcode Fuzzy Hash: cad24af98e3b99c65bb915084164526389ec252c12579296056ed3c6e499cd0d
Instruction Fuzzy Hash: A102FD22F18E4A85EB5DDB15D4802786761EB49F78F846632DA4D87BB8CFBCE844C350

Function 00007FF61BD4F4D8 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F4FB
GetLastError.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F50B
OpenProcess.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F520
GetModuleHandleW.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F548
GetProcAddress.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F558
LoadLibraryW.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F571
GetProcAddress.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F586
CloseHandle.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F5B4

Strings

GetProcessImageFileNameW, xrefs: 00007FF61BD4F57C
kernel32, xrefs: 00007FF61BD4F541
K32GetProcessImageFileNameW, xrefs: 00007FF61BD4F54E
psapi.dll, xrefs: 00007FF61BD4F56A

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: AddressHandleOpenProcProcess$CloseErrorLastLibraryLoadModule
String ID: GetProcessImageFileNameW$K32GetProcessImageFileNameW$kernel32$psapi.dll
API String ID: 1640075399-1140887699
Opcode ID: aa82de994624b4998622f923e83a535e56021346db82b491f78cc213d6dde9bb
Instruction ID: 6f558e2382926725f08438d5ea98d60f4797a05d902ce2e426a502107eee35b5
Opcode Fuzzy Hash: aa82de994624b4998622f923e83a535e56021346db82b491f78cc213d6dde9bb
Instruction Fuzzy Hash: 6D212A61F0EF0B85EA5C9F16E85427827A1AF4CFA5F486639D90EC37B4EE6CE4448740

Function 00007FF61BD4F3D0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F402
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F41E
OpenThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F44C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F45A
OpenThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F46F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F4A7

Strings

NtQueryInformationThread, xrefs: 00007FF61BD4F414
ntdll.dll, xrefs: 00007FF61BD4F3FB

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: HandleOpenThread$AddressCloseErrorLastModuleProc
String ID: NtQueryInformationThread$ntdll.dll
API String ID: 2925828140-2698099043
Opcode ID: b15917006222226be9306d18a042d1e7103124e091ac296d0882ca0ad3a46121
Instruction ID: ae9342f13bac923eb471d0288322fd7ec44d13f649f280b4113f4faee58c16e8
Opcode Fuzzy Hash: b15917006222226be9306d18a042d1e7103124e091ac296d0882ca0ad3a46121
Instruction Fuzzy Hash: 4F217E22E19F0A86EB1CDB16A89416963A1FF8CFA4F446635D94D83B74EF3CE405C740

Function 00007FF61BD4F79C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 90registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD4F2D8: GetModuleHandleW.KERNEL32 ref: 00007FF61BD4F318
Part of subcall function 00007FF61BD4F2D8: GetProcAddress.KERNEL32 ref: 00007FF61BD4F32D
Part of subcall function 00007FF61BD4F2D8: RegCloseKey.ADVAPI32 ref: 00007FF61BD4F39B

RegQueryValueExW.ADVAPI32 ref: 00007FF61BD4F880
PathFileExistsW.SHLWAPI ref: 00007FF61BD4F8E2
RegCloseKey.ADVAPI32 ref: 00007FF61BD4F8FA

Strings

Software\Wow6432Node\Tencent\QQBrowser, xrefs: 00007FF61BD4F81A
Software\Tencent\QQBrowser, xrefs: 00007FF61BD4F7FD
QQBrowser.exe, xrefs: 00007FF61BD4F8C6
InstallDir, xrefs: 00007FF61BD4F874

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Close$AddressExistsFileHandleModulePathProcQueryValue
String ID: InstallDir$QQBrowser.exe$Software\Tencent\QQBrowser$Software\Wow6432Node\Tencent\QQBrowser
API String ID: 3970199010-1871758474
Opcode ID: a4d2b91cced5d2252ad5ecd6bf6790e37562157be7f73dccbdb02d7fce924ec1
Instruction ID: 269c5a4fcfd25b3c435c4faabd038bbfc479d5284c6b817e12e67cb15bb35626
Opcode Fuzzy Hash: a4d2b91cced5d2252ad5ecd6bf6790e37562157be7f73dccbdb02d7fce924ec1
Instruction Fuzzy Hash: 6B417032E08F4585EA1C9B21E8441AA6364FB89BB4F506335EA6DC3BB9DF3CD545C740

Function 00007FF61BD5AE24 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5AE45

Part of subcall function 00007FF61BD7A1C0: _lock.LIBCMT ref: 00007FF61BD7A1D2

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5AE6A
messages.LIBCPMT ref: 00007FF61BD5AEED
std::bad_exception::bad_exception.LIBCMT ref: 00007FF61BD5AF04
_CxxThrowException.LIBCMT ref: 00007FF61BD5AF15
std::_Facet_Register.LIBCPMT ref: 00007FF61BD5AF33

Strings

bad cast, xrefs: 00007FF61BD5AEF8

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 6fa198d8182d60241d03b708863fe7a84b2709087642af159d215598ae70a9eb
Instruction ID: c78fb22b79a63890714b918de704eedac5f2acffab0f2889876a183a96fc23e9
Opcode Fuzzy Hash: 6fa198d8182d60241d03b708863fe7a84b2709087642af159d215598ae70a9eb
Instruction Fuzzy Hash: F6315B21E0DF5A81FA1D9B15E8900B96371EB98FB4B442332DA5D876F9DE3CE846C305

Function 00007FF61BD5B5F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5B615

Part of subcall function 00007FF61BD7A1C0: _lock.LIBCMT ref: 00007FF61BD7A1D2

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5B63A
numpunct.LIBCPMT ref: 00007FF61BD5B6BD
std::bad_exception::bad_exception.LIBCMT ref: 00007FF61BD5B6D4
_CxxThrowException.LIBCMT ref: 00007FF61BD5B6E5
std::_Facet_Register.LIBCPMT ref: 00007FF61BD5B703

Strings

bad cast, xrefs: 00007FF61BD5B6C8

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: b59a08d1540ec987e1887726f7663786dbea4613d7ad03c91e53d418083ca5fc
Instruction ID: 08dd4439046958c33c7b3516c2f451ee8f5cdb103b06446ad7880fa0a05f9486
Opcode Fuzzy Hash: b59a08d1540ec987e1887726f7663786dbea4613d7ad03c91e53d418083ca5fc
Instruction Fuzzy Hash: F1313E21E09E0A91FA1D9F25E8900B96371EB98FB4B142332D65DC77F5DE7CE8468B04

Function 00007FF61BD5BE10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5BE31

Part of subcall function 00007FF61BD7A1C0: _lock.LIBCMT ref: 00007FF61BD7A1D2

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF61BD5BE56
ctype.LIBCPMT ref: 00007FF61BD5BED9
std::bad_exception::bad_exception.LIBCMT ref: 00007FF61BD5BEF0
_CxxThrowException.LIBCMT ref: 00007FF61BD5BF01
std::_Facet_Register.LIBCPMT ref: 00007FF61BD5BF1F

Strings

bad cast, xrefs: 00007FF61BD5BEE4

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 1e214aa9f60b7bf54ab17ca2b64ecbdf3207e7ccc1a0268482592e6b885839f2
Instruction ID: 7a4aa0a8118dbfbe18a9ff93a588f7f89de95d6b9b2831ce0b1b12bb2d719c47
Opcode Fuzzy Hash: 1e214aa9f60b7bf54ab17ca2b64ecbdf3207e7ccc1a0268482592e6b885839f2
Instruction Fuzzy Hash: E9314021E09E4A81EA1D9F15E8500B96371EB88FB4F186332DA5DC76F5DE3CE4858B04

Function 00007FF61BD69637 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 00007FF61BD69662
RaiseException.KERNEL32 ref: 00007FF61BD6968B
__DestructExceptionObject.LIBCMT ref: 00007FF61BD696EC
_getptd.LIBCMT ref: 00007FF61BD6963F

Part of subcall function 00007FF61BD648AC: _getptd_noexit.LIBCMT ref: 00007FF61BD648B2

_getptd.LIBCMT ref: 00007FF61BD696F1
_getptd.LIBCMT ref: 00007FF61BD696FD

Strings

csm, xrefs: 00007FF61BD696BF

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Exception_getptd$DestructObject$Raise_getptd_noexit
String ID: csm
API String ID: 2851507484-1018135373
Opcode ID: f63c31c8744fcde41ace1429d150bb829a6fb854e99d4356c7669e496792e9cb
Instruction ID: 6b3a1f13b31c9bb48b6f94b745e1e95e8edd7e8cb9d0e59eb66a41fa230047f1
Opcode Fuzzy Hash: f63c31c8744fcde41ace1429d150bb829a6fb854e99d4356c7669e496792e9cb
Instruction Fuzzy Hash: 37214B76A08A8982E638DB55E0403AE7361F78CFA4F055236DE9D437A5CF3DE485CB00

Function 00007FF61BD65478 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 00007FF61BD654A1

Part of subcall function 00007FF61BD633A0: malloc.LIBCMT ref: 00007FF61BD633CB
Part of subcall function 00007FF61BD633A0: Sleep.KERNEL32(?,?,?,00007FF61BD6DBE4,?,?,?,00007FF61BD6DAE3,?,?,?,00007FF61BD5F4C5,?,?,?,00007FF61BD5F5B9), ref: 00007FF61BD633DE

free.LIBCMT ref: 00007FF61BD655A2
free.LIBCMT ref: 00007FF61BD655BE

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: ffe51e098a28f5bc81262543e1a2495965659b64c93bc8964f93e359b729555d
Instruction ID: f196da2f35cc32469270f671e1a5c2840f58e549260d4c409b5071fbcbace5fc
Opcode Fuzzy Hash: ffe51e098a28f5bc81262543e1a2495965659b64c93bc8964f93e359b729555d
Instruction Fuzzy Hash: 8B617336A04F8A92FA1C9B16E94166933A4FB8CB68F441235DE5C87B61DF3CE4A5C740

Function 00007FF61BD415C4 Relevance: 10.7, APIs: 7, Instructions: 155threadmemorywindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61BD4160C
PostThreadMessageW.USER32 ref: 00007FF61BD41620

Part of subcall function 00007FF61BD41348: InitializeCriticalSection.KERNEL32 ref: 00007FF61BD4138D
Part of subcall function 00007FF61BD41348: EnterCriticalSection.KERNEL32 ref: 00007FF61BD413B5
Part of subcall function 00007FF61BD41348: LeaveCriticalSection.KERNEL32 ref: 00007FF61BD41401

CoRevokeClassObject.OLE32 ref: 00007FF61BD41656
CoRevokeClassObject.OLE32 ref: 00007FF61BD41667
StringFromGUID2.OLE32 ref: 00007FF61BD4167E
SysAllocString.OLEAUT32 ref: 00007FF61BD41688
SysFreeString.OLEAUT32 ref: 00007FF61BD417E5

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CriticalSectionString$ClassObjectRevokeThread$AllocCurrentEnterFreeFromInitializeLeaveMessagePost
String ID:
API String ID: 1381646855-0
Opcode ID: a029d25510344f831e2ec24893b9987acfd9a486f14a21de3c8d25aeeaf843b1
Instruction ID: 58dfadd8832582367d09a17646beddaaa7cd582f39cb52c183fa2d80cc8509d2
Opcode Fuzzy Hash: a029d25510344f831e2ec24893b9987acfd9a486f14a21de3c8d25aeeaf843b1
Instruction Fuzzy Hash: 6C618F22E08F8586E71C9B62E8406AD67B4FB89B64F542235DA4D97FB4DF38E450CB00

Function 00007FF61BD5FBE8 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD5FC13
_errno.LIBCMT ref: 00007FF61BD5FC08

Part of subcall function 00007FF61BD62964: _getptd_noexit.LIBCMT ref: 00007FF61BD62968

_errno.LIBCMT ref: 00007FF61BD5FCB6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD5FCC1

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 36164a5b92ab75e8b9d0270866404d9543f1fa6deae194a1da3a023a4b3b9817
Instruction ID: d8f486552bd396baca949cffbf96a4558e0744479e6c77f0b59b6b9062a2545c
Opcode Fuzzy Hash: 36164a5b92ab75e8b9d0270866404d9543f1fa6deae194a1da3a023a4b3b9817
Instruction Fuzzy Hash: DD413075E08ADE41EB6C7B11908017972B0EF58FB4F846272DE9C8B6E5DE2CD4418704

Function 00007FF61BD58128 Relevance: 10.6, APIs: 7, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD58434: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF61BD584BF

CreateFileW.KERNEL32 ref: 00007FF61BD58197
CreateFileW.KERNEL32 ref: 00007FF61BD58237

Part of subcall function 00007FF61BD58C4C: FindClose.KERNEL32 ref: 00007FF61BD58C8B

CopyFileW.KERNEL32 ref: 00007FF61BD581EF
DeleteFileW.KERNEL32 ref: 00007FF61BD58207
GetFileSize.KERNEL32 ref: 00007FF61BD5826B
ReadFile.KERNEL32 ref: 00007FF61BD5828E
CloseHandle.KERNEL32 ref: 00007FF61BD582A6

Part of subcall function 00007FF61BD58C4C: FindFirstFileW.KERNEL32 ref: 00007FF61BD58C76

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: File$CloseCreateFind$CopyDeleteFirstFolderHandlePathReadSizeSpecial
String ID:
API String ID: 2284925675-0
Opcode ID: e2c09bcf50226816ff0f6ef4bf8d80569a357a0aade116ce0efe607448ec2109
Instruction ID: 620c8805c1f1616585c975d2d2a3a00a3e01d51d1e52657e45b87010e04e06e5
Opcode Fuzzy Hash: e2c09bcf50226816ff0f6ef4bf8d80569a357a0aade116ce0efe607448ec2109
Instruction Fuzzy Hash: 41519E32B04E45DAEB18DF65D4542AC63B1FB88BA8F805335DA2D93AE8DF38D514C744

Function 00007FF61BD5F76C Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD5F792
_errno.LIBCMT ref: 00007FF61BD5F787

Part of subcall function 00007FF61BD62964: _getptd_noexit.LIBCMT ref: 00007FF61BD62968

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF61BD5F811
_errno.LIBCMT ref: 00007FF61BD5F822
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD5F82D

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 114d716205cd9dd7d1c115ba21ab42b81c090a2b93a5ee04d70adfc3818b5fa7
Instruction ID: 9f6316a479c8179c68fcf91539a96978b112909c1310364b8684de75d816d42c
Opcode Fuzzy Hash: 114d716205cd9dd7d1c115ba21ab42b81c090a2b93a5ee04d70adfc3818b5fa7
Instruction Fuzzy Hash: 7C413B72E08A9B81EB6CB71190401FD36B1EF58FB0F945276D6DC8B6E8DE2CD8418704

Function 00007FF61BD790A4 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF61BD790D8

Part of subcall function 00007FF61BD5F6C4: _getptd.LIBCMT ref: 00007FF61BD5F6DA
Part of subcall function 00007FF61BD5F6C4: __updatetlocinfo.LIBCMT ref: 00007FF61BD5F70F
Part of subcall function 00007FF61BD5F6C4: __updatetmbcinfo.LIBCMT ref: 00007FF61BD5F736

_errno.LIBCMT ref: 00007FF61BD790F3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD790FE

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 5afd3457c7a2ea1a5f02dee57da20931110c2d528eea28ea6e04efb072b26444
Instruction ID: 6ad8d2b04a5579a78274630577793348f388c9fbf4c1097e0bda4e3b4c119a7f
Opcode Fuzzy Hash: 5afd3457c7a2ea1a5f02dee57da20931110c2d528eea28ea6e04efb072b26444
Instruction Fuzzy Hash: 8831D132E18F8A95E62C9B11C4845A9B6A0EB5CFF4F146232EE59837E5CF7CD851C700

Function 00007FF61BD4F2D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF61BD4F318
GetProcAddress.KERNEL32 ref: 00007FF61BD4F32D
RegOpenKeyExW.ADVAPI32 ref: 00007FF61BD4F389
RegCloseKey.ADVAPI32 ref: 00007FF61BD4F39B

Strings

Advapi32.dll, xrefs: 00007FF61BD4F311
RegOpenKeyTransactedW, xrefs: 00007FF61BD4F323

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 46beea28c6eae07af4a728249fe307b16fa5c9b9b6675718f3559790d5a38139
Instruction ID: de9c41d6a8ed2c04a8774916c514781b3e9975d63e000fb9a30b7466c6a246f5
Opcode Fuzzy Hash: 46beea28c6eae07af4a728249fe307b16fa5c9b9b6675718f3559790d5a38139
Instruction Fuzzy Hash: C3214132A18E4986FB2C9B51E4583B963A0FB49FA8F586235EA4D87A64DF3CD4548700

Function 00007FF61BD4142C Relevance: 10.6, APIs: 7, Instructions: 62timethreadwindowCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF61BD41462

Part of subcall function 00007FF61BD5F368: HeapFree.KERNEL32(?,?,00000000,00007FF61BD6493A,?,?,?,00007FF61BD6296D,?,?,?,?,00007FF61BD5F446), ref: 00007FF61BD5F37E
Part of subcall function 00007FF61BD5F368: _errno.LIBCMT ref: 00007FF61BD5F388
Part of subcall function 00007FF61BD5F368: GetLastError.KERNEL32(?,?,00000000,00007FF61BD6493A,?,?,?,00007FF61BD6296D,?,?,?,?,00007FF61BD5F446), ref: 00007FF61BD5F390

CreateWaitableTimerW.KERNEL32 ref: 00007FF61BD4148C
GetLastError.KERNEL32 ref: 00007FF61BD4149A
SetWaitableTimer.KERNEL32 ref: 00007FF61BD414C7
WaitForMultipleObjects.KERNEL32 ref: 00007FF61BD414E1
GetCurrentThreadId.KERNEL32 ref: 00007FF61BD414F7
PostThreadMessageW.USER32 ref: 00007FF61BD4150C

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ErrorLastThreadTimerWaitable$CreateCurrentFreeHeapMessageMultipleObjectsPostWait_errnofree
String ID:
API String ID: 2911511307-0
Opcode ID: 689c32a63b2e1eb818ab7082173d63fae4e2e3531b0e754b93d29fbe0c040a1d
Instruction ID: 3d51635f1663d7252a1b95fe63e8bece5db5571889a5d94423b5d7a91180d175
Opcode Fuzzy Hash: 689c32a63b2e1eb818ab7082173d63fae4e2e3531b0e754b93d29fbe0c040a1d
Instruction Fuzzy Hash: 3321B632E18F4587E75D8B24E41176A77A0FF8DB64F102334E68E82964DF6CE044CB00

Function 00007FF61BD5C324 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00007FF61BD5C36D
_CxxThrowException.LIBCMT ref: 00007FF61BD5C395
_CxxThrowException.LIBCMT ref: 00007FF61BD5C3B2
_CxxThrowException.LIBCMT ref: 00007FF61BD5C3CF

Strings

ios_base::badbit set, xrefs: 00007FF61BD5C37A
ios_base::eofbit set, xrefs: 00007FF61BD5C3B8
ios_base::failbit set, xrefs: 00007FF61BD5C39B

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 093aac91aca3d5cb444e93d4d42d2825fe212e2d82f146a169df17e4c3784bdb
Instruction ID: 5cd0a5de793453222272e0e04908e397df24558f174e8ee465ed9b16cfe601fe
Opcode Fuzzy Hash: 093aac91aca3d5cb444e93d4d42d2825fe212e2d82f146a169df17e4c3784bdb
Instruction Fuzzy Hash: C3116061E18E0F95FF5CDB64D8814EC2370AF58F28F543231D61D9A975EE68E545C304

Function 00007FF61BD69734 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF61BD69755
_getptd.LIBCMT ref: 00007FF61BD69763
_getptd.LIBCMT ref: 00007FF61BD69775

Strings

RCC, xrefs: 00007FF61BD6973B
csm, xrefs: 00007FF61BD6974B
MOC, xrefs: 00007FF61BD69743

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 5c374d830ee814f54b2f9fa3c3e92b96ec2efda21db6e13fed2e5b8fabcddbb5
Instruction ID: 75f579d4b056aa62c63aa360194600a5030ab766c5a7a3bc89f51d769a8cc662
Opcode Fuzzy Hash: 5c374d830ee814f54b2f9fa3c3e92b96ec2efda21db6e13fed2e5b8fabcddbb5
Instruction Fuzzy Hash: 71F0FE35D089CE85E65D2B5085453FC32A0AF5CF25F85A671C21CC22A29FAC64848A22

Function 00007FF61BD42900 Relevance: 9.1, APIs: 6, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF61BD4295B
SysAllocStringLen.OLEAUT32 ref: 00007FF61BD42995
SysStringLen.OLEAUT32 ref: 00007FF61BD429B0
memcpy_s.LIBCMT ref: 00007FF61BD429C6
memcpy_s.LIBCMT ref: 00007FF61BD429F7
SysFreeString.OLEAUT32 ref: 00007FF61BD42A1C

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: String$memcpy_s$AllocFree
String ID:
API String ID: 3865269606-0
Opcode ID: e22d06bfb5369b301686315787000ad3005f2f7fca881707cd04031463c0dc54
Instruction ID: 314770b2330e729c6ec5d5b81a0d8482d73e665230e67090d156564435c1d07d
Opcode Fuzzy Hash: e22d06bfb5369b301686315787000ad3005f2f7fca881707cd04031463c0dc54
Instruction Fuzzy Hash: D041E425F18E4F82EA2C5B5144591781690AF8CFB8F24633ACE1DC7FF5CE6CE4548208

Function 00007FF61BD5B400 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

localeconv.LIBCMT ref: 00007FF61BD5B426

Part of subcall function 00007FF61BD61C30: _getptd.LIBCMT ref: 00007FF61BD61C34
Part of subcall function 00007FF61BD61C30: __updatetlocinfo.LIBCMT ref: 00007FF61BD61C57

_Getcvt.LIBCPMT ref: 00007FF61BD5B433

Part of subcall function 00007FF61BD7A568: ___lc_codepage_func.LIBCMT ref: 00007FF61BD7A58C
Part of subcall function 00007FF61BD7A568: ___mb_cur_max_func.LIBCMT ref: 00007FF61BD7A593
Part of subcall function 00007FF61BD7A568: ___lc_locale_name_func.LIBCMT ref: 00007FF61BD7A59B

_Getcvt.LIBCPMT ref: 00007FF61BD5B45C

Strings

true, xrefs: 00007FF61BD5B4BF
false, xrefs: 00007FF61BD5B495

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Getcvt$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__updatetlocinfo_getptdlocaleconv
String ID: false$true
API String ID: 379465546-2658103896
Opcode ID: c770085aa06cf17b6387c8f837feb050c9cc296f023650f2e6eb596c1cc5e8d8
Instruction ID: 3a8e2b0d08d206a2c2a8c224f7c2e252792ce9ae308d7d181c945e985e86443e
Opcode Fuzzy Hash: c770085aa06cf17b6387c8f837feb050c9cc296f023650f2e6eb596c1cc5e8d8
Instruction Fuzzy Hash: 0B31E522A08F8A41E7298F21964036D7BA0EB58FF8F156371CAAC473F5CE38D455C380

Function 00007FF61BD4F69C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF61BD4F6E2
PathAppendW.SHLWAPI ref: 00007FF61BD4F6FE
GetFileVersionInfoW.VERSION ref: 00007FF61BD4F72F
VerQueryValueW.VERSION ref: 00007FF61BD4F758

Strings

\Internet Explorer\iexplore.exe, xrefs: 00007FF61BD4F6F0

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Path$AppendFileFolderInfoQuerySpecialValueVersion
String ID: \Internet Explorer\iexplore.exe
API String ID: 3320195616-38705447
Opcode ID: 84e7ca486809708aacdf764988d78f65cf761cafb01ba4910b894d15dae9b407
Instruction ID: 435147e1c129bb9df43818ddc181319d9d908d4243f6a4ac571d4855159136b5
Opcode Fuzzy Hash: 84e7ca486809708aacdf764988d78f65cf761cafb01ba4910b894d15dae9b407
Instruction Fuzzy Hash: CD212161A18E4B95EB2C9F21E8547BA63A0FB4CB58F446135D64DC7974DF7CE244C700

Function 00007FF61BD7417C Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF61BD741A0

Part of subcall function 00007FF61BD74080: _errno.LIBCMT ref: 00007FF61BD74089
Part of subcall function 00007FF61BD74080: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD74094

cvtdate.LIBCMT ref: 00007FF61BD74285
cvtdate.LIBCMT ref: 00007FF61BD74389
_invoke_watson.LIBCMT ref: 00007FF61BD74423

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: cvtdate$_errno_get_daylight_invalid_parameter_noinfo_invoke_watson
String ID:
API String ID: 1447642234-0
Opcode ID: a3b1e53b5f70f45bfea4914cdc108dd655034d0a9fcfc8361ab68712039ad71a
Instruction ID: 55e07881e5019f642ca8c1d64a02d726acd4ef3de37c8c565dfa046a0d966ee1
Opcode Fuzzy Hash: a3b1e53b5f70f45bfea4914cdc108dd655034d0a9fcfc8361ab68712039ad71a
Instruction Fuzzy Hash: 00815572D18A56C7D37D8F05A451479FBE5FB98B54F10623AEA8982A74DFBCE4408F00

Function 00007FF61BD73430 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF61BD73492
_isleadbyte_l.LIBCMT ref: 00007FF61BD734C2
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF61BD67267), ref: 00007FF61BD73501
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF61BD67267), ref: 00007FF61BD7354F
_errno.LIBCMT ref: 00007FF61BD73559

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 875ca83cb4141ce2e370ac5f9a9d47422609fd01dcb68c20e4be45d132a48f4f
Instruction ID: 0e9f2a44d1d35fbb7130c14d41d13576ad0ae3ba4655e2d6e17d72b5946404d1
Opcode Fuzzy Hash: 875ca83cb4141ce2e370ac5f9a9d47422609fd01dcb68c20e4be45d132a48f4f
Instruction Fuzzy Hash: 9041B932E08B8686E76C8F15A1815797BA1EB48FB8F145235DB4C977B5CF7CD4528700

Function 00007FF61BD60B78 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF61BD60B85

Part of subcall function 00007FF61BD648AC: _getptd_noexit.LIBCMT ref: 00007FF61BD648B2

_inconsistency.LIBCMT ref: 00007FF61BD60B93

Part of subcall function 00007FF61BD61374: DecodePointer.KERNEL32(?,?,?,?,00007FF61BD69D4D,?,?,?,00007FF61BD607DE), ref: 00007FF61BD6137F

_getptd.LIBCMT ref: 00007FF61BD60B98
_inconsistency.LIBCMT ref: 00007FF61BD60BB4
_getptd.LIBCMT ref: 00007FF61BD60BC4

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
String ID:
API String ID: 3566995948-0
Opcode ID: b1ff322655b69a1476251a369cc291caccd7b7030a3ca704fc697a4b73b927dc
Instruction ID: 7347d5210d444f79ac6e73b5a99a9f4294141bb61b4013bc822afc7e36416243
Opcode Fuzzy Hash: b1ff322655b69a1476251a369cc291caccd7b7030a3ca704fc697a4b73b927dc
Instruction Fuzzy Hash: 2BF08921E09DCA80EA5D6B55D0811FC7361DF4CFA4F0CB331D64D472A7DE68E4908714

Function 00007FF61BD543C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF61BD54482
std::exception::exception.LIBCMT ref: 00007FF61BD54538
_CxxThrowException.LIBCMT ref: 00007FF61BD54553

Part of subcall function 00007FF61BD54B88: _wcsftime_l.LIBCMT ref: 00007FF61BD54BAA

Strings

invalid string size, tag: %d, size: %u, xrefs: 00007FF61BD5440F

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: ExceptionThrow_wcsftime_lhtonlstd::exception::exception
String ID: invalid string size, tag: %d, size: %u
API String ID: 2297430322-3143865162
Opcode ID: 1e4bbb424b589b7c4d6a9f69d28644da6729227b79945c1b82c0398d7d9d0045
Instruction ID: 4e046fa654d6b8029005a06552bddc50a43fb17afbe51da41d645a5b5422c9e2
Opcode Fuzzy Hash: 1e4bbb424b589b7c4d6a9f69d28644da6729227b79945c1b82c0398d7d9d0045
Instruction Fuzzy Hash: E141D466F08A4A9AFB1C9BB4D0003EC2771E709F98F402231CE0C97A9ACE78E059D745

Function 00007FF61BD5CDC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Netbios.NETAPI32 ref: 00007FF61BD5CE22
Netbios.NETAPI32 ref: 00007FF61BD5CE66
Netbios.NETAPI32 ref: 00007FF61BD5CEBA

Strings

3, xrefs: 00007FF61BD5CEA8

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Netbios
String ID: 3
API String ID: 544444789-1842515611
Opcode ID: fc2c6cc1660e2a1a7a068082d65f1229dadc3ebeeb12d96405019ee56709e9e2
Instruction ID: a007c4fec5b88bc51deda284aae1fac04619c44c5e889cf2ea214a9f40f59ee5
Opcode Fuzzy Hash: fc2c6cc1660e2a1a7a068082d65f1229dadc3ebeeb12d96405019ee56709e9e2
Instruction Fuzzy Hash: 5441A126A0DAC54DE7298F7198403ED7B70F759B48F485275DACC83B5ACE2CD206CB10

Function 00007FF61BD5CC60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

NetWkstaTransportEnum.NETAPI32 ref: 00007FF61BD5CCB1
swscanf.LIBCMT ref: 00007FF61BD5CD30

Part of subcall function 00007FF61BD62040: vscan_fn.LIBCMT ref: 00007FF61BD6206B

NetApiBufferFree.NETAPI32 ref: 00007FF61BD5CD90

Strings

%2hx%2hx%2hx%2hx%2hx%2hx, xrefs: 00007FF61BD5CD1F

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: BufferEnumFreeTransportWkstaswscanfvscan_fn
String ID: %2hx%2hx%2hx%2hx%2hx%2hx
API String ID: 2287809651-1625236832
Opcode ID: 562012ec4a8d04ffbd1ac61d7800b8f51613bfbd1697ddc3d8399b8b53b45b8e
Instruction ID: db937c7d6e48cffa90a4397f0df64232484dce5ae5a3fdc3cf00f463d19adf8b
Opcode Fuzzy Hash: 562012ec4a8d04ffbd1ac61d7800b8f51613bfbd1697ddc3d8399b8b53b45b8e
Instruction Fuzzy Hash: BF418A66F14E4589FB588F71E4802EC37B4FB08B58B486236DE4DA3B68EE38C542C344

Function 00007FF61BD58434 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF61BD584BF

Strings

\Global.db, xrefs: 00007FF61BD58567
\Tencent\Desktop, xrefs: 00007FF61BD58547
\Tencent\DeskUpdate, xrefs: 00007FF61BD5853E

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: FolderPathSpecial
String ID: \Global.db$\Tencent\DeskUpdate$\Tencent\Desktop
API String ID: 994120019-3757207327
Opcode ID: ef9c67a7b736c5df7e5daa3a7a868a4ff0da9a40d72e9e1e0b6a8c9ecd359c25
Instruction ID: 58d2a41cdd9488d382556c3c4dcaa2faddb738e4367caa1046cedbc696e4eb76
Opcode Fuzzy Hash: ef9c67a7b736c5df7e5daa3a7a868a4ff0da9a40d72e9e1e0b6a8c9ecd359c25
Instruction Fuzzy Hash: 1431B432E18F8A81EA289F25E4517A92760FB49BB4F402330D96D87AF5DF3DE045C704

Function 00007FF61BD42530 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61BD4255D

Part of subcall function 00007FF61BD4F3D0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61BD4257F), ref: 00007FF61BD4F402

Part of subcall function 00007FF61BD4F4D8: OpenProcess.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F4FB
Part of subcall function 00007FF61BD4F4D8: GetLastError.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F50B
Part of subcall function 00007FF61BD4F4D8: OpenProcess.KERNEL32(?,?,?,00007FF61BD425AB), ref: 00007FF61BD4F520

PathFindFileNameW.SHLWAPI ref: 00007FF61BD425B0
PathFindFileNameW.SHLWAPI ref: 00007FF61BD425DA

Strings

!!!pid=%d through (tid=%d), name=%ws(%ws), xrefs: 00007FF61BD425C1

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: FileFindNameOpenPathProcess$CurrentErrorHandleLastModuleThread
String ID: !!!pid=%d through (tid=%d), name=%ws(%ws)
API String ID: 4126646617-725543756
Opcode ID: d9a42e5648462b841738da11a7d38eaa4930a2defaf0a3aad7186ab1921fdfb4
Instruction ID: d20d2271fa0d6d579d9928cd5c3d730338a549b3fa7a810669d726bd277b5b4d
Opcode Fuzzy Hash: d9a42e5648462b841738da11a7d38eaa4930a2defaf0a3aad7186ab1921fdfb4
Instruction Fuzzy Hash: BF31AA22E28E8691EA6CDF11E4445AA7361FB8CB60F416331DA5E83AB5DF3CE545C740

Function 00007FF61BD4F92C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF61BD4F99A
RegSetValueExW.ADVAPI32 ref: 00007FF61BD4F9D8
RegCloseKey.ADVAPI32 ref: 00007FF61BD4F9E6

Strings

Software\Tencent\QQBrowser\QBroker, xrefs: 00007FF61BD4F961

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CloseCreateValue
String ID: Software\Tencent\QQBrowser\QBroker
API String ID: 1818849710-661104360
Opcode ID: c339afa961175439d270a1f878aef2dd04e9f67a5ceaaee9c33060fd387883c7
Instruction ID: 8120bba051a0505b7f691cd0c497214e19f2fa330e458b5a65b9e7e08500208e
Opcode Fuzzy Hash: c339afa961175439d270a1f878aef2dd04e9f67a5ceaaee9c33060fd387883c7
Instruction Fuzzy Hash: 67218632A18E8586EB188F10F4553AAB3A4FB8CBACF542235D68D47A74CF7CD144CB00

Function 00007FF61BD4F5D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF61BD4F61D
PathAppendW.SHLWAPI ref: 00007FF61BD4F633
PathFileExistsW.SHLWAPI ref: 00007FF61BD4F63E

Strings

\Internet Explorer\iexplore.exe, xrefs: 00007FF61BD4F627

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Path$AppendExistsFileFolderSpecial
String ID: \Internet Explorer\iexplore.exe
API String ID: 2859893649-38705447
Opcode ID: 04ff5b0c2f70b85f27fe75ce75b636d5ad538f00c212532b620ced39efe5c13e
Instruction ID: 905f49b756e145a4454d4c2e30377325e03fe02c1a03e9b3671d4637f30d0b27
Opcode Fuzzy Hash: 04ff5b0c2f70b85f27fe75ce75b636d5ad538f00c212532b620ced39efe5c13e
Instruction Fuzzy Hash: 82114521E08A8A51EE389B61E4553BA6360FB9CB68F942335D6AD879F4DF6CD205C700

Function 00007FF61BD7BB62 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD60B78: _getptd.LIBCMT ref: 00007FF61BD60B85
Part of subcall function 00007FF61BD60B78: _inconsistency.LIBCMT ref: 00007FF61BD60B93
Part of subcall function 00007FF61BD60B78: _getptd.LIBCMT ref: 00007FF61BD60B98
Part of subcall function 00007FF61BD60B78: _inconsistency.LIBCMT ref: 00007FF61BD60BB4

__DestructExceptionObject.LIBCMT ref: 00007FF61BD7BBAF
_getptd.LIBCMT ref: 00007FF61BD7BBB5
_getptd.LIBCMT ref: 00007FF61BD7BBC8

Part of subcall function 00007FF61BD60C08: _getptd.LIBCMT ref: 00007FF61BD60C11

Strings

csm, xrefs: 00007FF61BD7BB82

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 54738449fae25136525e3d73a4cde9389fcf728a346489a781f55c28ab9eb91b
Instruction ID: 13bb0da2b38b7e1080da38cbd1ef14a4d2c0c0d7df325d73347a1f3e1ac63d3f
Opcode Fuzzy Hash: 54738449fae25136525e3d73a4cde9389fcf728a346489a781f55c28ab9eb91b
Instruction Fuzzy Hash: C4018422D05A8A85D76C9F2184E12FE3360EB4CF68F086231DE4DCA35ACE68D8808B41

Function 00007FF61BD5F658 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF61BD5F666
malloc.LIBCMT ref: 00007FF61BD5F672

Part of subcall function 00007FF61BD5F3A8: _FF_MSGBANNER.LIBCMT ref: 00007FF61BD5F3D8
Part of subcall function 00007FF61BD5F3A8: _NMSG_WRITE.LIBCMT ref: 00007FF61BD5F3E2
Part of subcall function 00007FF61BD5F3A8: HeapAlloc.KERNEL32(?,?,?,00007FF61BD633D0,?,?,?,00007FF61BD6DBE4,?,?,?,00007FF61BD6DAE3,?,?,?,00007FF61BD5F4C5), ref: 00007FF61BD5F3FD
Part of subcall function 00007FF61BD5F3A8: _callnewh.LIBCMT ref: 00007FF61BD5F416
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F421
Part of subcall function 00007FF61BD5F3A8: _errno.LIBCMT ref: 00007FF61BD5F42C

_CxxThrowException.LIBCMT ref: 00007FF61BD5F6BB

Part of subcall function 00007FF61BD606E8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF61BD5ECA1), ref: 00007FF61BD60756
Part of subcall function 00007FF61BD606E8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF61BD5ECA1), ref: 00007FF61BD60795

Strings

bad allocation, xrefs: 00007FF61BD5F682

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: b81a1a26c0a4adbc31c3fa8f9502520f94a1c5b7c375de76df4e8ba8216c7643
Instruction ID: 17f84d39e71c9929998a10d98e6cd37b182fbf3e85931b60f8c7bca1820a2de3
Opcode Fuzzy Hash: b81a1a26c0a4adbc31c3fa8f9502520f94a1c5b7c375de76df4e8ba8216c7643
Instruction Fuzzy Hash: B1F09651E09F4F41EE2CA740A4404B56364FF8DB68F442235DA8D8B7B5EE7CE244CB00

Function 00007FF61BD5A4B4 Relevance: 6.3, APIs: 4, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 00007FF61BD5A55C
localeconv.LIBCMT ref: 00007FF61BD5A56F
strcspn.LIBCMT ref: 00007FF61BD5A585
_Mpunct.LIBCPMT ref: 00007FF61BD5A657

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: 053ecaac9354419ddf1ac585ae6d1347d06da948ae916d9b4f2870e79173457f
Instruction ID: b283a39fef09e162d398b14b55167f8ffd925fc0616d4ad671c01327d3a93523
Opcode Fuzzy Hash: 053ecaac9354419ddf1ac585ae6d1347d06da948ae916d9b4f2870e79173457f
Instruction Fuzzy Hash: 8DD18C22F09F8989EB088FB5D0406EC2771FB49B98F546225DE8DA7B5ADF38D046C744

Function 00007FF61BD5D294 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

isspace.LIBCMT ref: 00007FF61BD5D2E5
isprint.LIBCMT ref: 00007FF61BD5D334
isprint.LIBCMT ref: 00007FF61BD5D366
isspace.LIBCMT ref: 00007FF61BD5D3C2

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: isprintisspace
String ID:
API String ID: 2609633722-0
Opcode ID: cb33ea4c5fb831a7523e1f192c435978392835876fc21bf0941de0629dea0196
Instruction ID: 5d2c0ebba01b9f4819db729ec12f29b61a36e656d57841f1c9b198f778970bca
Opcode Fuzzy Hash: cb33ea4c5fb831a7523e1f192c435978392835876fc21bf0941de0629dea0196
Instruction Fuzzy Hash: BA412462E0CEDE45F72E8E79459477D6EA0DB19FA0F086270CF89866B2DD3CA442C314

Function 00007FF61BD582E4 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61BD58434: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF61BD584BF

CreateFileW.KERNEL32 ref: 00007FF61BD58353
CreateFileW.KERNEL32 ref: 00007FF61BD58398
WriteFile.KERNEL32 ref: 00007FF61BD583DC
CloseHandle.KERNEL32 ref: 00007FF61BD583F4

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: File$Create$CloseFolderHandlePathSpecialWrite
String ID:
API String ID: 261467261-0
Opcode ID: 87a36924370a38567c8f29f943b8af8cacfb3f5e16a5e2e4da282d07ff7eaf9b
Instruction ID: 85bdd9b4473198ea5bcc8c35038a326e2e4a530c59835708793f1bd74cefac1e
Opcode Fuzzy Hash: 87a36924370a38567c8f29f943b8af8cacfb3f5e16a5e2e4da282d07ff7eaf9b
Instruction Fuzzy Hash: BE319D32B04A859AE7189F25E4546AC7361FB88BB8F405335EA6D83BE8CF38D5158704

Function 00007FF61BD79AFC Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF61BD79B20

Part of subcall function 00007FF61BD5F6C4: _getptd.LIBCMT ref: 00007FF61BD5F6DA
Part of subcall function 00007FF61BD5F6C4: __updatetlocinfo.LIBCMT ref: 00007FF61BD5F70F
Part of subcall function 00007FF61BD5F6C4: __updatetmbcinfo.LIBCMT ref: 00007FF61BD5F736

_errno.LIBCMT ref: 00007FF61BD79B2C

Part of subcall function 00007FF61BD62964: _getptd_noexit.LIBCMT ref: 00007FF61BD62968

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61BD79B37
strchr.LIBCMT ref: 00007FF61BD79B4D

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 9f204ea91d6198c4a82ef353745b2060fa986f5a3426e358ba194c17e780f943
Instruction ID: dd85ec66613a9390e226add04527df92c157731aea455e5235c1a7adc7f009fe
Opcode Fuzzy Hash: 9f204ea91d6198c4a82ef353745b2060fa986f5a3426e358ba194c17e780f943
Instruction Fuzzy Hash: 9221F953E1CAAAA1EB6C5625D0D01BD67D0EB88FF8F186331E68E876E5CD6CD4418700

Function 00007FF61BD5C69C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,00007FF61BD5C635), ref: 00007FF61BD5C7A6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00007FF61BD5C635), ref: 00007FF61BD5C7BA

Part of subcall function 00007FF61BD4238C: std::_Xbad_alloc.LIBCPMT ref: 00007FF61BD4242D

Strings

string too long, xrefs: 00007FF61BD5C779, 00007FF61BD5C786

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Close$HandleXbad_allocstd::_
String ID: string too long
API String ID: 3601596506-2556327735
Opcode ID: 372d5d49983c13a36cddd18aa35a4e4ff7c67db2dcde71bf080ae64639e4d0e4
Instruction ID: 738ea8755562b3bd11335e27ebc6ab14fa5c25afdacefde193aa99608d9bec52
Opcode Fuzzy Hash: 372d5d49983c13a36cddd18aa35a4e4ff7c67db2dcde71bf080ae64639e4d0e4
Instruction Fuzzy Hash: 8C315222E19E0981EA1C4B15D4442382374EB48FB5F686335DA2D97BF4DF7CE5528388

Function 00007FF61BD47860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00007FF61BD47901

Part of subcall function 00007FF61BD5F8E0: _vsnprintf_s_l.LIBCMT ref: 00007FF61BD5F8F8

Strings

cmdID=0x%0x, xrefs: 00007FF61BD478EE
ExecWB, xrefs: 00007FF61BD478A9

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: _snwprintf_s_vsnprintf_s_l
String ID: ExecWB$cmdID=0x%0x
API String ID: 2495276089-1305857435
Opcode ID: d2504834d054f49e557b6adf1fcb99767156465117bdd46e3a5108ef1bc64949
Instruction ID: 7d25f112c3f1fd3ab34ab7ccdfa0be25137b24f6dff90cac7664d1f15d11cd24
Opcode Fuzzy Hash: d2504834d054f49e557b6adf1fcb99767156465117bdd46e3a5108ef1bc64949
Instruction Fuzzy Hash: 92419222E08B8A86F718DB65E4403ED7761FB88768F501235DA8D47AAACF7CD145CB40

Function 00007FF61BD45C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF61BD45D1C
PostThreadMessageW.USER32 ref: 00007FF61BD45D2E

Strings

Quit, xrefs: 00007FF61BD45C82

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: Thread$CurrentMessagePost
String ID: Quit
API String ID: 3590184027-3818420395
Opcode ID: c5d0bb174f7255261121061f4f28705b061de229dd0f39cf965b494ab33ca0ef
Instruction ID: 4c683b2426006691ecaaf2f6d4eca391abd90b75826b27005acf3bfae92505f3
Opcode Fuzzy Hash: c5d0bb174f7255261121061f4f28705b061de229dd0f39cf965b494ab33ca0ef
Instruction Fuzzy Hash: 6D315932A18A459AFB18DF30E4443ED33A4EB48B5CF806635EA4D87EAACF38D114C750

Function 00007FF61BD4FA0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF61BD4FAA8
RegCloseKey.ADVAPI32 ref: 00007FF61BD4FAD6

Strings

Software\Tencent\QQBrowser\QBroker, xrefs: 00007FF61BD4FA3F

Memory Dump Source

Source File: 00000000.00000002.3273984107.00007FF61BD41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61BD40000, based on PE: true

Associated: 00000000.00000002.3273965318.00007FF61BD40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274021381.00007FF61BD7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274044925.00007FF61BD94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274083951.00007FF61BD95000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61bd40000_EBAbsk8ydv.jbxd

Similarity

API ID: CloseQueryValue
String ID: Software\Tencent\QQBrowser\QBroker
API String ID: 3356406503-661104360
Opcode ID: c2fdb8d571b8b3e4283bdc6ab94a3081b84b2d7644d909ec7713784ee6c357a3
Instruction ID: fb70411e909e93a7a1eb39682fede61d0121370b599c6dd292e525c4c883dafa
Opcode Fuzzy Hash: c2fdb8d571b8b3e4283bdc6ab94a3081b84b2d7644d909ec7713784ee6c357a3
Instruction Fuzzy Hash: E0315632E14E1989FB189B7098492ED33B4FB0CBA8F445636CE0D93A68DF38D148C794

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EBAbsk8ydv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
EBAbsk8ydv.exe

Function 00007FF61BD41848 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 227
threadwindowsynchronizationCOMMON

Function 00007FF61BD506C4 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 139
networklibraryloaderCOMMON

Function 00007FF61BD56FB1 Relevance: 17.7, Strings: 14, Instructions: 220
COMMON

Function 00007FF61BD5D9A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 200
fileCOMMON

Function 00007FF61BD5CF60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 155
libraryloaderCOMMON

Function 00007FF61BD5D434 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 191
fileCOMMON

Function 00007FF61BD5DD00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
fileCOMMON

Function 00007FF61BD5DF34 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00007FF61BD5CA74 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 113
registryCOMMON

Function 00007FF61BD56BE1 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 90
libraryCOMMON

Function 00007FF61BD57DC8 Relevance: 4.7, APIs: 3, Instructions: 230
COMMON

Function 00007FF61BD573A1 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Function 00007FF61BD5694C Relevance: 3.1, APIs: 2, Instructions: 81
COMMON