Windows Analysis Report
EBAbsk8ydv.exe

Overview

General Information

Sample name: EBAbsk8ydv.exe (renamed because the original name is a hash value)
Original sample name: 4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4.exe
Analysis ID: 1488510
MD5: e546e832f5762cbf8f28b6558c012b8d
SHA1: ad6368dbb616f9a1a56ec1d3ac9026887928ad63
SHA256: 4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4
Tags: dssdhome-xyz, exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Performs DNS queries to domains with low reputation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication

Classification

Process tree:
  • System is w10x64
  • EBAbsk8ydv.exe (PID: 2488, cmdline: "C:\Users\user\Desktop\EBAbsk8ydv.exe", MD5: E546E832F5762CBF8F28B6558C012B8D)
  • cleanup

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: EBAbsk8ydv.exe, Virustotal: Detection: 12%
Source: EBAbsk8ydv.exe, ReversingLabs: Detection: 13%
Source: EBAbsk8ydv.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\F1_proj_trunk\f1\src\features\qbroker\Release\qbroker64.pdb (source: EBAbsk8ydv.exe; the project name matches the OriginalFilename qbroker.exe recorded below)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9F14C0 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_wsopen_s,_fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,__loctotime64_t,FindClose,__wdtoxmode,GetLastError,_dosmaperr,FindClose,GetLastError,_dosmaperr,FindClose
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9E8C4C FindFirstFileW,FindClose

Networking

Source: DNS query: xn--ypd.dssdhome.xyz
Source: Joe Sandbox View, IP Address: 169.150.247.37
Source: global traffic, HTTP traffic detected (7 identical requests):
  GET /11/ip.bin HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
  Host: xn--ypd.dssdhome.xyz
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences; 1.1.1.1 is Cloudflare's public DNS resolver)
Source: global traffic, HTTP traffic detected (7 further requests, byte-identical to the one above)
Source: global traffic, DNS traffic detected: DNS query: xn--ypd.dssdhome.xyz

Note on the User-Agent: "Linux i644" is not a real architecture token and there is a stray space before the semicolon, so despite the "known web browser user agent" signature this exact string is a usable network fingerprint for the sample.
Source: EBAbsk8ydv.exe (00000000.00000002.3938638347.00000065E12FA000.00000004.00000010.00020000.00000000.sdmp), String found in binary or memory: http://11.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe, String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EBAbsk8ydv.exe, String found in binary or memory: http://ocsp.thawte.com0
Source: EBAbsk8ydv.exe, String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EBAbsk8ydv.exe, String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EBAbsk8ydv.exe, String found in binary or memory: http://ts-ocsp.ws.symantec.com07
(The five Thawte/Symantec URLs above are CRL/OCSP/AIA pointers from the timestamping chain of the embedded Authenticode signature; no traffic to them appears in the network section.)
Source: EBAbsk8ydv.exe (00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3885206665.0000022251D29000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/.2
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/.dll
Source: EBAbsk8ydv.exe (00000000.00000002.3938753625.0000022251CA8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe (00000000.00000002.3938753625.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3920722011.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.binfU)
Source: EBAbsk8ydv.exe (00000000.00000003.3397293978.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499474925.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/11/ip.binsFF
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/3
Source: EBAbsk8ydv.exe (00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/dll
Source: EBAbsk8ydv.exe (00000000.00000003.3397209493.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/l
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/n
Source: EBAbsk8ydv.exe (00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz/s.dll
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D10000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: http://xn--ypd.dssdhome.xyz:80/11/ip.bin
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: https://xn--ypd.ds
Source: EBAbsk8ydv.exe (00000000.00000003.3397209493.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3921258964.0000022251D42000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251CDC000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: https://xn--ypd.dssdhome.xyz/11/ip.bin
Source: EBAbsk8ydv.exe (00000000.00000003.3397209493.0000022251D03000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3920722011.0000022251CFD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251CFD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499379857.0000022251D04000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp), String found in binary or memory: https://xn--ypd.dssdhome.xyz/11/ip.binLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedEx
(The short variants such as /.2, /3, /l, /n, /dll, /.dll, /s.dll and the ...binfU) / ...binsFF / ...binLocationETag... forms are heap fragments of the same URL buffer, not distinct URLs; the IOCs to record are the two hostnames, xn--ypd.dssdhome.xyz and 11.dssdhome.xyz, the path /11/ip.bin, and the http and https variants of it.)
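
The on-wire host carries an IDN label (xn--ypd), while the in-memory string http://11.dssdhome.xyz/11/ip.bin shows a second, plain-ASCII hostname for the same path; both belong on the IOC list. To see what the xn-- label actually renders as, the following added example (editor's code, not from the report, the sandbox or the sample) implements RFC 3492 Punycode decoding and cross-checks it against Python's built-in codec. Its only inputs are the hostname observed above and the standard "xn--mnchen-3ya" test vector.

```python
"""RFC 3492 Punycode decoder for reviewing IDN hostnames in IOC lists.
Editor's example; the constants and algorithm are those of the RFC."""
import codecs

BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128


def _adapt(delta: int, numpoints: int, firsttime: bool) -> int:
    """Bias adaptation, RFC 3492 section 6.1."""
    delta = delta // DAMP if firsttime else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + ((BASE - TMIN + 1) * delta) // (delta + SKEW)


def _digit(ch: str) -> int:
    """Punycode digit value: a-z (or A-Z) = 0-25, 0-9 = 26-35."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise ValueError(f"invalid Punycode digit {ch!r}")


def punycode_decode(encoded: str) -> str:
    """Decode one label *without* its 'xn--' prefix (RFC 3492 section 6.2).
    Everything before the last '-' is copied through as basic (ASCII) code points;
    the remainder encodes where the non-ASCII code points are inserted."""
    pos = encoded.rfind("-")
    basic, rest = (encoded[:pos], encoded[pos + 1:]) if pos >= 0 else ("", encoded)
    output = list(basic)
    n, i, bias = INITIAL_N, 0, INITIAL_BIAS
    idx = 0
    while idx < len(rest):
        oldi, w, k = i, 1, BASE
        while True:                      # variable-length integer, generalised base 36
            if idx >= len(rest):
                raise ValueError("truncated Punycode input")
            digit = _digit(rest[idx])
            idx += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(output) + 1, oldi == 0)
        n += i // (len(output) + 1)      # i encodes (code point delta, position)
        i %= len(output) + 1
        output.insert(i, chr(n))
        i += 1
    return "".join(output)


def host_to_unicode(host: str) -> str:
    """Decode every xn-- label of a hostname; ASCII labels pass through unchanged."""
    return ".".join(
        punycode_decode(label[4:]) if label.startswith("xn--") else label
        for label in host.lower().split(".")
    )


def matches_stdlib(host: str) -> bool:
    """Cross-check each xn-- label against Python's own punycode codec."""
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            ref = codecs.decode(label[4:].encode("ascii"), "punycode")
            if punycode_decode(label[4:]) != ref:
                return False
    return True


def idn_report(host: str) -> dict:
    """Both forms of the hostname plus the code points of every non-ASCII label,
    so a reviewer can see what the label renders as before adding it to a blocklist."""
    unicode_host = host_to_unicode(host)
    non_ascii = [lbl for lbl in unicode_host.split(".") if not lbl.isascii()]
    return {
        "ascii": host.lower(),
        "unicode": unicode_host,
        "non_ascii_labels": non_ascii,
        "code_points": [[f"U+{ord(c):04X}" for c in lbl] for lbl in non_ascii],
    }


if __name__ == "__main__":
    # Hostname taken from the HTTP Host header observed in the report.
    print(idn_report("xn--ypd.dssdhome.xyz"))
```

For the observed host the decoder returns a single code point, U+1100 (a Hangul conjoining jamo), so the hostname a user would see is one isolated non-Latin character followed by .dssdhome.xyz; an isolated conjoining jamo is not a syllable in Korean, which is a useful reviewer signal even though every reputation service in the tables below returned "safe".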
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9EDD00 CreateFileW,DeviceIoControl,FindCloseChangeNotification
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code functions listed by address only:
  0_2_00007FF7FA9ED434, 0_2_00007FF7FA9ED9A0, 0_2_00007FF7FA9E6FB1, 0_2_00007FF7FA9D1848, 0_2_00007FF7FAA07B2C, 0_2_00007FF7FA9F2B78, 0_2_00007FF7FA9F14C0, 0_2_00007FF7FAA014E0,
  0_2_00007FF7FAA02454, 0_2_00007FF7FAA0442C, 0_2_00007FF7FA9F4C2C, 0_2_00007FF7FA9DEA00, 0_2_00007FF7FA9E29E4, 0_2_00007FF7FA9EE1E8, 0_2_00007FF7FA9D7144, 0_2_00007FF7FAA072C8,
  0_2_00007FF7FA9E0AAC, 0_2_00007FF7FA9F6AAC, 0_2_00007FF7FA9FA278, 0_2_00007FF7FA9D3FD4, 0_2_00007FF7FA9FC7B4, 0_2_00007FF7FA9FAFF0, 0_2_00007FF7FAA04890, 0_2_00007FF7FA9F5D54,
  0_2_00007FF7FAA08D8C, 0_2_00007FF7FAA00EBC, 0_2_00007FF7FA9F9EC8, 0_2_00007FF7FA9F4EA0, 0_2_00007FF7FA9FB6AC, 0_2_00007FF7FA9F2E90, 0_2_00007FF7FA9E7670, 0_2_00007FF7FAA0A660
Source: EBAbsk8ydv.exe, Static PE information: invalid certificate
Source: EBAbsk8ydv.exe, Binary or memory string: OriginalFilename vs EBAbsk8ydv.exe
Source: EBAbsk8ydv.exe (00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp), Binary or memory string: OriginalFilename qbroker.exe vs EBAbsk8ydv.exe
Source: EBAbsk8ydv.exe, Binary or memory string: OriginalFilename qbroker.exe vs EBAbsk8ydv.exe
Source: classification engine, Classification label: mal56.troj.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9DEFA0 GetCurrentThreadId,PostThreadMessageW,Sleep,ShellExecuteW,CoCreateInstance,CoCreateInstance
Source: EBAbsk8ydv.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies key; the shell reads it itself when ShellExecuteW is called, so this is not by itself a policy-evasion indicator)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Sections loaded: version.dll, wininet.dll, netapi32.dll, netutils.dll, wkscli.dll, kernel.appcore.dll, uxtheme.dll, iphlpapi.dll, dhcpcsvc.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll (ondemandconnroutehelper.dll is loaded a further six times)
Source: EBAbsk8ydv.exe, Static PE information: Image base 0x140000000 > 0x60000000
Source: EBAbsk8ydv.exe, Static PE information: data directories present: IMAGE_DIRECTORY_ENTRY_IMPORT (in .rdata), IMAGE_DIRECTORY_ENTRY_RESOURCE (in .rsrc), IMAGE_DIRECTORY_ENTRY_BASERELOC (in .reloc), IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG (in .rdata), IMAGE_DIRECTORY_ENTRY_IAT (in .rdata)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9ECF60 GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: EBAbsk8ydv.exe, Static PE information: real checksum: 0x63c9a should be: 0x61a23
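
The last line reports a nonzero stored checksum (0x63c9a) that does not match the recomputed value (0x61a23). A zero checksum is the linker default for most user-mode executables and means nothing; a nonzero mismatch means the file's bytes changed after the value was written, which would also account for the invalid Authenticode certificate reported above (although an expired or untrusted chain raises that flag as well). The following added example (editor's code, not from the report or the sandbox) reimplements the checksum arithmetic so the claim can be reproduced on any PE file. The 256-byte image it builds is a constructed skeleton with only the fields the routine needs, not the analysed sample, and the sample's own values cannot be reproduced without the file.

```python
"""Recompute and verify the PE optional-header checksum.
Editor's example; the arithmetic follows imagehlp's CheckSumMappedFile."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum, same offset for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Running 32-bit sum of the whole file with end-around carry, skipping the
    4-byte CheckSum field itself, folded to 16 bits, plus the file length.
    Assumes e_lfanew is 4-byte aligned, as it is in linker output."""
    skip = checksum_field_offset(data)
    total = 0
    full = len(data) - len(data) % 4
    for off in range(0, full, 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    if full < len(data):                      # zero-pad a trailing partial dword
        total += int.from_bytes(data[full:].ljust(4, b"\0"), "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    """The value the linker (or a later patcher) left in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_checksum(data: bytes) -> dict:
    """Stored vs computed, like the sandbox's 'real checksum ... should be' line.
    A stored value of 0 is treated as 'not set' rather than as a mismatch."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored in (0, computed)}


def fix_checksum(data: bytes) -> bytes:
    """Write the correct value back, which is what a linker does and what an
    attacker must redo after patching; a stale value is therefore a tamper hint."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_sample_image(stored: int = 0xDEADBEEF) -> bytes:
    """Constructed 256-byte MZ/PE skeleton (not loadable): DOS stub, e_lfanew,
    PE signature and a deliberately wrong CheckSum value; everything else is zero."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, stored)
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_image()
    print(verify_checksum(image))                     # stored 0xDEADBEEF, computed 0xA0DD
    print(verify_checksum(fix_checksum(image)))       # valid after rewriting the field
```

Against a real file, run verify_checksum(open(path, "rb").read()); the sandbox's "real checksum ... should be" line corresponds to "valid" being False with a nonzero "stored" value. Note that the stored field is excluded from the sum, so rewriting it never changes the computed value, while flipping any other byte does.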

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9ED434 CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9ED9A0 CreateFileW,DeviceIoControl,isalnum,isalnum,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9ED748 CreateFileW,DeviceIoControl,malloc,DeviceIoControl,free,CloseHandle, \\.\PhysicalDrive%d

Boot Survival

Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code functions: the same three raw-disk functions listed under Persistence and Installation Behavior (0_2_00007FF7FA9ED434, 0_2_00007FF7FA9ED9A0, 0_2_00007FF7FA9ED748: CreateFileW on \\.\PhysicalDrive%d followed by DeviceIoControl)

Caveat: the report records only DeviceIoControl on the device handle and, at runtime, "File opened: PhysicalDrive0"; no WriteFile to the device is listed anywhere. CreateFileW plus DeviceIoControl on a PhysicalDrive handle is also how disk geometry, serial and vendor strings are queried, which the report separately flags as "Queries disk information (often used to detect virtual machines)". The Bootkit and "infect the boot sector" entries are therefore static capability heuristics triggered by raw physical-drive access, not observed boot-sector modification.
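
The control code the sample sends and the strings it compares against are not in the report. The added example below (editor's code, not the sample's and not from the sandbox) assumes the common disk-identity pattern, IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty on the \\.\PhysicalDrive%d handle, and shows how the returned STORAGE_DEVICE_DESCRIPTOR is parsed and screened for hypervisor vendor/product strings, which is what a VM check built on these three functions would do. Both descriptors are constructed test data; the "Msft / Virtual Disk" identity is what a Hyper-V virtual disk commonly reports but is an assumption here, and the BusType value is carried through without interpretation.

```python
"""Parse a STORAGE_DEVICE_DESCRIPTOR (winioctl.h) and screen its identity strings
for hypervisor markers. Editor's example; the descriptors are constructed."""
import struct

# Fixed header: Version, Size, DeviceType, DeviceTypeModifier, RemovableMedia,
# CommandQueueing, VendorIdOffset, ProductIdOffset, ProductRevisionOffset,
# SerialNumberOffset, BusType, RawPropertiesLength  (36 bytes, little-endian).
_HDR = struct.Struct("<IIBBBBIIIIII")

# Substrings commonly checked by VM-detection code. "msft" and "virtual" also match
# Microsoft Storage Spaces disks on physical hosts, so treat hits as hints, not proof.
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v",
                      "msft", "virtual", "xen", "parallels")


def _cstring(buf: bytes, off: int) -> str:
    """String offsets are relative to the descriptor start; 0 means 'not present'."""
    if off == 0 or off >= len(buf):
        return ""
    end = buf.find(b"\0", off)
    return buf[off:end if end != -1 else len(buf)].decode("ascii", "replace").strip()


def parse_storage_device_descriptor(buf: bytes) -> dict:
    """Decode the header and resolve the four identity strings it points at."""
    if len(buf) < _HDR.size:
        raise ValueError("buffer shorter than STORAGE_DEVICE_DESCRIPTOR header")
    (version, size, dev_type, _dev_type_mod, removable, _cmd_queue,
     vendor_off, product_off, rev_off, serial_off, bus_type, _raw_len) = _HDR.unpack_from(buf, 0)
    return {
        "version": version,
        "size": size,
        "device_type": dev_type,
        "removable": bool(removable),
        "bus_type": bus_type,
        "vendor": _cstring(buf, vendor_off),
        "product": _cstring(buf, product_off),
        "revision": _cstring(buf, rev_off),
        "serial": _cstring(buf, serial_off),
    }


def hypervisor_markers(desc: dict) -> list:
    """Markers found in vendor/product/serial; an empty list means no hypervisor hint."""
    haystack = " ".join((desc["vendor"], desc["product"], desc["serial"])).lower()
    return [m for m in HYPERVISOR_MARKERS if m in haystack]


def build_descriptor(vendor: bytes, product: bytes, revision: bytes,
                     serial: bytes, bus_type: int = 0) -> bytes:
    """Constructed descriptor: header followed by the NUL-terminated strings it
    references, laid out exactly as the storage stack returns them."""
    strings, offsets, off = b"", [], _HDR.size
    for s in (vendor, product, revision, serial):
        if s:
            offsets.append(off)
            strings += s + b"\0"
            off += len(s) + 1
        else:
            offsets.append(0)          # absent string -> offset 0
    total = _HDR.size + len(strings)
    hdr = _HDR.pack(1, total, 0, 0, 0, 1, *offsets, bus_type, 0)
    return hdr + strings


# Constructed: identity commonly reported by a Hyper-V virtual disk (assumed values).
SANDBOX_DISK = build_descriptor(b"Msft    ", b"Virtual Disk    ", b"1.0 ", b"")
# Constructed: a physical disk with no vendor field and a serial number.
PHYSICAL_DISK = build_descriptor(b"", b"EXAMPLE-DISK-1TB", b"AB01", b"ZN1A2B3C")


if __name__ == "__main__":
    for name, blob in (("sandbox", SANDBOX_DISK), ("physical", PHYSICAL_DISK)):
        desc = parse_storage_device_descriptor(blob)
        print(name, desc["vendor"], desc["product"], hypervisor_markers(desc))
```

The descriptor can be retrieved with a handle opened for device queries alone, without writing a byte to the disk, which is why this activity satisfies the static boot-sector heuristic: a real bootkit would use the same CreateFileW/DeviceIoControl pair before a WriteFile to sector 0, and the report lists no such write.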
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9F2B78 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_0-22256)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, TID: 420, Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, TID: 420, Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Last function: Thread delayed
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9E06C4 GetSystemTimeAsFileTime,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetSystemDefaultLangID,InternetOpenA,InternetSetOptionW,InternetConnectW
Source: EBAbsk8ydv.exe (00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3397209493.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp), Binary or memory string: Hyper-V RAW
Source: EBAbsk8ydv.exe (00000000.00000002.3938753625.0000022251CA8000.00000004.00000020.00020000.00000000.sdmp), Binary or memory string: Hyper-V RAW0s
("Hyper-V RAW" is the display name of the Winsock protocol-catalog entry for AF_HYPERV sockets. It is present in the memory of any process that initialises Winsock on a Windows 10 host with Hyper-V components (mswsock.dll is loaded above), so it is most likely an artifact of the analysis environment rather than a string the sample searches for.)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, API call chain: ExitProcess graph end node (graph_0-22196)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9EECDC GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA04D00 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_write_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock (the _write_nolock/_setmode_nolock names show this is the CRT write path; the GetProcessHeap call the debugger-detection signature keys on is its temporary buffer allocation)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9F87D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01BD0 _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA013DC __crtGetLocaleInfoEx
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01328 __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA014E0 _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9FE4DC __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA019A0 _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9FE944 __crtDownlevelLocaleNameToLCID,GetLocaleInfoW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9FE900 EnumSystemLocalesW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA0190C _getptd,EnumSystemLocalesW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01858 _getptd,EnumSystemLocalesW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01DCC _getptd,GetLocaleInfoW
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9F3598 __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01D1C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA00EBC _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9F4EA0 _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9FE648 _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA01E74 _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s
(The locale functions above are MSVC CRT setlocale internals, recognisable by the _getptd, __crt* and _invoke_watson names; they account for the "query locales information" signature and are runtime initialisation rather than sample logic. The GetSystemDefaultLangID call in 0_2_00007FF7FA9E06C4, made directly before InternetOpenA, is the one language query that belongs to the sample's own code.)
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FAA0442C _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,_getenv_helper_nolock,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson
Source: C:\Users\user\Desktop\EBAbsk8ydv.exe, Code function: 0_2_00007FF7FA9EDF34 GetVersionExW
MITRE ATT&CK Matrix

Techniques matched by the signatures above, with hit counts per tactic. The remaining cells of the rendered matrix are the unmatched template entries and are omitted.

Execution: Native API (2)
Persistence: Bootkit (1); DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (2); Bootkit (1); DLL Side-Loading (1)
Discovery: System Time Discovery (2); Security Software Discovery (41); Virtualization/Sandbox Evasion (2); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (24)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no technique matched
Initial sample
Source | Detection | Scanner | Label | Link
EBAbsk8ydv.exe | 12% | Virustotal | | Browse
EBAbsk8ydv.exe | 14% | ReversingLabs | |
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
http://xn--ypd.dssdhome.xyz/l | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/ | 0% | Avira URL Cloud | safe |
https://xn--ypd.ds | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/11/ip.bin | 0% | Avira URL Cloud | safe |
http://11.dssdhome.xyz/11/ip.bin | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/n | 0% | Avira URL Cloud | safe |
https://xn--ypd.dssdhome.xyz/11/ip.bin | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/11/ip.bin | 0% | Virustotal | | Browse
http://xn--ypd.dssdhome.xyz/3 | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz:80/11/ip.bin | 0% | Avira URL Cloud | safe |
https://xn--ypd.dssdhome.xyz/11/ip.binLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedEx | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/11/ip.binfU) | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/dll | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/.2 | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/.dll | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz/s.dll | 0% | Avira URL Cloud | safe |
http://xn--ypd.dssdhome.xyz:80/11/ip.bin | 0% | Virustotal | | Browse
http://xn--ypd.dssdhome.xyz/11/ip.binsFF | 0% | Avira URL Cloud | safe |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mooscc.b-cdn.net | 169.150.247.37 | true | false | | unknown
xn--ypd.dssdhome.xyz | unknown | unknown | true | | unknown
URLs found in memory (Name; Source; Malicious; Antivirus Detection; Reputation)

http://xn--ypd.dssdhome.xyz/
  Source: EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3885206665.0000022251D29000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/11/ip.bin
  Source: EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251CA8000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: 0%, Virustotal, Browse; Avira URL Cloud: safe; Reputation: unknown

http://11.dssdhome.xyz/11/ip.bin
  Source: EBAbsk8ydv.exe, 00000000.00000002.3938638347.00000065E12FA000.00000004.00000010.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

https://xn--ypd.ds
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0
  Source: EBAbsk8ydv.exe
  Malicious: false; Antivirus detection: URL Reputation: safe; URL Reputation: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/l
  Source: EBAbsk8ydv.exe, 00000000.00000003.3397209493.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/n
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://ocsp.thawte.com0
  Source: EBAbsk8ydv.exe
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown

https://xn--ypd.dssdhome.xyz/11/ip.bin
  Source: EBAbsk8ydv.exe, 00000000.00000003.3397209493.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3921258964.0000022251D42000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251CDC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/3
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz:80/11/ip.bin
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251D10000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: 0%, Virustotal, Browse; Avira URL Cloud: safe; Reputation: unknown

https://xn--ypd.dssdhome.xyz/11/ip.binLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedEx
  Source: EBAbsk8ydv.exe, 00000000.00000003.3397209493.0000022251D03000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251CFD000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251CFD000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D04000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/11/ip.binfU)
  Source: EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/dll
  Source: EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/.2
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3806545319.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/.dll
  Source: EBAbsk8ydv.exe, 00000000.00000003.3920722011.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000002.3938753625.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/s.dll
  Source: EBAbsk8ydv.exe, 00000000.00000003.3499379857.0000022251D1D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

http://xn--ypd.dssdhome.xyz/11/ip.binsFF
  Source: EBAbsk8ydv.exe, 00000000.00000003.3397293978.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp; EBAbsk8ydv.exe, 00000000.00000003.3499474925.0000022251CE0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

Of these, only http://xn--ypd.dssdhome.xyz/11/ip.bin was requested on the wire (see the HTTP traffic below), and the https:// form is the Location the server answered with. The entries ending in /l, /n, /3, ip.binfU), ip.binsFF and ip.binLocationETag… are the same URL with trailing bytes picked up by the memory string scanner, not separate URLs, and https://xn--ypd.ds is a truncated copy. http://11.dssdhome.xyz/11/ip.bin comes from a different memory region and was neither resolved nor contacted during the run.
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
169.150.247.37 | mooscc.b-cdn.net | United States | | 2711 | SPIRITTEL-ASUS | false
The address is a BunnyCDN edge reached through the mooscc.b-cdn.net CNAME and is shared with unrelated content (the Context section below lists other submissions on the same IP and neighbouring addresses), so the hostname xn--ypd.dssdhome.xyz is the indicator to pivot on, not the IP.
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1488510
      Start date and time:2024-08-06 06:51:33 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 52s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
Number of new started processes analysed: 5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:EBAbsk8ydv.exe
      renamed because original name is a hash value
      Original Sample Name:4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4.exe
      Detection:MAL
      Classification:mal56.troj.winEXE@1/0@2/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 13
      • Number of non-executed functions: 55
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      No simulations
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
169.150.247.37 | https://softworldinc.com | Get hash | malicious | Unknown | Browse | cdn.rawgit.com/michalsnik/aos/2.1.1/dist/aos.js
| http://office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net | Get hash | malicious | Unknown | Browse | office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net/background-mailbox.jpg
Domains: No context
ASNs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SPIRITTEL-ASUS | https://mato-camp-v4.b-cdn.net/kesty | Get hash | malicious | Unknown | Browse | 169.150.247.33
| https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u | Get hash | malicious | HTMLPhisher | Browse | 169.150.247.37
| https://16784846511.cloud/ | Get hash | malicious | Unknown | Browse | 169.150.247.36
| jQ0zXV2d1X.elf | Get hash | malicious | Mirai | Browse | 165.167.232.23
| https://ipfs.io/ipfs/QmVLJJWuJ1bT38BeLkxSKLDMhVADeV6vmCtQ5cAqW3qdoR | Get hash | malicious | HTMLPhisher | Browse | 169.150.247.36
| IISz6QDXkY.elf | Get hash | malicious | Mirai | Browse | 207.146.102.5
| https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/ | Get hash | malicious | Unknown | Browse | 169.150.247.36
| https://link.storjshare.io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip?download=1 | Get hash | malicious | Unknown | Browse | 169.150.247.39
JA3 fingerprints: No context
Dropped files: No context
      No created / dropped files found
      File type:PE32+ executable (GUI) x86-64, for MS Windows
      Entropy (8bit):6.219147275536416
      TrID:
      • Win64 Executable GUI (202006/5) 92.65%
      • Win64 Executable (generic) (12005/4) 5.51%
      • Generic Win/DOS Executable (2004/3) 0.92%
      • DOS Executable Generic (2002/1) 0.92%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:EBAbsk8ydv.exe
      File size:352'608 bytes
      MD5:e546e832f5762cbf8f28b6558c012b8d
      SHA1:ad6368dbb616f9a1a56ec1d3ac9026887928ad63
      SHA256:4fdb0465d2a66e1d810e072b8e205bf7445566a8e9a97c4cd3da0a7b4dc991a4
      SHA512:f68c9286765cca89fc63020b2573ddc88cff745e5502fd5cf97c1160ce8f46a6bd08227be335d3a2022a1ac179eddddbd52d05c7a9c32332cffcc1dbd7de21c7
      SSDEEP:6144:rEdue2soURTO6e6FMCnIpXsuJr79LLKFdLEH5Z:rm2soUQR+nIhLKFd4Z
      TLSH:94747E69F2E455F8C46BC63689964642D3F27C261A7ADF4F13A0472B2F332909F2D712
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B....p...p...p..@!F..p..@!x.Jp..@!y..p....W..p....R..p...p...p..{.|..p..."B..p...p...p..{.G..p..Rich.p.........................
      Icon Hash:00928e8e8686b000
      Entrypoint:0x140020618
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x140000000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x5626F46B [Wed Oct 21 02:11:55 2015 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:2
      File Version Major:5
      File Version Minor:2
      Subsystem Version Major:5
      Subsystem Version Minor:2
      Import Hash:b330d810ce52a718c58fc0a72cbb426c
      Signature Valid:false
      Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the hash Windows computes over the image does not match the digest inside the PKCS#7 signature, so the file was altered after it was signed or carries a signature transplanted from another Tencent-signed binary; this is a digest mismatch, not a chain or expiry failure, even though the certificate's validity ended on 16/02/2016)
      Not Before, Not After
      • 16/01/2013 19:00:00 16/02/2016 18:59:59
      Subject Chain
      • CN=Tencent Technology(Shenzhen) Company Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Tencent Technology(Shenzhen) Company Limited, L=shenzhen, S=guangdong, C=CN
      Version:3
      Thumbprint MD5:242913A2A31BAD3BC7F08E547E0BBFAD
      Thumbprint SHA-1:2FDD445591CD2EEDBEF8B8A281896A59C08B3DC9
      Thumbprint SHA-256:16DB61B6F85E044F6DE44775EC093BEFDA52C35C4AB1424E9463C01B5E11E386
      Serial:7170BD93CF3F189AE6452B514C49340E
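Added example (not part of the Joe Sandbox report and not code from the sample's author) showing what the error number above means for this file. -2146869232 is the signed form of HRESULT 0x80096010, TRUST_E_BAD_DIGEST, which Windows reports when the hash it computes over the image differs from the digest inside the PKCS#7 blob. The certificate table sits at file offset 0x54800 with size 0x1960 (see the data directories below); 0x54800 + 0x1960 = 0x56160 = 352'608 bytes, the file size, so nothing follows the signature and the mismatch must come from the image bytes themselves. `authenticode_hash` computes the file-side digest the way the Authenticode specification prescribes (CheckSum field, Security directory entry and the certificate table excluded, sections hashed in ascending PointerToRawData order). Comparing that value with the digest stored in the PKCS#7 SignedData needs an ASN.1 parser and the binary, neither of which is shown here. `build_demo_pe` is a constructed minimal PE32+ fixture with a placeholder certificate table, so the properties that matter can be checked without the sample: signing, re-signing or editing the CheckSum leaves the digest unchanged, while flipping one byte of .text changes it.

```python
"""Authenticode digest check for a PE file (example added to the report)."""
import hashlib
import struct

# The report prints error numbers as signed 32-bit integers; Windows defines
# them as HRESULTs.  0x80096010 is the only code this report exhibits.
HRESULT_NAMES = {0x80096010: "TRUST_E_BAD_DIGEST"}


def hresult(error_number):
    """Signed error number as printed by the sandbox -> unsigned HRESULT."""
    return error_number & 0xFFFFFFFF


def pe_layout(data):
    """Offsets that Authenticode hashing needs, read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+ data directories
    return {
        "checksum": opt + 0x40,                  # OptionalHeader.CheckSum
        "size_of_headers": struct.unpack_from("<I", data, opt + 0x3C)[0],
        "security_entry": dd_base + 4 * 8,       # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
        "section_table": opt + opt_size,
        "nsections": nsections,
    }


def security_directory(data):
    """(file offset, size) of the WIN_CERTIFICATE table; (0, 0) when unsigned."""
    return struct.unpack_from("<II", data, pe_layout(data)["security_entry"])


def authenticode_hash(data, algo="sha256"):
    """File-side Authenticode digest: everything except CheckSum, the Security
    directory entry and the certificate table, sections in raw-offset order."""
    lay = pe_layout(data)
    cs, sec, hdr_end = lay["checksum"], lay["security_entry"], lay["size_of_headers"]
    h = hashlib.new(algo)
    h.update(data[:cs])                           # headers up to CheckSum
    h.update(data[cs + 4:sec])                    # CheckSum skipped
    h.update(data[sec + 8:hdr_end])               # Security entry skipped
    hashed = hdr_end
    sections = []
    for i in range(lay["nsections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, lay["section_table"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):    # spec: ascending PointerToRawData
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    cert_off, cert_size = struct.unpack_from("<II", data, sec)
    if len(data) > hashed:                        # overlay, minus the certificate table
        if cert_size and cert_off >= hashed:
            h.update(data[hashed:cert_off])
            h.update(data[cert_off + cert_size:])
        else:
            h.update(data[hashed:])
    return h.hexdigest()


def build_demo_pe(text=b"\x90" * 0x200, cert=b"", checksum=0):
    """Constructed minimal PE32+ (one .text section, optional placeholder
    certificate table appended at the end); a test fixture, not a real binary."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff, opt = 0x44, 0x58
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    struct.pack_into("<H", hdr, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", hdr, opt + 0x3C, 0x200)                 # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 0x40, checksum)              # CheckSum
    struct.pack_into("<I", hdr, opt + 0x6C, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", hdr, opt + 0xF0, b".text", len(text), 0x1000, len(text), 0x200)
    if cert:                                                       # Security directory entry
        struct.pack_into("<II", hdr, opt + 0x70 + 4 * 8, 0x200 + len(text), len(cert))
    return bytes(hdr) + text + cert
```

On the real sample, `authenticode_hash(open(path, "rb").read())` yields the value to set beside the digest extracted from the PKCS#7 blob; with TRUST_E_BAD_DIGEST the two differ. The `osslsigncode verify` subcommand performs the same comparison on non-Windows hosts.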
Instruction (entrypoint disassembly as the sandbox shows it; the 64-bit code is decoded with 32-bit mnemonics, so each REX.W prefix byte 0x48 appears as a spurious `dec eax` and 0x49 as `dec ecx`: `dec eax / sub esp, 28h` is `sub rsp, 28h`, `dec eax / mov eax, ecx` is `mov rax, rcx`, and `dec ecx / mov eax, FEFEFEFFh` is the first five bytes of a 64-bit immediate load into r8)
      dec eax
      sub esp, 28h
      call 00007F7B7918C838h
      dec eax
      add esp, 28h
      jmp 00007F7B79184C7Bh
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      nop word ptr [eax+eax+00000000h]
      dec eax
      mov eax, ecx
      dec eax
      neg ecx
      dec eax
      test eax, 00000007h
      je 00007F7B79184E51h
      nop
      mov dl, byte ptr [eax]
      dec eax
      inc eax
      test dl, dl
      je 00007F7B79184EA1h
      test al, 07h
      jne 00007F7B79184E35h
      dec ecx
      mov eax, FEFEFEFFh
      Programming Language:
      • [RES] VS2013 build 21005
      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4da38 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x6e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x55000 | 0x2a54 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x54800 | 0x1960 | (file offset rather than an RVA; 0x54800 + 0x1960 = 0x56160 = 352'608, the file size, so the certificate table is the last 6'496 bytes of the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x59000 | 0xbf4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c610 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x481f0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x538 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3affc | 0x3b000 | 043d7a8a7762ce240ee30b0e264bf052 | False | 0.4893198821504237 | data | 6.43588709572288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3c000 | 0x12bca | 0x12c00 | b8c697b4fe8eae5f35d8658801eb1c54 | False | 0.3447395833333333 | data | 4.4036530103672185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0x5238 | 0x2800 | 752715e664679c0b2c6de2e3dfe40a72 | False | 0.24716796875 | data | 3.448216610884499 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x55000 | 0x2a54 | 0x2c00 | c883e64b3fad00cc2dfa25ec2d2587a5 | False | 0.4665305397727273 | data | 5.31766570768096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x58000 | 0x6e8 | 0x800 | dfea87dd18bd72fb2394ad0ec611cfd5 | False | 0.40478515625 | data | 4.374395563555661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x59000 | 0xbf4 | 0xc00 | e2b726280567b8e93f7147381710dc80 | False | 0.4895833333333333 | data | 5.420233678628129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x580a0 | 0x2dc | data | Chinese | China | 0.47950819672131145
RT_MANIFEST | 0x58380 | 0x365 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (809), with CRLF line terminators | English | United States | 0.4890678941311853
DLL: imports
KERNEL32.dll: GetLastError, HeapSize, EnterCriticalSection, CreateEventW, DecodePointer, WaitForMultipleObjects, CreateWaitableTimerW, DeleteCriticalSection, GetCurrentThreadId, CloseHandle, CreateThread, RaiseException, Sleep, GetCurrentProcess, GetModuleHandleW, OpenProcess, LoadLibraryW, GetProcAddress, OpenThread, GetModuleHandleA, LocalFree, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, GetProcessHeap, SetEvent, WaitForSingleObject, HeapFree, SetWaitableTimer, HeapAlloc, SetErrorMode, GetModuleFileNameW, HeapReAlloc, SetEnvironmentVariableA, FlushFileBuffers, WriteConsoleW, ReadConsoleW, SetEndOfFile, GetTimeZoneInformation, SetStdHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, LoadLibraryExW, GetCurrentDirectoryW, GetFullPathNameW, PeekNamedPipe, GetFileInformationByHandle, FileTimeToLocalFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlCaptureContext, FreeEnvironmentStringsW, IsDebuggerPresent, OutputDebugStringW, MultiByteToWideChar, WideCharToMultiByte, GetSystemDefaultLangID, GetSystemTimeAsFileTime, GetSystemInfo, GetVersionExW, CreateFileW, CopyFileW, DeleteFileW, GetFileSize, ReadFile, WriteFile, FindFirstFileW, FindClose, ExpandEnvironmentStringsW, GetSystemDirectoryW, FreeLibrary, DeviceIoControl, EncodePointer, GetCommandLineW, RtlPcToFileHeader, RtlLookupFunctionEntry, RtlUnwindEx, FindFirstFileExW, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, CreateDirectoryW, IsProcessorFeaturePresent, ExitProcess, GetModuleHandleExW, GetStdHandle, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, GetStringTypeW, GetFileType, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW
USER32.dll: PostThreadMessageW, PostQuitMessage, GetMessageW, DispatchMessageW
ADVAPI32.dll: RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegOpenKeyExA, RegQueryValueExA
SHELL32.dll: CommandLineToArgvW, ShellExecuteW, SHGetSpecialFolderPathW
ole32.dll: CoUninitialize, StringFromGUID2, CoInitializeEx, CoRevokeClassObject, CoRegisterClassObject, CoCreateInstance, CoInitialize, CoCreateGuid, CoRegisterMessageFilter
OLEAUT32.dll: SysAllocString, SysFreeString, SysStringLen, VariantClear, VariantInit, SysAllocStringLen, VariantChangeType
SHLWAPI.dll: PathAppendW, PathFileExistsW, PathFindFileNameW
VERSION.dll: GetFileVersionInfoW, VerQueryValueW
WS2_32.dll: htonl, htons
WININET.dll: HttpSendRequestA, HttpOpenRequestW, InternetConnectW, InternetSetOptionW, InternetOpenA, InternetCloseHandle
NETAPI32.dll: Netbios, NetApiBufferFree, NetWkstaTransportEnum
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 6, 2024 06:54:20.904459000 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:20.909313917 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:20.909380913 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:20.909967899 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:20.914833069 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:21.539872885 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:21.581625938 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:31.552712917 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:31.557707071 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:31.737569094 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:31.784774065 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:41.766303062 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:41.771150112 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:41.951476097 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:42.003565073 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:51.974584103 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:54:51.979671955 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:52.161663055 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:54:52.206763029 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:02.177726030 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:02.183000088 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:02.409629107 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:02.456922054 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:12.478053093 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:12.482887983 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:12.668390036 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:12.668579102 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:12.674016953 CEST | 80 | 49714 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:12.674063921 CEST | 49714 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:23.387135029 CEST | 49715 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:23.392205000 CEST | 80 | 49715 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:23.392278910 CEST | 49715 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:23.393651009 CEST | 49715 | 80 | 192.168.2.6 | 169.150.247.37
Aug 6, 2024 06:55:23.398497105 CEST | 80 | 49715 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:24.064744949 CEST | 80 | 49715 | 169.150.247.37 | 192.168.2.6
Aug 6, 2024 06:55:24.113007069 CEST | 49715 | 80 | 192.168.2.6 | 169.150.247.37
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 6, 2024 06:54:20.537060022 CEST | 51491 | 53 | 192.168.2.6 | 1.1.1.1
Aug 6, 2024 06:54:20.897933960 CEST | 53 | 51491 | 1.1.1.1 | 192.168.2.6
Aug 6, 2024 06:55:22.696399927 CEST | 62519 | 53 | 192.168.2.6 | 1.1.1.1
Aug 6, 2024 06:55:23.307462931 CEST | 53 | 62519 | 1.1.1.1 | 192.168.2.6
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 6, 2024 06:54:20.537060022 CEST | 192.168.2.6 | 1.1.1.1 | 0xdbb | Standard query (0) | xn--ypd.dssdhome.xyz | A (IP address) | IN (0x0001) | false
Aug 6, 2024 06:55:22.696399927 CEST | 192.168.2.6 | 1.1.1.1 | 0xcb1e | Standard query (0) | xn--ypd.dssdhome.xyz | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 6, 2024 06:54:20.897933960 CEST | 1.1.1.1 | 192.168.2.6 | 0xdbb | No error (0) | xn--ypd.dssdhome.xyz | mooscc.b-cdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 6, 2024 06:54:20.897933960 CEST | 1.1.1.1 | 192.168.2.6 | 0xdbb | No error (0) | mooscc.b-cdn.net | | 169.150.247.37 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 06:55:23.307462931 CEST | 1.1.1.1 | 192.168.2.6 | 0xcb1e | No error (0) | xn--ypd.dssdhome.xyz | mooscc.b-cdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 6, 2024 06:55:23.307462931 CEST | 1.1.1.1 | 192.168.2.6 | 0xcb1e | No error (0) | mooscc.b-cdn.net | | 169.150.247.37 | A (IP address) | IN (0x0001) | false
      • xn--ypd.dssdhome.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49714 | 169.150.247.37 | 80 | 2488 | C:\Users\user\Desktop\EBAbsk8ydv.exe
Timestamp | Bytes transferred | Direction | Data
Aug 6, 2024 06:54:20.909967899 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:54:21.539872885 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:54:21 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 3fde225c8452d734131da18c56a37dfb
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:54:31.552712917 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:54:31.737569094 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:54:31 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 50f0749d292190a97d2c3125c585dc4b
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:54:41.766303062 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:54:41.951476097 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:54:41 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 0088e30e5e1828b1593dec1701e10a6d
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:54:51.974584103 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:54:52.161663055 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:54:52 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 4e024ec02e9035057e3aa1749e7262f0
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:55:02.177726030 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:55:02.409629107 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:55:02 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 45ade02b2bd2b3a25bcf77d5ac2a58eb
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 6, 2024 06:55:12.478053093 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:55:12.668390036 CEST | 365 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:55:12 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: 18f4b088be584eebb7fa210a555a7390


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49715 | 169.150.247.37 | 80 | 2488 | C:\Users\user\Desktop\EBAbsk8ydv.exe
Timestamp | Bytes transferred | Direction | Data
Aug 6, 2024 06:55:23.393651009 CEST | 153 | OUT | GET /11/ip.bin HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Linux i644 ; en-US) Gecko/20100101 Firefox/70.2
      Host: xn--ypd.dssdhome.xyz
Aug 6, 2024 06:55:24.064744949 CEST | 527 | IN | HTTP/1.1 301 Moved Permanently
      Date: Tue, 06 Aug 2024 04:55:23 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      Server: BunnyCDN-DE1-1080
      CDN-PullZone: 2373567
      CDN-Uid: 95780366-96cb-4089-af63-a08b2db1368d
      CDN-RequestCountryCode: US
      Location: https://xn--ypd.dssdhome.xyz/11/ip.bin
      CDN-RequestId: ec2b719c8a490edf28af830c9f5dc6ee
      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>



      Target ID:0
      Start time:00:52:19
      Start date:06/08/2024
      Path:C:\Users\user\Desktop\EBAbsk8ydv.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\EBAbsk8ydv.exe"
      Imagebase:0x7ff7fa9d0000
      File size:352'608 bytes
      MD5 hash:E546E832F5762CBF8F28B6558C012B8D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false


        Execution Graph

        Execution Coverage:2.9%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:29.4%
        Total number of Nodes:385
        Total number of Limit Nodes:10

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Thread$Current$Object$ClassMessage$Handle$CloseCreateEventInitializeRegisterRevokeSystemTime_errno$AddressAllocArgvCommandCountCriticalDefaultDispatchErrorFileFreeHeapLangLineLocalModeModulePostProcSectionSingleSpinUninitializeWait_callnewhmalloc
        • String ID: !!!param=(%ws), and result=%d(0x%x)$--pt=
        • API String ID: 936543831-3547824706
        • Opcode ID: 58205efe5a3e29f5020299fe62fb87e29203e1061887d7311f45762cce80e52e
        • Instruction ID: 5bfa141bfe620420226d1a44574b90ff49c3b422c1bf9aa4a6447edb76713bb7
        • Opcode Fuzzy Hash: 58205efe5a3e29f5020299fe62fb87e29203e1061887d7311f45762cce80e52e
        • Instruction Fuzzy Hash: D7A13E36B08A038AFB10EF71E4549ACB3A1FF44748B904075CD6D97AD4DE3CA55AC7A0

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: InternetSystem$Time$AddressConnectDefaultFileHandleInfoLangModuleOpenOptionProc
        • String ID: GetNativeSystemInfo$QQ Data Report$kernel32.dll$qbwup.imtt.qq.com
        • API String ID: 3082367296-404951005
        • Opcode ID: dfcdd1e627b552f5fcc6b089cbe0647b8e705594d37419fb9a644f721dbe48a1
        • Instruction ID: aad12919c150ebaf2d2d7779327c10ac48f716a486441c4c68e23a5366fe2751
        • Opcode Fuzzy Hash: dfcdd1e627b552f5fcc6b089cbe0647b8e705594d37419fb9a644f721dbe48a1
        • Instruction Fuzzy Hash: 4A618E26A08A429AFB10EF30D4847E863A0EF54758F8001B5DA2D876EADF3DD559C7B1

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID:
        • String ID: $($0$4$5$6$G$M$T$a$i$l$u$z
        • API String ID: 0-2079474088
        • Opcode ID: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
        • Instruction ID: 342e69265496549e71dd7cd37ede28e845c9a3a2316cd2d526fd3b92289ce866
        • Opcode Fuzzy Hash: 7d012af2536f1f7d995bb6865e94ab2d39a3359b1312110b88a70488074df788
        • Instruction Fuzzy Hash: 01B166766047818AE760CF61E8887AE7BB5F748B8CF448029DF495BB48DF788549CB60

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: isalnumisprint$ChangeCloseControlCreateDeviceErrorFileFindLastNotification_wcsftime_lisspace
        • String ID: \\.\PhysicalDrive%d
        • API String ID: 3713868347-2935326385
        • Opcode ID: 5f22f7dda0fa0d2083e89765b6fb2e99ee3076c198469aed35988f3e453eb5fa
        • Instruction ID: 52b1896d6b145acc84466c836e7b8b6ad6bda569ce3fa85cdbf927045080ea5f
        • Opcode Fuzzy Hash: 5f22f7dda0fa0d2083e89765b6fb2e99ee3076c198469aed35988f3e453eb5fa
        • Instruction Fuzzy Hash: 0A91D826A0C6C254F720EB3594802EEB760FB95398FD05271DA7C87ADADF39D149C7A0

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Library$AdaptersAddressDirectoryFreeInfoLoadProcSystem
        • String ID: GetAdaptersInfo$iphlpapi.dll
        • API String ID: 779643986-3114217049
        • Opcode ID: 4a27c3a1f73799821867c693db5f1ce39942eb2f893445ff2fda54d3b6687bb2
        • Instruction ID: 9b6e368f38211d8ee521ab2ea7c595cbd31379c8b79ed7a37015e57cefa71e33
        • Opcode Fuzzy Hash: 4a27c3a1f73799821867c693db5f1ce39942eb2f893445ff2fda54d3b6687bb2
        • Instruction Fuzzy Hash: 355138266186C199FB25EF20D5942F9B7A0FF59744F845172CA6C837C2EF38D606C361

        Control-flow Graph

        Control-flow graph (rendered image not reproduced): entry block 7ff7fa9ed434; the blocks on the graph call CreateFileW, DeviceIoControl and CloseHandle.
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ControlDevice$CloseCreateFileHandle_wcsftime_l
        • String ID: $\\.\PhysicalDrive%d
        • API String ID: 2232022054-4129297631
        • Opcode ID: e552fafb8f0c2b07f14bd3e18931d16ec8ff4264b4c9298c1863061f42ef912c
        • Instruction ID: f9e4ede590e3be1d27eb768471deec183c283f429bea0a29a14ed47c9c54ad00
        • Opcode Fuzzy Hash: e552fafb8f0c2b07f14bd3e18931d16ec8ff4264b4c9298c1863061f42ef912c
        • Instruction Fuzzy Hash: 0681F722B0C64185FF10EB61E4803EDA7A0FB95798F800175DA6D87AD6DF7CD145CBA1

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ChangeCloseControlCreateDeviceFileFindNotification_wcsftime_l
        • String ID: SCSIDISK$\\.\Scsi%d:
        • API String ID: 1682414592-2176293039
        • Opcode ID: 577b507be059ceb8dda8a8d80dc6f0ca7d4625d406ab22ce9cbaccb78d2fb990
        • Instruction ID: c24dce74043ec3b892981036b79913d75bf2b170365f751524dfb1411f432794
        • Opcode Fuzzy Hash: 577b507be059ceb8dda8a8d80dc6f0ca7d4625d406ab22ce9cbaccb78d2fb990
        • Instruction Fuzzy Hash: AC51D63270864249FB20EB25E4447EAA7A0FB55798FC00171DE6C47AD6DF3CD145CBA1

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Version
        • String ID:
        • API String ID: 1889659487-0
        • Opcode ID: 9310357b27b72605c91cda9fd868c2f1d05fda8222a43fcded9a615d6b2e3943
        • Instruction ID: e49a741c759b16db9d3b4a6a19039254907747b13df6c28b4016ccd9d143a937
        • Opcode Fuzzy Hash: 9310357b27b72605c91cda9fd868c2f1d05fda8222a43fcded9a615d6b2e3943
        • Instruction Fuzzy Hash: 5611C120E1C35644FF10FB126A443B5D2805F26BC4F8024B5DE2D97AD79E2CA41A86B2

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: CloseOpenQueryValue$_wcsftime_l
        • String ID: %s\Connection$MediaSubType$PCI$PnpInstanceID$System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
        • API String ID: 1942821279-3769660923
        • Opcode ID: 1e710f77e3ee06986cbe06514addf1342d7295bd946d04cac56360bd4f484af0
        • Instruction ID: 7682ad934595a42390734293f2e5bee14080a59effbb02d6cdc778ce106938ea
        • Opcode Fuzzy Hash: 1e710f77e3ee06986cbe06514addf1342d7295bd946d04cac56360bd4f484af0
        • Instruction Fuzzy Hash: 6C51713261CB4296FB50DF21E48066AF3B4FB88794F901171EA9D83A99DF3CD509CB90

        Control-flow Graph

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: 32.d$dll$msvc$rt.d$ttp.$user$winh
        • API String ID: 1029625771-3273083856
        • Opcode ID: 73224d7bf1c59c6d7a50056a5264328afd2584649fa69412497d679d280ec81e
        • Instruction ID: 970a5f936a11ab37a9db6bdb66509af1bdc57440d1d51f319052110ac4b26026
        • Opcode Fuzzy Hash: 73224d7bf1c59c6d7a50056a5264328afd2584649fa69412497d679d280ec81e
        • Instruction Fuzzy Hash: F9413131E49B4286F710FF61B08929EB6A5FB95304F508074D7E94B79ADF38E82183A1

        Control-flow Graph

        Control-flow graph (rendered image not reproduced): entry block 7ff7fa9e7dc8; the blocks on the graph call CoInitialize, CoCreateGuid and CoUninitialize.
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: File$Create$BufferCloseCopyDeleteEnumFreeGuidHandleInitializeReadSizeTransportUninitializeWkstamallocswscanf
        • String ID:
        • API String ID: 967320499-0
        • Opcode ID: f45f6e0889ba490f2accccdbf6b7aa0c194da9b90917add94f5b7e6bbfcb44cd
        • Instruction ID: 8d880a5c6969dd9c5f30855e88acdea84056bb7d82342611682d12eb8dd47b5c
        • Opcode Fuzzy Hash: f45f6e0889ba490f2accccdbf6b7aa0c194da9b90917add94f5b7e6bbfcb44cd
        • Instruction Fuzzy Hash: 27A19022A1C64185FB10EB61E8801EEA770FBA1748F900475EE6D876E7DF79D484C7B1

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ChangeCloseFindNotificationSleep
        • String ID:
        • API String ID: 1821831730-0
        • Opcode ID: 17cfd8ad0c7638cb764231ca36a94797f8588443699496d39ce2ea07f32eeec3
        • Instruction ID: 8f3b51d3dfdbda912a92a30696180a5e1ce7b77dcdb811bbaba29d34b49274f0
        • Opcode Fuzzy Hash: 17cfd8ad0c7638cb764231ca36a94797f8588443699496d39ce2ea07f32eeec3
        • Instruction Fuzzy Hash: C3415972A046808AE710DF71E4583AD3AB2F749BDCF148139DF192BB88DF7885898B50

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: memcpy_s
        • String ID:
        • API String ID: 1502251526-0
        • Opcode ID: 3ba629cbf69f092d9a6a99baa789089f6e541fc72971d204d36041c70e46a210
        • Instruction ID: fcdb52f73e6e28c9a6fc6759398a4755f876522f8785302e86a667bdcda85a52
        • Opcode Fuzzy Hash: 3ba629cbf69f092d9a6a99baa789089f6e541fc72971d204d36041c70e46a210
        • Instruction Fuzzy Hash: AD318E32B09A4194FB20EB60E4913FCA3B0AB54B48F940275CE6D976C6CF3CD556C7A1
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: String_snwprintf_s$Free$AllocExecuteShell
        • String ID: !!!CCustomInternetExplorer::Navigate::TargetFrameName=%p, PostData =%p, Headers=%p$!!!CCustomInternetExplorer::Navigate::succeeded GetQQBrowserRegExePath, hShellEcecute=0x%0x, bstrParam=(%ws)$%s|%s|%s|CallIE(hr=0x%0x)$--force-qb-trident-mode --url=$Headers$Navigate$PostData$Refresh$ShellExecute(failed)=%d, CallIE=0x%0x$TargetFrameName$getqb(failed),callIE=0x%0x$open$success
        • API String ID: 1409506827-3779367281
        • Opcode ID: 1bd3418aa18722d502f0f989c2ef448bb372b33f642515aba0af826c2920730e
        • Instruction ID: 254d88c21731e666e03c3912f63a4ec6fb018f26a00afb8afcc24d456e93bf94
        • Opcode Fuzzy Hash: 1bd3418aa18722d502f0f989c2ef448bb372b33f642515aba0af826c2920730e
        • Instruction Fuzzy Hash: 7C32C732A08B8295FB10EF64E4442EDB7A4FB84798F900175DAAD97AD9CF3CD185C790
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: String_snwprintf_s$Free$AllocExecuteShell
        • String ID: !!!CCustomInternetExplorer::Navigate2::TargetFrameName=%p PostData=%p, Headers=%p, Url=(%ws)$%s|%s|%s|CallIE(hr=0x%0x)$--force-qb-trident-mode --url=$Headers$Navigate2$PostData$QueryStatusWB$ShellExecute(failed)=%d, CallIE=0x%0x$TargetFrameName$getqb(failed),callIE=0x%0x$open$success
        • API String ID: 1409506827-1244131776
        • Opcode ID: 94eb9b60d4815c93928bcf632506e6fd5ac0767ceb5879db2def2a593c99b36b
        • Instruction ID: e95d3a855745e386c5f6f31f8aabe735fb10f220b8173566ffafd7e69097c13b
        • Opcode Fuzzy Hash: 94eb9b60d4815c93928bcf632506e6fd5ac0767ceb5879db2def2a593c99b36b
        • Instruction Fuzzy Hash: E1126232A08A8295FB10EF64E4442EDB7B0FB84758F900175EAAD97AD5DF3CD185C7A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: CloseExceptionHandleHttpInternetRequestThrowstd::exception::exception$OpenSendXbad_allochtonlstd::_
        • String ID: FuncName must not be empty$HTTP/1.1$POST$ServantName must not be empty$crypt$qbpcstat$stat
        • API String ID: 254083644-2247718545
        • Opcode ID: de6711ad864119869007c65ce8b63b81258a5e4cc7d5ab55e84a7347c8c6c515
        • Instruction ID: c13dd8e6f261e071cd54a9262da8cfc5d63b23d83858686c8c586e63a9a3e640
        • Opcode Fuzzy Hash: de6711ad864119869007c65ce8b63b81258a5e4cc7d5ab55e84a7347c8c6c515
        • Instruction Fuzzy Hash: E8229032608B8189FB20EF70D8806EC7775FB54788F904076DA6D57A9ADF38D554C7A0
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Locale$Info__crt$_calloc_crtfree$A_statErrorLastUpdateUpdate::__calloc_impl_invoke_watson
        • String ID:
        • API String ID: 377212461-0
        • Opcode ID: e3bf062b5020bad119278e3234153a9c97d88ad087b0860666f44413645793e8
        • Instruction ID: 589ed10a2bf355678eb85740cf1216c329359e7251ecfb45d6f00a2cf0d29b46
        • Opcode Fuzzy Hash: e3bf062b5020bad119278e3234153a9c97d88ad087b0860666f44413645793e8
        • Instruction Fuzzy Hash: 3651D161B1824306FF65EA22581277BD2807F98BC4F845179DE3DDBBC6DE3CE40086A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ControlDevice_errno$AllocCloseCreateFileHandleHeap_callnewh_wcsftime_lfreemalloc
        • String ID: .$\\.\PhysicalDrive%d
        • API String ID: 3652198919-636426351
        • Opcode ID: 2cb9f29a0383857dff898a6d44bd58ec0e7d864761fd42d99c1947b355f38110
        • Instruction ID: 3641343af4817cf7774b0a7fa36cafa3f883571db05b91ce24343cff6e35bc7a
        • Opcode Fuzzy Hash: 2cb9f29a0383857dff898a6d44bd58ec0e7d864761fd42d99c1947b355f38110
        • Instruction Fuzzy Hash: C851D13270C64286FB20EB61E8947AAA3A0FB95794F800134DE6D87AD6DF3CD545CB61
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: CreateInstanceThread$CurrentExecuteMessagePostShellSleep
        • String ID: -Embedding$open
        • API String ID: 4109628772-2736633392
        • Opcode ID: fd2df4d1919a09f22f9c63018b7fd7111f9de143657e3ef7dbf67d501e261332
        • Instruction ID: 0da52f2a22dc63c2f1d45c6343732fa771f0a4b05df979adef3af1fdb48dadb3
        • Opcode Fuzzy Hash: fd2df4d1919a09f22f9c63018b7fd7111f9de143657e3ef7dbf67d501e261332
        • Instruction Fuzzy Hash: 53519431A0C64291F710EF20E8846A9E7A0FF84754FC04175D9AD97AE4DF3CE49AC7A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID: FindBrowserByIndex$NavigateHack
        • API String ID: 344208780-3607754153
        • Opcode ID: de8f1f9ed67bc6513ebae345c0a51becab5b6116b3a1311c571633cf55c53bdc
        • Instruction ID: 2688c988eabf5c5749011a6853e60d2743cf4af9e10fc8bcedd5ca5b7aa6b175
        • Opcode Fuzzy Hash: de8f1f9ed67bc6513ebae345c0a51becab5b6116b3a1311c571633cf55c53bdc
        • Instruction Fuzzy Hash: 73716E32A18A4299FB10EB60D4943AC73A0FB5478CF800475EA5D87ADADF7CD195C7A0
        APIs
        Strings
        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7FA9EED5F
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: DebugDebuggerErrorLastOutputPresentString
        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
        • API String ID: 389471666-631824599
        • Opcode ID: f676bf00bd45b925f24ae54672d027915a33156fdb6a16f405138c6fe5cc32f1
        • Instruction ID: f44cf3206a63b6552aa79ff0b13e79f2af548cda40c6e2239929c848b49d1299
        • Opcode Fuzzy Hash: f676bf00bd45b925f24ae54672d027915a33156fdb6a16f405138c6fe5cc32f1
        • Instruction Fuzzy Hash: 1B116D32A08B42A7F704EB26D944779B2A0FF18755F804175C66D82991DF7CE0B9C7A0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: htonl$ExceptionThrowstd::exception::exception
        • String ID: gfffffff$gfffffff$gfffffff
        • API String ID: 1194782181-2968619780
        • Opcode ID: 7f4e2fb3dc5b2d2fb114832c0c81eb9e0488da7db746ea189fc7acc70b9d317e
        • Instruction ID: 32ba44d04c370349c86e6e83213b1adc1d86f86e40778208370867b0d7198b12
        • Opcode Fuzzy Hash: 7f4e2fb3dc5b2d2fb114832c0c81eb9e0488da7db746ea189fc7acc70b9d317e
        • Instruction Fuzzy Hash: 99C2D25661C1C186EF04EB3196D11FD6762EB56BD4B806070EA6D4BB8BCF2CE802D772
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: 8a02239767a8b36154e632c7aba0e0c2fca487b9197e97b71514e1963a2b26dd
        • Instruction ID: 294671d2c5d8d6a1fa9fd2104c327a0fcea1ea8c7bc4145d6c7238ebeb13fd36
        • Opcode Fuzzy Hash: 8a02239767a8b36154e632c7aba0e0c2fca487b9197e97b71514e1963a2b26dd
        • Instruction Fuzzy Hash: D4F08226A0E54181FF90EB70E4993797360BF66774F904772C97D872E1DE2CA04E96B0
        APIs
        • EnumSystemLocalesW.KERNEL32(?,?,?,?,00007FF7FAA00EAB,?,?,00000140,00007FF7FAA0157B), ref: 00007FF7FA9FE931
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: EnumLocalesSystem
        • String ID:
        • API String ID: 2099609381-0
        • Opcode ID: 73643b16058b4c7c9c70b5fc0a0d8582263b454781c721b842577a58b24a1dfe
        • Instruction ID: 81fa10730557c7a0491017eb67c2d26bd5690775a6705d6371cc3cd7e2857a5b
        • Opcode Fuzzy Hash: 73643b16058b4c7c9c70b5fc0a0d8582263b454781c721b842577a58b24a1dfe
        • Instruction Fuzzy Hash: 04E0E625E18643D6F754BB11FC81B6066D0AF59304FD040B2C42C57AE4CD6CA5AE87B5
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a37785044067b7a1469bff97e43a5488a276ebc2d2d122b53df96d93c8cdea13
        • Instruction ID: fb961941f885db116e4793e91d9940e1253c0d1938155503b1f365a1cf196405
        • Opcode Fuzzy Hash: a37785044067b7a1469bff97e43a5488a276ebc2d2d122b53df96d93c8cdea13
        • Instruction Fuzzy Hash: 982283B7F345204BE31DCB69EC52FA836A2B75434C749A02CEA17D3F44EA3DEA158644
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e0a2dbce7e390b63f7df38598765106d3b12782b4211c6c1c5caf7da0a4464e1
        • Instruction ID: 79c4e4371cb59b3b72038e46d0884a43a838d01e6863a418b98684ddbd2360a6
        • Opcode Fuzzy Hash: e0a2dbce7e390b63f7df38598765106d3b12782b4211c6c1c5caf7da0a4464e1
        • Instruction Fuzzy Hash: 4E5123737349184BA319CE39EA16A5A3391F3D934C748E124EF46E7B45EA3DE902C381
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: _errno$__doserrno_getptd_noexit_invalid_parameter_noinfo$FullNamePath_getdrive_validdrive
        • String ID: .$:
        • API String ID: 3206601966-4202072812
        • Opcode ID: c278636a75acf6b6aa7e52600644b43fcd6dd163b020e58cd30286ffe6d5198d
        • Instruction ID: e482c0fc9aa4d8cf57932ac13c6d132658411a175e43fcc4c7f0e888dbe32f8a
        • Opcode Fuzzy Hash: c278636a75acf6b6aa7e52600644b43fcd6dd163b020e58cd30286ffe6d5198d
        • Instruction Fuzzy Hash: 2B317462A0C64353FB62BF719440B7DE690BF84744FC580B5DA6D872C2EE3CE84686B1
        APIs
        Strings
        • !!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, xrefs: 00007FF7FA9D31ED
        • !!!CreateIEWebBrowser2() in QueryInterface(%ws) got 0x%0x, xrefs: 00007FF7FA9D2E9C
        • !!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, m_pIEWebBrowser2=%p, xrefs: 00007FF7FA9D3036
        • !!!IEWebBrowser for QueryInterface(%ws) got 0x%0x, xrefs: 00007FF7FA9D2ECC
        • !!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) should pass(%ws), xrefs: 00007FF7FA9D2D5A
        • !!!enter CCustomInternetExplorer::QueryInterface::IID(%ws), threadid=%d, xrefs: 00007FF7FA9D2D1A
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: String$AllocFreeFrom$CurrentExceptionThreadThrow
        • String ID: !!!CreateIEWebBrowser2() in QueryInterface(%ws) got 0x%0x$!!!IEWebBrowser for QueryInterface(%ws) got 0x%0x$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) not supported, m_pIEWebBrowser2=%p$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws) should pass(%ws)$!!!enter CCustomInternetExplorer::QueryInterface::IID(%ws), threadid=%d
        • API String ID: 2093652262-2840267380
        • Opcode ID: cad24af98e3b99c65bb915084164526389ec252c12579296056ed3c6e499cd0d
        • Instruction ID: 22204b4a5859e0bdc5f82c200701be0a8fd111e1e0f2ce17dd560545671a39a2
        • Opcode Fuzzy Hash: cad24af98e3b99c65bb915084164526389ec252c12579296056ed3c6e499cd0d
        • Instruction Fuzzy Hash: 3A021022A08A4681FB60EF25D484679E361EF44B94FC454B5DAAD877E4CF7CE885C3B0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: AddressHandleOpenProcProcess$CloseErrorLastLibraryLoadModule
        • String ID: GetProcessImageFileNameW$K32GetProcessImageFileNameW$kernel32$psapi.dll
        • API String ID: 1640075399-1140887699
        • Opcode ID: aa82de994624b4998622f923e83a535e56021346db82b491f78cc213d6dde9bb
        • Instruction ID: b9f3f07086169e937192ce81e8d225503b33e8e4591946a90a04012933c25270
        • Opcode Fuzzy Hash: aa82de994624b4998622f923e83a535e56021346db82b491f78cc213d6dde9bb
        • Instruction Fuzzy Hash: F7214624B0DB0351FB54EF15A944535A291AF48B90FC48478C96E837D8EF2CE45EC7B0
        APIs
        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF402
        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF41E
        • OpenThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF44C
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF45A
        • OpenThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF46F
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF4A7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: HandleOpenThread$AddressCloseErrorLastModuleProc
        • String ID: NtQueryInformationThread$ntdll.dll
        • API String ID: 2925828140-2698099043
        • Opcode ID: b15917006222226be9306d18a042d1e7103124e091ac296d0882ca0ad3a46121
        • Instruction ID: 445590c471d8fcf62476f778a35a0dadc8daae9a2aa89c6a355720dab8224cc5
        • Opcode Fuzzy Hash: b15917006222226be9306d18a042d1e7103124e091ac296d0882ca0ad3a46121
        • Instruction Fuzzy Hash: 7721A731B18B0142FB40EF25A444569A3A5FF88B80FC48075D99D83798EF3CE44ACBA0
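The record above (GetModuleHandleA, GetProcAddress, OpenThread and CloseHandle with NtQueryInformationThread and ntdll.dll in its String ID) and the record before it (a LoadLibrary/GetProcAddress pair with GetProcessImageFileNameW, K32GetProcessImageFileNameW, kernel32 and psapi.dll) are the concrete evidence for run-time import resolution in this sample: the export name is looked up by string rather than appearing in the import table. The Python script below is an added triage helper, not part of the Joe Sandbox report or its tooling. It parses function records in the text format of this listing, flags functions that pair a loader call with GetProcAddress, and pulls the DLL and export names out of the String ID field. The format rules it relies on are inferred from this page and are assumptions: an APIs list precedes the Similarity block of the same function, the Instruction Fuzzy Hash line closes a record, and the API ID is an alphabetised bag of API-name fragments with the Get prefix dropped (so GetProcAddress appears as "Address" plus "Proc"), which is what the fallback uses when the APIs list of a record is collapsed. The sample input is constructed from three records on this page with argument lists and hashes shortened.

```python
"""Added triage helper for Joe Sandbox function-detail listings (not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the listing; the bullet is optional so text copied without it parses.
API_RE = re.compile(r"^•?\s*(\w+)\.([A-Z0-9_]+)\((.*)\),\s*ref:\s*([0-9A-F]+)$")
FIELD_RE = re.compile(r"^•?\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")

# Loader-side APIs that, paired with GetProcAddress, mean imports are resolved at run time.
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}
DLL_HINTS = {"kernel32", "ntdll", "advapi32", "psapi", "user32"}  # bare module names seen in String IDs


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (name, module, ref) from the APIs list
    fields: dict = field(default_factory=dict)  # Similarity key -> value

    def string_tokens(self):
        return [t for t in self.fields.get("String ID", "").split("$") if t]

    def resolves_imports_at_runtime(self):
        names = {name for name, _, _ in self.apis}
        if "GetProcAddress" in names and names & LOADERS:
            return True
        # Assumed fallback for records whose APIs list is collapsed: the API ID is an
        # alphabetised bag of name fragments with the Get prefix dropped, so GetProcAddress
        # shows up as "Address" plus "Proc" (compare "AddressHandleOpenProcProcess").
        api_id = self.fields.get("API ID", "")
        return "Address" in api_id and "Proc" in api_id

    def resolved_names(self):
        """DLL and export names carried in the String ID of a resolving function."""
        if not self.resolves_imports_at_runtime():
            return [], []
        dlls, exports = [], []
        for tok in self.string_tokens():
            if tok.lower().endswith(".dll") or tok.lower() in DLL_HINTS:
                dlls.append(tok)
            elif re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", tok):
                exports.append(tok)
        return dlls, exports


def parse_records(text):
    """One record per function: the APIs/Strings lists precede the Memory Dump Source of
    the same function, and the Instruction Fuzzy Hash line closes the record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage(text):
    """Per function: does it resolve imports at run time, and which DLLs/exports it names."""
    out = []
    for rec in parse_records(text):
        dlls, exports = rec.resolved_names()
        out.append({"api_id": rec.fields.get("API ID", ""),
                    "runtime_resolution": rec.resolves_imports_at_runtime(),
                    "dlls": dlls, "exports": exports})
    return out


# Constructed sample: three records from the listing, with the Memory Dump Source, IDA plugin
# and hash lines the parser does not need left out and argument lists shortened.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF402
• GetProcAddress.KERNEL32(?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF41E
• OpenThread.KERNEL32(?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF44C
• CloseHandle.KERNEL32(?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF4A7
Similarity
• API ID: HandleOpenThread$AddressCloseErrorLastModuleProc
• String ID: NtQueryInformationThread$ntdll.dll
• API String ID: 2925828140-2698099043
• Instruction Fuzzy Hash: 7721A731B18B0142FB40EF25A444569A3A5FF88B80FC48075D99D83798EF3CE44ACBA0
APIs
Similarity
• API ID: AddressHandleOpenProcProcess$CloseErrorLastLibraryLoadModule
• String ID: GetProcessImageFileNameW$K32GetProcessImageFileNameW$kernel32$psapi.dll
• API String ID: 1640075399-1140887699
• Instruction Fuzzy Hash: F7214624B0DB0351FB54EF15A944535A291AF48B90FC48478C96E837D8EF2CE45EC7B0
APIs
• EnumSystemLocalesW.KERNEL32(?,?,?,?,00007FF7FAA00EAB,?,?,00000140,00007FF7FAA0157B), ref: 00007FF7FA9FE931
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Instruction Fuzzy Hash: 04E0E625E18643D6F754BB11FC81B6066D0AF59304FD040B2C42C57AE4CD6CA5AE87B5
"""
```

Run `triage()` over the whole function listing pasted into a file to get one row per function; on the three sample records it reports the NtQueryInformationThread and K32GetProcessImageFileNameW functions as run-time resolvers (the second one only through the API ID fallback, since its APIs list is empty) and the EnumSystemLocalesW function as not. The exports it extracts are the strings a detection rule or a YARA signature would key on, because they name what the binary looks up by hand rather than what its import table declares.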
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Close$AddressExistsFileHandleModulePathProcQueryValue
        • String ID: InstallDir$QQBrowser.exe$Software\Tencent\QQBrowser$Software\Wow6432Node\Tencent\QQBrowser
        • API String ID: 3970199010-1871758474
        • Opcode ID: a4d2b91cced5d2252ad5ecd6bf6790e37562157be7f73dccbdb02d7fce924ec1
        • Instruction ID: fa4731c4d7a82e3ff11c359edd81b3e9e35f5057dbc69f2f6ce5a547542113e7
        • Opcode Fuzzy Hash: a4d2b91cced5d2252ad5ecd6bf6790e37562157be7f73dccbdb02d7fce924ec1
        • Instruction Fuzzy Hash: 1C41A432A08B4191F710EF21E8451AAB364FB857A0F904275DABD937D8DF3CD445C7A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
        • String ID: bad cast
        • API String ID: 4068408745-3145022300
        • Opcode ID: b59a08d1540ec987e1887726f7663786dbea4613d7ad03c91e53d418083ca5fc
        • Instruction ID: 1bd7519fb481ca85b6b6adfe248597cf310be5005425b7da993a938aac7944c4
        • Opcode Fuzzy Hash: b59a08d1540ec987e1887726f7663786dbea4613d7ad03c91e53d418083ca5fc
        • Instruction Fuzzy Hash: 7E318A21A0CA0291FF11FB25E4804B9A361EB54BA4F9442B2D67D537E5DE3CE85AC7B0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
        • String ID: bad cast
        • API String ID: 620047600-3145022300
        • Opcode ID: 6fa198d8182d60241d03b708863fe7a84b2709087642af159d215598ae70a9eb
        • Instruction ID: 0fd068b9a639144ee870885547873b6b868c6ccbe6905d15811303133e2c623b
        • Opcode Fuzzy Hash: 6fa198d8182d60241d03b708863fe7a84b2709087642af159d215598ae70a9eb
        • Instruction Fuzzy Hash: 3C315321A1DA0281FB10EB25E4904B9A361EB947A0FD442B5D67D536E6DF3CE44AC7B0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
        • String ID: bad cast
        • API String ID: 3320480354-3145022300
        • Opcode ID: 1e214aa9f60b7bf54ab17ca2b64ecbdf3207e7ccc1a0268482592e6b885839f2
        • Instruction ID: 57998e67dc2b3af8b092685e3eedbb54faeb708573f47d24c2fec85189b79d1b
        • Opcode Fuzzy Hash: 1e214aa9f60b7bf54ab17ca2b64ecbdf3207e7ccc1a0268482592e6b885839f2
        • Instruction Fuzzy Hash: 04318A21A0CB0281FB11FB25E4804B9E361EF947A0FD482B1D67D537E6DE3CE44A87A1
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Exception_getptd$DestructObject$Raise_getptd_noexit
        • String ID: csm
        • API String ID: 2851507484-1018135373
        • Opcode ID: f63c31c8744fcde41ace1429d150bb829a6fb854e99d4356c7669e496792e9cb
        • Instruction ID: 968e8191cacf54acca11cb1a713746aca3dcf0cd37b9af7a324248ccec79b506
        • Opcode Fuzzy Hash: f63c31c8744fcde41ace1429d150bb829a6fb854e99d4356c7669e496792e9cb
        • Instruction Fuzzy Hash: 35213A3660868282EB30EB15E04026EB760FB85BA4F854275DEBD477D5DF3CE485CB50
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: free$Sleep_malloc_crtmalloc
        • String ID:
        • API String ID: 2523592665-0
        • Opcode ID: ffe51e098a28f5bc81262543e1a2495965659b64c93bc8964f93e359b729555d
        • Instruction ID: dfd6ed434ac0b8bbf05e1c109336d45e7afd71450a147147c833022a122ac179
        • Opcode Fuzzy Hash: ffe51e098a28f5bc81262543e1a2495965659b64c93bc8964f93e359b729555d
        • Instruction Fuzzy Hash: 6261D636708B4292FB24EB12E940669B3A4FB84B94F844175DE7C87B91DF3CE465C790
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: CriticalSectionString$ClassObjectRevokeThread$AllocCurrentEnterFreeFromInitializeLeaveMessagePost
        • String ID:
        • API String ID: 1381646855-0
        • Opcode ID: a029d25510344f831e2ec24893b9987acfd9a486f14a21de3c8d25aeeaf843b1
        • Instruction ID: a2e24e48c6002f0efb9e675c3615680ba8b8e31456f82f9745b1e150c8d0bfe0
        • Opcode Fuzzy Hash: a029d25510344f831e2ec24893b9987acfd9a486f14a21de3c8d25aeeaf843b1
        • Instruction Fuzzy Hash: D461D232A0878286F700EB61E84466DB3B4FF81754FA00175DAAD87BE5DF38E491C7A0
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
        • String ID:
        • API String ID: 1573762532-0
        • Opcode ID: 36164a5b92ab75e8b9d0270866404d9543f1fa6deae194a1da3a023a4b3b9817
        • Instruction ID: 83421288a6986b8a7689a7dc73a1d3e7dc09582b22483bbc794168c9ee1a6b09
        • Opcode Fuzzy Hash: 36164a5b92ab75e8b9d0270866404d9543f1fa6deae194a1da3a023a4b3b9817
        • Instruction Fuzzy Hash: A141E262E0C69781FB64FB1195801B9B6D0EB60B94FD440B7DAA8C76C6DB2CE581C3B1
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: File$CloseCreateFind$CopyDeleteFirstFolderHandlePathReadSizeSpecial
        • String ID:
        • API String ID: 2284925675-0
        • Opcode ID: e2c09bcf50226816ff0f6ef4bf8d80569a357a0aade116ce0efe607448ec2109
        • Instruction ID: fb998ac5ab12a1d402d2ef503c92a6c1426e75c61b01c343522c65b5ea0a3dcb
        • Opcode Fuzzy Hash: e2c09bcf50226816ff0f6ef4bf8d80569a357a0aade116ce0efe607448ec2109
        • Instruction Fuzzy Hash: FE51D632B08A41DAF710EF71D4942ACA361FB54798FC08275D92D83AD9DF38D519C7A0
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
        • String ID:
        • API String ID: 781512312-0
        • Opcode ID: 114d716205cd9dd7d1c115ba21ab42b81c090a2b93a5ee04d70adfc3818b5fa7
        • Instruction ID: 30d10873438b6b54064a52a07182f2668eba7e904ff6dc57fbeba68169c60ed6
        • Opcode Fuzzy Hash: 114d716205cd9dd7d1c115ba21ab42b81c090a2b93a5ee04d70adfc3818b5fa7
        • Instruction Fuzzy Hash: 5C411922E0C69381FB64FB1194801B9B2A0EB60BA0FD44077D6FD8B6C6DE2DD951C771
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
        • String ID:
        • API String ID: 3191669884-0
        • Opcode ID: 5afd3457c7a2ea1a5f02dee57da20931110c2d528eea28ea6e04efb072b26444
        • Instruction ID: 43220b01de24a8b8b4a86dfdbb48492ec6ec3a17546b73b84542cb6f7f191c68
        • Opcode Fuzzy Hash: 5afd3457c7a2ea1a5f02dee57da20931110c2d528eea28ea6e04efb072b26444
        • Instruction Fuzzy Hash: 9A31B135B0874686F760AF21D484A69F7A0EB54BE0F948171EA79437C5CF38D846C7A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: AddressCloseHandleModuleOpenProc
        • String ID: Advapi32.dll$RegOpenKeyTransactedW
        • API String ID: 823179699-3913318428
        • Opcode ID: 46beea28c6eae07af4a728249fe307b16fa5c9b9b6675718f3559790d5a38139
        • Instruction ID: a72b2611121ef83fbee8627987dbb7f9d05d9a0c4ab4bf90e2efb498edee7f58
        • Opcode Fuzzy Hash: 46beea28c6eae07af4a728249fe307b16fa5c9b9b6675718f3559790d5a38139
        • Instruction Fuzzy Hash: FA21AC32608A8182FB64EF21E455739E2A0FB44BC8F948175DA9D876C4DF3CD495C760
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ErrorLastThreadTimerWaitable$CreateCurrentFreeHeapMessageMultipleObjectsPostWait_errnofree
        • String ID:
        • API String ID: 2911511307-0
        • Opcode ID: 689c32a63b2e1eb818ab7082173d63fae4e2e3531b0e754b93d29fbe0c040a1d
        • Instruction ID: 5af0e112d5ed71a199c2a38ea97a571451ef9a74989f807d9dbdb180618c200a
        • Opcode Fuzzy Hash: 689c32a63b2e1eb818ab7082173d63fae4e2e3531b0e754b93d29fbe0c040a1d
        • Instruction Fuzzy Hash: 9221D432A18B8283F754DF24E05572AF3A0FF89754FA05234E69E42A94DF2CE084CB50
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: ExceptionThrow
        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
        • API String ID: 432778473-1866435925
        • Opcode ID: 093aac91aca3d5cb444e93d4d42d2825fe212e2d82f146a169df17e4c3784bdb
        • Instruction ID: c6a46a2500c752ab67bb1ff6c5b3dc723c14c150e2cb2e88dba6784c613939a9
        • Opcode Fuzzy Hash: 093aac91aca3d5cb444e93d4d42d2825fe212e2d82f146a169df17e4c3784bdb
        • Instruction Fuzzy Hash: 78119061E0C607A4FF14FB24D8814ECA364AF50308FD01075D53D969E6EE2CE94AC7E1
        APIs
        Strings
        Similarity
        • API ID: _getptd
        • String ID: MOC$RCC$csm
        • API String ID: 3186804695-2671469338
        • Opcode ID: 5c374d830ee814f54b2f9fa3c3e92b96ec2efda21db6e13fed2e5b8fabcddbb5
        • Instruction ID: 22238c6bcb2ba06af371aaf0ab989ee280466f8362c385344c36e0bd42547f45
        • Opcode Fuzzy Hash: 5c374d830ee814f54b2f9fa3c3e92b96ec2efda21db6e13fed2e5b8fabcddbb5
        • Instruction Fuzzy Hash: B2F0F83990824796F755BB5081453BC62A0AF98715FD684B1C63C862C6DBAD68848AB2
        APIs
        Similarity
        • API ID: String$memcpy_s$AllocFree
        • String ID:
        • API String ID: 3865269606-0
        • Opcode ID: e22d06bfb5369b301686315787000ad3005f2f7fca881707cd04031463c0dc54
        • Instruction ID: e9aa822dfd3ee964cdb29d7ccb9bad530f4be418e96cffaf06d87f213363c06f
        • Opcode Fuzzy Hash: e22d06bfb5369b301686315787000ad3005f2f7fca881707cd04031463c0dc54
        • Instruction Fuzzy Hash: B1411835B0864381FB28FB55555C13CD290EF44B94FA442B6DABDCBBE1CE2CE4D182A1
        APIs
        Strings
        Similarity
        • API ID: Getcvt$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__updatetlocinfo_getptdlocaleconv
        • String ID: false$true
        • API String ID: 379465546-2658103896
        • Opcode ID: c770085aa06cf17b6387c8f837feb050c9cc296f023650f2e6eb596c1cc5e8d8
        • Instruction ID: ebb4a9833f2bb1f82f9cd2c90b1bd4bebd41a123c911c5012a0bb2c82f6157d8
        • Opcode Fuzzy Hash: c770085aa06cf17b6387c8f837feb050c9cc296f023650f2e6eb596c1cc5e8d8
        • Instruction Fuzzy Hash: B631C522609B8542F7129B25D64036DABA0EB64BF4F5583B5CEBC073E6DE38D856C3D0
        APIs
        Strings
        Similarity
        • API ID: Path$AppendFileFolderInfoQuerySpecialValueVersion
        • String ID: \Internet Explorer\iexplore.exe
        • API String ID: 3320195616-38705447
        • Opcode ID: 84e7ca486809708aacdf764988d78f65cf761cafb01ba4910b894d15dae9b407
        • Instruction ID: bb3d4499f83a4dea29f9369116578bc91c8fbbc3408754ab6a242da6c47d1e4e
        • Opcode Fuzzy Hash: 84e7ca486809708aacdf764988d78f65cf761cafb01ba4910b894d15dae9b407
        • Instruction Fuzzy Hash: 7A218221618A4795F720DF21E844AFAA3A0FF48748FC44075D65D875E8EF3DD249CBA0
        APIs
        Similarity
        • API ID: cvtdate$_errno_get_daylight_invalid_parameter_noinfo_invoke_watson
        • String ID:
        • API String ID: 1447642234-0
        • Opcode ID: a3b1e53b5f70f45bfea4914cdc108dd655034d0a9fcfc8361ab68712039ad71a
        • Instruction ID: 9f8afaa7256b79f6c8f936ca4b8877f5a342d079b74b7ae31c47be64e53c72e0
        • Opcode Fuzzy Hash: a3b1e53b5f70f45bfea4914cdc108dd655034d0a9fcfc8361ab68712039ad71a
        • Instruction Fuzzy Hash: 328194719182528BF374AF15E040C3AFBE0FB94740F50817AEA5952AE4DB7DE45A8FA0
        APIs
        Similarity
        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
        • String ID:
        • API String ID: 2998201375-0
        • Opcode ID: 875ca83cb4141ce2e370ac5f9a9d47422609fd01dcb68c20e4be45d132a48f4f
        • Instruction ID: c3803b9b286b424fcf9d94cfb86e59d4c6a5635a8855ecd7305e1ec66f2cca8a
        • Opcode Fuzzy Hash: 875ca83cb4141ce2e370ac5f9a9d47422609fd01dcb68c20e4be45d132a48f4f
        • Instruction Fuzzy Hash: E941D431A08B818AF7609F25E140A39E7A1EF44B84F548175EBAD97BE5CF3CE4468760
        APIs
        Similarity
        • API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
        • String ID:
        • API String ID: 3566995948-0
        • Opcode ID: b1ff322655b69a1476251a369cc291caccd7b7030a3ca704fc697a4b73b927dc
        • Instruction ID: e2be8846eadd16e7f8703567b01d6101c76f3a00396c350f1bfc60e33bd51622
        • Opcode Fuzzy Hash: b1ff322655b69a1476251a369cc291caccd7b7030a3ca704fc697a4b73b927dc
        • Instruction Fuzzy Hash: DAF0D021A185C391FF51FB51D0411FCD254AF88B95F9D41B1DA784B6CAEE68E45083A0
        APIs
        Strings
        Similarity
        • API ID: ExceptionThrow_wcsftime_lhtonlstd::exception::exception
        • String ID: invalid string size, tag: %d, size: %u
        • API String ID: 2297430322-3143865162
        • Opcode ID: 1e4bbb424b589b7c4d6a9f69d28644da6729227b79945c1b82c0398d7d9d0045
        • Instruction ID: 2ead8d8a1ddefbbadcc31adeaf13ec619241d107ec4cb239a2ba11250077b0f5
        • Opcode Fuzzy Hash: 1e4bbb424b589b7c4d6a9f69d28644da6729227b79945c1b82c0398d7d9d0045
        • Instruction Fuzzy Hash: 8841C226B0C64299FB14EB74D0803EC67A1A755788F8014B1CE2D5BACBDE39D05AC7E1
        APIs
        Strings
        Similarity
        • API ID: Netbios
        • String ID: 3
        • API String ID: 544444789-1842515611
        • Opcode ID: fc2c6cc1660e2a1a7a068082d65f1229dadc3ebeeb12d96405019ee56709e9e2
        • Instruction ID: 84001feadfd4a96cbec3b792e3fe515066a41ca7215fb2249f1eb61468f6862c
        • Opcode Fuzzy Hash: fc2c6cc1660e2a1a7a068082d65f1229dadc3ebeeb12d96405019ee56709e9e2
        • Instruction Fuzzy Hash: 5D418F2660C6C199EB21DF7594403EDAB60F75A748F8441B5DBEC43B8BCB38D206CBA1
        APIs
        Strings
        Similarity
        • API ID: BufferEnumFreeTransportWkstaswscanfvscan_fn
        • String ID: %2hx%2hx%2hx%2hx%2hx%2hx
        • API String ID: 2287809651-1625236832
        • Opcode ID: 562012ec4a8d04ffbd1ac61d7800b8f51613bfbd1697ddc3d8399b8b53b45b8e
        • Instruction ID: f12698c80ebbf5932afa99a89ac97e166bf6c99009a448c5d60c9e8b38972ae7
        • Opcode Fuzzy Hash: 562012ec4a8d04ffbd1ac61d7800b8f51613bfbd1697ddc3d8399b8b53b45b8e
        • Instruction Fuzzy Hash: 6C41AC23B18A4198FB40CF70E4802EC77B4FB08744B845136DEADA3B99EE38C556C3A0
        APIs
        Strings
        Similarity
        • API ID: FolderPathSpecial
        • String ID: \Global.db$\Tencent\DeskUpdate$\Tencent\Desktop
        • API String ID: 994120019-3757207327
        • Opcode ID: ef9c67a7b736c5df7e5daa3a7a868a4ff0da9a40d72e9e1e0b6a8c9ecd359c25
        • Instruction ID: 9ed47a7fb268cf962d552f25d3fad073266ce86600dd17177d793cfef6926403
        • Opcode Fuzzy Hash: ef9c67a7b736c5df7e5daa3a7a868a4ff0da9a40d72e9e1e0b6a8c9ecd359c25
        • Instruction Fuzzy Hash: 4631A326A1C68181FB20EF25E4907A9A360FB457A4FD05374D57D476E6DF3CE045CBA0
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00007FF7FA9D255D
          • Part of subcall function 00007FF7FA9DF3D0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9D257F), ref: 00007FF7FA9DF402
          • Part of subcall function 00007FF7FA9DF4D8: OpenProcess.KERNEL32(?,?,?,00007FF7FA9D25AB), ref: 00007FF7FA9DF4FB
          • Part of subcall function 00007FF7FA9DF4D8: GetLastError.KERNEL32(?,?,?,00007FF7FA9D25AB), ref: 00007FF7FA9DF50B
          • Part of subcall function 00007FF7FA9DF4D8: OpenProcess.KERNEL32(?,?,?,00007FF7FA9D25AB), ref: 00007FF7FA9DF520
        • PathFindFileNameW.SHLWAPI ref: 00007FF7FA9D25B0
        • PathFindFileNameW.SHLWAPI ref: 00007FF7FA9D25DA
        Strings
        Similarity
        • API ID: FileFindNameOpenPathProcess$CurrentErrorHandleLastModuleThread
        • String ID: !!!pid=%d through (tid=%d), name=%ws(%ws)
        • API String ID: 4126646617-725543756
        • Opcode ID: d9a42e5648462b841738da11a7d38eaa4930a2defaf0a3aad7186ab1921fdfb4
        • Instruction ID: 480f1876f9e3aa0bc3a3d931ac8c6133ee9c30c7e0ddb442343ffcb96031f616
        • Opcode Fuzzy Hash: d9a42e5648462b841738da11a7d38eaa4930a2defaf0a3aad7186ab1921fdfb4
        • Instruction Fuzzy Hash: D9319526A1878292FB60EF21E4485ADE360FF94750FC05171EAAE836D5DF3CE585C7A0
        APIs
        Strings
        Similarity
        • API ID: CloseCreateValue
        • String ID: Software\Tencent\QQBrowser\QBroker
        • API String ID: 1818849710-661104360
        • Opcode ID: c339afa961175439d270a1f878aef2dd04e9f67a5ceaaee9c33060fd387883c7
        • Instruction ID: bf3bf1487ac23c4f84145713cc35aa7c7df30c112537d2aea90e314d7299c33f
        • Opcode Fuzzy Hash: c339afa961175439d270a1f878aef2dd04e9f67a5ceaaee9c33060fd387883c7
        • Instruction Fuzzy Hash: C4218332A18A8192FB50DF10F44576AF3A4FB8879CF944135D69D47A98DF7CD049CB50
        APIs
        Strings
        Similarity
        • API ID: Path$AppendExistsFileFolderSpecial
        • String ID: \Internet Explorer\iexplore.exe
        • API String ID: 2859893649-38705447
        • Opcode ID: 04ff5b0c2f70b85f27fe75ce75b636d5ad538f00c212532b620ced39efe5c13e
        • Instruction ID: 9bd83b4b8b42885a17ceb30f8c87854cc07b7d534b4ed0ffb86d1c50805c50c0
        • Opcode Fuzzy Hash: 04ff5b0c2f70b85f27fe75ce75b636d5ad538f00c212532b620ced39efe5c13e
        • Instruction Fuzzy Hash: 2D11932160868651FF30EB21E4997BAA360FF98794FC04275D6BD879E4DF2CD249CB60
        APIs
        Strings
        Similarity
        • API ID: _getptd$_inconsistency$DestructExceptionObject
        • String ID: csm
        • API String ID: 2821275340-1018135373
        • Opcode ID: 54738449fae25136525e3d73a4cde9389fcf728a346489a781f55c28ab9eb91b
        • Instruction ID: 4ceab6f41c12c3d282ca8026f41c700fb0b183cddf6bccf4d2cdb8b7cab6bf3b
        • Opcode Fuzzy Hash: 54738449fae25136525e3d73a4cde9389fcf728a346489a781f55c28ab9eb91b
        • Instruction Fuzzy Hash: FB01842290424385FB70BF31C4916BC6364EB95759F8840B1D9BD8A389DE68D4858791
        APIs
        • _callnewh.LIBCMT ref: 00007FF7FA9EF666
        • malloc.LIBCMT ref: 00007FF7FA9EF672
          • Part of subcall function 00007FF7FA9EF3A8: _FF_MSGBANNER.LIBCMT ref: 00007FF7FA9EF3D8
          • Part of subcall function 00007FF7FA9EF3A8: _NMSG_WRITE.LIBCMT ref: 00007FF7FA9EF3E2
          • Part of subcall function 00007FF7FA9EF3A8: HeapAlloc.KERNEL32(?,?,?,00007FF7FA9F33D0,?,?,?,00007FF7FA9FDBE4,?,?,?,00007FF7FA9FDAE3,?,?,?,00007FF7FA9EF4C5), ref: 00007FF7FA9EF3FD
          • Part of subcall function 00007FF7FA9EF3A8: _callnewh.LIBCMT ref: 00007FF7FA9EF416
          • Part of subcall function 00007FF7FA9EF3A8: _errno.LIBCMT ref: 00007FF7FA9EF421
          • Part of subcall function 00007FF7FA9EF3A8: _errno.LIBCMT ref: 00007FF7FA9EF42C
        • _CxxThrowException.LIBCMT ref: 00007FF7FA9EF6BB
          • Part of subcall function 00007FF7FA9F06E8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9EECA1), ref: 00007FF7FA9F0756
          • Part of subcall function 00007FF7FA9F06E8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7FA9EECA1), ref: 00007FF7FA9F0795
        Strings
        Similarity
        • API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
        • String ID: bad allocation
        • API String ID: 1214304046-2104205924
        • Opcode ID: b81a1a26c0a4adbc31c3fa8f9502520f94a1c5b7c375de76df4e8ba8216c7643
        • Instruction ID: 5a5f642dd6ec823c37a73092104e5cbfa558fcb598c0e313bf0a12290d8a332f
        • Opcode Fuzzy Hash: b81a1a26c0a4adbc31c3fa8f9502520f94a1c5b7c375de76df4e8ba8216c7643
        • Instruction Fuzzy Hash: 71F0C211A0CB4B52FF24F710A4404B4D354AB95388FC40075D9BD477E6EE2CE249CBB1
        APIs
        Similarity
        • API ID: strcspn$Mpunctlocaleconv
        • String ID:
        • API String ID: 2882554788-0
        • Opcode ID: 053ecaac9354419ddf1ac585ae6d1347d06da948ae916d9b4f2870e79173457f
        • Instruction ID: 9e5f7dd06a28c01ae4afccdf773ffcf9b0def8b930802ca16cc50e53ea1fbd97
        • Opcode Fuzzy Hash: 053ecaac9354419ddf1ac585ae6d1347d06da948ae916d9b4f2870e79173457f
        • Instruction Fuzzy Hash: B6D18D26B1CA8589FB10DBB5C0802EC6771FB59B88F944175DE9D57B9ACF38D04AC3A0
        APIs
        Similarity
        • API ID: isprintisspace
        • String ID:
        • API String ID: 2609633722-0
        • Opcode ID: cb33ea4c5fb831a7523e1f192c435978392835876fc21bf0941de0629dea0196
        • Instruction ID: 72fea2de9a0e4dd5110ffb20bb6c3d666741cdaaca2c190ff1c36d1341c0fdb6
        • Opcode Fuzzy Hash: cb33ea4c5fb831a7523e1f192c435978392835876fc21bf0941de0629dea0196
        • Instruction Fuzzy Hash: 29411742A0C6D645F712EE3945D437EEE909B31B84F8860B4CFA9876D3EE2DA441C3B1
        APIs
        Similarity
        • API ID: File$Create$CloseFolderHandlePathSpecialWrite
        • String ID:
        • API String ID: 261467261-0
        • Opcode ID: 87a36924370a38567c8f29f943b8af8cacfb3f5e16a5e2e4da282d07ff7eaf9b
        • Instruction ID: c236a081d26c71a5ed1a643f90397fff02839f93b315a358846128a8b86a9e42
        • Opcode Fuzzy Hash: 87a36924370a38567c8f29f943b8af8cacfb3f5e16a5e2e4da282d07ff7eaf9b
        • Instruction Fuzzy Hash: A331B132708A409AF710EF75D4946ACB3A0FB587A8F808375EA6D43BD9DF38D5158760
        APIs
        Similarity
        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
        • String ID:
        • API String ID: 4151157258-0
        • Opcode ID: 9f204ea91d6198c4a82ef353745b2060fa986f5a3426e358ba194c17e780f943
        • Instruction ID: dc77e67424fe625dd14d92e38513eb2a909a81580308f15b939915436e0900f1
        • Opcode Fuzzy Hash: 9f204ea91d6198c4a82ef353745b2060fa986f5a3426e358ba194c17e780f943
        • Instruction Fuzzy Hash: 0B212956A1C2A242FB606631908057DE7D0EB86BF4F98C8B1E6FE476C5CD2CD446C7B0
        APIs
        Strings
        Similarity
        • API ID: Close$HandleXbad_allocstd::_
        • String ID: string too long
        • API String ID: 3601596506-2556327735
        • Opcode ID: 372d5d49983c13a36cddd18aa35a4e4ff7c67db2dcde71bf080ae64639e4d0e4
        • Instruction ID: dd0d2835f599822d6e14698804d5163a7dfeefcc6e4df58ae1a8c8456f7f1a55
        • Opcode Fuzzy Hash: 372d5d49983c13a36cddd18aa35a4e4ff7c67db2dcde71bf080ae64639e4d0e4
        • Instruction Fuzzy Hash: 87316F22B1DA0181FB18AF15D484238A270EB64F94FA44271CABD873D6DF39E45683F6
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: _snwprintf_s_vsnprintf_s_l
        • String ID: ExecWB$cmdID=0x%0x
        • API String ID: 2495276089-1305857435
        • Opcode ID: d2504834d054f49e557b6adf1fcb99767156465117bdd46e3a5108ef1bc64949
        • Instruction ID: 3b50ec0966b936a6227037748f3b3c68da30ebc558349ac9b2a42a559ee6fec1
        • Opcode Fuzzy Hash: d2504834d054f49e557b6adf1fcb99767156465117bdd46e3a5108ef1bc64949
        • Instruction Fuzzy Hash: 8241C532A0C78689F710EB64E4843EDA7A1FB84358F900175DAAC4AADACF7CD185C790
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: Thread$CurrentMessagePost
        • String ID: Quit
        • API String ID: 3590184027-3818420395
        • Opcode ID: c5d0bb174f7255261121061f4f28705b061de229dd0f39cf965b494ab33ca0ef
        • Instruction ID: 8b5940231a7433f929a1f4e54ed08a138ed8914348ad9df174b52dc222930add
        • Opcode Fuzzy Hash: c5d0bb174f7255261121061f4f28705b061de229dd0f39cf965b494ab33ca0ef
        • Instruction Fuzzy Hash: 81314B32A18A4199FB10EF70E4447ED73A4EB5474CF800475EA5D8BA8ADF78D195C7A0
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3939090646.00007FF7FA9D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FA9D0000, based on PE: true
        • Associated: 00000000.00000002.3939076939.00007FF7FA9D0000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939114549.00007FF7FAA0C000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA1F000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939130593.00007FF7FAA24000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.3939157823.00007FF7FAA25000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff7fa9d0000_EBAbsk8ydv.jbxd
        Similarity
        • API ID: CloseQueryValue
        • String ID: Software\Tencent\QQBrowser\QBroker
        • API String ID: 3356406503-661104360
        • Opcode ID: c2fdb8d571b8b3e4283bdc6ab94a3081b84b2d7644d909ec7713784ee6c357a3
        • Instruction ID: a3760a3c9157900dcdd5fcb8e2590a10a6472599900e9944e92e4203279d0c1d
        • Opcode Fuzzy Hash: c2fdb8d571b8b3e4283bdc6ab94a3081b84b2d7644d909ec7713784ee6c357a3
        • Instruction Fuzzy Hash: 90315632A14A1589FB10DB7098492AD73F4FB08788F844576CE6D96A88EF38D195C7A0