Windows Analysis Report
LtmV2sDcTK.exe

Overview

General Information

Sample name: LtmV2sDcTK.exe (renamed because original name is a hash value)
Original sample name: 98ceec87cb638db932e818b0e0b72e4de6870e6aba08b172faefcc97808685cf.exe
Analysis ID: 1508522
MD5: 2e7c2fa8c75a99967dbf0d6ccf82d0df
SHA1: 87f9c8377d643cb2d749debfc999e002201ca292
SHA256: 98ceec87cb638db932e818b0e0b72e4de6870e6aba08b172faefcc97808685cf
Tags: 116-198-231-169, exe

Detection

CobaltStrike, Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
One or more processes crash
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • LtmV2sDcTK.exe (PID: 5248 cmdline: "C:\Users\user\Desktop\LtmV2sDcTK.exe" MD5: 2E7C2FA8C75A99967DBF0D6CCF82D0DF)
    • WerFault.exe (PID: 3304 cmdline: C:\Windows\system32\WerFault.exe -u -p 5248 -s 1224 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • Strings: 0x1bc91:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • Strings: 0x1bcfd:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • Strings: 0xe81:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • Strings: 0xeed:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-09-10T10:58:41.962223+0200  2028765  3         Unknown Traffic  192.168.2.5  49704        116.198.231.169  63222             TCP
2024-09-10T10:58:46.106093+0200  2028765  3         Unknown Traffic  192.168.2.5  49707        116.198.231.169  63222             TCP
2024-09-10T10:58:50.183653+0200  2028765  3         Unknown Traffic  192.168.2.5  49710        116.198.231.169  63222             TCP
2024-09-10T10:58:54.361605+0200  2028765  3         Unknown Traffic  192.168.2.5  49713        116.198.231.169  63222             TCP
2024-09-10T10:58:58.813542+0200  2028765  3         Unknown Traffic  192.168.2.5  49717        116.198.231.169  63222             TCP
2024-09-10T10:59:02.907545+0200  2028765  3         Unknown Traffic  192.168.2.5  49724        116.198.231.169  63222             TCP
2024-09-10T10:59:06.958588+0200  2028765  3         Unknown Traffic  192.168.2.5  49727        116.198.231.169  63222             TCP
2024-09-10T10:59:10.992677+0200  2028765  3         Unknown Traffic  192.168.2.5  49730        116.198.231.169  63222             TCP
2024-09-10T10:59:14.951779+0200  2028765  3         Unknown Traffic  192.168.2.5  49733        116.198.231.169  63222             TCP
2024-09-10T10:59:19.061173+0200  2028765  3         Unknown Traffic  192.168.2.5  49736        116.198.231.169  63222             TCP

      AV Detection

Source: LtmV2sDcTK.exe | Avira: detected
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Source: LtmV2sDcTK.exe | ReversingLabs: Detection: 60%
Source: LtmV2sDcTK.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: LtmV2sDcTK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

      Networking

Source: Malware configuration extractor | URLs: http://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor | URLs: http://116.198.231.169/jquery-3.3.2.slim.min.js
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49710 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 116.198.231.169:63222
Source: unknown | TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2465339472.000002545502A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/
Source: LtmV2sDcTK.exe, 00000000.00000003.2424244410.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2445008563.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2465339472.000002545502A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/B
Source: LtmV2sDcTK.exe, 00000000.00000003.2424244410.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2445008563.000002545502A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/G
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/q
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/AppData
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/al
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/bV=1
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/dll
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js=
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRjC1
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsU
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsingsm
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jskies
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsock
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jszjk1

      System Summary

Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, type: DROPPED | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, type: DROPPED | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E1154
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E19E0
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E2E90
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E1423
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E1CB2
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_0000006AD78FDF42
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5248 -s 1224
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal96.troj.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9b6e7674-c3db-4773-96c5-fe9eedb31e25
Source: LtmV2sDcTK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LtmV2sDcTK.exe | ReversingLabs: Detection: 60%
Source: LtmV2sDcTK.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\LtmV2sDcTK.exe "C:\Users\user\Desktop\LtmV2sDcTK.exe"
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5248 -s 1224
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: LtmV2sDcTK.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: LtmV2sDcTK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: LtmV2sDcTK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_0000006AD78FDF9B push eax; ret 0_2_0000006AD78FE1F7
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_0000006AD78FE179 push eax; ret 0_2_0000006AD78FE1F7
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWQ
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E67E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00007FF7026E67E8
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E6990 SetUnhandledExceptionFilter, | 0_2_00007FF7026E6990
Source: C:\Users\user\Desktop\LtmV2sDcTK.exe | Code function: 0_2_00007FF7026E6A00 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_00007FF7026E6A00
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; counts in parentheses are the matrix's signature-hit counts):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Time Discovery (1); Security Software Discovery (21); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Antivirus detection (Source | Detection | Scanner | Label):
LtmV2sDcTK.exe | 61% | ReversingLabs | Win64.Backdoor.MeterpreterReverseShell
LtmV2sDcTK.exe | 38% | Virustotal
LtmV2sDcTK.exe | 100% | Avira | TR/AD.MeterpreterSC.cupky
No Antivirus matches
URL detection (Source | Detection | Scanner | Label):
http://upx.sf.net | 0% | URL Reputation | safe
http://code.jquery.com/ | 0% | Avira URL Cloud | safe
http://code.jquery.com/G | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/dll | 0% | Avira URL Cloud | safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js= | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jskies | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jszjk1 | 0% | Avira URL Cloud | safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Virustotal
http://code.jquery.com/G | 0% | Virustotal
http://code.jquery.com/B | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRjC1 | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsingsm | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/dll | 0% | Virustotal
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jskies | 0% | Virustotal
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
http://code.jquery.com/ | 1% | Virustotal
https://116.198.231.169:63222/ | 0% | Avira URL Cloud | safe
http://code.jquery.com/B | 0% | Virustotal
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsock | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Virustotal
http://code.jquery.com/q | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/al | 0% | Avira URL Cloud | safe
https://116.198.231.169/ | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/bV=1 | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsU | 0% | Avira URL Cloud | safe
http://code.jquery.com/q | 1% | Virustotal
https://116.198.231.169:63222/AppData | 0% | Avira URL Cloud | safe
https://116.198.231.169/ | 0% | Virustotal
http://116.198.231.169/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/ | 0% | Virustotal
No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | true | Virustotal 0%; Avira URL Cloud: safe | unknown
http://116.198.231.169/jquery-3.3.2.slim.min.js | true | Avira URL Cloud: safe | unknown

URLs from process memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://code.jquery.com/ | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2465339472.000002545502A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://code.jquery.com/G | LtmV2sDcTK.exe, 00000000.00000003.2424244410.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2445008563.000002545502A000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/dll | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js= | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jskies | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jszjk1 | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://code.jquery.com/B | LtmV2sDcTK.exe, 00000000.00000003.2424244410.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2445008563.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.000002545502A000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000003.2465339472.000002545502A000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsRjC1 | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsingsm | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454F9C000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp, LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/ | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsock | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://code.jquery.com/q | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/al | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169/ | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025455013000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/bV=1 | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsU | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://116.198.231.169:63222/AppData | LtmV2sDcTK.exe, 00000000.00000002.2948541073.0000025454FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
116.198.231.169 | unknown | China | 137699 | CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | true
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1508522
      Start date and time:2024-09-10 10:57:44 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 1s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
      Number of analysed new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:LtmV2sDcTK.exe
      renamed because original name is a hash value
      Original Sample Name:98ceec87cb638db932e818b0e0b72e4de6870e6aba08b172faefcc97808685cf.exe
      Detection:MAL
      Classification:mal96.troj.winEXE@2/5@0/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 86%
      • Number of executed functions: 4
      • Number of non-executed functions: 11
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.42.73.29
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
      No simulations
IP context (Match | Associated Sample Name / URL | Detection | Threat Name):
116.198.231.169 | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit
116.198.231.169 | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit
116.198.231.169 | QT2hJT3Syn.exe | malicious | CobaltStrike, Metasploit
No context

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context IP):
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | QT2hJT3Syn.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | gOEF4WOJ3c.elf | malicious | Unknown | 116.198.238.210
No context
No context
            Process:C:\Windows\System32\WerFault.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.9233161409876522
            Encrypted:false
            SSDEEP:192:8FKoU67tBb0I3Dkjc4bzuiFr9Z24lO8M:5oUmtBoI3DkjtzuiFr9Y4lO8M
            MD5:0C0A143F19A276BFC700440C785E9090
            SHA1:8C82C1812611131B082F248E9FD102869A40543B
            SHA-256:A86BCBE59FC9C0BF37F3C88B9EFB244EB7ADB5F7AF9AF42ABBFBF9DE2AD8744C
            SHA-512:EF20A0D390745F2257DA2B2F6326879EAF3EAA9C4BAF6594D24300777C857172D5394A68832873FD178FECD6E0B64F838E8DB0A5385591C454CE45231F0759E7
            Malicious:true
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.3.2.3.6.0.2.2.1.0.2.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.3.2.3.6.0.8.4.6.0.1.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.d.5.4.e.1.a.-.3.8.7.b.-.4.3.6.0.-.8.9.c.4.-.3.c.a.d.7.3.c.5.4.0.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.4.1.4.a.9.1.-.e.d.9.b.-.4.3.9.8.-.a.4.6.3.-.c.c.3.8.6.4.9.0.f.1.1.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.L.t.m.V.2.s.D.c.T.K...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.0.-.0.0.0.1.-.0.0.1.4.-.1.4.f.0.-.5.3.a.0.5.f.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.d.b.1.0.0.a.e.f.a.6.6.3.5.5.a.8.c.1.0.3.6.b.f.8.4.f.1.5.0.5.3.0.0.0.0.f.f.f.f.!.0.0.0.0.8.7.f.9.c.8.3.7.7.d.6.4.3.c.b.2.d.7.4.9.d.e.b.f.c.9.9.9.e.0.0.2.2.0.1.c.a.2.9.2.!.L.t.m.V.2.s.D.c.T.K...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6././.2.1.:.1.2.
            Process:C:\Windows\System32\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Tue Sep 10 08:59:20 2024, 0x1205a4 type
            Category:dropped
            Size (bytes):143704
            Entropy (8bit):1.4714481695330766
            Encrypted:false
            SSDEEP:192:CWt+Vl1NyrpROIoI5uLZUaUyYnfTFCtMvmq5OIKjTybrmem62BCBkJ:Tg/LYa9I5uLZrUotFqLIyXmem62BCBkJ
            MD5:696C1EAEF8708175B289A73499A1D4B3
            SHA1:47769ECDA15AC2213BE734D7335CF3A2AF277C90
            SHA-256:B389C9B9C4FD8ED5AA5ABAB7C506E06781C5E5ABED96AC939BEE33BD4EBE7051
            SHA-512:00AF3B92B0E9E3C30EDC4C781FC5B534C5173CE24E40C7C4A393A1F6CE92C04537BA5673E9B28BCCFCC3C83AF43B530290252E55B45603FC19A4F763117D88ED
            Malicious:false
            Yara Hits:
            • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, Author: unknown
            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB6.tmp.dmp, Author: unknown
            Reputation:low
            Preview:MDMP..a..... .......h..f........................................,S..........T.......8...........T...........x...............P...........<...............................................................................eJ..............Lw......................T...........>..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8900
            Entropy (8bit):3.7047795306837856
            Encrypted:false
            SSDEEP:192:R6l7wVeJQoG6YEIdl6nGHggmfnzkpDB89bAlkf8Igm:R6lXJfG6YEilCGHggmfznAWfT
            MD5:DE8EA59075785D776D383F68D1DE7231
            SHA1:89AC50E985F087C20F95096BC7B8409E938C0715
            SHA-256:F42F8DF5D428128F063DE724332794A5C51CA59E04FA4F39C3DCA7ECCF125506
            SHA-512:F24F8F406C330A1FD96DE9960F68486C5293809711E7B3EC87C2768AE5889CB3AE44F5A4DF0632F3629C176D23DAF0DA759FF7734944A724DAF45731E23C894E
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.8.<./.P.i.
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4800
            Entropy (8bit):4.486086466402742
            Encrypted:false
            SSDEEP:48:cvIwWl8zsJJg771I9pWWpW8VYrgYm8M4JujO1FByq8vNjO91PJsf4d:uIjfbI7i37V0Jg6WFe1BA4d
            MD5:5DACC6E91F8266AC6088CD6B7D368EE2
            SHA1:6FABA853FC31B088479EBD170ADDF9C130166099
            SHA-256:9F3795127CC65A5A377D2CDFC879AFD155B6A0724B011BEE2F3852EE55D509A6
            SHA-512:14CBC8A77574914EE70FC6FD17B3BE9386C8B59A4E03402C716FBDA8DFB53AC3FED9D376981FD6C98FC0F6A85B90AD6699D269D0417E00EE8BD9617FD7F806E6
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="493922" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\System32\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.421597657148385
            Encrypted:false
            SSDEEP:6144:FSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:MvloTMW+EZMM6DFyd03w
            MD5:1EFE553133551F86FC2914A7FF675B65
            SHA1:4D7E96ED1A48FC59DC9643CC8F522883C5FE578B
            SHA-256:2A63E9FDCCEC3665A94E87044C9F743C2AE0F7479C00E0942D085A92F64AD63E
            SHA-512:E28881B001216EA53DC983041B086EC67A74F172A690BCF0BD0DF0AE97245B5DE18F773E61145EF7D89E2A8BDFDAEEFE1B5DEB0CE32BB6C42E5CAE70E3FC8EC9
            Malicious:false
            Reputation:low
            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv.0._................................................................................................................................................................................................................................................................................................................................................x'.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32+ executable (GUI) x86-64, for MS Windows
            Entropy (8bit):6.5292035095368535
            TrID:
            • Win64 Executable GUI (202006/5) 92.65%
            • Win64 Executable (generic) (12005/4) 5.51%
            • Generic Win/DOS Executable (2004/3) 0.92%
            • DOS Executable Generic (2002/1) 0.92%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:LtmV2sDcTK.exe
            File size:51'712 bytes
            MD5:2e7c2fa8c75a99967dbf0d6ccf82d0df
            SHA1:87f9c8377d643cb2d749debfc999e002201ca292
            SHA256:98ceec87cb638db932e818b0e0b72e4de6870e6aba08b172faefcc97808685cf
            SHA512:e599ff443deb6481efe2da010f04583c65cae9059e64438856c08bb7b505d035e566b5d9b4931439f281f01716453bc9e75d72c0654180c20bd1f77c351187b5
            SSDEEP:1536:3jhX4gMZu8wcFHMESJ7qF3CNES4oqiedNRU:3jh8Zu8wcFHMESJ7q3Czgz
            TLSH:9133294BDE6216F5E4B7C23881A2B23BF9F139E64A30E70B97D551071B22770A43EB44
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)..A)..A)..A .EA%..A...@*..A...@ ..A...@0..A...@/..Ab..@,..A)..Af..A:..@*..A:..@(..ARich)..A................PE..d...Cwuf...
            Icon Hash:00928e8e8686b000
            Entrypoint:0x140006484
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x66757743 [Fri Jun 21 12:51:15 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:6603ea65ff245fea1598db6fadad400d
            Instruction
            dec eax
            sub esp, 28h
            call 00007FF908EC50F8h
            dec eax
            add esp, 28h
            jmp 00007FF908EC49F7h
            int3
            int3
            jmp 00007FF908EC5332h
            int3
            int3
            int3
            dec eax
            and dword ptr [ecx+10h], 00000000h
            dec eax
            lea eax, dword ptr [00000EE4h]
            dec eax
            mov dword ptr [ecx+08h], eax
            dec eax
            lea eax, dword ptr [00000EC9h]
            dec eax
            mov dword ptr [ecx], eax
            dec eax
            mov eax, ecx
            ret
            int3
            int3
            dec eax
            sub esp, 48h
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007FF908EC4B57h
            dec eax
            lea edx, dword ptr [0000578Bh]
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007FF908EC524Eh
            int3
            dec eax
            sub esp, 48h
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007FF908EC24CFh
            dec eax
            lea edx, dword ptr [0000583Bh]
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007FF908EC522Eh
            int3
            dec eax
            mov dword ptr [esp+10h], ebx
            dec eax
            mov dword ptr [esp+18h], esi
            push ebp
            push edi
            inc ecx
            push esi
            dec eax
            mov ebp, esp
            dec eax
            sub esp, 10h
            xor eax, eax
            xor ecx, ecx
            cpuid
            inc esp
            mov eax, ecx
            inc esp
            mov edx, edx
            inc ecx
            xor edx, 49656E69h
            inc ecx
            xor eax, 6C65746Eh
            inc esp
            mov ecx, ebx
            inc esp
            mov esi, eax
            xor ecx, ecx
            mov eax, 00000001h
            cpuid
            inc ebp
            or edx, eax
            mov dword ptr [ebp-10h], eax
            inc ecx
            xor ecx, 756E6547h
            Programming Language:
            • [IMP] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbd4c | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x5b8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x68 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb2d0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb190 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type                                                      | Entropy            | Characteristics
            .text  | 0x1000          | 0x5e52       | 0x6000   | 0540a54e1e41ee73500608066b82dfab | False    | 0.3524576822916667 | data                                                           | 5.580721179770209  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x7000          | 0x5a60       | 0x5c00   | 8df635e0647fdbe2e0f433bf71434d14 | False    | 0.6346382472826086 | data                                                           | 7.130658907572664  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data  | 0xd000          | 0x200        | 0x200    | 48c645ee3ae018ed638eac40ff31ae84 | False    | 0.26171875         | DOS executable (block device driver \377\377\377\377\377\377)  | 2.221799086773     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .pdata | 0xe000          | 0x5b8        | 0x600    | 40c05ff07060f4e120676ec8539e1384 | False    | 0.4596354166666667 | data                                                           | 4.033669625654416  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xf000          | 0x68         | 0x200    | 93219434cb3d69672f2d4070d710cb32 | False    | 0.203125           | data                                                           | 1.2434609234962133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            DLL | Imports
            KERNEL32.dll | GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetModuleHandleW, IsProcessorFeaturePresent, LoadLibraryA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, VirtualProtect
            MSVCP140.dll | ?flags@ios_base@std@@QEBAHXZ, ?good@ios_base@std@@QEBA_NXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?width@ios_base@std@@QEAA_J_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xlength_error@std@@YAXPEBD@Z, ?width@ios_base@std@@QEBA_JXZ
            CRYPT32.dll | CertEnumSystemStore
            VCRUNTIME140_1.dll | __CxxFrameHandler4
            VCRUNTIME140.dll | __std_exception_copy, __current_exception_context, memcpy, __current_exception, _CxxThrowException, __C_specific_handler, memset, memchr, __std_exception_destroy
            api-ms-win-crt-string-l1-1-0.dll | isalnum, strlen
            api-ms-win-crt-runtime-l1-1-0.dll | __p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _exit, exit, _invalid_parameter_noinfo_noreturn, _initterm_e, terminate, _configure_narrow_argv, _initterm, _get_initial_narrow_environment, _initialize_onexit_table, _initialize_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function
            api-ms-win-crt-heap-l1-1-0.dll | _callnewh, _set_new_mode, free, malloc
            api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
            api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
            api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
            Timestamp                       | SID     | Signature                                 | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
            2024-09-10T10:58:41.962223+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49704       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:58:46.106093+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49707       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:58:50.183653+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49710       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:58:54.361605+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49713       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:58:58.813542+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49717       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:59:02.907545+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49724       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:59:06.958588+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49727       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:59:10.992677+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49730       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:59:14.951779+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49733       | 116.198.231.169 | 63222     | TCP
            2024-09-10T10:59:19.061173+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3        | 192.168.2.5 | 49736       | 116.198.231.169 | 63222     | TCP


            Target ID:0
            Start time:04:58:38
            Start date:10/09/2024
            Path:C:\Users\user\Desktop\LtmV2sDcTK.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\LtmV2sDcTK.exe"
            Imagebase:0x7ff7026e0000
            File size:51'712 bytes
            MD5 hash:2E7C2FA8C75A99967DBF0D6CCF82D0DF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:6
            Start time:04:59:20
            Start date:10/09/2024
            Path:C:\Windows\System32\WerFault.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WerFault.exe -u -p 5248 -s 1224
            Imagebase:0x7ff60cb40000
            File size:570'736 bytes
            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:10.1%
              Dynamic/Decrypted Code Coverage:1.6%
              Signature Coverage:5.5%
              Total number of Nodes:309
              Total number of Limit Nodes:1
1714->1717 1718 7ff7026e4e5c 1715->1718 1717->1704 1719 7ff7026e4e9f 1718->1719 1721 7ff7026e4eb3 Concurrency::details::WorkQueue::IsStructuredEmpty 1719->1721 1731 7ff7026e403c ?_Xlength_error@std@@YAXPEBD 1719->1731 1722 7ff7026e525c 4 API calls 1721->1722 1723 7ff7026e4f12 Concurrency::details::WorkQueue::IsStructuredEmpty Concurrency::details::VirtualProcessor::Initialize 1722->1723 1724 7ff7026e4fb3 1723->1724 1726 7ff7026e4f54 Concurrency::details::WorkQueue::IsStructuredEmpty 1723->1726 1725 7ff7026e4774 memcpy 1724->1725 1730 7ff7026e4fa4 1725->1730 1732 7ff7026e4774 1726->1732 1728 7ff7026e4f90 1735 7ff7026e4ac0 1728->1735 1730->1717 1731->1721 1738 7ff7026e4a58 memcpy 1732->1738 1734 7ff7026e47a0 Concurrency::details::VirtualProcessor::Initialize 1734->1728 1739 7ff7026e4b88 1735->1739 1738->1734 1742 7ff7026e5044 1739->1742 1743 7ff7026e505d 1742->1743 1746 7ff7026e506c 1742->1746 1748 7ff7026e3f74 1743->1748 1745 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1747 7ff7026e4aed 1745->1747 1746->1745 1747->1730 1749 7ff7026e3fd8 1748->1749 1750 7ff7026e3fea _invalid_parameter_noinfo_noreturn 1749->1750 1751 7ff7026e3ffd 1749->1751 1750->1749 1750->1750 1751->1746 1753 7ff7026e28a2 1752->1753 1754 7ff7026e28a7 1752->1754 1753->1661 1754->1753 1755 7ff7026e2c89 memcpy 1754->1755 1755->1753 1757 7ff7026e229a 1756->1757 1758 7ff7026e229f 1756->1758 1757->1665 1758->1757 1759 7ff7026e267b memcpy 1758->1759 1759->1757 1760->1673 1774 7ff7026e5efc ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2 1761->1774 1764 7ff7026e5e11 1764->1678 1765 7ff7026e5e1c ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2 1765->1764 1766 7ff7026e5e49 1765->1766 1766->1764 1767 7ff7026e5e60 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 ?good@ios_base@std@ 1766->1767 1767->1764 1769 7ff7026e5d8e 1768->1769 1770 7ff7026e5dab 
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 1769->1770 1771 7ff7026e5dba 1769->1771 1770->1771 1776 7ff7026e5ea0 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2 1771->1776 1775 7ff7026e5de9 ?good@ios_base@std@ 1774->1775 1775->1764 1775->1765 1777 7ff7026e5704 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 1776->1777 1777->1556 1779 7ff7026e461d Concurrency::details::WorkQueue::IsStructuredEmpty Concurrency::details::VirtualProcessor::Initialize 1778->1779 1780 7ff7026e4ac0 Concurrency::details::VirtualProcessor::Initialize 2 API calls 1779->1780 1781 7ff7026e4659 Concurrency::details::VirtualProcessor::Initialize 1779->1781 1780->1781 1781->1575 1800 7ff7026e6484 1803 7ff7026e6a00 1800->1803 1804 7ff7026e6a23 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 1803->1804 1805 7ff7026e648d 1803->1805 1804->1805 1806 7ff7026e1080 1807 7ff7026e1097 Concurrency::details::ScheduleGroupBase::LocateSegment 1806->1807 1808 7ff7026e10b1 1807->1808 1809 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1807->1809 1809->1808 1810 7ff7026e1000 1811 7ff7026e452c 7 API calls 1810->1811 1812 7ff7026e1017 1811->1812 1497 6ad78fdf42 1498 6ad78fdf4f LoadLibraryA InternetOpenA 1497->1498 1499 6ad78fe00f 1498->1499 1821 7ff7026e5f74 1822 7ff7026e5f96 1821->1822 1823 7ff7026e5f8c 1821->1823 1824 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1823->1824 1824->1822 1828 7ff7026e2534 1829 7ff7026e253e 1828->1829 1830 7ff7026e254c 1829->1830 1831 7ff7026e267b memcpy 1829->1831 1832 7ff7026e26c1 1831->1832 1833 7ff7026e6cf6 1834 7ff7026e44a4 Concurrency::details::VirtualProcessor::Initialize 2 API calls 1833->1834 1835 7ff7026e6d08 1834->1835 1836 7ff7026e6436 1837 7ff7026e693c GetModuleHandleW 1836->1837 1838 7ff7026e643d 1837->1838 1839 7ff7026e647c _exit 1838->1839 1840 7ff7026e6441 1838->1840 1841 7ff7026e3e6c 1846 
7ff7026e3ea8 1841->1846 1844 7ff7026e3e9d 1845 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1845->1844 1849 7ff7026e3e1c 1846->1849 1852 7ff7026e3d00 __std_exception_destroy 1849->1852 1851 7ff7026e3e2f 1851->1844 1851->1845 1852->1851 1853 7ff7026e6dec 1854 7ff7026e5ea0 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2 1853->1854 1855 7ff7026e6dfe 1854->1855 1856 7ff7026e3eec 1859 7ff7026e3f24 1856->1859 1862 7ff7026e3ca4 __std_exception_copy 1859->1862 1861 7ff7026e3f09 1862->1861 1863 7ff7026e62ec 1867 7ff7026e6990 SetUnhandledExceptionFilter 1863->1867 1868 7ff7026e3d68 1873 7ff7026e3d00 __std_exception_destroy 1868->1873 1870 7ff7026e3d7f 1871 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1870->1871 1872 7ff7026e3d99 1870->1872 1871->1872 1873->1870 1874 7ff7026e6224 1875 7ff7026e6234 1874->1875 1887 7ff7026e6054 1875->1887 1877 7ff7026e67e8 9 API calls 1878 7ff7026e62d9 1877->1878 1879 7ff7026e6258 _RTC_Initialize 1885 7ff7026e62bb 1879->1885 1895 7ff7026e6ab4 InitializeSListHead 1879->1895 1885->1877 1886 7ff7026e62c9 1885->1886 1888 7ff7026e6065 1887->1888 1889 7ff7026e6097 1887->1889 1890 7ff7026e60d4 1888->1890 1893 7ff7026e606a __scrt_release_startup_lock 1888->1893 1889->1879 1891 7ff7026e67e8 9 API calls 1890->1891 1892 7ff7026e60de 1891->1892 1893->1889 1894 7ff7026e6087 _initialize_onexit_table 1893->1894 1894->1889 1896 7ff7026e6da4 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N 1912 7ff7026e6e1c _seh_filter_exe 1913 7ff7026e23db 1914 7ff7026e23e5 1913->1914 1915 7ff7026e23f3 1914->1915 1916 7ff7026e267b memcpy 1914->1916 1916->1915 1917 7ff7026e5d18 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12 1918 7ff7026e5717 1919 7ff7026e56a7 1918->1919 1920 7ff7026e572c 1919->1920 1921 7ff7026e56df memset 1919->1921 
1922 7ff7026e452c 7 API calls 1920->1922 1923 7ff7026e59bc 23 API calls 1921->1923 1924 7ff7026e573e 1922->1924 1925 7ff7026e5704 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 1923->1925 1926 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1924->1926 1925->1920 1927 7ff7026e5759 1926->1927 1928 7ff7026e5f6c Concurrency::details::VirtualProcessor::Initialize free 1927->1928 1929 7ff7026e5774 1928->1929 1930 7ff7026e44cc memcpy 1929->1930 1931 7ff7026e578a 1930->1931 1932 7ff7026e44a4 Concurrency::details::VirtualProcessor::Initialize 2 API calls 1931->1932 1933 7ff7026e57a2 Concurrency::details::ScheduleGroupBase::LocateSegment 1932->1933 1934 7ff7026e44a4 Concurrency::details::VirtualProcessor::Initialize 2 API calls 1933->1934 1935 7ff7026e57be 1934->1935 1782 6ad78fdf9b HttpOpenRequestA 1783 6ad78fdfc2 1782->1783
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2948402496.0000006AD78FD000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000006AD78FD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad78fd000_LtmV2sDcTK.jbxd
              Yara matches
              Similarity
              • API ID: InternetLibraryLoadOpen
              • String ID: wini
              • API String ID: 2559873147-1606035523
              • Opcode ID: 0fd50fba13a0cf412481536cc214a373d68565132ac851142699336e80ce3788
              • Instruction ID: 8d602d621b4695f1b2c0b64586e9c26eae9419304fdd92d8552843cf4ed1c796
              • Opcode Fuzzy Hash: 0fd50fba13a0cf412481536cc214a373d68565132ac851142699336e80ce3788
              • Instruction Fuzzy Hash: 4D92B3314097D1AEEB669F34D055747BFA1FF4B714FA614EDC8C25E423C222A892CB92

              Control-flow Graph

              APIs
              Strings
              • fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G, xrefs: 00007FF7026E57F0
              • kernel32.dll, xrefs: 00007FF7026E5905
              • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF7026E580C
              • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF7026E5825
              Memory Dump Source
              • Source File: 00000000.00000002.2948743654.00007FF7026E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7026E0000, based on PE: true
              • Associated: 00000000.00000002.2948732057.00007FF7026E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948755896.00007FF7026E7000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948768480.00007FF7026ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948780362.00007FF7026EE000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7026e0000_LtmV2sDcTK.jbxd
              Similarity
              • API ID: Concurrency::details::EmptyQueue::StructuredWorkmemcpy$CertEnumLibraryLoadProtectStoreSystemVirtual
              • String ID: W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G$kernel32.dll
              • API String ID: 1274391132-1474288648
              • Opcode ID: 8bd6efedfb835c6262895cf33987eb0a2031c08ad2c6fa2203a3ec108a2f1f03
              • Instruction ID: 9ceb67cb91e9079003d0024157079b23619e3e3ce961b4809c42b418532b2a91
              • Opcode Fuzzy Hash: 8bd6efedfb835c6262895cf33987eb0a2031c08ad2c6fa2203a3ec108a2f1f03
              • Instruction Fuzzy Hash: 444107626085C5A5DE20DB50E8543EAAB62FFD4388FC00032F68D83F69EF6DD545CB10

              Control-flow Graph

              APIs
              Similarity
              • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
              • String ID:
              • API String ID: 1133592946-0
              • Opcode ID: 795f68f39069cbc62f03802973729ce4b798ecc3c9951e2823eb01123459fcb6
              • Instruction ID: d741e5f3a94c63610276c16208300a1599662bb226d457f879e4148df4d71b57
              • Opcode Fuzzy Hash: 795f68f39069cbc62f03802973729ce4b798ecc3c9951e2823eb01123459fcb6
              • Instruction Fuzzy Hash: A8313B23A08142A1EE54BB24DD123B99A9BAF6578CFC45434FA4D07AD7DFEEA404C630

              Control-flow Graph

              APIs
              • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000006AD78FDFB6
              Strings
              Similarity
              • API ID: HttpOpenRequest
              • String ID: U.;
              • API String ID: 1984915467-4213443877
              • Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
              • Instruction ID: 44305753174c8bd9196cf4d3bba622a666c6154d390c1d09de147cadd62bfebf
              • Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
              • Instruction Fuzzy Hash: C7118BA034890D1BF62C919E7C6A73A61CBD3D9726F24812FB50FD33DADC58CC92442A

              Control-flow Graph

              APIs
              Similarity
              • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
              • String ID:
              • API String ID: 313767242-0
              • Opcode ID: e24a973d2b331336046820436802f9fa805a275ff50cf57bd253def1d79dafc7
              • Instruction ID: 165c4d4515767787e93fd8da42e452d47632ec7b406dd1d4b695d76ff97ecb49
              • Opcode Fuzzy Hash: e24a973d2b331336046820436802f9fa805a275ff50cf57bd253def1d79dafc7
              • Instruction Fuzzy Hash: 18316E73608B8196EB60AF60E8503EDB765FB94748F84403AEA4D47F94DF79D248C720

              Control-flow Graph

              Strings
              Similarity
              • API ID:
              • String ID: $
              • API String ID: 0-227171996
              • Opcode ID: ce9985986e7a16e9417682335ff6eac846c42425677f4b87566591c41d316c4d
              • Instruction ID: eff2896412e7869d13bd6cc451c35e579a325a3c45e4e6ea64a2724e9833a999
              • Opcode Fuzzy Hash: ce9985986e7a16e9417682335ff6eac846c42425677f4b87566591c41d316c4d
              • Instruction Fuzzy Hash: D152EC73609A81CADB74CB19E88076ABBA1F7C8749F444236E68E83B58DB7DD551CF00

              Control-flow Graph

              APIs
              Similarity
              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 2933794660-0
              • Opcode ID: 4f0ed3d7c44258c2662e79e85a0674993ec415bbcf6ffa42194b6fbc29eb623c
              • Instruction ID: 483f9936a87a96696d5a3d7080d295c4ec23efad519407356c98837bb1fc7268
              • Opcode Fuzzy Hash: 4f0ed3d7c44258c2662e79e85a0674993ec415bbcf6ffa42194b6fbc29eb623c
              • Instruction Fuzzy Hash: 36113A66B14B419AEF00DF60EC442A877A4FB58758F840E31EA6D46BA4DFB8D159C350

              Control-flow Graph

              APIs
                • Part of subcall function 00007FF7026E4A3C: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF7026E4556,?,?,?,?,?,?,00007FF7026E1017), ref: 00007FF7026E4A4A
              • ?width@ios_base@std@@QEBA_JXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5A04
              • ?width@ios_base@std@@QEBA_JXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5A2F
              • ?width@ios_base@std@@QEBA_JXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5A5C
              • ?flags@ios_base@std@@QEBAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5AD5
              • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5B24
              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5B4B
              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5B5A
              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5BB4
              • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5BCA
              • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5C32
              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5C59
              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5C68
              • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5CBD
              • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7026E5704), ref: 00007FF7026E5CED
              Memory Dump Source
              • Source File: 00000000.00000002.2948743654.00007FF7026E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7026E0000, based on PE: true
              • Associated: 00000000.00000002.2948732057.00007FF7026E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948755896.00007FF7026E7000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948768480.00007FF7026ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948780362.00007FF7026EE000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7026e0000_LtmV2sDcTK.jbxd
              Similarity
              • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@strlen
              • String ID:
              • API String ID: 207065933-0
              • Opcode ID: 9a543b72adef7ad1c54ef009d41528a2a851eb801f28244e436a9c4c31cf3d2f
              • Instruction ID: 517b75039dbf1c43d4e1b85126ee5b720a16c3e834456e67579ed1fa098c4a9b
              • Opcode Fuzzy Hash: 9a543b72adef7ad1c54ef009d41528a2a851eb801f28244e436a9c4c31cf3d2f
              • Instruction Fuzzy Hash: F1910F73608B8596DE60DB15E894369FBA1FF88B89F808035EA8E87B54DF7DD004CB10

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2948743654.00007FF7026E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7026E0000, based on PE: true
              • Associated: 00000000.00000002.2948732057.00007FF7026E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948755896.00007FF7026E7000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948768480.00007FF7026ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948780362.00007FF7026EE000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7026e0000_LtmV2sDcTK.jbxd
              Similarity
              • API ID: Concurrency::details::EmptyQueue::StructuredV01@Workmemcpy$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@memset
              • String ID:
              • API String ID: 2816322446-0
              • Opcode ID: da4bcb04198c5e8b51ca7315bf35769bb5109326478fd0f2e9130ee28da45189
              • Instruction ID: 0d11174c2edb3568dc43789fb87d0b7ac2daa58c21b015ad144c253fda98ddf5
              • Opcode Fuzzy Hash: da4bcb04198c5e8b51ca7315bf35769bb5109326478fd0f2e9130ee28da45189
              • Instruction Fuzzy Hash: 63711C6261CAC195DA50EB15F8903AEFB61FBC5784F901026FA8E83B69DF7DD444CB10

              Control-flow Graph

              APIs
                • Part of subcall function 00007FF7026E5EFC: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,00007FF7026E5DE9), ref: 00007FF7026E5F3E
              • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7026E5E04
              • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF7026E5E36
              Memory Dump Source
              • Source File: 00000000.00000002.2948743654.00007FF7026E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7026E0000, based on PE: true
              • Associated: 00000000.00000002.2948732057.00007FF7026E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948755896.00007FF7026E7000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948768480.00007FF7026ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2948780362.00007FF7026EE000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7026e0000_LtmV2sDcTK.jbxd
              Similarity
              • API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
              • String ID:
              • API String ID: 3792166412-0
              • Opcode ID: 13b0947ac47d77500c650e49bf78466621c48817c9b605b7b586476316c5a0b5
              • Instruction ID: 285355e6f6d7308dad47cfe0ef032fb45aa014da0a4fbbfddd3f40f4f80649f8
              • Opcode Fuzzy Hash: 13b0947ac47d77500c650e49bf78466621c48817c9b605b7b586476316c5a0b5
              • Instruction Fuzzy Hash: E321BE2660DB8591DE10EB19E894229ABB1FBC9BC8F944025EF8E43B64DF7ED454C710
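              The MSVCP140 call order listed for the function at 7ff7026e59bc (strlen, three width() reads, two sputc loops around one sputn, width(0), setstate) and the good()/tie() pair at 7ff7026e5de9 are consistent with the statically linked MSVC STL inserter for C strings and its ostream sentry, that is, runtime code rather than sample-specific logic. The C++ below is an added reference implementation written for this page; it is not code from the sample, from Joe Sandbox, or from Microsoft's STL, and the names insert_padded, padded, width_after_insert and badbit_after_failed_sentry are the example's own. Compiling it and comparing the produced call order against the refs above is one way to confirm the match before spending analysis time on these blocks.

```cpp
// Added reference implementation; not code from the sample, the report or MSVC's STL.
// Reproduces the MSVCP140 call order seen in the dumped function at 7ff7026e59bc:
//   strlen -> width() x3 -> sentry (tie()/good()) -> flags() -> [fill()/rdbuf()->sputc()]*
//   -> rdbuf()->sputn() -> [fill()/rdbuf()->sputc()]* -> width(0) -> setstate()
// which is the standard padded insertion of a C string into a std::ostream.
#include <cstring>
#include <ios>
#include <iostream>
#include <ostream>
#include <sstream>
#include <streambuf>
#include <string>

// Insert the NUL-terminated string s into os, honouring width(), fill() and the
// adjustfield flag, then reset width() to 0 as a single insertion does.
std::ostream& insert_padded(std::ostream& os, const char* s) {
    std::ios_base::iostate state = std::ios_base::goodbit;
    const std::streamsize count = static_cast<std::streamsize>(std::strlen(s));
    // Three width() reads: the "<= 0", "<= count" and "- count" cases.
    const std::streamsize pad =
        (os.width() <= 0 || os.width() <= count) ? 0 : os.width() - count;

    // The sentry flushes tie() and checks good(); if it fails only setstate runs.
    const std::ostream::sentry ok(os);
    if (!ok) {
        state |= std::ios_base::badbit;
    } else {
        std::streamsize left = pad;
        const bool left_adjusted =
            (os.flags() & std::ios_base::adjustfield) == std::ios_base::left;
        // Leading fill characters unless the field is left-adjusted (first sputc loop).
        if (!left_adjusted) {
            for (; left > 0; --left) {
                if (std::char_traits<char>::eq_int_type(
                        std::char_traits<char>::eof(), os.rdbuf()->sputc(os.fill()))) {
                    state |= std::ios_base::badbit;
                    break;
                }
            }
        }
        // The payload itself goes out through a single sputn.
        if (state == std::ios_base::goodbit && os.rdbuf()->sputn(s, count) != count) {
            state |= std::ios_base::badbit;
        }
        // Trailing fill characters when left-adjusted (second sputc loop).
        if (state == std::ios_base::goodbit) {
            for (; left > 0; --left) {
                if (std::char_traits<char>::eq_int_type(
                        std::char_traits<char>::eof(), os.rdbuf()->sputc(os.fill()))) {
                    state |= std::ios_base::badbit;
                    break;
                }
            }
        }
        os.width(0);
    }
    os.setstate(state);
    return os;
}

// Demo helper: format s with the given field width, fill character and adjustment.
std::string padded(const char* s, std::streamsize width, char fill, bool left_adjust) {
    std::ostringstream out;
    out.width(width);
    out.fill(fill);
    out.setf(left_adjust ? std::ios_base::left : std::ios_base::right,
             std::ios_base::adjustfield);
    insert_padded(out, s);
    return out.str();
}

// Width is consumed by the insertion: returns the stream's width() afterwards.
std::streamsize width_after_insert(const char* s, std::streamsize width) {
    std::ostringstream out;
    out.width(width);
    insert_padded(out, s);
    return out.width();
}

// A stream that is already not good() makes the sentry fail; badbit is then set.
bool badbit_after_failed_sentry() {
    std::ostringstream out;
    out.setstate(std::ios_base::failbit);
    insert_padded(out, "ignored");
    return out.bad();
}

int main() {
    std::cout << '[' << padded("abc", 6, ' ', false) << "]\n";    // [   abc]
    std::cout << '[' << padded("abc", 6, '*', true) << "]\n";     // [abc***]
    std::cout << '[' << padded("abcdef", 3, ' ', false) << "]\n"; // [abcdef]
    return 0;
}
```

              Stepping the compiled function in a debugger gives the same order of MSVCP140 imports as the refs listed for 7ff7026e59bc, which is the check that separates linked runtime code from the loader logic worth reversing.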