
Windows Analysis Report
QT2hJT3Syn.exe

Overview

General Information

Sample name: QT2hJT3Syn.exe (renamed because original name is a hash value)
Original sample name: 9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff.exe
Analysis ID: 1508523
MD5: d19f3280851b5e9510a63fe7c80466ae
SHA1: 00e04653569a6d8244edff8765deec3d6ed9c15f
SHA256: 9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff
Tags: 116-198-231-169, exe

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
One or more processes crash
PE file contains an invalid checksum
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QT2hJT3Syn.exe (PID: 420 cmdline: "C:\Users\user\Desktop\QT2hJT3Syn.exe" MD5: D19F3280851B5E9510A63FE7C80466AE)
    • WerFault.exe (PID: 2016 cmdline: C:\Windows\system32\WerFault.exe -u -p 420 -s 1420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Extracted malware configuration (CobaltStrike): {"C2Server": "http://116.198.231.169:63222/jquery-3.7.2.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Extracted malware configuration (Metasploit): {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.7.2.min.js"}
Yara matches in dropped files (Source / Rule / Description / Author / Strings):

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x9cab:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x9d17:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Yara matches in memory (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp
Rule: JoeSecurity_CobaltStrike_3
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x6e5:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x751:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-10T10:54:09.021829+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49706 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:12.997124+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49709 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:17.184645+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:21.181917+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49717 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:25.369978+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49721 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:29.532212+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49724 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:33.558180+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49727 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:37.561102+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49730 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:41.639898+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49733 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:54:45.720763+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49736 | 116.198.231.169 | 63222 | TCP

AV Detection

Source: QT2hJT3Syn.exe | Avira: detected
Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.7.2.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.7.2.min.js"}
Source: QT2hJT3Syn.exe | ReversingLabs: Detection: 28%
Source: QT2hJT3Syn.exe | Virustotal: Detection: 31%
Source: QT2hJT3Syn.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: http://116.198.231.169:63222/jquery-3.7.2.min.js
Source: Malware configuration extractor | URLs: http://116.198.231.169/jquery-3.7.2.min.js
Source: global traffic | TCP traffic: 192.168.2.9:49706 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49712 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49727 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49706 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49717 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49724 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49730 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49709 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49736 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49733 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49721 -> 116.198.231.169:63222
Source: unknown | TCP traffic detected without corresponding DNS query: 116.198.231.169 (50 identical entries)
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92727000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92727000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/$
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B9270C000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/
Source: QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/=
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B926BC000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.js
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92704000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jsUsK
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jsl
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jss
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jst
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B9270C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/rosoft
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/w

      System Summary

      barindex
      Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
      Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
      Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, type: DROPPEDMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
      Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, type: DROPPEDMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_00007FF6C3903EB00_2_00007FF6C3903EB0
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_00007FF6C3902DC00_2_00007FF6C3902DC0
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_00007FF6C39025E00_2_00007FF6C39025E0
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_00007FF6C39043600_2_00007FF6C3904360
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_00007FF6C3902A600_2_00007FF6C3902A60
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_0000000902FAE7E00_2_0000000902FAE7E0
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 420 -s 1420
      Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
      Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
      Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
      Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
      Source: classification engineClassification label: mal92.troj.winEXE@2/5@0/1
      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess420
      Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\e7ede1d1-617a-4641-bd8f-97c37e993ecaJump to behavior
      Source: QT2hJT3Syn.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: QT2hJT3Syn.exeReversingLabs: Detection: 28%
      Source: QT2hJT3Syn.exeVirustotal: Detection: 31%
      Source: unknownProcess created: C:\Users\user\Desktop\QT2hJT3Syn.exe "C:\Users\user\Desktop\QT2hJT3Syn.exe"
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 420 -s 1420
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: msvcp140.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: vcruntime140_1.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: vcruntime140.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: vcruntime140.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: vcruntime140_1.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
      Source: QT2hJT3Syn.exeStatic PE information: Image base 0x140000000 > 0x60000000
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: QT2hJT3Syn.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: QT2hJT3Syn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: QT2hJT3Syn.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: QT2hJT3Syn.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: QT2hJT3Syn.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: QT2hJT3Syn.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: QT2hJT3Syn.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: QT2hJT3Syn.exeStatic PE information: real checksum: 0x118b0 should be: 0x1df90
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_0000000902FAE7E0 push eax; ret 0_2_0000000902FAEA5B
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exeCode function: 0_2_0000000902FAE7FF push eax; ret 0_2_0000000902FAEA5B
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B9270C000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92746000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92746000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF6C3902038 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C3902038
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF6C390221C SetUnhandledExceptionFilter,0_2_00007FF6C390221C
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF6C3902038 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C3902038
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF6C390228C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6C390228C
Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

      Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
ATT&CK Matrix (tactic: techniques; a number in parentheses is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Time Discovery (1); Security Software Discovery (21); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Source | Detection | Scanner | Label
QT2hJT3Syn.exe | 29% | ReversingLabs | Win64.Backdoor.Cobeacon
QT2hJT3Syn.exe | 31% | Virustotal | -
QT2hJT3Syn.exe | 100% | Avira | TR/AD.PatchedWinSwrort.uidrr
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
https://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.7.2.min.jst | 0% | Avira URL Cloud | safe
https://116.198.231.169/$ | 0% | Avira URL Cloud | safe
http://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.7.2.min.jss | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/ | 0% | Avira URL Cloud | safe
http://116.198.231.169/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/= | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.7.2.min.jsl | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/rosoft | 0% | Avira URL Cloud | safe
https://116.198.231.169/ | 0% | Avira URL Cloud | safe
http://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Virustotal | -
https://116.198.231.169:63222/ | 0% | Virustotal | -
https://116.198.231.169:63222/w | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.7.2.min.jsUsK | 0% | Avira URL Cloud | safe
https://116.198.231.169/ | 0% | Virustotal | -
https://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Virustotal | -
      No contacted domains info
Contacted URLs (Name, Malicious, Antivirus Detection, Reputation)

Name: http://116.198.231.169:63222/jquery-3.7.2.min.js
Malicious: true
Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://116.198.231.169/jquery-3.7.2.min.js
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URLs from memory and binary strings (Name, Source, Malicious, Antivirus Detection, Reputation)

Name: https://116.198.231.169/$
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92727000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/jquery-3.7.2.min.js
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B926BC000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/jquery-3.7.2.min.jst
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/jquery-3.7.2.min.jss
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B9270C000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://upx.sf.net
Source: Amcache.hve.7.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://116.198.231.169:63222/=
Source: QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/jquery-3.7.2.min.jsl
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1608359854.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1708837173.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1648594354.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1628687831.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1688621736.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/rosoft
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B9270C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169/
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92727000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0% Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/w
Source: QT2hJT3Syn.exe, 00000000.00000003.1729412419.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1749896413.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1770218937.0000018B92754000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1790192849.0000018B92754000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://116.198.231.169:63222/jquery-3.7.2.min.jsUsK
Source: QT2hJT3Syn.exe, 00000000.00000002.1862944008.0000018B92704000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
116.198.231.169 | unknown | China | 137699 | CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian | true
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1508523
      Start date and time:2024-09-10 10:53:08 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 3m 59s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:12
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:QT2hJT3Syn.exe
      renamed because original name is a hash value
      Original Sample Name:9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff.exe
      Detection:MAL
      Classification:mal92.troj.winEXE@2/5@0/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 5
      • Number of non-executed functions: 10
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.42.65.92
      • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:54:54 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
      No context
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian | gOEF4WOJ3c.elf | malicious | Unknown | 116.198.238.210
      No context
      No context
      Process:C:\Windows\System32\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.9838394803953416
      Encrypted:false
      SSDEEP:192:jsBSd0I3DLNOj/XWPzuiFrzZ24lO8TiG:wBSeI3DkjQzuiFrzY4lO8TL
      MD5:84C27111EF538A1E3F35704D2BB5949D
      SHA1:892A290423362FD04351F21B95CB811B3213D63A
      SHA-256:05F46313650C86B05FD475DB980C2B80F03B1C7E2A463952688E6C6E0FF7CE4C
      SHA-512:846EF2FFF6229FCD2FB6102DB3078E806495DB86CF1ECD82EDD9299B0DD28837B42FE34EB345F319BD1BAD6E722F65F3811FF7FCE6CD1818FA63D8432227B74B
      Malicious:true
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.3.2.0.8.7.5.5.6.1.8.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.3.2.0.8.7.9.7.8.0.6.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.d.a.d.3.6.d.-.3.d.b.4.-.4.f.4.b.-.a.f.f.7.-.2.7.2.9.4.3.b.6.f.4.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.e.d.4.6.a.3.-.b.d.3.5.-.4.5.b.e.-.8.8.d.4.-.c.5.e.b.4.9.b.7.2.2.b.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.T.2.h.J.T.3.S.y.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.a.4.-.0.0.0.1.-.0.0.1.4.-.d.4.e.d.-.0.e.f.b.5.e.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.5.7.6.0.0.8.f.d.d.c.2.3.1.c.4.b.6.b.8.e.a.6.2.2.3.3.e.0.9.7.0.0.0.0.0.0.9.0.4.!.0.0.0.0.0.0.e.0.4.6.5.3.5.6.9.a.6.d.8.2.4.4.e.d.f.f.8.7.6.5.d.e.e.c.3.d.6.e.d.9.c.1.5.f.!.Q.T.2.h.J.T.3.S.y.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.8././.0.9.
      Process:C:\Windows\System32\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Sep 10 08:54:47 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):181100
      Entropy (8bit):1.3555617465497876
      Encrypted:false
      SSDEEP:1536:h1R0832p+8OhardsoKz8XeWjJFikzlbxbq:LR0832pfOhardsoa8XeWjJFikzFc
      MD5:8E3F521959D597E309C15A8DFFD81638
      SHA1:FD086391DF5409A8B7A2075F0B7753A60070518D
      SHA-256:C9F22A6C84B6CB09B8DC4617D44B79AF1564BDE8CAE130ECC6BA36761F9AF5EF
      SHA-512:132A8578617C223D84ACF05AF76D28E8E159964A7F01C29A7C57399481E50FD047CE30CA0EAA3A19B77D5104E4E65AE5100974D79CABB9359C364FDD4C4AF3B6
      Malicious:false
      Yara Hits:
      • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, Author: unknown
      • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AA.tmp.dmp, Author: unknown
      Reputation:low
      Preview:MDMP..a..... .......W..f............D...............L.......$....f..........T.......8...........T...........H6..$...........@...........,!..............................................................................eJ.......!......Lw......................T...........)..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):10228
      Entropy (8bit):3.719384091537201
      Encrypted:false
      SSDEEP:192:R6l7wVeJJx86YcDQnHJgmfKkpDH89b0POf58m:R6lXJ/86YXnHJgmfKR0mfX
      MD5:AC53D3032795F9CE9553EB03A74369A2
      SHA1:F340BBF34BC5F94C02D2EA9AE1F1E0CF8B75FC7F
      SHA-256:BBD5C4FF6ECB57F200E4A1831C2F4FD62E2A6CF0195E309B4FFF66A6EDE311A2
      SHA-512:B2978C535FD5696F2D738590FAD3D5A15B34A7AE1F85658F72AF9600E22A81EB7823BADDE24981CD30C10F6D897DA9AFC931D858CB72067063AFFA0621DAC40C
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.0.<./.P.i.d.
      Process:C:\Windows\System32\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4693
      Entropy (8bit):4.502807954957068
      Encrypted:false
      SSDEEP:48:cvIwWl8zs9Jg771I9p+WpW8VY9Ym8M4JYBOKFRyq85doOQlkFR/bd:uIjfXI7+/7V9JA1/PlkFNbd
      MD5:745382C41030B861E9F12BEEB23EC113
      SHA1:4D462674E4AE37F0994EAFC4ACD69B5CFD7773F4
      SHA-256:D811D55928B364681B261E3BE51F0CFA7426294DEA8AEA8AB21857AEA72093DD
      SHA-512:8DBA70DFD9E7ED8208A73FEC2FA56895CF2A5C9814DC2E3D273C5BABB544C46FC33A29BB6543A570D87045868A21ADE5291E9F76F94D5F15EB3DBC396831FB42
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="493917" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\System32\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.394304484077498
      Encrypted:false
      SSDEEP:6144:jl4fiJoH0ncNXiUjt10qpG/gaocYGBoaUMMhA2NX4WABlBuNAmOBSqa:h4vFpMYQUMM6VFYSmU
      MD5:185A4D57B2D8CA069E8D37015095AE3B
      SHA1:6F2879DF9A37BAC4110DFB8436FD7603374BA9DB
      SHA-256:947FF6AF18750CD06BAE6CBF6F9ACB1C1D107B30859DA5F3CB7AAC727354DA3A
      SHA-512:2018091926AA411AA95B7E525EFFEB932B2606EBA579423A04BDE353189A05221D8B366BA7BE218D1EFF0F8EF93EFACF2D4E3F652A88303F6ECB4D0B31145ACB
      Malicious:false
      Reputation:low
      Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm./.._...............................................................................................................................................................................................................................................................................................................................................;&."........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      File type:PE32+ executable (GUI) x86-64, for MS Windows
      Entropy (8bit):7.269430115749708
      TrID:
      • Win64 Executable GUI (202006/5) 92.65%
      • Win64 Executable (generic) (12005/4) 5.51%
      • Generic Win/DOS Executable (2004/3) 0.92%
      • DOS Executable Generic (2002/1) 0.92%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:QT2hJT3Syn.exe
      File size:67'584 bytes
      MD5:d19f3280851b5e9510a63fe7c80466ae
      SHA1:00e04653569a6d8244edff8765deec3d6ed9c15f
      SHA256:9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff
      SHA512:78650af411cfc8a1a1cf05a2538454fa5de7b3c6b6d80eef0193b1d3270389f69f998f1e80768f949167b6075aca1fd70be22b006e11fbd63a725c4097b3a99a
      SSDEEP:1536:mWHMTN/JJ86S4oqiEcpI6rAz/saT4c6WuC0J8:mWIJ8L1U/T4c6W70J8
      TLSH:D963BF9A7B428CFEE95613388123A49EF3F27C111B22ABFF47C601552D633D96C7A650
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q...Q...Q...X.N.].......R.......X.......H.......W.......T...Q.......B...P...B...R...B...P...RichQ...................PE..d..
      Icon Hash:0729494959591b1e
      Entrypoint:0x140001cf4
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x140000000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x66B5A165 [Fri Aug 9 04:56:05 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:6102f16ed129485447b57b8b35734f82
      Instruction
      dec eax
      sub esp, 28h
      call 00007F7504F12F24h
      dec eax
      add esp, 28h
      jmp 00007F7504F1280Fh
      int3
      int3
      jmp 00007F7504F13156h
      int3
      int3
      int3
      dec eax
      and dword ptr [ecx+10h], 00000000h
      dec eax
      lea eax, dword ptr [00004664h]
      dec eax
      mov dword ptr [ecx+08h], eax
      dec eax
      lea eax, dword ptr [00004649h]
      dec eax
      mov dword ptr [ecx], eax
      dec eax
      mov eax, ecx
      ret
      int3
      int3
      dec eax
      sub esp, 48h
      dec eax
      lea ecx, dword ptr [esp+20h]
      call 00007F7504F12967h
      dec eax
      lea edx, dword ptr [000091C3h]
      dec eax
      lea ecx, dword ptr [esp+20h]
      call 00007F7504F13078h
      int3
      dec eax
      mov dword ptr [esp+10h], ebx
      dec eax
      mov dword ptr [esp+18h], esi
      push ebp
      push edi
      inc ecx
      push esi
      dec eax
      mov ebp, esp
      dec eax
      sub esp, 10h
      xor eax, eax
      xor ecx, ecx
      cpuid
      inc esp
      mov eax, ecx
      inc esp
      mov edx, edx
      inc ecx
      xor edx, 49656E69h
      inc ecx
      xor eax, 6C65746Eh
      inc esp
      mov ecx, ebx
      inc esp
      mov esi, eax
      xor ecx, ecx
      mov eax, 00000001h
      cpuid
      inc ebp
      or edx, eax
      mov dword ptr [ebp-10h], eax
      inc ecx
      xor ecx, 756E6547h
      mov dword ptr [ebp-0Ch], ebx
      inc ebp
      or edx, ecx
      mov dword ptr [ebp-08h], ecx
      mov edi, ecx
      mov dword ptr [ebp-04h], edx
      jne 00007F7504F129EDh
      dec eax
      or dword ptr [0000A26Dh], FFFFFFFFh
      and eax, 0FFF3FF0h
      dec eax
      mov dword ptr [00000055h], 00000000h
      Programming Language:
      • [IMP] VS2008 SP1 build 30729
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaff4 | 0xf0 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x56ec | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd000 | 0x438 | .pdata
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0x70 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa3b0 | 0x38 | .rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa270 | 0x140 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x290 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x4584 | 0x4600 | d031826de6e0e6fb9ccc321e78e11d07 | False | 0.5434151785714286 | data | 6.374369452326817 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x6000 | 0x5bc4 | 0x5c00 | d9c437122c60c894b2f54adf5a7e1a71 | False | 0.6548488451086957 | data | 7.210114059723916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xc000 | 0x200 | 0x200 | 59db9f2a508b239ec802e9d0119966a6 | False | 0.26171875 | DOS executable (block device driver \377\377\377\377\377\377) | 2.224911641545331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .pdata | 0xd000 | 0x438 | 0x600 | 221a3fb74e87cf68c7ec77be366c615c | False | 0.3580729166666667 | data | 3.1722964215356337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0xe000 | 0x70 | 0x200 | 81c0371bb37172bdb766a9f4233486e2 | False | 0.224609375 | data | 1.3216181203289816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      .rsrc | 0xf000 | 0x56ec | 0x5800 | 568a6f175845f6ba67d1ccd2ac08b100 | False | 0.9483753551136364 | data | 7.839562838980695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0xf2a8 | 0x2ec | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0147058823529411
      RT_ICON | 0xf594 | 0x592 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0077138849929874
      RT_ICON | 0xfb28 | 0x8f4 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0047993019197208
      RT_ICON | 0x1041c | 0x156d | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0020054694621696
      RT_ICON | 0x1198c | 0x324 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.013681592039801
      RT_ICON | 0x11cb0 | 0x60c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0071059431524547
      RT_ICON | 0x122bc | 0x998 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0044788273615635
      RT_ICON | 0x12c54 | 0x16b3 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0018929616245051
      RT_GROUP_ICON | 0x14308 | 0x3e | data | | | 0.8709677419354839
      RT_GROUP_ICON | 0x14348 | 0x3e | data | | | 0.8870967741935484
      RT_VERSION | 0x14388 | 0x364 | data | English | United States | 0.5483870967741935
      DLL | Import
      KERNEL32.dll | HeapCreate, WaitForSingleObject, Sleep, LoadLibraryA, CreateThread, HeapAlloc, GetModuleHandleW, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, QueryPerformanceCounter
      USER32.dll | MessageBoxW
      MSVCP140.dll | ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?good@ios_base@std@@QEBA_NXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xlength_error@std@@YAXPEBD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
      VCRUNTIME140_1.dll | __CxxFrameHandler4
      VCRUNTIME140.dll | __current_exception, _CxxThrowException, __current_exception_context, memcpy, __C_specific_handler, __std_exception_copy, __std_exception_destroy, __std_terminate, memset, memchr
      api-ms-win-crt-string-l1-1-0.dll | isalnum, strcmp
      api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, _initterm, _register_thread_local_exe_atexit_callback, terminate, _c_exit, _set_app_type, exit, _exit, _seh_filter_exe, _get_narrow_winmain_command_line, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _invalid_parameter_noinfo_noreturn, _cexit
      api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, malloc, _callnewh
      api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
      api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
      api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
      Language of compilation system | Country where language is spoken | Map
      English | United States | 
      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
      2024-09-10T10:54:09.021829+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49706 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:12.997124+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49709 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:17.184645+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49712 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:21.181917+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49717 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:25.369978+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49721 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:29.532212+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49724 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:33.558180+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49727 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:37.561102+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49730 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:41.639898+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49733 | 116.198.231.169 | 63222 | TCP
      2024-09-10T10:54:45.720763+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49736 | 116.198.231.169 | 63222 | TCP
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Sep 10, 2024 10:54:07.016092062 CEST | 49706 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:07.021130085 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:07.021254063 CEST | 49706 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:07.036092043 CEST | 49706 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:07.041214943 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:09.021452904 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:09.021828890 CEST | 49706 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:09.021830082 CEST | 49706 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:09.022531986 CEST | 49707 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:09.027584076 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:09.028564930 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:09.028640985 CEST | 49707 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:09.028907061 CEST | 49707 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:09.034774065 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.012276888 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.012468100 CEST | 49707 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.012545109 CEST | 49707 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.013183117 CEST | 49708 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.017399073 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.017961025 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.018033028 CEST | 49708 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.018191099 CEST | 49708 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.020723104 CEST | 49709 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.023258924 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.023333073 CEST | 49708 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.025650978 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:11.025796890 CEST | 49709 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.027144909 CEST | 49709 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:11.031946898 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:12.996912956 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:12.997123957 CEST | 49709 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:12.997174025 CEST | 49709 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:12.997859001 CEST | 49710 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:13.003571987 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:13.003607035 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:13.003686905 CEST | 49710 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:13.003982067 CEST | 49710 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:13.009695053 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.104696035 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.104773998 CEST | 49710 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.104852915 CEST | 49710 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.105547905 CEST | 49711 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.109710932 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.110618114 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.110690117 CEST | 49711 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.110810041 CEST | 49711 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.113152027 CEST | 49712 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.115993023 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.116059065 CEST | 49711 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.118294954 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:15.118370056 CEST | 49712 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.118671894 CEST | 49712 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:15.123567104 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:17.184556961 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:17.184644938 CEST | 49712 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:17.184762001 CEST | 49712 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:17.185298920 CEST | 49713 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:17.189579010 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:17.190291882 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:17.190367937 CEST | 49713 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:17.190586090 CEST | 49713 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:17.195439100 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.167866945 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.167947054 CEST | 49713 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.168054104 CEST | 49713 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.168622971 CEST | 49716 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.172873974 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.173470020 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.173548937 CEST | 49716 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.173671007 CEST | 49716 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.178932905 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.178989887 CEST | 49716 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.183950901 CEST | 49717 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.188929081 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:19.188997030 CEST | 49717 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.190561056 CEST | 49717 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:19.195528984 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:21.181823015 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:21.181916952 CEST | 49717 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:21.182200909 CEST | 49717 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:21.183110952 CEST | 49719 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:21.186930895 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:21.188055038 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:21.188150883 CEST | 49719 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:21.188486099 CEST | 49719 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:21.193314075 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.246778965 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.246881962 CEST | 49719 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.276552916 CEST | 49719 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.278177977 CEST | 49720 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.281780958 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.283040047 CEST | 63222 | 49720 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.283150911 CEST | 49720 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.284111977 CEST | 49720 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.288630962 CEST | 49721 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.289196968 CEST | 63222 | 49720 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.289252996 CEST | 49720 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.293617010 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:23.293698072 CEST | 49721 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.294167995 CEST | 49721 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:23.299197912 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:25.369527102 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:25.369977951 CEST | 49721 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:25.369977951 CEST | 49721 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:25.370637894 CEST | 49722 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:25.374855995 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:25.375441074 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:25.375513077 CEST | 49722 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:25.375744104 CEST | 49722 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:25.380538940 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.451416969 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.451642990 CEST | 49722 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.451745033 CEST | 49722 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.452615976 CEST | 49723 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.456885099 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.457632065 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.457719088 CEST | 49723 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.457814932 CEST | 49723 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.460241079 CEST | 49724 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.463067055 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.463130951 CEST | 49723 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.465142965 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:27.465209961 CEST | 49724 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.465545893 CEST | 49724 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:27.470361948 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:29.532124996 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:29.532212019 CEST | 49724 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:29.532360077 CEST | 49724 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:29.537158966 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:29.537523985 CEST | 49725 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:29.542424917 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:29.542541027 CEST | 49725 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:29.542953014 CEST | 49725 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:29.547945023 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.567467928 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.567590952 CEST | 49725 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.567713976 CEST | 49725 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.571324110 CEST | 49726 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.572571993 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.576250076 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.576364040 CEST | 49726 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.576531887 CEST | 49726 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.581576109 CEST | 49727 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.581733942 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.581799984 CEST | 49726 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.586484909 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:31.586555958 CEST | 49727 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.586843014 CEST | 49727 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:31.591768026 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:33.558120012 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:33.558180094 CEST | 49727 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:33.558372021 CEST | 49727 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:33.562309980 CEST | 49728 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:33.563705921 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:33.569133043 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:33.569209099 CEST | 49728 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:33.569993019 CEST | 49728 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:33.575047016 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.571562052 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.571686029 CEST | 49728 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.571830988 CEST | 49728 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.572523117 CEST | 49729 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.576606989 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.577461958 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.577547073 CEST | 49729 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.577619076 CEST | 49729 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.579514980 CEST | 49730 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.582861900 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.582928896 CEST | 49729 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.584383011 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:35.584456921 CEST | 49730 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.584702015 CEST | 49730 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:35.589514971 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:37.560899019 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:37.561101913 CEST | 49730 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:37.561212063 CEST | 49730 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:37.563808918 CEST | 49731 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:37.566200018 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:37.569186926 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:37.569258928 CEST | 49731 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:37.569531918 CEST | 49731 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:37.575814962 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.582501888 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.582585096 CEST | 49731 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.582681894 CEST | 49731 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.586247921 CEST | 49732 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.587562084 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.591150045 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.591223955 CEST | 49732 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.591350079 CEST | 49732 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.593759060 CEST | 49733 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.596689939 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.596738100 CEST | 49732 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.598694086 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:39.598774910 CEST | 49733 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.599127054 CEST | 49733 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:39.604013920 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:41.639740944 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:41.639898062 CEST | 49733 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:41.640079021 CEST | 49733 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:41.643310070 CEST | 49734 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:41.644928932 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:41.648292065 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:41.648375988 CEST | 49734 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:41.648718119 CEST | 49734 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:41.653645992 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.688385010 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.688458920 CEST | 49734 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.688575029 CEST | 49734 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.692219973 CEST | 49735 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.693375111 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.697324991 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.697393894 CEST | 49735 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.697510958 CEST | 49735 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.701380968 CEST | 49736 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.702502012 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.702564001 CEST | 49735 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.706326008 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:43.706449032 CEST | 49736 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.706831932 CEST | 49736 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:43.711602926 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:45.720673084 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:45.720762968 CEST | 49736 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:45.720877886 CEST | 49736 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:45.724683046 CEST | 49737 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:45.725920916 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:45.729635000 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:45.729727030 CEST | 49737 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:45.730057955 CEST | 49737 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:45.734935999 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:47.717924118 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:47.718033075 CEST | 49737 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:47.718203068 CEST | 49737 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:47.720426083 CEST | 49738 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:47.724200964 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:47.725434065 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:47.725502014 CEST | 49738 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:47.725620985 CEST | 49738 | 63222 | 192.168.2.9 | 116.198.231.169
      Sep 10, 2024 10:54:47.730977058 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.9
      Sep 10, 2024 10:54:47.731024981 CEST | 49738 | 63222 | 192.168.2.9 | 116.198.231.169


      Target ID:0
      Start time:04:54:01
      Start date:10/09/2024
      Path:C:\Users\user\Desktop\QT2hJT3Syn.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\QT2hJT3Syn.exe"
      Imagebase:0x7ff6c3900000
      File size:67'584 bytes
      MD5 hash:D19F3280851B5E9510A63FE7C80466AE
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
      Reputation:low
      Has exited:true

      Target ID:7
      Start time:04:54:47
      Start date:10/09/2024
      Path:C:\Windows\System32\WerFault.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\WerFault.exe -u -p 420 -s 1420
      Imagebase:0x7ff7a1930000
      File size:570'736 bytes
      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true


        Execution Graph

        Execution Coverage:12%
        Dynamic/Decrypted Code Coverage:6.9%
        Signature Coverage:30.7%
        Total number of Nodes:261
        Total number of Limit Nodes:3
        execution_graph (interactive graph rendered as a summary; the node addresses and the API calls observed on each path are kept)
        • Non-PE region at 0x902fae000: 902fae6a7 and 902fae6cc -> 902fae7a6 (LoadLibraryA, InternetOpenA) -> 902fae7e0 (InternetConnectA) -> 902fae7ff (HttpOpenRequestA) -> 902fae826
        • Entry 7ff6c3901b80: __scrt_acquire_startup_lock, __scrt_release_startup_lock, _register_thread_local_exe_atexit_callback, 7ff6c3902180 (memset, GetStartupInfoW), _get_narrow_winmain_command_line, 7ff6c39021c8 (GetModuleHandleW), _cexit, _exit; calls 7ff6c3903eb0
        • 7ff6c3903eb0: 7ff6c3905390 (MessageBoxW), memcpy, memset, strcmp loop at 7ff6c3904210, 7ff6c390423c (VirtualProtect, LoadLibraryA, CreateThread, WaitForSingleObject, HeapCreate, HeapAlloc, memcpy), Sleep at 7ff6c39042d8; calls 7ff6c3904360, 7ff6c3901818 (malloc; failure path 7ff6c3901d30 -> 7ff6c3901d10 _CxxThrowException), 7ff6c39017e4 (free), 7ff6c39011a0 (Concurrency::cancel_current_task, __std_exception_copy), _invalid_parameter_noinfo_noreturn
        • 7ff6c3904360: 7ff6c39039c0 (isalnum, memchr, memset), 7ff6c3901a94, memcpy, memset, 7ff6c3901560 (std::ios_base::good, basic_ios::setstate, uncaught_exception, basic_streambuf::sputn / sputc, basic_ostream::flush / _Osfx / operator<<), free
        • 7ff6c3902038: IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
        • 7ff6c3901cf4 -> 7ff6c390228c: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
        • 7ff6c3901a9c: 7ff6c39018cc (__scrt_acquire_startup_lock, _initialize_onexit_table, 7ff6c3902038), _RTC_Initialize, 7ff6c3902340 (InitializeSListHead)
        • Other nodes: 7ff6c3901b64 -> 7ff6c390221c (SetUnhandledExceptionFilter); 7ff6c3901ca8 (GetModuleHandleW, _exit); 7ff6c39054a3 (_seh_filter_exe); 7ff6c3905290 (strcmp loop); 7ff6c3901720 (basic_ios::widen, basic_ostream::put / flush); 7ff6c39016b1 and 7ff6c3901760 (setstate, uncaught_exception, _Osfx); 7ff6c3901260 (free, memcpy, 7ff6c3901818, _invalid_parameter_noinfo_noreturn, Concurrency::cancel_current_task); 7ff6c3901000 -> 7ff6c3901818; 7ff6c3901100, 7ff6c3901070 and 7ff6c3905520 -> free (7ff6c3905520 also _invalid_parameter_noinfo_noreturn); 7ff6c3901150 and 7ff6c39010a0 (__std_exception_destroy / __std_exception_copy); 7ff6c39024e0, 7ff6c3902a60 and 7ff6c3902dc0 (memcpy loops); 7ff6c39025e0 (memset loops); 7ff6c3903e80 (isalnum)

        Callgraph

        (interactive graph rendered as a summary; legend: executed / not executed, opacity = relevance, disassembly available)
        • 93 functions in total: 84 in the main module at 0x7FF6C3900000 and 9 in the non-PE region at 0x902FAE000 (Function_0000000902FAE424, 902FAE5C9, 902FAE6A7, 902FAE6CC, 902FAE7A6, 902FAE7E0, 902FAE7FF, 902FAEA75, 902FAEA87)
        • Main-module spine: Function_00007FF6C3901B80 (entry) -> 00007FF6C3903EB0 -> 00007FF6C3904360 -> 00007FF6C39039C0; 00007FF6C3903EB0 also calls 00007FF6C39017D0, 00007FF6C39017E4, 00007FF6C3905390, 00007FF6C39011A0 (-> 00007FF6C3901170) and 00007FF6C3901818 (-> 00007FF6C3901D30 -> 00007FF6C3901D10)
        • Entry 00007FF6C3901B80 further calls 00007FF6C3901854, 00007FF6C39021C8, 00007FF6C3902038, 00007FF6C39019F0, 00007FF6C3901958, 00007FF6C3901A14, 00007FF6C3902394, 00007FF6C3901890, 00007FF6C390238C, 00007FF6C3902180; CRT initialisation 00007FF6C3901A9C fans out to 00007FF6C39018CC, 00007FF6C3902038, 00007FF6C3902340, 00007FF6C3902364 and the 00007FF6C39021BC / 00007FF6C39021C4 / 00007FF6C390221C / 00007FF6C3902288 / 00007FF6C3902338 / 00007FF6C3902350 / 00007FF6C3902380 / 00007FF6C390239C / 00007FF6C390201C / 00007FF6C3901A7C helpers
        • Non-PE region: 0000000902FAE6A7 and 0000000902FAE6CC -> 0000000902FAE7A6 -> 0000000902FAE7E0 -> 0000000902FAE7FF

        Control-flow Graph

        (interactive graph of 7ff6c3903eb0-7ff6c390434a rendered as a summary; executed and not-executed basic blocks)
        • The entry block calls MessageBoxW (via 7ff6c3905390) and then branches either into the memcpy of the long string at 7ff6c3903ef1 or straight to the epilogue at 7ff6c390433b
        • Loop 7ff6c3904210-7ff6c3904232 runs strcmp; the strings GetProcAddress and VirtualProtect are referenced from this function
        • Block 7ff6c3904241-7ff6c39042d1 calls VirtualProtect, LoadLibraryA, CreateThread, WaitForSingleObject, HeapCreate, HeapAlloc and memcpy, then 7ff6c39042d8 calls Sleep
        • Error paths: _invalid_parameter_noinfo_noreturn at 7ff6c390432f, Concurrency::cancel_current_task at 7ff6c3904351, free at 7ff6c3904336
        APIs
        • MessageBoxW.USER32 ref: 00007FF6C3903EE2
        • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C3903F05
        • memcpy.VCRUNTIME140 ref: 00007FF6C3903F8F
        • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C3904030
        • memset.VCRUNTIME140(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C39040B6
        • memset.VCRUNTIME140(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C3904106
        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C390422B
        • VirtualProtect.KERNELBASE(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C3904261
        • LoadLibraryA.KERNEL32(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C390426A
        • CreateThread.KERNELBASE ref: 00007FF6C3904286
        • WaitForSingleObject.KERNEL32(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C3904294
        • HeapCreate.KERNEL32(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C39042A7
        • HeapAlloc.KERNEL32(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C39042BB
        • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C39042D1
        • Sleep.KERNEL32(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C39042DD
          • Part of subcall function 00007FF6C3901818: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6C390100E), ref: 00007FF6C3901832
        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00000000,?,00007FF6C3901C86), ref: 00007FF6C390432F
        • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C3904351
        Strings
        • VirtualProtect, xrefs: 00007FF6C3904241
        • rW/xHjl/tpwqf1jaiPmqhwLTh/9V+0ClGm9TOkOcD5z/T4vuhcMWvccRToRnKodSXfv3fSUMfPE6HBpgW6PiXjGOslgM0HbL2BrCFb+ChiWMg7HLEpejgVGYwPZdvNhe8n5PcmSJtUFshxv0HtreU7iJABqRT6gm2O7nG9z2fd6wruUBN/we2QsjOTQ3El7aaLkEhYWQTuVJnyogTuU1PjvIYQe4B6ZL7gaqArtsu8VAJJuT5mPIceKgQo8wZKJn6SdG, xrefs: 00007FF6C3903EFE
        • GetProcAddress, xrefs: 00007FF6C3904216
        • kernel32.dll, xrefs: 00007FF6C3904263
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: memcpy$CreateHeapmemset$AllocConcurrency::cancel_current_taskLibraryLoadMessageObjectProtectSingleSleepThreadVirtualWait_invalid_parameter_noinfo_noreturnmallocstrcmp
        • String ID: GetProcAddress$VirtualProtect$kernel32.dll$rW/xHjl/tpwqf1jaiPmqhwLTh/9V+0ClGm9TOkOcD5z/T4vuhcMWvccRToRnKodSXfv3fSUMfPE6HBpgW6PiXjGOslgM0HbL2BrCFb+ChiWMg7HLEpejgVGYwPZdvNhe8n5PcmSJtUFshxv0HtreU7iJABqRT6gm2O7nG9z2fd6wruUBN/we2QsjOTQ3El7aaLkEhYWQTuVJnyogTuU1PjvIYQe4B6ZL7gaqArtsu8VAJJuT5mPIceKgQo8wZKJn6SdG
        • API String ID: 1700708136-1027293778
        • Opcode ID: f9bc0d7294f68d03651fd688e6f71cc41f92d764ef2405ada01706ca51ef2039
        • Instruction ID: 1cb5c2e6c94f5a250767254c202775518a856036c5877e24eadf7e045eb906bb
        • Opcode Fuzzy Hash: f9bc0d7294f68d03651fd688e6f71cc41f92d764ef2405ada01706ca51ef2039
        • Instruction Fuzzy Hash: 08D1F722A08AC285EB10CF25D441BFE6761FB58796F404231EA9EA76D7EF3CD585CB00

        Control-flow Graph

        (interactive graph of 902fae7e0 rendered as a summary; executed and not-executed basic blocks)
        • 902fae7e0-902fae878 calls InternetConnectA and then 902fae7ff (HttpOpenRequestA)
        • 902fae87d onwards is a dense branch network over 902fae882-902faea5b with a self-loop at 902faeaa7
        APIs
        • InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 0000000902FAE7FB
          • Part of subcall function 0000000902FAE7FF: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000000902FAE81A
        Memory Dump Source
        • Source File: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000000902FAE000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_902fae000_QT2hJT3Syn.jbxd
        Yara matches
        Similarity
        • API ID: ConnectHttpInternetOpenRequest
        • String ID:
        • API String ID: 1341064763-0
        • Opcode ID: e3167bb3e8b5aeea410c5bda1354292710fbe9dd2fdc2113092930280f81d543
        • Instruction ID: c5138fa9583434a1ac020ca43846f1f85ad8a052ea9c146c137d880f5fa95f9b
        • Opcode Fuzzy Hash: e3167bb3e8b5aeea410c5bda1354292710fbe9dd2fdc2113092930280f81d543
        • Instruction Fuzzy Hash: 9DA190719183975EFB6A9B38846E366BFF5FB19390F2805BDC2C18B1E7D1509802C74A

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
        • String ID:
        • API String ID: 3995423050-0
        • Opcode ID: 1a752565a283e8bc6c4718bd7f0bfa4515868e64581fd36a0b3e31664e51b0ac
        • Instruction ID: ac323e1f0586e1d5b0bc2118fa0404532b5ec251c8522df96f49f91161b978e5
        • Opcode Fuzzy Hash: 1a752565a283e8bc6c4718bd7f0bfa4515868e64581fd36a0b3e31664e51b0ac
        • Instruction Fuzzy Hash: 4B310C25E0C2D385FA54AF659453BB922A1AF4D786F444034E9CEFB2D3FE6CE8048291

        Control-flow Graph

        (interactive graph of 902fae7a6 rendered as a summary; executed and not-executed basic blocks)
        • 902fae7a6-902faea5c calls LoadLibraryA and InternetOpenA, then 902fae7e0; 902faea61-902faea6 follows, ending in a self-loop at 902faeaa7
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000000902FAE000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_902fae000_QT2hJT3Syn.jbxd
        Yara matches
        Similarity
        • API ID: InternetLibraryLoadOpen
        • String ID: wini
        • API String ID: 2559873147-1606035523
        • Opcode ID: 5f93fe04556e9114a692b7a8cb09660883b66be0f4b4a600167b52d13b5f35d2
        • Instruction ID: fccbab18af54b7468763034c97b509e31ff6ed364c598b70a499d579114c9cea
        • Opcode Fuzzy Hash: 5f93fe04556e9114a692b7a8cb09660883b66be0f4b4a600167b52d13b5f35d2
        • Instruction Fuzzy Hash: 5D01DAB005C2469FE32D8F30880B37B7AA6EB42B05F2454BEE1C3864A3C92108428B86

        Control-flow Graph

        (interactive graph of 902fae7ff rendered as a summary; executed and not-executed basic blocks)
        • 902fae7ff-902fae825 calls HttpOpenRequestA; 902fae826-902fae862 loops through 902fae868-902fae871, and 902faea05-902faea5b forms a second loop via 902fae9fd
        APIs
        • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000000902FAE81A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1862615257.0000000902FAE000.00000040.00000010.00020000.00000000.sdmp, Offset: 0000000902FAE000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_902fae000_QT2hJT3Syn.jbxd
        Yara matches
        Similarity
        • API ID: HttpOpenRequest
        • String ID: U.;
        • API String ID: 1984915467-4213443877
        • Opcode ID: 0673e6ba89fcafa97f45a20ababb8eb16fe70298331e982a3612c8fa0d542fd6
        • Instruction ID: a9717c00710bbb5696ef4c34c3e51ef4cde02bbfc62673a94976bc5d149a3531
        • Opcode Fuzzy Hash: 0673e6ba89fcafa97f45a20ababb8eb16fe70298331e982a3612c8fa0d542fd6
        • Instruction Fuzzy Hash: A111B2A034890E1BF65C929D7C5A73611CAD3D8755F20813FB54EC33D6DC54CC83816A
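        The loader at 7FF6C3903EB0 above compares strings against GetProcAddress and VirtualProtect and then calls VirtualProtect, CreateThread and WaitForSingleObject, and the non-PE region at 0x902FAE000 chains LoadLibraryA of a "wini..." module, InternetOpenA, InternetConnectA and HttpOpenRequestA. The Python below is an added example, not part of this report and not code from the sample: it encodes both sequences as ordered-subsequence rules with a bounded gap and runs them over an API trace constructed from the report's listings. The trace format, the rule names, the gap size and the argument values other than the strings the report shows are assumptions made for the example.

```python
"""Ordered API-sequence detector over a sandbox API trace (added example; not
part of the Joe Sandbox report and not the sample's code).

Rules follow two sequences the report lists: the loader at 7FF6C3903EB0
(strcmp on "GetProcAddress"/"VirtualProtect", then VirtualProtect,
CreateThread, WaitForSingleObject) and the 0x902FAE000 shellcode (LoadLibraryA
of "wini...", InternetOpenA, InternetConnectA, HttpOpenRequestA). The trace
format, rule names and max_gap window are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    """One API call as a sandbox trace would record it (constructed format)."""
    api: str
    args: tuple[str, ...] = ()


@dataclass(frozen=True)
class Step:
    """API name plus an optional case-insensitive substring an argument must contain."""
    api: str
    arg_substr: Optional[str] = None

    def matches(self, call: Call) -> bool:
        if call.api != self.api:
            return False
        if self.arg_substr is None:
            return True
        needle = self.arg_substr.lower()
        return any(needle in a.lower() for a in call.args)


RULES: dict[str, tuple[Step, ...]] = {
    # Loader: resolve exports by name, make a buffer executable, run it on a
    # new thread and wait for it (the 7FF6C3903EB0 pattern in the report).
    "manual_api_resolve_then_exec": (
        Step("strcmp", "GetProcAddress"),
        Step("VirtualProtect"),
        Step("CreateThread"),
        Step("WaitForSingleObject"),
    ),
    # Reverse-HTTP stager chain; the page shows only the string "wini", so the
    # rule matches on that prefix rather than a full module name.
    "wininet_reverse_http_stager": (
        Step("LoadLibraryA", "wini"),
        Step("InternetOpenA"),
        Step("InternetConnectA"),
        Step("HttpOpenRequestA"),
    ),
}


def match_sequence(trace: list[Call], steps: tuple[Step, ...],
                   max_gap: int = 64) -> Optional[list[int]]:
    """Indices at which `steps` occur in order, or None. The first step may
    sit anywhere; each later step must appear within `max_gap` calls after
    the previous match, so interleaved memcpy/HeapAlloc calls do not break a
    match but a VirtualProtect much later in the trace does not count."""
    hits: list[int] = []
    start = 0
    for step in steps:
        limit = len(trace) if not hits else min(len(trace), hits[-1] + 1 + max_gap)
        found = next((i for i in range(start, limit) if step.matches(trace[i])), None)
        if found is None:
            return None
        hits.append(found)
        start = found + 1
    return hits


def scan(trace: list[Call], rules: dict[str, tuple[Step, ...]] = RULES,
         max_gap: int = 64) -> dict[str, list[int]]:
    """Run every rule over the trace; returns {rule_name: matched_indices}."""
    return {name: hit for name, steps in rules.items()
            if (hit := match_sequence(trace, steps, max_gap)) is not None}


# Constructed trace in the order of the report's API listings; argument values
# are placeholders except the strings the report shows.
SAMPLE_TRACE: list[Call] = [
    Call("MessageBoxW"), Call("memcpy"), Call("memcpy"), Call("memset"),
    Call("strcmp", ("GetProcAddress",)), Call("strcmp", ("VirtualProtect",)),
    Call("VirtualProtect"), Call("LoadLibraryA", ("kernel32.dll",)),
    Call("CreateThread"), Call("WaitForSingleObject"),
    Call("HeapCreate"), Call("HeapAlloc"), Call("memcpy"), Call("Sleep"),
    # calls attributed to the non-PE region at 0x902FAE000
    Call("LoadLibraryA", ("wini",)), Call("InternetOpenA"),
    Call("InternetConnectA"), Call("HttpOpenRequestA"),
]

# Constructed benign trace: a JIT-style page flip plus thread start, with no
# export-name comparison and no WinINet chain; neither rule should fire.
BENIGN_TRACE: list[Call] = [
    Call("GetModuleHandleW"), Call("VirtualAlloc"), Call("memcpy"),
    Call("VirtualProtect"), Call("CreateThread"), Call("WaitForSingleObject"),
]
```

        scan(SAMPLE_TRACE) returns both rule names with the indices of the matching calls, while scan(BENIGN_TRACE) returns an empty dict. The strcmp step is what separates the loader pattern from an ordinary JIT or packer that also flips page protections and starts a thread, so drop it only when the trace source cannot record string arguments; the prefix match on "wini" is deliberately loose because the report shows the module name only as that fragment.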

        Control-flow Graph

        (interactive graph of 7ff6c3904360-7ff6c3905198 rendered as a summary; executed and not-executed basic blocks)
        • Entry 7ff6c3904360-7ff6c3904418 calls 7ff6c39039c0, 7ff6c3901a94 (twice) and memcpy; 7ff6c390441e-7ff6c390445b does a further memcpy
        • The body is a large network of memset / memcpy loops (7ff6c39044c5, 7ff6c390450c, 7ff6c3904e41, 7ff6c3905061) over 7ff6c39044b5-7ff6c390505f
        • Failure path: 7ff6c39050b1 -> 7ff6c39050ed (memset, 7ff6c3901560, basic_ostream operator<<) -> 7ff6c3905116 (7ff6c39012c0, free twice); _invalid_parameter_noinfo_noreturn at 7ff6c390516f before the final free at 7ff6c3905176
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: memcpy$memchrmemset$_invalid_parameter_noinfo_noreturnisalnum
        • String ID:
        • API String ID: 581468037-0
        • Opcode ID: 8ef4aaa22b329a95060205e8a9b0493baab4ad5e0559fcd37528c45140d44259
        • Instruction ID: dce232b982861def789d238e5284f9c79cbef6d530cadf70fb9730db8b5a2d5c
        • Opcode Fuzzy Hash: 8ef4aaa22b329a95060205e8a9b0493baab4ad5e0559fcd37528c45140d44259
        • Instruction Fuzzy Hash: 0C8223726082D08BD7258F389450AFE7BA1F74974AF459125DBCAAB786DF3CE600CB40

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
        • String ID:
        • API String ID: 313767242-0
        • Opcode ID: 9ffe9f7a2552eabd9cbd91c231be09652aabbf0b04a8f210b51f505912c4f0c6
        • Instruction ID: bb0acca2e906cf8292496f3d16826426cb8fa049f0811d9cc0827970119531e7
        • Opcode Fuzzy Hash: 9ffe9f7a2552eabd9cbd91c231be09652aabbf0b04a8f210b51f505912c4f0c6
        • Instruction Fuzzy Hash: C7310F72609BC186EB609F61E8417EE7374FB88745F44403ADA8E97B96EF38D548C710

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
        • String ID:
        • API String ID: 2933794660-0
        • Opcode ID: 0fbad5fd6f2767220c7461670684e260ec7aafaf3dc54847602cb2efa943320e
        • Instruction ID: 5490a7a432076fccccb0187f1549df65bedbe7a4ecccc6c630faff4cf25df982
        • Opcode Fuzzy Hash: 0fbad5fd6f2767220c7461670684e260ec7aafaf3dc54847602cb2efa943320e
        • Instruction Fuzzy Hash: 48114822B14B418AEB00DF61E8466B833B4FB1D759F440E31DAAD967A5EF3CE1988340

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 550 7ff6c39025e0-7ff6c39025e3 551 7ff6c3902a59 550->551 552 7ff6c39025e9-7ff6c3902642 550->552 553 7ff6c3902644-7ff6c390264c 552->553 554 7ff6c390265f-7ff6c3902668 552->554 555 7ff6c3902681-7ff6c390269f 553->555 556 7ff6c390264e-7ff6c390265d 553->556 557 7ff6c3902671-7ff6c390267e 554->557 558 7ff6c390266a-7ff6c390266f 554->558 559 7ff6c39026a2-7ff6c39026a5 555->559 556->555 557->555 558->555 560 7ff6c39026b8-7ff6c39026c6 559->560 561 7ff6c39026a7-7ff6c39026b3 memset 559->561 560->559 562 7ff6c39026c8-7ff6c39026cc 560->562 561->560 563 7ff6c39026ce 562->563 564 7ff6c39026fb-7ff6c390271d 562->564 565 7ff6c39026d5-7ff6c39026d8 563->565 566 7ff6c3902761-7ff6c390276e 564->566 567 7ff6c390271f 564->567 568 7ff6c39026eb-7ff6c39026f9 565->568 569 7ff6c39026da-7ff6c39026e6 memset 565->569 571 7ff6c39027c1-7ff6c39027c4 566->571 572 7ff6c3902770 566->572 570 7ff6c3902722-7ff6c3902758 567->570 568->564 568->565 569->568 570->570 575 7ff6c390275a 570->575 573 7ff6c39029ac-7ff6c39029c6 571->573 574 7ff6c39027ca-7ff6c39027d8 571->574 576 7ff6c3902773-7ff6c3902776 572->576 578 7ff6c3902a40-7ff6c3902a58 573->578 579 7ff6c39029c8-7ff6c39029cf 573->579 577 7ff6c39027e0-7ff6c3902855 574->577 575->566 576->573 580 7ff6c390277c-7ff6c39027b8 576->580 582 7ff6c3902887-7ff6c3902897 577->582 583 7ff6c3902857-7ff6c390285b 577->583 578->551 584 7ff6c39029d0-7ff6c39029d3 579->584 580->576 581 7ff6c39027ba 580->581 581->571 589 7ff6c39028a0-7ff6c39028ad 582->589 585 7ff6c3902944-7ff6c390294a 583->585 586 7ff6c3902861-7ff6c390286d 583->586 587 7ff6c39029d5-7ff6c39029db 584->587 588 7ff6c3902a32-7ff6c3902a3e 584->588 593 7ff6c390299c-7ff6c390299f 585->593 594 7ff6c390294c-7ff6c390294f 585->594 590 7ff6c3902870-7ff6c390287d 586->590 591 7ff6c39029e0-7ff6c3902a30 587->591 588->578 588->584 589->589 592 7ff6c39028af-7ff6c3902919 589->592 590->590 597 7ff6c390287f-7ff6c3902882 590->597 591->588 591->591 592->585 598 7ff6c390291b-7ff6c3902927 592->598 593->577 596 
7ff6c39029a5 593->596 595 7ff6c3902950-7ff6c3902953 594->595 595->596 599 7ff6c3902955-7ff6c3902993 595->599 596->573 597->594 600 7ff6c3902930-7ff6c390293d 598->600 599->595 601 7ff6c3902995 599->601 600->600 602 7ff6c390293f-7ff6c3902942 600->602 601->593 602->594
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: memset
        • String ID:
        • API String ID: 2221118986-3916222277
        • Opcode ID: 10fe64071739a2ded2f0a5419cf26234a9cb385721e058ba0fcc83c8cc307c78
        • Instruction ID: d4636727b37755a381ac28643842976c48f724942c1b2af7e6ad97c49d07bc89
        • Opcode Fuzzy Hash: 10fe64071739a2ded2f0a5419cf26234a9cb385721e058ba0fcc83c8cc307c78
        • Instruction Fuzzy Hash: A8C1F272B182D186E715CF289541BBD3BE0E749B45F858036DACDEB346EE78E541C710
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 68d9fd08a1a3572f31eb62606a6418c6cd1bf873439365f6d5667c21df0fb5db
        • Instruction ID: 87067800045348fa2b8d1e673e95ffc946a821e502c0a3e4178842cc5d588dea
        • Opcode Fuzzy Hash: 68d9fd08a1a3572f31eb62606a6418c6cd1bf873439365f6d5667c21df0fb5db
        • Instruction Fuzzy Hash: D31256732087E48AC7108F2D98409BE7FA4F399B4AF498215EFC987786CA3DE615C750
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d16f77bd1055aef42d53165e0a7d8d775166ff36071f674d1390ceb6bc1ed32d
        • Instruction ID: f20880916a1e40af2154d8584ab9ab1de3ff11bdfb02c0af54637a4cdfbe69b2
        • Opcode Fuzzy Hash: d16f77bd1055aef42d53165e0a7d8d775166ff36071f674d1390ceb6bc1ed32d
        • Instruction Fuzzy Hash: 841246736083E48AD7108F2D98449AE7FA4F389B4AF4A8215DFC897782CA3CF515C720
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 185bb21c631b42b625ea131c3156779a1e8468bba62d3009b45224cd70e431eb
        • Instruction ID: 3345a7038a6cb1f7dd95bf2877943e5f028b1b3069557cff6fdfe53151a01276
        • Opcode Fuzzy Hash: 185bb21c631b42b625ea131c3156779a1e8468bba62d3009b45224cd70e431eb
        • Instruction Fuzzy Hash: E3A00162949886A0E6198F55A9528342230EB58302B418432C08DA1062AF2DE4488201

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 233 7ff6c3901260-7ff6c3901271 234 7ff6c3901273-7ff6c3901280 233->234 235 7ff6c390129f-7ff6c39012b7 233->235 236 7ff6c3901282-7ff6c3901295 234->236 237 7ff6c390129a call 7ff6c39017e4 234->237 238 7ff6c39012b8-7ff6c39012f0 _invalid_parameter_noinfo_noreturn 236->238 239 7ff6c3901297 236->239 237->235 242 7ff6c39012f7-7ff6c39012fe 238->242 239->237 242->242 243 7ff6c3901300-7ff6c390130d 242->243 244 7ff6c3901313-7ff6c3901317 243->244 245 7ff6c39013e1-7ff6c39013e6 call 7ff6c3901240 243->245 246 7ff6c3901319-7ff6c3901331 memcpy 244->246 247 7ff6c3901336-7ff6c3901340 244->247 256 7ff6c39013e7-7ff6c390141c call 7ff6c39011a0 245->256 249 7ff6c39013c3-7ff6c39013e0 246->249 250 7ff6c3901342-7ff6c390134c 247->250 251 7ff6c390136b-7ff6c3901381 247->251 255 7ff6c3901350 250->255 253 7ff6c3901383-7ff6c390138a 251->253 254 7ff6c39013a6-7ff6c39013bf memcpy 251->254 258 7ff6c390139e 253->258 259 7ff6c390138c-7ff6c3901393 253->259 254->249 260 7ff6c3901353 call 7ff6c3901818 255->260 269 7ff6c3901422-7ff6c3901443 256->269 270 7ff6c390154c-7ff6c3901551 call 7ff6c3901240 256->270 264 7ff6c390139e call 7ff6c3901818 258->264 259->256 263 7ff6c3901395 259->263 261 7ff6c3901358-7ff6c390135b 260->261 265 7ff6c390135d-7ff6c3901369 261->265 266 7ff6c3901397-7ff6c390139d _invalid_parameter_noinfo_noreturn 261->266 263->255 268 7ff6c39013a3 264->268 265->254 266->258 268->254 271 7ff6c3901445-7ff6c3901454 269->271 272 7ff6c3901489-7ff6c3901493 269->272 277 7ff6c3901552-7ff6c3901557 call 7ff6c39011a0 270->277 271->272 275 7ff6c3901456-7ff6c390146b 271->275 276 7ff6c3901497 272->276 278 7ff6c3901471-7ff6c3901478 275->278 279 7ff6c390146d-7ff6c390146f 275->279 280 7ff6c390149a call 7ff6c3901818 276->280 283 7ff6c39014b2 278->283 284 7ff6c390147a-7ff6c3901481 278->284 282 7ff6c39014ba-7ff6c39014cc 279->282 285 7ff6c390149f-7ff6c39014a2 280->285 288 7ff6c39014ce-7ff6c39014ed memcpy 282->288 289 7ff6c3901518-7ff6c3901524 call 7ff6c39053e4 282->289 286 7ff6c39014b2 call 
7ff6c3901818 283->286 284->277 290 7ff6c3901487 284->290 291 7ff6c39014a4-7ff6c39014b0 285->291 292 7ff6c3901511-7ff6c3901517 _invalid_parameter_noinfo_noreturn 285->292 293 7ff6c39014b7 286->293 294 7ff6c39014ef-7ff6c3901502 288->294 295 7ff6c3901507-7ff6c390150f call 7ff6c39017e4 288->295 301 7ff6c3901529-7ff6c390154b 289->301 290->276 291->282 292->289 293->282 294->292 297 7ff6c3901504 294->297 295->301 297->295
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: _invalid_parameter_noinfo_noreturnmemcpy$Concurrency::cancel_current_task
        • String ID: string too long
        • API String ID: 621473597-2556327735
        • Opcode ID: dc214a706161d04807a1c17e90786c25c00201b982d4ed9808e8b67d56e755a6
        • Instruction ID: 1b6724a565dbbb7afea20c40fc1f375b4530d70b58d44a9d5668831c11131e2f
        • Opcode Fuzzy Hash: dc214a706161d04807a1c17e90786c25c00201b982d4ed9808e8b67d56e755a6
        • Instruction Fuzzy Hash: 40812526B08BC184EA149F65A04176D23A1EB08BD5F544635DBEE9BBD7EF7CE0818380

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 426 7ff6c3901560-7ff6c3901590 427 7ff6c3901592-7ff6c3901596 426->427 428 7ff6c3901598 426->428 429 7ff6c390159a-7ff6c39015aa 427->429 428->429 430 7ff6c39015b3-7ff6c39015c5 ?good@ios_base@std@@QEBA_NXZ 429->430 431 7ff6c39015ac-7ff6c39015b2 429->431 432 7ff6c39015f7-7ff6c39015fd 430->432 433 7ff6c39015c7-7ff6c39015d6 430->433 431->430 437 7ff6c39015ff-7ff6c3901604 432->437 438 7ff6c3901609-7ff6c390161c 432->438 435 7ff6c39015f5 433->435 436 7ff6c39015d8-7ff6c39015db 433->436 435->432 436->435 439 7ff6c39015dd-7ff6c39015f3 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ ?good@ios_base@std@@QEBA_NXZ 436->439 440 7ff6c39016bf-7ff6c39016dd ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z ?uncaught_exception@std@@YA_NXZ 437->440 441 7ff6c390161e 438->441 442 7ff6c390164d-7ff6c3901670 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 438->442 439->432 445 7ff6c39016df-7ff6c39016e8 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ 440->445 446 7ff6c39016e9-7ff6c39016f8 440->446 447 7ff6c3901620-7ff6c3901623 441->447 443 7ff6c3901672-7ff6c3901675 442->443 444 7ff6c3901698 442->444 448 7ff6c390169f-7ff6c39016af 443->448 449 7ff6c3901677-7ff6c3901691 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 443->449 450 7ff6c390169b 444->450 445->446 451 7ff6c3901701-7ff6c3901711 446->451 452 7ff6c39016fa-7ff6c3901700 446->452 447->442 453 7ff6c3901625-7ff6c390163f ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 447->453 448->440 449->444 454 7ff6c3901693-7ff6c3901696 449->454 450->448 452->451 455 7ff6c3901641-7ff6c3901646 453->455 456 7ff6c3901648-7ff6c390164b 453->456 454->443 455->450 456->447
        APIs
        • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6C39015BD
        • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6C39015DD
        • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6C39015ED
        • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6C3901636
        • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF6C3901666
        • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6C3901688
        • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6C39016CE
        • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6C39016D5
        • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6C39016E2
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
        • String ID:
        • API String ID: 3274656010-0
        • Opcode ID: 2d83f5bf139d5ddab99d305bf5690e1c03955fd8ff749a6140a8785ce57e8d76
        • Instruction ID: f0685cfbe42b51a3941e2cbfa8a31d09fbabc182b5329bb1fbdf3905f04553a1
        • Opcode Fuzzy Hash: 2d83f5bf139d5ddab99d305bf5690e1c03955fd8ff749a6140a8785ce57e8d76
        • Instruction Fuzzy Hash: E9518436608A8181EB209F1AE591A3CA7B1EF89F93F15C531CA9F977A2DF3DD4458340

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 469 7ff6c39039c0-7ff6c3903a09 470 7ff6c3903e62-7ff6c3903e75 469->470 471 7ff6c3903a0f-7ff6c3903a1e 469->471 472 7ff6c3903a20-7ff6c3903a30 471->472 473 7ff6c3903a35-7ff6c3903a39 472->473 474 7ff6c3903a32 472->474 475 7ff6c3903ca2-7ff6c3903ca5 473->475 476 7ff6c3903a3f-7ff6c3903a46 473->476 474->473 475->470 479 7ff6c3903cab-7ff6c3903caf 475->479 477 7ff6c3903a4b-7ff6c3903a59 isalnum 476->477 478 7ff6c3903a48 476->478 480 7ff6c3903a5b-7ff6c3903a63 477->480 481 7ff6c3903a69-7ff6c3903a71 477->481 478->477 482 7ff6c3903cd2-7ff6c3903cf6 479->482 483 7ff6c3903cb1-7ff6c3903ccd memset 479->483 480->475 480->481 486 7ff6c3903a73 481->486 487 7ff6c3903a76-7ff6c3903a93 481->487 484 7ff6c3903d15 482->484 485 7ff6c3903cf8-7ff6c3903d0a memchr 482->485 483->482 489 7ff6c3903d1d-7ff6c3903d33 484->489 485->484 488 7ff6c3903d0c-7ff6c3903d13 485->488 486->487 490 7ff6c3903c92 487->490 491 7ff6c3903a99-7ff6c3903ac0 487->491 488->489 492 7ff6c3903d35-7ff6c3903d4a memchr 489->492 493 7ff6c3903d51 489->493 496 7ff6c3903c97-7ff6c3903c9c 490->496 494 7ff6c3903ac2-7ff6c3903ad4 memchr 491->494 495 7ff6c3903adb 491->495 492->493 497 7ff6c3903d4c-7ff6c3903d4f 492->497 498 7ff6c3903d58-7ff6c3903d72 493->498 494->495 499 7ff6c3903ad6-7ff6c3903ad9 494->499 500 7ff6c3903ae2-7ff6c3903af7 495->500 496->472 496->475 497->498 501 7ff6c3903d74-7ff6c3903d89 memchr 498->501 502 7ff6c3903d90 498->502 499->500 503 7ff6c3903b15 500->503 504 7ff6c3903af9-7ff6c3903b0e memchr 500->504 501->502 506 7ff6c3903d8b-7ff6c3903d8e 501->506 507 7ff6c3903d97-7ff6c3903db1 502->507 505 7ff6c3903b1c-7ff6c3903b3a 503->505 504->503 508 7ff6c3903b10-7ff6c3903b13 504->508 509 7ff6c3903b3c-7ff6c3903b51 memchr 505->509 510 7ff6c3903b58 505->510 506->507 511 7ff6c3903db3-7ff6c3903dc8 memchr 507->511 512 7ff6c3903dcf 507->512 508->505 509->510 514 7ff6c3903b53-7ff6c3903b56 509->514 515 7ff6c3903b5f-7ff6c3903b7d 510->515 511->512 516 7ff6c3903dca-7ff6c3903dcd 511->516 513 7ff6c3903dd6-7ff6c3903e12 512->513 
513->470 517 7ff6c3903e14-7ff6c3903e18 513->517 514->515 518 7ff6c3903b7f-7ff6c3903b94 memchr 515->518 519 7ff6c3903b9b 515->519 516->513 520 7ff6c3903e20-7ff6c3903e31 517->520 518->519 521 7ff6c3903b96-7ff6c3903b99 518->521 522 7ff6c3903ba2-7ff6c3903be3 519->522 523 7ff6c3903e33-7ff6c3903e42 520->523 524 7ff6c3903e52-7ff6c3903e55 call 7ff6c39013f0 520->524 521->522 525 7ff6c3903be5-7ff6c3903bf4 522->525 526 7ff6c3903c04-7ff6c3903c07 call 7ff6c39013f0 522->526 527 7ff6c3903e44 523->527 528 7ff6c3903e47-7ff6c3903e50 523->528 533 7ff6c3903e5a-7ff6c3903e60 524->533 530 7ff6c3903bf9-7ff6c3903c02 525->530 531 7ff6c3903bf6 525->531 534 7ff6c3903c0c-7ff6c3903c17 526->534 527->528 528->533 530->534 531->530 533->470 533->520 535 7ff6c3903c19-7ff6c3903c28 534->535 536 7ff6c3903c38-7ff6c3903c3f call 7ff6c39013f0 534->536 537 7ff6c3903c2d-7ff6c3903c36 535->537 538 7ff6c3903c2a 535->538 540 7ff6c3903c44-7ff6c3903c4f 536->540 537->540 538->537 541 7ff6c3903c51-7ff6c3903c60 540->541 542 7ff6c3903c7a-7ff6c3903c90 call 7ff6c39013f0 540->542 543 7ff6c3903c65-7ff6c3903c78 541->543 544 7ff6c3903c62 541->544 542->496 543->496 544->543
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1863232775.00007FF6C3901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C3900000, based on PE: true
        • Associated: 00000000.00000002.1863220053.00007FF6C3900000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863246371.00007FF6C3906000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863260514.00007FF6C390C000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1863273593.00007FF6C390D000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff6c3900000_QT2hJT3Syn.jbxd
        Similarity
        • API ID: memchr$isalnummemcpymemset
        • String ID:
        • API String ID: 2613388124-0
        • Opcode ID: 1c4aa18a20eb7564f907b3e35b9d161b37e06d40664dc32e136580126c14a596
        • Instruction ID: 279e9c04426c9547dc69f0747231142b4b2d13ed9086393c372ae120869ad310
        • Opcode Fuzzy Hash: 1c4aa18a20eb7564f907b3e35b9d161b37e06d40664dc32e136580126c14a596
        • Instruction Fuzzy Hash: AFD10862B097D285EB019F2594826792B92EB09FEAF144235DDADA7BD7EF3CD401D300
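        The `control_flow_graph` lines in the function entries above are the IDA plugin's flattened node/edge listing: a node id, its address range (`start-end`, or a single address for a one-instruction block), any imported API names or `call <addr>` annotations for that block, and then `a->b` edges. The Python below is an added example, not part of the Joe Sandbox report or of the IDA plugin, that parses that token format into a graph and answers the questions an analyst usually has when reading one of these entries: which block is the entry, which blocks touch a given API such as `memset`, which blocks are terminal, and whether every block is reachable from the entry. The listing it runs on is a small constructed one in the same format, not one of the functions on this page; the parser assumes addresses are at least 8 hex digits and that symbol names (including the mangled MSVCP140 names seen above) contain no whitespace, which holds for the listings here.

```python
"""Parse the flattened control_flow_graph listing emitted by the Joe Sandbox IDA
plugin and answer basic structural questions about the function.

Added example. SAMPLE_CFG is CONSTRUCTED in the report's token format; it is not
one of the functions in this report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, same token format as the page:
#   <node id> <start>[-<end>] [api names | call <addr> ...] [<a>-><b> ...]
SAMPLE_CFG = (
    "control_flow_graph "
    "1 7ff6c3901000-7ff6c390100c "
    "2 7ff6c390100e-7ff6c3901020 memset 1->2 "
    "3 7ff6c3901022-7ff6c3901030 1->3 "
    "4 7ff6c3901032 call 7ff6c39017e4 2->4 3->4 "
    "5 7ff6c3901034-7ff6c3901040 _invalid_parameter_noinfo_noreturn 3->5 "
    "6 7ff6c3901042-7ff6c3901050 4->6 "
    "7 7ff6c3901052-7ff6c3901060 isalnum"  # constructed: block with no predecessor
)

ADDR = re.compile(r"^[0-9a-fA-F]{8,}(?:-[0-9a-fA-F]{8,})?$")  # "start" or "start-end"
EDGE = re.compile(r"^(\d+)->(\d+)$")                            # "a->b"


@dataclass
class Block:
    node: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # imported API / symbol names in the block
    calls: list = field(default_factory=list)  # "call <addr>" targets (internal functions)


def parse_cfg(text):
    """Return ({node: Block}, [(src, dst), ...]) from one listing."""
    tokens = text.split()                      # also re-joins lines wrapped by extraction
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit() and ADDR.match(nxt):  # "<id> <addr[-addr]>" opens a block
            lo, _, hi = nxt.partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.node] = cur
            i += 2
            continue
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if cur is None:
            raise ValueError(f"annotation {tok!r} appears before any block")
        if tok == "call" and ADDR.match(nxt):  # internal call target, not an import
            cur.calls.append(int(nxt, 16))
            i += 2
            continue
        cur.apis.append(tok)                   # anything else is a symbol name
        i += 1
    for a, b in edges:                         # a dangling edge means a truncated dump
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an undefined block")
    return blocks, edges


def entry_block(blocks):
    """The block at the lowest address is the function entry."""
    return min(blocks.values(), key=lambda b: b.start).node


def function_range(blocks):
    return min(b.start for b in blocks.values()), max(b.end for b in blocks.values())


def blocks_using(blocks, api):
    """Node ids of blocks that reference the given symbol name."""
    return sorted(b.node for b in blocks.values() if api in b.apis)


def exit_blocks(blocks, edges):
    """Blocks with no successor: returns, tail jumps, or noreturn calls."""
    with_out = {a for a, _ in edges}
    return sorted(n for n in blocks if n not in with_out)


def reachable_from(blocks, edges, entry):
    """Depth-first walk over successor edges starting at `entry`."""
    succ = {n: [] for n in blocks}
    for a, b in edges:
        succ[a].append(b)
    seen, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return seen


def summarize(text):
    """One listing reduced to the facts a reviewer wants."""
    blocks, edges = parse_cfg(text)
    entry = entry_block(blocks)
    lo, hi = function_range(blocks)
    return {
        "blocks": len(blocks),
        "edges": len(edges),
        "entry": entry,
        "range": f"{lo:x}-{hi:x}",
        "exits": exit_blocks(blocks, edges),
        "unreachable": sorted(set(blocks) - reachable_from(blocks, edges, entry)),
        "memset_blocks": blocks_using(blocks, "memset"),
        "internal_calls": sorted(f"{c:x}" for b in blocks.values() for c in b.calls),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CFG).items():
        print(f"{key}: {value}")
```

        To apply it to an entry on this page, paste that entry's `control_flow_graph` line (joining any wrapped continuation line) into `summarize`; a block listed as `unreachable` or a dangling edge is a sign the dump was cut short, which matters when the listing is used to argue that a given API (for example the `memset` in the 7ff6c39025e0 function) is on the path from the entry.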