Windows Analysis Report
QT2hJT3Syn.exe

Overview

General Information

Sample name: QT2hJT3Syn.exe (renamed because original name is a hash value)
Original sample name: 9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff.exe
Analysis ID: 1508523
MD5: d19f3280851b5e9510a63fe7c80466ae
SHA1: 00e04653569a6d8244edff8765deec3d6ed9c15f
SHA256: 9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff
Tags: 116-198-231-169, exe

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
One or more processes crash
PE file contains an invalid checksum
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QT2hJT3Syn.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\QT2hJT3Syn.exe" MD5: D19F3280851B5E9510A63FE7C80466AE)
    • WerFault.exe (PID: 6108 cmdline: C:\Windows\system32\WerFault.exe -u -p 6588 -s 1388 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike): {"C2Server": "http://116.198.231.169:63222/jquery-3.7.2.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Malware configuration (Metasploit): {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.7.2.min.js"}
Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
  • 0x8ed3:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x8f3f:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Source | Rule | Description | Author | Strings
00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
  • 0xa65:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0xad1:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-10T10:58:45.805295+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:58:49.904119+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:58:54.035146+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:58:58.765949+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:02.875405+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:06.930846+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:10.998546+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:15.034083+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:19.109811+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49760 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:59:23.134618+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49763 | 116.198.231.169 | 63222 | TCP

      AV Detection

Source: QT2hJT3Syn.exe | Avira: detected
Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.7.2.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://www.microsoft.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.7.2.min.js"}
Source: QT2hJT3Syn.exe | ReversingLabs: Detection: 28%
Source: QT2hJT3Syn.exe | Virustotal: Detection: 31%
Source: QT2hJT3Syn.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

      Networking

Source: Malware configuration extractor | URLs: http://116.198.231.169:63222/jquery-3.7.2.min.js
Source: Malware configuration extractor | URLs: http://116.198.231.169/jquery-3.7.2.min.js
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49733 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 116.198.231.169:63222
Source: unknown | TCP traffic detected without corresponding DNS query: 116.198.231.169 (reported 50 times)
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/c
Source: QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/
Source: QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/7:l
Source: QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/::g
Source: QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/=:z
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/Q:
Source: QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/_:
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/f
Source: QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.js
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.js#8
Source: QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.js;8
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jso9G
Source: QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1882778411.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.7.2.min.jsw8
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/m:
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/nRouteHelper.dllj
Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/t

      System Summary

Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, type: DROPPED | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, type: DROPPED | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9953EB0
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9952DC0
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D99525E0
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9954360
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9952A60
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_000000995739EB60
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6588 -s 1388
Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal92.troj.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6588
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4cb44b40-c232-44b6-b9c0-fb70bd149dde
Source: QT2hJT3Syn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QT2hJT3Syn.exe | ReversingLabs: Detection: 28%
Source: QT2hJT3Syn.exe | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\QT2hJT3Syn.exe "C:\Users\user\Desktop\QT2hJT3Syn.exe"
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6588 -s 1388
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: QT2hJT3Syn.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QT2hJT3Syn.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: QT2hJT3Syn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QT2hJT3Syn.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QT2hJT3Syn.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QT2hJT3Syn.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QT2hJT3Syn.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QT2hJT3Syn.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: QT2hJT3Syn.exe | Static PE information: real checksum: 0x118b0 should be: 0x1df90
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_000000995739EB7F push eax; ret 0_2_000000995739EDDB
Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_000000995739EB60 push eax; ret 0_2_000000995739EDDB
      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: Amcache.hve.6.dr | Binary or memory string: VMware
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
      Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
      Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D08968000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
      Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
      Source: QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWR,
      Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
      Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9952038 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7D9952038
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D9952038 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7D9952038
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D995221C SetUnhandledExceptionFilter,0_2_00007FF7D995221C
      Source: C:\Users\user\Desktop\QT2hJT3Syn.exe | Code function: 0_2_00007FF7D995228C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7D995228C
      Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

      Remote Access Functionality

      Source: Yara match | File source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK matrix (tactic: techniques in matrix order; a leading number is the count of matching signatures, techniques without a number had no match)

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
      Resource Development: Acquire Infrastructure; Domains; DNS Server
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At
      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
      Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
      Defense Evasion: 1 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
      Discovery: 1 System Time Discovery; 21 Security Software Discovery; 2 System Information Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
      Source | Detection | Scanner | Label
      QT2hJT3Syn.exe | 29% | ReversingLabs | Win64.Backdoor.Cobeacon
      QT2hJT3Syn.exe | 31% | Virustotal |
      QT2hJT3Syn.exe | 100% | Avira | TR/AD.PatchedWinSwrort.uidrr
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      http://upx.sf.net | 0% | URL Reputation | safe
      https://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/::g | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/jquery-3.7.2.min.js#8 | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/7:l | 0% | Avira URL Cloud | safe
      https://116.198.231.169/c | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/m: | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/_: | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/jquery-3.7.2.min.js#8 | 0% | Virustotal |
      https://116.198.231.169:63222/f | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Virustotal |
      http://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/ | 0% | Avira URL Cloud | safe
      http://116.198.231.169/jquery-3.7.2.min.js | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/f | 0% | Virustotal |
      https://116.198.231.169:63222/jquery-3.7.2.min.js;8 | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/ | 0% | Virustotal |
      https://116.198.231.169:63222/jquery-3.7.2.min.jso9G | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/jquery-3.7.2.min.jsw8 | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/nRouteHelper.dllj | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/=:z | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/t | 0% | Avira URL Cloud | safe
      https://116.198.231.169:63222/Q: | 0% | Avira URL Cloud | safe
      https://116.198.231.169/ | 0% | Avira URL Cloud | safe
      http://116.198.231.169:63222/jquery-3.7.2.min.js | 0% | Virustotal |
      https://116.198.231.169/ | 0% | Virustotal |
      No contacted domains info
      Name | Malicious | Antivirus Detection | Reputation
      http://116.198.231.169:63222/jquery-3.7.2.min.js | true | 0% Virustotal; Avira URL Cloud: safe | unknown
      http://116.198.231.169/jquery-3.7.2.min.js | true | Avira URL Cloud: safe | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://116.198.231.169:63222/7:l | QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/jquery-3.7.2.min.js | QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      https://116.198.231.169/c | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/::g | QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/jquery-3.7.2.min.js#8 | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/m: | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/_: | QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/f | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/ | QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/jquery-3.7.2.min.js;8 | QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/jquery-3.7.2.min.jso9G | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
      https://116.198.231.169:63222/jquery-3.7.2.min.jsw8 | QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1882778411.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.1909422858.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/nRouteHelper.dllj | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/=:z | QT2hJT3Syn.exe, 00000000.00000003.2032084275.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2072522890.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2092768222.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2113063580.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2133525479.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2153550863.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2011741310.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/t | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169:63222/Q: | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2193997417.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp, QT2hJT3Syn.exe, 00000000.00000003.2173772952.0000022D089B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://116.198.231.169/ | QT2hJT3Syn.exe, 00000000.00000002.2617523350.0000022D0897E000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      IP | Domain | Country | ASN | ASN Name | Malicious
      116.198.231.169 | unknown | China | 137699 | CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | true
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1508523
      Start date and time:2024-09-10 10:57:41 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 2s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
      Number of analysed new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:QT2hJT3Syn.exe
      renamed because original name is a hash value
      Original Sample Name:9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff.exe
      Detection:MAL
      Classification:mal92.troj.winEXE@2/5@0/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 5
      • Number of non-executed functions: 10
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.168.117.173
      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryValueKey calls found.
      No simulations
      Match | Associated Sample Name / URL | Detection | Threat Name
      116.198.231.169 | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit
      116.198.231.169 | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit
      116.198.231.169 | LtmV2sDcTK.exe | malicious | CobaltStrike, Metasploit
      No context
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
      CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
      CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | LtmV2sDcTK.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
      CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | gOEF4WOJ3c.elf | malicious | Unknown | 116.198.238.210
      No context
      No context
            Process:C:\Windows\System32\WerFault.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.9839308801033855
            Encrypted:false
            SSDEEP:192:8eg4X6S50I3D8jfP+PzuiFr9Z24lO8TU:PXKSaI3D8jwzuiFr9Y4lO8TU
            MD5:A33B898C59EC7EB478EF533F18A8023E
            SHA1:7667B449A892B9A1F10030B31A3697D2D3C17938
            SHA-256:C0FB1A4CA40558DAA9DEA896479ED2C97B0930F18DCEB149BC869A586B52A17C
            SHA-512:2B40290B5E3B5CDA6E63616BB51224D21984B7F0E7DEB12C7A3181F09AEE51A05446B0D95EC7C038735ED91289D6AAC6D163B40665DC7AB099B11155D77DB9B5
            Malicious:true
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.4.3.2.3.6.4.6.9.6.4.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.4.3.2.3.6.5.1.0.2.6.9.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.7.f.3.b.a.9.-.f.b.3.2.-.4.9.9.5.-.9.3.c.b.-.c.2.7.3.4.0.0.6.3.8.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.9.5.c.1.d.0.-.2.d.1.8.-.4.8.0.3.-.8.0.1.c.-.8.2.f.2.3.e.3.9.a.8.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.T.2.h.J.T.3.S.y.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.b.c.-.0.0.0.1.-.0.0.1.4.-.1.d.c.1.-.f.4.9.f.5.f.0.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.5.7.6.0.0.8.f.d.d.c.2.3.1.c.4.b.6.b.8.e.a.6.2.2.3.3.e.0.9.7.0.0.0.0.0.0.9.0.4.!.0.0.0.0.0.0.e.0.4.6.5.3.5.6.9.a.6.d.8.2.4.4.e.d.f.f.8.7.6.5.d.e.e.c.3.d.6.e.d.9.c.1.5.f.!.Q.T.2.h.J.T.3.S.y.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.8././.0.9.
            Process:C:\Windows\System32\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Tue Sep 10 08:59:24 2024, 0x1205a4 type
            Category:dropped
            Size (bytes):154972
            Entropy (8bit):1.4614159444920982
            Encrypted:false
            SSDEEP:384:TqodCVjVSIRA6iv+gebrQ4UbLp/4O8f80yStE/GYSFW2exnCPT:TqodCZep/4O8fzF8xCL
            MD5:391E934405B2E7B61E8B8DC4E21F7775
            SHA1:91C5369017A2022CA8513F5F84F460F2C343BCDE
            SHA-256:988FEA3CE4F51007599A45D82064D4394E4B950A21E73D948463AEFA59F929FA
            SHA-512:C4E989F32068B2EC9D018398456BBE029BB7F49DF86ED1E7B3612AB43295E86E2AB99D999D0879F1E007D5EA449006B4B31A16527537A2D4B326C73B45A7808C
            Malicious:false
            Yara Hits:
            • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, Author: unknown
            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB570.tmp.dmp, Author: unknown
            Reputation:low
            Preview:MDMP..a..... .......l..f.........................................\..........T.......8...........T............5...'....................... ..............................................................................eJ......d!......Lw......................T...........=..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):10230
            Entropy (8bit):3.7202987326664974
            Encrypted:false
            SSDEEP:192:R6l7wVeJ8WC6Y9dRJc9gmfOTpDa89bkCVf0cgNsm:R6lXJNC6Y/RJc9gmfOVkofXC
            MD5:DEA7C9252430F5455C9DEBF74C678AF4
            SHA1:517A1B8EE134408400001D44DCD6A9E808CB0143
            SHA-256:F5F6C0B1B958216E20189890A5FA5772A3C35676BB1EAD6E91EE594DB5296576
            SHA-512:86936902079B5E6B9E2065770A8A0BA9DEB2A9A677C84CBD5EEB03C55069DBE5B45341B5C9DEC63DED740F6DB478FF0B9414581510ABDF9B4F05696474F92882
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>6588</Pi
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4693
            Entropy (8bit):4.506143139180314
            Encrypted:false
            SSDEEP:48:cvIwWl8zsJJg771I9YDWpW8VYXYm8M4JYqQOKFEJyq85dpQOYlkFR/+d:uIjfbI7jy7VPJBQQJAQrlkFN+d
            MD5:A0C5450FCCD1F696127AC8FF8257B812
            SHA1:2B6ABEC9C569C41F8FC58ADCCEF10C63F8414B81
            SHA-256:72E2A0F5769C553AE01165F819FF4261B64CCF331F44BDC90529A4873F9A0008
            SHA-512:6768B7AC8394CBF3FA20C48CFE4753528C789DCA62C8DAA92B0299C7D117F415521BDD5C5233DBCF12CB354934546D8EF24BA1BB88C60622B79150A5B80B6390
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="493922" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\System32\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.465918874888848
            Encrypted:false
            SSDEEP:6144:8IXfpi67eLPU9skLmb0b48WSPKaJG8nAgejZMMhA2gX4WABl0uNrdwBCswSb5:BXD948WlLZMM6YFHB+5
            MD5:DB3FF01C4A73A5EBCB34B0CB83E90F52
            SHA1:859E353862D6D2C94C0D5D585B8106742197B435
            SHA-256:78B26CE99D43E6EDAE850A36BB3ECE413B2330B281BB70EB3F33385F459BBB19
            SHA-512:E6FF7F07FDEBD52B324EB2E52E8E59AA402804624322AC9D4B5E53383DAB1F8EC8D402591348C80BFFC32FB82F235F09DCB9A4E5D25FAFA916035D9999DB6A13
            Malicious:false
            Reputation:low
            File type:PE32+ executable (GUI) x86-64, for MS Windows
            Entropy (8bit):7.269430115749708
            TrID:
            • Win64 Executable GUI (202006/5) 92.65%
            • Win64 Executable (generic) (12005/4) 5.51%
            • Generic Win/DOS Executable (2004/3) 0.92%
            • DOS Executable Generic (2002/1) 0.92%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:QT2hJT3Syn.exe
            File size:67'584 bytes
            MD5:d19f3280851b5e9510a63fe7c80466ae
            SHA1:00e04653569a6d8244edff8765deec3d6ed9c15f
            SHA256:9bfd61a00155017d1a6768326549c65ea9bbe8884b92a7a013e97b507a9167ff
            SHA512:78650af411cfc8a1a1cf05a2538454fa5de7b3c6b6d80eef0193b1d3270389f69f998f1e80768f949167b6075aca1fd70be22b006e11fbd63a725c4097b3a99a
            SSDEEP:1536:mWHMTN/JJ86S4oqiEcpI6rAz/saT4c6WuC0J8:mWIJ8L1U/T4c6W70J8
            TLSH:D963BF9A7B428CFEE95613388123A49EF3F27C111B22ABFF47C601552D633D96C7A650
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q...Q...Q...X.N.].......R.......X.......H.......W.......T...Q.......B...P...B...R...B...P...RichQ...................PE..d..
            Icon Hash:0729494959591b1e
            Entrypoint:0x140001cf4
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x66B5A165 [Fri Aug 9 04:56:05 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:6102f16ed129485447b57b8b35734f82
            Instruction
            dec eax
            sub esp, 28h
            call 00007F2414B207A4h
            dec eax
            add esp, 28h
            jmp 00007F2414B2008Fh
            int3
            int3
            jmp 00007F2414B209D6h
            int3
            int3
            int3
            dec eax
            and dword ptr [ecx+10h], 00000000h
            dec eax
            lea eax, dword ptr [00004664h]
            dec eax
            mov dword ptr [ecx+08h], eax
            dec eax
            lea eax, dword ptr [00004649h]
            dec eax
            mov dword ptr [ecx], eax
            dec eax
            mov eax, ecx
            ret
            int3
            int3
            dec eax
            sub esp, 48h
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007F2414B201E7h
            dec eax
            lea edx, dword ptr [000091C3h]
            dec eax
            lea ecx, dword ptr [esp+20h]
            call 00007F2414B208F8h
            int3
            dec eax
            mov dword ptr [esp+10h], ebx
            dec eax
            mov dword ptr [esp+18h], esi
            push ebp
            push edi
            inc ecx
            push esi
            dec eax
            mov ebp, esp
            dec eax
            sub esp, 10h
            xor eax, eax
            xor ecx, ecx
            cpuid
            inc esp
            mov eax, ecx
            inc esp
            mov edx, edx
            inc ecx
            xor edx, 49656E69h
            inc ecx
            xor eax, 6C65746Eh
            inc esp
            mov ecx, ebx
            inc esp
            mov esi, eax
            xor ecx, ecx
            mov eax, 00000001h
            cpuid
            inc ebp
            or edx, eax
            mov dword ptr [ebp-10h], eax
            inc ecx
            xor ecx, 756E6547h
            mov dword ptr [ebp-0Ch], ebx
            inc ebp
            or edx, ecx
            mov dword ptr [ebp-08h], ecx
            mov edi, ecx
            mov dword ptr [ebp-04h], edx
            jne 00007F2414B2026Dh
            dec eax
            or dword ptr [0000A26Dh], FFFFFFFFh
            and eax, 0FFF3FF0h
            dec eax
            mov dword ptr [00000055h], 00000000h
            Programming Language:
            • [IMP] VS2008 SP1 build 30729
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaff4 | 0xf0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x56ec | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd000 | 0x438 | .pdata
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0x70 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa3b0 | 0x38 | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa270 | 0x140 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x290 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x4584 | 0x4600 | d031826de6e0e6fb9ccc321e78e11d07 | False | 0.5434151785714286 | data | 6.374369452326817 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x6000 | 0x5bc4 | 0x5c00 | d9c437122c60c894b2f54adf5a7e1a71 | False | 0.6548488451086957 | data | 7.210114059723916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xc000 | 0x200 | 0x200 | 59db9f2a508b239ec802e9d0119966a6 | False | 0.26171875 | DOS executable (block device driver \377\377\377\377\377\377) | 2.224911641545331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .pdata | 0xd000 | 0x438 | 0x600 | 221a3fb74e87cf68c7ec77be366c615c | False | 0.3580729166666667 | data | 3.1722964215356337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xe000 | 0x70 | 0x200 | 81c0371bb37172bdb766a9f4233486e2 | False | 0.224609375 | data | 1.3216181203289816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .rsrc | 0xf000 | 0x56ec | 0x5800 | 568a6f175845f6ba67d1ccd2ac08b100 | False | 0.9483753551136364 | data | 7.839562838980695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xf2a8 | 0x2ec | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0147058823529411
            RT_ICON | 0xf594 | 0x592 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0077138849929874
            RT_ICON | 0xfb28 | 0x8f4 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0047993019197208
            RT_ICON | 0x1041c | 0x156d | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0020054694621696
            RT_ICON | 0x1198c | 0x324 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.013681592039801
            RT_ICON | 0x11cb0 | 0x60c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0071059431524547
            RT_ICON | 0x122bc | 0x998 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.0044788273615635
            RT_ICON | 0x12c54 | 0x16b3 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0018929616245051
            RT_GROUP_ICON | 0x14308 | 0x3e | data | | | 0.8709677419354839
            RT_GROUP_ICON | 0x14348 | 0x3e | data | | | 0.8870967741935484
            RT_VERSION | 0x14388 | 0x364 | data | English | United States | 0.5483870967741935
            DLL | Import
            KERNEL32.dll | HeapCreate, WaitForSingleObject, Sleep, LoadLibraryA, CreateThread, HeapAlloc, GetModuleHandleW, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, QueryPerformanceCounter
            USER32.dll | MessageBoxW
            MSVCP140.dll | ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?good@ios_base@std@@QEBA_NXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xlength_error@std@@YAXPEBD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
            VCRUNTIME140_1.dll | __CxxFrameHandler4
            VCRUNTIME140.dll | __current_exception, _CxxThrowException, __current_exception_context, memcpy, __C_specific_handler, __std_exception_copy, __std_exception_destroy, __std_terminate, memset, memchr
            api-ms-win-crt-string-l1-1-0.dll | isalnum, strcmp
            api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, _initterm, _register_thread_local_exe_atexit_callback, terminate, _c_exit, _set_app_type, exit, _exit, _seh_filter_exe, _get_narrow_winmain_command_line, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _invalid_parameter_noinfo_noreturn, _cexit
            api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, malloc, _callnewh
            api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
            api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
            api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
            Language of compilation system | Country where language is spoken | Map
            English | United States |
            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
            2024-09-10T10:58:45.805295+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49730 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:58:49.904119+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49733 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:58:54.035146+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49736 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:58:58.765949+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49741 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:02.875405+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49748 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:06.930846+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49751 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:10.998546+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49754 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:15.034083+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49757 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:19.109811+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49760 | 116.198.231.169 | 63222 | TCP
            2024-09-10T10:59:23.134618+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49763 | 116.198.231.169 | 63222 | TCP
            TimestampSource PortDest PortSource IPDest IP
            Sep 10, 2024 10:59:19.122566938 CEST4976163222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:19.122898102 CEST4976163222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:19.127803087 CEST6322249761116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.112323046 CEST6322249761116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.112386942 CEST4976163222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.112624884 CEST4976163222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.114809036 CEST4976263222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.117465019 CEST6322249761116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.119664907 CEST6322249762116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.119745016 CEST4976263222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.119862080 CEST4976263222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.124620914 CEST4976363222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.125508070 CEST6322249762116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.125562906 CEST4976263222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.129520893 CEST6322249763116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:21.129592896 CEST4976363222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.129798889 CEST4976363222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:21.134906054 CEST6322249763116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:23.134493113 CEST6322249763116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:23.134618044 CEST4976363222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:23.134712934 CEST4976363222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:23.137036085 CEST4976463222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:23.140155077 CEST6322249763116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:23.142083883 CEST6322249764116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:23.142164946 CEST4976463222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:23.142474890 CEST4976463222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:23.147934914 CEST6322249764116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:25.155025959 CEST6322249764116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:25.156979084 CEST4976463222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:25.157080889 CEST4976463222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:25.159776926 CEST4976563222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:25.161973000 CEST6322249764116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:25.164700985 CEST6322249765116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:25.164808989 CEST4976563222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:25.164947033 CEST4976563222192.168.2.4116.198.231.169
            Sep 10, 2024 10:59:25.170629978 CEST6322249765116.198.231.169192.168.2.4
            Sep 10, 2024 10:59:25.172998905 CEST4976563222192.168.2.4116.198.231.169
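            The trace above is the check-in pattern a beacon detector keys on: every contact with 116.198.231.169:63222 is a fresh TCP connection from the next ephemeral source port (49755 through 49765), and the connections open roughly two seconds apart, which is consistent with a short, fixed Beacon sleep and no jitter. The script below is an added example, not part of the Joe Sandbox report or of Cobalt Strike; it groups packets into connections by client port, takes the first client-to-C2 packet of each as the check-in time, and reports the dominant inter-check-in period. The sample rows are a constructed subset of the table above (the first client packet of each connection plus two server replies), and the whitespace-separated five-column layout is an assumption of this example rather than a Joe Sandbox export format.

```python
"""Check-in interval analysis for the sandbox network trace above."""
import re
from collections import Counter
from datetime import datetime, timedelta

C2_IP = "116.198.231.169"   # destination seen in the table above
C2_PORT = 63222

# Constructed sample: a subset of the rows in the table above (the first client
# packet of each connection plus two server replies to exercise the direction
# filter). Columns: timestamp, source port, destination port, source IP, dest IP.
SAMPLE_ROWS = """\
Sep 10, 2024 10:59:11.004259109 CEST 49755 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:11.009325981 CEST 63222 49755 116.198.231.169 192.168.2.4
Sep 10, 2024 10:59:13.022764921 CEST 49756 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:13.028240919 CEST 63222 49756 116.198.231.169 192.168.2.4
Sep 10, 2024 10:59:13.030687094 CEST 49757 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:15.036770105 CEST 49758 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:17.068033934 CEST 49759 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:17.076956034 CEST 49760 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:19.112216949 CEST 49761 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:21.114809036 CEST 49762 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:21.124620914 CEST 49763 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:23.137036085 CEST 49764 63222 192.168.2.4 116.198.231.169
Sep 10, 2024 10:59:25.159776926 CEST 49765 63222 192.168.2.4 116.198.231.169
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)


def parse_timestamp(base, frac):
    """The sandbox prints nanoseconds; strptime's %f stops at microseconds."""
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return dt + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def parse_rows(text):
    """Parse the five-column rows into packet dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            packets.append({
                "ts": parse_timestamp(m["ts"], m["frac"]),
                "sport": int(m["sport"]), "dport": int(m["dport"]),
                "sip": m["sip"], "dip": m["dip"],
            })
    return packets


def connection_starts(packets, c2_ip, c2_port):
    """Earliest client->C2 packet per client source port, sorted by time.

    Each check-in in this trace is a fresh TCP connection from a new ephemeral
    port, so the first packet on each source port marks one check-in."""
    first = {}
    for p in packets:
        if p["dip"] == c2_ip and p["dport"] == c2_port:
            first[p["sport"]] = min(first.get(p["sport"], p["ts"]), p["ts"])
    return sorted(first.values())


def intervals(starts):
    """Seconds between consecutive check-ins."""
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def dominant_period(gaps, bucket=0.1):
    """Most common gap, rounded to `bucket` seconds, and how many gaps fell in it.

    One bucket holding most of the gaps, with few outliers, is the signature
    of a fixed sleep with little or no jitter."""
    hist = Counter(round(g / bucket) for g in gaps)
    k, hits = hist.most_common(1)[0]
    return round(k * bucket, 1), hits


if __name__ == "__main__":
    pkts = parse_rows(SAMPLE_ROWS)
    starts = connection_starts(pkts, C2_IP, C2_PORT)
    gaps = intervals(starts)
    period, hits = dominant_period(gaps)
    print(f"{len(starts)} check-ins to {C2_IP}:{C2_PORT}")
    print("gaps (s):", [round(g, 3) for g in gaps])
    print(f"dominant period {period}s in {hits}/{len(gaps)} gaps")
```

On the rows above this reports eleven check-ins, seven gaps of about 2.0 s and three sub-10 ms gaps (connections 49756/49757, 49759/49760 and 49762/49763 open back to back, so the sample sometimes makes a second request immediately after the first). Applied to longer captures, a high hit count in one period bucket is the quantity to alert on; a jittered Beacon spreads the histogram but still leaves the same upper bound on the gaps.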


            Target ID:0
            Start time:04:58:37
            Start date:10/09/2024
            Path:C:\Users\user\Desktop\QT2hJT3Syn.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\QT2hJT3Syn.exe"
            Imagebase:0x7ff7d9950000
            File size:67'584 bytes
            MD5 hash:D19F3280851B5E9510A63FE7C80466AE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:6
            Start time:04:59:24
            Start date:10/09/2024
            Path:C:\Windows\System32\WerFault.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WerFault.exe -u -p 6588 -s 1388
            Imagebase:0x7ff753dc0000
            File size:570'736 bytes
            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:13.4%
              Dynamic/Decrypted Code Coverage:8.3%
              Signature Coverage:30.8%
              Total number of Nodes:266
              Total number of Limit Nodes:6
              execution_graph (rendered figure; the node and edge list is not reproduced). Call chains recoverable from it:
              • Entry 7ff7d9951b80: CRT startup (__scrt_acquire_startup_lock, _register_thread_local_exe_atexit_callback, GetStartupInfoW, _get_narrow_winmain_command_line) into 7ff7d9953eb0, then 7ff7d99521c8 GetModuleHandleW and _cexit / _exit.
              • 7ff7d9953eb0: MessageBoxW, memcpy loops, 7ff7d9954360 → 7ff7d99539c0 (isalnum / memchr scanning loop) and 7ff7d9951560 (std::basic_ostream writes), memset, strcmp loop, then VirtualProtect, LoadLibraryA, CreateThread, WaitForSingleObject, HeapCreate, HeapAlloc, memcpy, Sleep; error paths through _invalid_parameter_noinfo_noreturn and free.
              • 7ff7d9952038 (the "9 API calls" node): IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter.
              • 7ff7d9951818: malloc, on failure 7ff7d9951d30 → _CxxThrowException; 7ff7d99511a0: Concurrency::cancel_current_task, __std_exception_copy.
              • 7ff7d9951a9c: _RTC_Initialize, InitializeSListHead (7ff7d9952340), _initialize_onexit_table; 7ff7d995228c: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter; 7ff7d9951b64 → 7ff7d995221c SetUnhandledExceptionFilter; 7ff7d99554a3 _seh_filter_exe.
              • Dynamically allocated region: 995739ea27 and 995739ea4c → 995739eb26 (LoadLibraryA, InternetOpenA) → 995739eb60 (InternetConnectA) → 995739eb7f (HttpOpenRequestA) → 995739ebc6 (HttpSendRequestA), which loops back to 995739eba6 on failure.

              Callgraph

              • Executed
              • Not Executed
              • Opacity -> Relevance
              • Disassembly available
              callgraph (rendered figure; the node list is not reproduced). Functions fall into two address ranges: the loaded image at Function_00007FF7D995xxxx and the dynamically allocated region at Function_000000995739Exxxx (E0C0, E329, E360, E87C, EA27, EA4C, EB26, EB60, EB7F, EE07). Edges of note: Function_000000995739EA27 and Function_000000995739EA4C → Function_000000995739EB26 → Function_000000995739EB60 → Function_000000995739EB7F; Function_00007FF7D9951B80 (entry) → Function_00007FF7D9953EB0 → Function_00007FF7D9955390, Function_00007FF7D9951818, Function_00007FF7D99511A0, Function_00007FF7D9954360, Function_00007FF7D99517D0, Function_00007FF7D99517E4; Function_00007FF7D9954360 → Function_00007FF7D99539C0 and Function_00007FF7D9951560.

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph for 7ff7d9953eb0 (rendered figure; the edge list is not reproduced). Basic blocks with API calls, in address order: 7ff7d9953eb0 call 7ff7d9955390, MessageBoxW; 7ff7d9953ef1 memcpy; 7ff7d9953f72 memcpy; 7ff7d9953fb8 call 7ff7d9951818; 7ff7d9954014 memcpy; 7ff7d995403a call 7ff7d9954360; 7ff7d995408a call 7ff7d99517e4; 7ff7d995408f memset; 7ff7d99540fa memset; 7ff7d99541bf call 7ff7d99517d0; 7ff7d9954210 strcmp (looped with 7ff7d9954234 and 7ff7d995423c); 7ff7d9954241 VirtualProtect, LoadLibraryA, CreateThread, WaitForSingleObject, HeapCreate, HeapAlloc, memcpy; 7ff7d99542d8 Sleep; 7ff7d995432f _invalid_parameter_noinfo_noreturn; 7ff7d9954336 call 7ff7d99517e4; 7ff7d995434b call 7ff7d9951240; 7ff7d9954351 call 7ff7d99511a0.
              APIs
              • MessageBoxW.USER32 ref: 00007FF7D9953EE2
              • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D9953F05
              • memcpy.VCRUNTIME140 ref: 00007FF7D9953F8F
              • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D9954030
              • memset.VCRUNTIME140(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D99540B6
              • memset.VCRUNTIME140(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D9954106
              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D995422B
              • VirtualProtect.KERNELBASE(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D9954261
              • LoadLibraryA.KERNEL32(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D995426A
              • CreateThread.KERNELBASE ref: 00007FF7D9954286
              • WaitForSingleObject.KERNEL32(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D9954294
              • HeapCreate.KERNEL32(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D99542A7
              • HeapAlloc.KERNEL32(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D99542BB
              • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D99542D1
              • Sleep.KERNEL32(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D99542DD
                • Part of subcall function 00007FF7D9951818: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7D995100E), ref: 00007FF7D9951832
              • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00000000,?,00007FF7D9951C86), ref: 00007FF7D995432F
              • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7D9954351
              Strings
              • rW/xHjl/tpwqf1jaiPmqhwLTh/9V+0ClGm9TOkOcD5z/T4vuhcMWvccRToRnKodSXfv3fSUMfPE6HBpgW6PiXjGOslgM0HbL2BrCFb+ChiWMg7HLEpejgVGYwPZdvNhe8n5PcmSJtUFshxv0HtreU7iJABqRT6gm2O7nG9z2fd6wruUBN/we2QsjOTQ3El7aaLkEhYWQTuVJnyogTuU1PjvIYQe4B6ZL7gaqArtsu8VAJJuT5mPIceKgQo8wZKJn6SdG, xrefs: 00007FF7D9953EFE
              • kernel32.dll, xrefs: 00007FF7D9954263
              • GetProcAddress, xrefs: 00007FF7D9954216
              • VirtualProtect, xrefs: 00007FF7D9954241
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: memcpy$CreateHeapmemset$AllocConcurrency::cancel_current_taskLibraryLoadMessageObjectProtectSingleSleepThreadVirtualWait_invalid_parameter_noinfo_noreturnmallocstrcmp
              • String ID: GetProcAddress$VirtualProtect$kernel32.dll$rW/xHjl/tpwqf1jaiPmqhwLTh/9V+0ClGm9TOkOcD5z/T4vuhcMWvccRToRnKodSXfv3fSUMfPE6HBpgW6PiXjGOslgM0HbL2BrCFb+ChiWMg7HLEpejgVGYwPZdvNhe8n5PcmSJtUFshxv0HtreU7iJABqRT6gm2O7nG9z2fd6wruUBN/we2QsjOTQ3El7aaLkEhYWQTuVJnyogTuU1PjvIYQe4B6ZL7gaqArtsu8VAJJuT5mPIceKgQo8wZKJn6SdG
              • API String ID: 1700708136-1027293778
              • Opcode ID: f9bc0d7294f68d03651fd688e6f71cc41f92d764ef2405ada01706ca51ef2039
              • Instruction ID: f0d27e86d9ef6be61ea0e342b8b0180f8515be6d89d6ed34f0fa05ef1f53d2f8
              • Opcode Fuzzy Hash: f9bc0d7294f68d03651fd688e6f71cc41f92d764ef2405ada01706ca51ef2039
              • Instruction Fuzzy Hash: 0AD1B322A08A8296EB90EF25D8403BEA771FB94798FD04233DA5E47AD5DE3CD585C710

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph for 995739eb60 (rendered figure; the edge list is not reproduced). Blocks with API calls: 995739eb60 InternetConnectA; 995739eba6 HttpSendRequestA; 995739ebf8 call 995739eb7f. The remaining blocks (995739ebfd through 995739ee27) carry no API calls, and 995739ee27 loops on itself.
              APIs
              • InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 000000995739EB7B
                • Part of subcall function 000000995739EB7F: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000000995739EB9A
                • Part of subcall function 000000995739EB7F: HttpSendRequestA.WININET(000000995739EBAD,000000995739EBAD), ref: 000000995739EBDE
              Memory Dump Source
              • Source File: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Offset: 000000995739E000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_995739e000_QT2hJT3Syn.jbxd
              Yara matches
              Similarity
              • API ID: HttpRequest$ConnectInternetOpenSend
              • String ID:
              • API String ID: 3744200278-0
              • Opcode ID: e3167bb3e8b5aeea410c5bda1354292710fbe9dd2fdc2113092930280f81d543
              • Instruction ID: dbf25d72eccec2f227d63f6de976f82066dc53d567e97cfad96d33bd07fcc7f5
              • Opcode Fuzzy Hash: e3167bb3e8b5aeea410c5bda1354292710fbe9dd2fdc2113092930280f81d543
              • Instruction Fuzzy Hash: 99A17A23198A954EEB2B4FBCA41A3777F91EB02320F2E059DD4C18B1D7D1708B06C769

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
              • String ID:
              • API String ID: 3995423050-0
              • Opcode ID: 1a752565a283e8bc6c4718bd7f0bfa4515868e64581fd36a0b3e31664e51b0ac
              • Instruction ID: 69b56cc9a5adec860d5992b1a5074522abce95dc56b6ae516c926c44dfbd9fad
              • Opcode Fuzzy Hash: 1a752565a283e8bc6c4718bd7f0bfa4515868e64581fd36a0b3e31664e51b0ac
              • Instruction Fuzzy Hash: 61310721A0C10366FAE4BF65D4912BF92B1AFC538CFC44036E64D47297DE2EE8448270

              Control-flow Graph

              APIs
              • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000000995739EB9A
              • HttpSendRequestA.WININET(000000995739EBAD,000000995739EBAD), ref: 000000995739EBDE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Offset: 000000995739E000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_995739e000_QT2hJT3Syn.jbxd
              Yara matches
              Similarity
              • API ID: HttpRequest$OpenSend
              • String ID: U.;
              • API String ID: 3451552748-4213443877
              • Opcode ID: 0673e6ba89fcafa97f45a20ababb8eb16fe70298331e982a3612c8fa0d542fd6
              • Instruction ID: e10573e55bde8a2d7ed99b925aa9476de2a0bd8041372df73260d5c183bf47e0
              • Opcode Fuzzy Hash: 0673e6ba89fcafa97f45a20ababb8eb16fe70298331e982a3612c8fa0d542fd6
              • Instruction Fuzzy Hash: F911DDA1388C0D1BF61D859D7C5A73620CAD3C8765F25812FB50EC33DADD68CD82412A

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2617351207.000000995739E000.00000040.00000010.00020000.00000000.sdmp, Offset: 000000995739E000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_995739e000_QT2hJT3Syn.jbxd
              Yara matches
              Similarity
              • API ID: InternetLibraryLoadOpen
              • String ID: wini
              • API String ID: 2559873147-1606035523
              • Opcode ID: 5f93fe04556e9114a692b7a8cb09660883b66be0f4b4a600167b52d13b5f35d2
              • Instruction ID: bb45c2289e3829e286df8f680c18b10cca86eb5cab7a22d65ef98a043250ee95
              • Opcode Fuzzy Hash: 5f93fe04556e9114a692b7a8cb09660883b66be0f4b4a600167b52d13b5f35d2
              • Instruction Fuzzy Hash: 6A01413209CA448FD32E4EB4680733B7AD1EB42B15F2654AEE0C3854A3C9300A428B96

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: memcpy$memchrmemset$_invalid_parameter_noinfo_noreturnisalnum
              • String ID:
              • API String ID: 581468037-0
              • Opcode ID: 8ef4aaa22b329a95060205e8a9b0493baab4ad5e0559fcd37528c45140d44259
              • Instruction ID: 9f4c1d521f33ee130f4a1e1d920e7bee8c6cb35660139c6ec939ca2ab225b17a
              • Opcode Fuzzy Hash: 8ef4aaa22b329a95060205e8a9b0493baab4ad5e0559fcd37528c45140d44259
              • Instruction Fuzzy Hash: AB8233726082D09BD7658F3894406FEBBA1F78A74DFC59126DB8A4B786CB3CE601C750

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
              • String ID:
              • API String ID: 313767242-0
              • Opcode ID: 9ffe9f7a2552eabd9cbd91c231be09652aabbf0b04a8f210b51f505912c4f0c6
              • Instruction ID: 5f31ed822c4f1a302e20c37660e086481b9544aa4a4073a86ed65979444e8419
              • Opcode Fuzzy Hash: 9ffe9f7a2552eabd9cbd91c231be09652aabbf0b04a8f210b51f505912c4f0c6
              • Instruction Fuzzy Hash: 55310F72609B8196EBA09F61E8407EFB374FB94748F84403ADA4E47B99DF38D548C720

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 2933794660-0
              • Opcode ID: 0fbad5fd6f2767220c7461670684e260ec7aafaf3dc54847602cb2efa943320e
              • Instruction ID: 9191d2fef644d2339d4f55442282b2cfa8e67cc9e794f1f87bfcd0c8946df941
              • Opcode Fuzzy Hash: 0fbad5fd6f2767220c7461670684e260ec7aafaf3dc54847602cb2efa943320e
              • Instruction Fuzzy Hash: 88114F22B14B019AEB40EF71E8442BE73B4F75975CF840E32DA5D82754EF38D1548350

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-3916222277
              • Opcode ID: 10fe64071739a2ded2f0a5419cf26234a9cb385721e058ba0fcc83c8cc307c78
              • Instruction ID: 263062de2372a2493d4a89ea3e8ee431166fb694fbdfbfab59e642ef23cfe573
              • Opcode Fuzzy Hash: 10fe64071739a2ded2f0a5419cf26234a9cb385721e058ba0fcc83c8cc307c78
              • Instruction Fuzzy Hash: C1C11472B182918BE765DF2895507BE7BE0F789B49FC58036DA4D8B344DB78E601C720
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68d9fd08a1a3572f31eb62606a6418c6cd1bf873439365f6d5667c21df0fb5db
              • Instruction ID: 7c5b03349cbed545e928b68d974a78185850c9755451bef8f6d47d54165eaa3c
              • Opcode Fuzzy Hash: 68d9fd08a1a3572f31eb62606a6418c6cd1bf873439365f6d5667c21df0fb5db
              • Instruction Fuzzy Hash: E01246732087E48AC7508F2D98405AF7FA4F399B4AF894216EFC947786CA3DE615C760
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d16f77bd1055aef42d53165e0a7d8d775166ff36071f674d1390ceb6bc1ed32d
              • Instruction ID: 54bc590f011b6dab066ab00251679cc791891b4f6cff1f2b4042aac5a9fc6b92
              • Opcode Fuzzy Hash: d16f77bd1055aef42d53165e0a7d8d775166ff36071f674d1390ceb6bc1ed32d
              • Instruction Fuzzy Hash: 821235736083E48AD7508F2D98444AFBBA4F399B49F8A8216DFC947782CA3CF515C720
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 185bb21c631b42b625ea131c3156779a1e8468bba62d3009b45224cd70e431eb
              • Instruction ID: 8f0d5b23558e864e1e5b4f39ead441b918e2ba4f30dc9a04b0489f9ef8598563
              • Opcode Fuzzy Hash: 185bb21c631b42b625ea131c3156779a1e8468bba62d3009b45224cd70e431eb
              • Instruction Fuzzy Hash: 58A00126909802A1E699AF21A85043EA230AB94309BC14432C00D410649E2DE444C220

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: _invalid_parameter_noinfo_noreturnmemcpy$Concurrency::cancel_current_task
              • String ID: string too long
              • API String ID: 621473597-2556327735
              • Opcode ID: dc214a706161d04807a1c17e90786c25c00201b982d4ed9808e8b67d56e755a6
              • Instruction ID: cc40f91abf887c0f5d376aaf568c39a1904a0cc4651f66f37edeef6db9dbb9eb
              • Opcode Fuzzy Hash: dc214a706161d04807a1c17e90786c25c00201b982d4ed9808e8b67d56e755a6
              • Instruction Fuzzy Hash: E381F662B08781A5EA74AF61A14036EA371EB85BD8FD44636DB6D07BD5CF7CD091C320

              Control-flow Graph

              APIs
              • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7D99515BD
              • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7D99515DD
              • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7D99515ED
              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7D9951636
              • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7D9951666
              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7D9951688
              • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7D99516CE
              • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7D99516D5
              • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7D99516E2
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
              • String ID:
              • API String ID: 3274656010-0
              • Opcode ID: 2d83f5bf139d5ddab99d305bf5690e1c03955fd8ff749a6140a8785ce57e8d76
              • Instruction ID: 84376d8d9806d87376a987c2b17d2e2e9b2b16a2a7078afb96af94a2abeabaaf
              • Opcode Fuzzy Hash: 2d83f5bf139d5ddab99d305bf5690e1c03955fd8ff749a6140a8785ce57e8d76
              • Instruction Fuzzy Hash: D5511E32609A4192EBA0AF1AE59023EE770EBC5B99FD5C533CA5E437A4CF3DD4468310

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2617790359.00007FF7D9951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D9950000, based on PE: true
              • Associated: 00000000.00000002.2617779419.00007FF7D9950000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617801917.00007FF7D9956000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617813626.00007FF7D995C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2617825903.00007FF7D995D000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff7d9950000_QT2hJT3Syn.jbxd
              Similarity
              • API ID: memchr$isalnummemcpymemset
              • String ID:
              • API String ID: 2613388124-0
              • Opcode ID: 1c4aa18a20eb7564f907b3e35b9d161b37e06d40664dc32e136580126c14a596
              • Instruction ID: 0962f5fca76d92a470c94d9654088aba174ca76956501603f7e66c7b53c1a77b
              • Opcode Fuzzy Hash: 1c4aa18a20eb7564f907b3e35b9d161b37e06d40664dc32e136580126c14a596
              • Instruction Fuzzy Hash: BFD10722A09782A5EB41BF25940127EABB1EB81BECFD44636DD2D47BD5DE3CD446C320