
Windows Analysis Report
TEiot52yrz.exe

Overview

General Information

Sample name: TEiot52yrz.exe
(renamed because the original name is a hash value)
Original sample name: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41.exe
Analysis ID: 1508525
MD5: fa332de9a0e7da5e975173ee47246172
SHA1: c6e74c68a11a9d318137aba895f2bcde89d42f2b
SHA256: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41
Tags: 116-198-231-169, exe

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
One or more processes crash
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TEiot52yrz.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\TEiot52yrz.exe" MD5: FA332DE9A0E7DA5E975173EE47246172)
    • WerFault.exe (PID: 5848 cmdline: C:\Windows\system32\WerFault.exe -u -p 7788 -s 1192 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers a wealth of functionality to the attacker, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
CobaltStrike configuration: {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Metasploit configuration: {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Yara matches on dropped files (Source | Rule | Description | Author | Strings):
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • 0x1bd79:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • 0x1bde5:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • 0x61:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • 0xcd:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

No Sigma rule has matched
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-10T10:55:16.172006+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49707 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:20.852883+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49710 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:25.060105+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49713 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:29.314528+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49716 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:33.550685+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49723 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:37.934760+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49726 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:42.196559+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49729 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:46.376638+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49732 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:50.479481+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49735 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:55.331575+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49738 | 116.198.231.169 | 63222 | TCP

AV Detection

Source: TEiot52yrz.exe | Avira: detected
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Source: TEiot52yrz.exe | ReversingLabs: Detection: 60%
Source: TEiot52yrz.exe | Virustotal: Detection: 60%
Source: TEiot52yrz.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: http://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor | URLs: http://116.198.231.169/jquery-3.3.2.slim.min.js
Source: global traffic | TCP traffic: 192.168.2.10:49707 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49710 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49716 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49738 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49726 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49735 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49713 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49723 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49729 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49732 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49707 -> 116.198.231.169:63222
Source: unknown | TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/
Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/(
Source: TEiot52yrz.exe, 00000007.00000003.1654586335.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1613554998.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/9
Source: TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/k
Source: TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/p
Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/q
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
Source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/
Source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/r
Source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/
Source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/X/W
Source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/d
Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000002.1772520465.000002242F72C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsa0
Source: TEiot52yrz.exe, 00000007.00000002.1772520465.000002242F72C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsb
Source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/k
Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/l
Source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/pData

System Summary

Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, type: DROPPED | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, type: DROPPED | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00007FF6E7F55D5C
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00007FF6E7F55785
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00007FF6E7F53DE8
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00007FF6E7F5603A
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00007FF6E7F554A4
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00000076FB5BE122
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7788 -s 1192
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal92.troj.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7788
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4ce0ec32-25f2-44d7-9afb-bc7d0bd7b482
Source: TEiot52yrz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TEiot52yrz.exe | ReversingLabs: Detection: 60%
Source: TEiot52yrz.exe | Virustotal: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\TEiot52yrz.exe "C:\Users\user\Desktop\TEiot52yrz.exe"
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7788 -s 1192
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: TEiot52yrz.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: TEiot52yrz.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: TEiot52yrz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00000076FB5BE17B push eax; ret 7_2_00000076FB5BE3D7
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 7_2_00000076FB5BE359 push eax; ret 7_2_00000076FB5BE3D7
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: Amcache.hve.12.dr; Binary or memory string: VMware
      Source: Amcache.hve.12.dr; Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.12.dr; Binary or memory string: vmci.syshbin
      Source: Amcache.hve.12.dr; Binary or memory string: VMware, Inc.
      Source: Amcache.hve.12.dr; Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.12.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.12.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.12.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F760000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F761000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F761000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.12.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.12.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.12.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F7A1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWa
      Source: Amcache.hve.12.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.12.dr; Binary or memory string: vmci.sys
      Source: Amcache.hve.12.dr; Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.12.dr; Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.12.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.12.dr; Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
      Source: Amcache.hve.12.dr; Binary or memory string: VMware20,1
      Source: Amcache.hve.12.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.12.dr; Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.12.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.12.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.12.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.12.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.12.dr; Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.12.dr; Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.12.dr; Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.12.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.12.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\Desktop\TEiot52yrz.exe; Code function: 7_2_00007FF6E7F5365C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF6E7F5365C
      Source: C:\Users\user\Desktop\TEiot52yrz.exe; Code function: 7_2_00007FF6E7F52B74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF6E7F52B74
      Source: C:\Users\user\Desktop\TEiot52yrz.exe; Code function: 7_2_00007FF6E7F53804 SetUnhandledExceptionFilter,7_2_00007FF6E7F53804
      Source: C:\Users\user\Desktop\TEiot52yrz.exe; Code function: 7_2_00007FF6E7F53874 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF6E7F53874
      Source: Amcache.hve.12.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.12.dr; Binary or memory string: msmpeng.exe
      Source: Amcache.hve.12.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.12.dr; Binary or memory string: MsMpEng.exe

      Remote Access Functionality

      Source: Yara match; File source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK matrix (a leading number is the count shown in the original matrix for that technique):
      • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
      • Resource Development: Acquire Infrastructure; Domains; DNS Server
      • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
      • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
      • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
      • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
      • Defense Evasion: 1 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
      • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
      • Discovery: 1 System Time Discovery; 21 Security Software Discovery; 2 System Information Discovery
      • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
      • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
      • Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol
      • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
      • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
      Antivirus detection (Source / Detection / Scanner / Label):
      • TEiot52yrz.exe: 61%, ReversingLabs, Win64.Backdoor.MeterpreterReverseShell
      • TEiot52yrz.exe: 60%, Virustotal
      • TEiot52yrz.exe: 100%, Avira, TR/AD.MeterpreterSC.zrtjs
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      URL detection (Source / Detection / Scanner / Label):
      • http://upx.sf.net: 0%, URL Reputation, safe
      • https://116.198.231.169:63222/k: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/l: 0%, Avira URL Cloud, safe
      • http://116.198.231.169:63222/jquery-3.3.2.slim.min.js: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/(: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/k: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/d: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsb: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.js: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/9: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/pData: 0%, Avira URL Cloud, safe
      • https://116.198.231.169/r: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/q: 0%, Avira URL Cloud, safe
      • http://code.jquery.com/p: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsa0: 0%, Avira URL Cloud, safe
      • https://116.198.231.169/: 0%, Avira URL Cloud, safe
      • http://116.198.231.169/jquery-3.3.2.slim.min.js: 0%, Avira URL Cloud, safe
      • https://116.198.231.169:63222/X/W: 0%, Avira URL Cloud, safe
      No contacted domains info
      Contacted URLs (Name / Malicious / Antivirus Detection / Reputation):
      • http://116.198.231.169:63222/jquery-3.3.2.slim.min.js; malicious: true; Avira URL Cloud: safe; reputation: unknown
      • http://116.198.231.169/jquery-3.3.2.slim.min.js; malicious: true; Avira URL Cloud: safe; reputation: unknown
      URLs from memory and binary data (Name / Source / Malicious / Antivirus Detection / Reputation):
      • https://116.198.231.169:63222/l; source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/k; source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/(; source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/; source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp; malicious: true; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/k; source: TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/d; source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsb; source: TEiot52yrz.exe, 00000007.00000002.1772520465.000002242F72C000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.js; source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000002.1772520465.000002242F72C000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/; source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/9; source: TEiot52yrz.exe, 00000007.00000003.1654586335.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1613554998.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://upx.sf.net; source: Amcache.hve.12.dr; malicious: false; URL Reputation: safe; reputation: unknown
      • https://116.198.231.169:63222/pData; source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169/r; source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F760000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/q; source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • http://code.jquery.com/p; source: TEiot52yrz.exe, 00000007.00000003.1703107624.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1723907163.000002242F7B9000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsa0; source: TEiot52yrz.exe, 00000007.00000002.1772601417.000002242F77E000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169/; source: TEiot52yrz.exe, 00000007.00000003.1703154920.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      • https://116.198.231.169:63222/X/W; source: TEiot52yrz.exe, 00000007.00000003.1591840224.000002242F77E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
      Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
      • 116.198.231.169; domain: unknown; country: China; ASN: 137699; ASN name: CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian; malicious: true
      Joe Sandbox version: 40.0.0 Tourmaline
      Analysis ID: 1508525
      Start date and time: 2024-09-10 10:54:20 +02:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 4m 0s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed: 17
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: TEiot52yrz.exe (renamed because original name is a hash value)
      Original Sample Name: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41.exe
      Detection: MAL
      Classification: mal92.troj.winEXE@2/5@0/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 86%
      • Number of executed functions: 4
      • Number of non-executed functions: 11
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.42.65.92
      • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed; the report is missing behavior information
      Time / Type / Description:
      • 04:56:01, API Interceptor: 1x Sleep call for process: WerFault.exe modified
      Match / Associated Sample Name / Detection / Threat Name:
      • 116.198.231.169: LtmV2sDcTK.exe, malicious, CobaltStrike, Metasploit
      • 116.198.231.169: QT2hJT3Syn.exe, malicious, CobaltStrike, Metasploit
      No context
      Match / Associated Sample Name / Detection / Threat Name / Context:
      • CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian: LtmV2sDcTK.exe, malicious, CobaltStrike, Metasploit; context: 116.198.231.169
      • CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian: QT2hJT3Syn.exe, malicious, CobaltStrike, Metasploit; context: 116.198.231.169
      • CHINATELECOM-JIANGSU-SUQIAN-IDC CHINATELECOM Jiangsu Suqian: gOEF4WOJ3c.elf, malicious, Unknown; context: 116.198.238.210
      No context
      No context
          Process: C:\Windows\System32\WerFault.exe
          File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category: dropped
          Size (bytes): 65536
          Entropy (8bit): 0.923354596152919
          Encrypted: false
          SSDEEP: 96:SQF/D1ZQs4hqKeoh7Rb6NbQXIDcQWc6zcEZcw37n+HbHg/JgwPt8sKa9bATFUp2f:XVQU60I3DEjc4bzuiFrCZ24lO8Z
          MD5: 492FE676002D4AE241A06642AAB9E226
          SHA1: 139896AA9E2FD77DF1ADC5E3970EA692A701F4B6
          SHA-256: 20BA5509063F1EE5CBA9BF6EE9908545C85031EE4A692BD7A214AA1D7A1F9012
          SHA-512: 772DBFFA33C86BE0607091DD276881CE73BFA02B0AF4C81B89374ADA24081CA7BBA59395DAD203AB496A212606302BB27260C28A1EDFB820BB3193A36C866640
          Malicious: true
          Reputation: low

          Process: C:\Windows\System32\WerFault.exe
          File Type: Mini DuMP crash report, 14 streams, Tue Sep 10 08:55:57 2024, 0x1205a4 type
          Category: dropped
          Size (bytes): 142820
          Entropy (8bit): 1.4843651892308436
          Encrypted: false
          SSDEEP: 384:YL79P9R3zyI2WL0oQLMdzLrWG33Sw/SVTuYIKANgqEp8m:YL79P9pzyI2WLkMdzhKgYIKANgqESm
          MD5: 9F5855DCDE72348C0897DFC34A4F5CBD
          SHA1: 21DA357B4CF539BA00AFCD8609BBA6DDE4BE3838
          SHA-256: AF69F3BBF0A02E22BC6626F3487BF0FAEE327AD231DC92D10F4A770A93FF9283
          SHA-512: D13AA2BBCC8C660BEBDF799D847FA6F11E745AD35478CFEA25315F89C9D12EF1CE536437311215CDCA9459EEE7805688490C1295059E13E5FEFA601CAB304E45
          Malicious: false
          Yara Hits:
          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leveraged by Metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64-bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A1.tmp.dmp, Author: unknown
          Reputation: low

          Process: C:\Windows\System32\WerFault.exe
          File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category: dropped
          Size (bytes): 8900
          Entropy (8bit): 3.7051605883814895
          Encrypted: false
          SSDEEP: 192:R6l7wVeJcrcW6YWHnHgmfVKpDRC89b0Khfp8m:R6lXJwF6YWHgmfVM70sfH
          MD5: 5D41606B29596162C7547EDE66C2578E
          SHA1: 208CE0C9CBF0874B787E6FB33868FB208C523E0F
          SHA-256: 809991094687292C33846FB0FF2FE3C10BEDF6AB3DA3CF76A456FDFF2BDB41F9
          SHA-512: 54F719EE081FA5A11C9EEB8B5BD996221669A66FCC6DFC392D1F26821D0B0CF11C1CAC5A7D05A4F7FC875DA5EC51F70E12CB097B127FF71CE4003CC76A76F1A1
          Malicious: false
          Reputation: low

          Process: C:\Windows\System32\WerFault.exe
          File Type: XML 1.0 document, ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 4800
          Entropy (8bit): 4.486190742345975
          Encrypted: false
          SSDEEP: 48:cvIwWl8zsoJg771I9NKWpW8VYbYm8M4JK6jO1FwIyq8vG6jOETxad:uIjfuI7er7VrJKspIWGs7Txad
          MD5: 94801AD72870315E7B96C45FCCEF89F9
          SHA1: BDB021A0FDCABE4CD33C6F06F40D39B43D49D8E7
          SHA-256: 3AF7AB665948F456EF9346A257D2C3174233731004449529FC869D7574A738F3
          SHA-512: EC930E0A0C0DF17AC2D72CAFA5398329D0043A790B743A8750EDE696933EBE5B537C1151DD8F96F748C26C241FCAF2BE128BD7625AE80BA59E8BAD1994707715
          Malicious: false
          Reputation: low

          Process: C:\Windows\System32\WerFault.exe
          File Type: MS Windows registry file, NT/2000 or above
          Category: dropped
          Size (bytes): 1835008
          Entropy (8bit): 4.296029237847674
          Encrypted: false
          SSDEEP: 6144:M41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+BZmBMZJh1Vj7:h1/YCW2AoQ0NiTZwMHrVn
          MD5: 234E6DA82807FAF6AD944FD63F220CA8
          SHA1: 3D802FB9D7FAF85F51549C9F2B2ADB0B63524F65
          SHA-256: 1418917B81A5382569AEFBBAF1118F388CB7372797A063269920783C95FA4DC9
          SHA-512: FCD571398FA649C687DCCA75840A10FFF4923EC9F0516D9829E5C5FBC1C6E22C6BC4D6D2FD877F71CCE23B9B71B45ED91A82F77EE4944EF58F42E2907165EBC2
          Malicious: false
          Reputation: low

          File type: PE32+ executable (GUI) x86-64, for MS Windows
          Entropy (8bit): 6.5071715281779605
          TrID:
          • Win64 Executable GUI (202006/5) 92.65%
          • Win64 Executable (generic) (12005/4) 5.51%
          • Generic Win/DOS Executable (2004/3) 0.92%
          • DOS Executable Generic (2002/1) 0.92%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name: TEiot52yrz.exe
          File size: 53'760 bytes
          MD5: fa332de9a0e7da5e975173ee47246172
          SHA1: c6e74c68a11a9d318137aba895f2bcde89d42f2b
          SHA256: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41
          SHA512: d929f944ebf93719ff6762bcfc56927a29418d71f72636be72b443f6c7d1e04dc6de6e56f8077e2c435f0d7afedf511e99c5768083c243f5f763587ec4158546
          SSDEEP: 1536:zli07qgtT9e0uLwwpX996H810S4oqiedINb:zli07qgtg0uLwwp6HGgGb
          TLSH: F633394BEB5256F4F0BBE234C1A2B23BF9F139A45631AB0F96D555030B22770A43E749
          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:n6\[.e\[.e\[.eU#.eP[.e...dX[.e...dV[.e...dG[.e...dZ[.e.#.dY[.e\[.e.[.eO..d_[.eO..d][.eRich\[.e........................PE..d..
          Icon Hash: 90cececece8e8eb0
          Entrypoint: 0x1400032f8
          Entrypoint Section: .text
          Digitally signed: false
          Imagebase: 0x140000000
          Subsystem: windows gui
          Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
          DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Time Stamp: 0x66758E29 [Fri Jun 21 14:28:57 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major: 6
          OS Version Minor: 0
          File Version Major: 6
          File Version Minor: 0
          Subsystem Version Major: 6
          Subsystem Version Minor: 0
          Import Hash: bd1e68ad73a2d648185022e899d7f29c
          Instruction
          dec eax
          sub esp, 28h
          call 00007FB5413038A8h
          dec eax
          add esp, 28h
          jmp 00007FB5413031A7h
          int3
          int3
          jmp 00007FB541303ADEh
          int3
          int3
          int3
          dec eax
          and dword ptr [ecx+10h], 00000000h
          dec eax
          lea eax, dword ptr [00005090h]
          dec eax
          mov dword ptr [ecx+08h], eax
          dec eax
          lea eax, dword ptr [00005075h]
          dec eax
          mov dword ptr [ecx], eax
          dec eax
          mov eax, ecx
          ret
          int3
          int3
          dec eax
          sub esp, 48h
          dec eax
          lea ecx, dword ptr [esp+20h]
          call 00007FB541303307h
          dec eax
          lea edx, dword ptr [000099EFh]
          dec eax
          lea ecx, dword ptr [esp+20h]
          call 00007FB5413039FAh
          int3
          dec eax
          sub esp, 48h
          dec eax
          lea ecx, dword ptr [esp+20h]
          call 00007FB54130123Bh
          dec eax
          lea edx, dword ptr [00009A9Fh]
          dec eax
          lea ecx, dword ptr [esp+20h]
          call 00007FB5413039DAh
          int3
          dec eax
          mov dword ptr [esp+10h], ebx
          dec eax
          mov dword ptr [esp+18h], esi
          push ebp
          push edi
          inc ecx
          push esi
          dec eax
          mov ebp, esp
          dec eax
          sub esp, 10h
          xor eax, eax
          xor ecx, ecx
          cpuid
          inc esp
          mov eax, ecx
          inc esp
          mov edx, edx
          inc ecx
          xor edx, 49656E69h
          inc ecx
          xor eax, 6C65746Eh
          inc esp
          mov ecx, ebx
          inc esp
          mov esi, eax
          xor ecx, ecx
          mov eax, 00000001h
          cpuid
          inc ebp
          or edx, eax
          mov dword ptr [ebp-10h], eax
          inc ecx
          xor ecx, 756E6547h
          Programming Language:
          • [IMP] VS2008 SP1 build 30729
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xce24 | 0xf0 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xf000 | 0x630 | .pdata
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x6c | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc2f0 | 0x38 | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc1b0 | 0x140 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6432 | 0x6600 | 8759b1b67f2b54eac6557e9c4522457e | False | 0.36278339460784315 | Macintosh HFS Extended version -16056 data (mounted) last mounted by: 'H\20', created: Fri Aug 26 02:24:04 2078, last modified: Sun Mar 11 23:42:58 2057, last backup: Mon Dec 18 02:10:29 2028, block size: -1064976267, number of blocks: -616002748, free blocks: 609241227 | 5.60729868940022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x5b70 | 0x5c00 | 7092854450d6513858403ce1ddf23e97 | False | 0.6414741847826086 | data | 7.175727936294308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x7a0 | 0x200 | a762b3a5c773f37ff67e8e610aabbdce | False | 0.251953125 | DOS executable (block device driver) | 2.236712118068703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xf000 | 0x630 | 0x800 | 200a12bd55e0318e3d7585101f49e6d3 | False | 0.3828125 | data | 3.4957689526148887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x6c | 0x200 | 7068c81aba75ebf8f944a190333902ff | False | 0.220703125 | data | 1.3343316886712333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetModuleHandleW, IsDebuggerPresent, LoadLibraryA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, IsProcessorFeaturePresent, VirtualProtect
MSVCP140.dll | ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?width@ios_base@std@@QEAA_J_J@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?good@ios_base@std@@QEBA_NXZ
CRYPT32.dll | CertEnumSystemStore
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | memcpy, __std_exception_destroy, __std_exception_copy, memchr, memset, __C_specific_handler, _CxxThrowException, __current_exception, __current_exception_context
api-ms-win-crt-string-l1-1-0.dll | isalnum, strlen
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _register_thread_local_exe_atexit_callback, __p___argv, _get_initial_narrow_environment, terminate, _register_onexit_function, _exit, exit, _crt_atexit, _initialize_narrow_environment, _initterm, _configure_narrow_argv, _set_app_type, _initterm_e, _invalid_parameter_noinfo_noreturn, _cexit, __p___argc, _seh_filter_exe, _initialize_onexit_table
api-ms-win-crt-heap-l1-1-0.dll | malloc, free, _set_new_mode, _callnewh
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-10T10:55:16.172006+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49707 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:20.852883+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49710 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:25.060105+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49713 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:29.314528+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49716 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:33.550685+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49723 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:37.934760+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49726 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:42.196559+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49729 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:46.376638+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49732 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:50.479481+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49735 | 116.198.231.169 | 63222 | TCP
2024-09-10T10:55:55.331575+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49738 | 116.198.231.169 | 63222 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 10, 2024 10:55:14.107218981 CEST | 49707 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:14.112708092 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:14.112781048 CEST | 49707 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:14.141244888 CEST | 49707 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:14.146311998 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:16.171864033 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:16.172005892 CEST | 49707 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:16.172168016 CEST | 49707 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:16.172765017 CEST | 49708 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:16.176930904 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:16.177572012 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:16.177654982 CEST | 49708 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:16.177850962 CEST | 49708 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:16.183046103 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.191905975 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.192025900 CEST | 49708 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.192118883 CEST | 49708 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.192612886 CEST | 49709 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.198218107 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.198230028 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.198312998 CEST | 49709 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.198410034 CEST | 49709 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.203975916 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.204049110 CEST | 49709 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.218803883 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.223695040 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:18.223774910 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.224076986 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:18.229053974 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.852694035 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.852883101 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.852997065 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.853046894 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.853245020 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.853584051 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.853636980 CEST | 49710 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.857814074 CEST | 49711 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.858282089 CEST | 63222 | 49710 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.862652063 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:20.862740993 CEST | 49711 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.863157988 CEST | 49711 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:20.867934942 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.862358093 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.862431049 CEST | 49711 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.862577915 CEST | 49711 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.865911961 CEST | 49712 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.867328882 CEST | 63222 | 49711 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.870815992 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.870922089 CEST | 49712 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.871078968 CEST | 49712 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.872808933 CEST | 49713 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.876404047 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.876508951 CEST | 49712 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.877717018 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:22.877803087 CEST | 49713 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.878231049 CEST | 49713 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:22.883008957 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:25.059993982 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:25.060105085 CEST | 49713 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:25.060364008 CEST | 49713 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:25.062691927 CEST | 49714 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:25.065248013 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:25.067728043 CEST | 63222 | 49714 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:25.067926884 CEST | 49714 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:25.068355083 CEST | 49714 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:25.077413082 CEST | 63222 | 49714 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.125807047 CEST | 63222 | 49714 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.125916004 CEST | 49714 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.126012087 CEST | 49714 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.129204988 CEST | 49715 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.130753994 CEST | 63222 | 49714 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.134063005 CEST | 63222 | 49715 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.134162903 CEST | 49715 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.134314060 CEST | 49715 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.138617039 CEST | 49716 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.139235973 CEST | 63222 | 49715 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.139308929 CEST | 49715 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.143495083 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:27.143596888 CEST | 49716 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.143879890 CEST | 49716 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:27.148644924 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:29.314465046 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:29.314527988 CEST | 49716 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:29.314945936 CEST | 49716 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:29.319788933 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:29.325774908 CEST | 49718 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:29.330698967 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:29.330779076 CEST | 49718 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:29.331099987 CEST | 49718 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:29.335912943 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.466381073 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.466599941 CEST | 49718 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.466599941 CEST | 49718 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.471355915 CEST | 49722 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.471518993 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.476197004 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.476330996 CEST | 49722 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.476500988 CEST | 49722 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.478465080 CEST | 49723 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.481384039 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.481442928 CEST | 49722 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.483342886 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:31.483499050 CEST | 49723 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.483824015 CEST | 49723 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:31.488581896 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:33.550565004 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:33.550684929 CEST | 49723 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:33.550775051 CEST | 49723 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:33.555533886 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:33.556050062 CEST | 49724 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:33.561026096 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:33.561218023 CEST | 49724 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:33.561517000 CEST | 49724 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:33.566266060 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.802422047 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.802494049 CEST | 49724 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.802572966 CEST | 49724 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.805840015 CEST | 49725 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.807400942 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.810615063 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.810683966 CEST | 49725 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.810805082 CEST | 49725 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.811948061 CEST | 49726 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.815834999 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.815891027 CEST | 49725 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.816706896 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:35.816771030 CEST | 49726 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.817068100 CEST | 49726 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:35.821822882 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:37.934530973 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:37.934760094 CEST | 49726 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:37.934761047 CEST | 49726 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:37.939683914 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:37.941485882 CEST | 49727 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:37.946393013 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:37.946508884 CEST | 49727 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:37.946794987 CEST | 49727 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:37.951602936 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.066704988 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.066812992 CEST | 49727 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.066947937 CEST | 49727 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.072145939 CEST | 49728 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.073117971 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.078517914 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.078619957 CEST | 49728 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.078756094 CEST | 49728 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.081856012 CEST | 49729 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.085452080 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.085524082 CEST | 49728 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.088115931 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:40.088202000 CEST | 49729 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.088496923 CEST | 49729 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:40.094705105 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:42.196346045 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:42.196558952 CEST | 49729 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:42.196975946 CEST | 49729 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:42.201561928 CEST | 49730 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:42.201890945 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:42.206602097 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:42.206681013 CEST | 49730 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:42.206969976 CEST | 49730 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:42.212064028 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.201756954 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.201911926 CEST | 49730 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.201999903 CEST | 49730 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.207027912 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.210915089 CEST | 49731 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.215935946 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.216095924 CEST | 49731 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.216175079 CEST | 49731 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.217467070 CEST | 49732 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.221604109 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.221687078 CEST | 49731 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.222548008 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:44.222623110 CEST | 49732 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.222887039 CEST | 49732 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:44.227749109 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:46.376059055 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:46.376637936 CEST | 49732 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:46.376637936 CEST | 49732 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:46.382811069 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:46.383532047 CEST | 49733 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:46.389769077 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:46.389862061 CEST | 49733 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:46.390222073 CEST | 49733 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:46.396368027 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.434499979 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.434614897 CEST | 49733 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.434731960 CEST | 49733 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.439851999 CEST | 63222 | 49733 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.441770077 CEST | 49734 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.446651936 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.446768045 CEST | 49734 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.446841002 CEST | 49734 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.448101997 CEST | 49735 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.451955080 CEST | 63222 | 49734 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.452028036 CEST | 49734 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.452997923 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:48.453072071 CEST | 49735 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.453399897 CEST | 49735 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:48.458323002 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:50.479345083 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:50.479480982 CEST | 49735 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:50.479626894 CEST | 49735 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:50.483727932 CEST | 49736 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:50.484613895 CEST | 63222 | 49735 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:50.488636017 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:50.488727093 CEST | 49736 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:50.489017010 CEST | 49736 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:50.493879080 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.530267000 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.530394077 CEST | 49736 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.530488968 CEST | 49736 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.534614086 CEST | 49737 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.536649942 CEST | 63222 | 49736 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.540513992 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.540601015 CEST | 49737 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.540818930 CEST | 49737 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.543648958 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.546797991 CEST | 63222 | 49737 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.546860933 CEST | 49737 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.549560070 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:52.549798012 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.550087929 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:52.555913925 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.331469059 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.331574917 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.331747055 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.331820011 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.331820011 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.332000017 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.332042933 CEST | 49738 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.338206053 CEST | 63222 | 49738 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.344966888 CEST | 49739 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.354830980 CEST | 63222 | 49739 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:55.354918957 CEST | 49739 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.355288982 CEST | 49739 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:55.361598969 CEST | 63222 | 49739 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:57.411556005 CEST | 63222 | 49739 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:57.411704063 CEST | 49739 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:57.411782980 CEST | 49739 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:57.415911913 CEST | 49740 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:57.416640997 CEST | 63222 | 49739 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:57.421608925 CEST | 63222 | 49740 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:57.421681881 CEST | 49740 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:57.421765089 CEST | 49740 | 63222 | 192.168.2.10 | 116.198.231.169
Sep 10, 2024 10:55:57.426899910 CEST | 63222 | 49740 | 116.198.231.169 | 192.168.2.10
Sep 10, 2024 10:55:57.426961899 CEST | 49740 | 63222 | 192.168.2.10 | 116.198.231.169

          Target ID:7
          Start time:04:55:12
          Start date:10/09/2024
          Path:C:\Users\user\Desktop\TEiot52yrz.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\TEiot52yrz.exe"
          Imagebase:0x7ff6e7f50000
          File size:53'760 bytes
          MD5 hash:FA332DE9A0E7DA5E975173EE47246172
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          Target ID:12
          Start time:04:55:57
          Start date:10/09/2024
          Path:C:\Windows\System32\WerFault.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\WerFault.exe -u -p 7788 -s 1192
          Imagebase:0x7ff6f9aa0000
          File size:570'736 bytes
          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:10.6%
            Dynamic/Decrypted Code Coverage:1.3%
            Signature Coverage:9%
            Total number of Nodes:376
            Total number of Limit Nodes:1

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Offset: 00000076FB5BE000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_76fb5be000_TEiot52yrz.jbxd
            Yara matches
            Similarity
            • API ID: InternetLibraryLoadOpen
            • String ID: wini
            • API String ID: 2559873147-1606035523
            • Opcode ID: 51c54267f9cd2cca7edefae26dac4bc1127b3a3d473d53d62c89283203456324
            • Instruction ID: b6e83d95d97e127da1a5af8cd89b931c09583ea484ce94ab12e89b991048bcef
            • Opcode Fuzzy Hash: 51c54267f9cd2cca7edefae26dac4bc1127b3a3d473d53d62c89283203456324
            • Instruction Fuzzy Hash: D07283714097D1AEEBA39F78D054243BFA0BF4B714BAA18FDD8C25F023C265A842D752

            Control-flow Graph

            APIs
            Strings
            • fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G, xrefs: 00007FF6E7F56B2E
            • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF6E7F56B4A
            • kernel32.dll, xrefs: 00007FF6E7F56C49
            • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF6E7F56B66
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID: Concurrency::details::EmptyQueue::StructuredWorkmemcpy$CertEnumLibraryLoadProtectStoreSystemVirtual
            • String ID: W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G$kernel32.dll
            • API String ID: 1274391132-1474288648
            • Opcode ID: 0021a513d3075bfe4559da1246eef3f31aed97dd76e4d3ed1e31a3c18aea7553
            • Instruction ID: 7e5ecc4ec3c9f7eeb78fc1253cd10e301f25435bcd77f967224243835bb39d3b
            • Opcode Fuzzy Hash: 0021a513d3075bfe4559da1246eef3f31aed97dd76e4d3ed1e31a3c18aea7553
            • Instruction Fuzzy Hash: 8941452260CAC695DA60DB54F4503EB67A1FBC8784F804132E69EC3BA9EF3DD945CB05

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
            • String ID:
            • API String ID: 1133592946-0
            • Opcode ID: b8b73077751ae62d481563376bd79326efdf3318ec70507a033230f709591385
            • Instruction ID: a9960a6cafa6ce489f0cbbffbfa9cd89311470c6815504c8adaf298628236423
            • Opcode Fuzzy Hash: b8b73077751ae62d481563376bd79326efdf3318ec70507a033230f709591385
            • Instruction Fuzzy Hash: DE313A23E0C50382FA14AB69F4513F92291AF45788F44C534EA7EC76D7DE2FAC05824B

            Control-flow Graph

            APIs
            • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 00000076FB5BE196
            Strings
            Memory Dump Source
            • Source File: 00000007.00000002.1771906385.00000076FB5BE000.00000040.00000010.00020000.00000000.sdmp, Offset: 00000076FB5BE000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_76fb5be000_TEiot52yrz.jbxd
            Yara matches
            Similarity
            • API ID: HttpOpenRequest
            • String ID: U.;
            • API String ID: 1984915467-4213443877
            • Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
            • Instruction ID: 61e1a4f195e225146181d8f93f0068da1b1798b9e81f6221d893c8736b6301f2
            • Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
            • Instruction Fuzzy Hash: 5E118BA134890D1BF62885AEBC6A73A21CAD7D8765F24823FF50FC32D6DC58DC82415A

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
            • String ID:
            • API String ID: 313767242-0
            • Opcode ID: 7335fbb8426a945ac828c7077c8e300b3c8bd9ec95d4022230abd3d7a7f75a14
            • Instruction ID: dc9eb2fd3954754e4712f399f12f5c0bc1c3fdfe96a0541ac67dbf88a95c97f8
            • Opcode Fuzzy Hash: 7335fbb8426a945ac828c7077c8e300b3c8bd9ec95d4022230abd3d7a7f75a14
            • Instruction Fuzzy Hash: 3C314F73609B818AEB608F64F8407ED73A4FB85748F44803ADA5E87B98DF39D948C715

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID:
            • String ID: $
            • API String ID: 0-227171996
            • Opcode ID: d8bd270e9d87edd875d7f9d873967e908e7bfa0f1dd1a07bdc383474c52699a2
            • Instruction ID: cd5760c77a9fcc3ca2cd30ccf2c5bc8e3996e8ee49573ff5c078b52ffdab0aa4
            • Opcode Fuzzy Hash: d8bd270e9d87edd875d7f9d873967e908e7bfa0f1dd1a07bdc383474c52699a2
            • Instruction Fuzzy Hash: A852D873609A81CAD774CB19E4807AAB7A1F7C8749F148226E69E87B58CB3DD941CF04

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
            • String ID:
            • API String ID: 2933794660-0
            • Opcode ID: 9b69f90bbb091b32707effc177f545cd80205cc59f5ac2c3711d41dd0f4641bd
            • Instruction ID: 66bc197977d115f613d086751219e7a8c7e42462759972f6f73a81c5cbbb6605
            • Opcode Fuzzy Hash: 9b69f90bbb091b32707effc177f545cd80205cc59f5ac2c3711d41dd0f4641bd
            • Instruction Fuzzy Hash: 1A111526B14F068AEB008F60F8553E933A4FB19768F440E31EA6D877A4DF78D9988341
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54a46b35d7a26a7fb26f39faf249998ab39fdfcee5fcf209b6738682e87834f0
            • Instruction ID: 2b3c5ee1f005e6341e253377bbbe4921fd3e8fc43b1fe84c9ebb8b08ccebe817
            • Opcode Fuzzy Hash: 54a46b35d7a26a7fb26f39faf249998ab39fdfcee5fcf209b6738682e87834f0
            • Instruction Fuzzy Hash: 3A422C73218A818AD759CB1DF89067ABBA1F7C8791F444126E79EC3B69CE3CD551CB00
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 114221cd8fb83a4d1b3f4e9c07f063070523e9746f19f36e16c9c60b1fbf2ef1
            • Instruction ID: 0a917e26d70fda762e9c8c0c7790943274901709df8e61cd217934c3f88d8a76
            • Opcode Fuzzy Hash: 114221cd8fb83a4d1b3f4e9c07f063070523e9746f19f36e16c9c60b1fbf2ef1
            • Instruction Fuzzy Hash: 07422B7321CA818AD754CB1DF89067ABBA1F7C8785F44412AE69EC3BA9DE3CD551CB00
            Memory Dump Source
            • Source File: 00000007.00000002.1772890159.00007FF6E7F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E7F50000, based on PE: true
            • Associated: 00000007.00000002.1772838031.00007FF6E7F50000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772907807.00007FF6E7F58000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772929218.00007FF6E7F5E000.00000004.00000001.01000000.00000004.sdmp
            • Associated: 00000007.00000002.1772944075.00007FF6E7F5F000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_7_2_7ff6e7f50000_TEiot52yrz.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92bf19dc8cd86aff032756dfb13700223f95881ed97291965757eed8e9fc06d6
            • Instruction ID: ef6d5c025ad9472e4eb9e29ad0cc127a81b081427d3b9c6bd2d7bdd671b60e60
            • Opcode Fuzzy Hash: 92bf19dc8cd86aff032756dfb13700223f95881ed97291965757eed8e9fc06d6
            • Instruction Fuzzy Hash: D56132B76189418BD724CB18E89077AB3A2FBCC745F458635E35A87A58DB3DEA50CB00
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f29163b5e8fdaf0dc49c2304f5fe647261e8bcf9fb33c4e691343a0f95705ad
            • Instruction ID: 1d011f3a10a8be6967e94940f93122ca1284f0d2bedaa632ac72a4b58ded23a8
            • Opcode Fuzzy Hash: 4f29163b5e8fdaf0dc49c2304f5fe647261e8bcf9fb33c4e691343a0f95705ad
            • Instruction Fuzzy Hash: 766140B66189418BD724CF18E49077AB3A2FBC8745F458635E35AC7A58DA3DEA50CB00
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 43b4fbbec666916b0587e8a13de0dadc5ecbb71f9984410eb9ff46545bbfccba
            • Instruction ID: 8747136f276c71212b4087b169767ba23fe597cc9cc681d7ab1cc14b9586d768
            • Opcode Fuzzy Hash: 43b4fbbec666916b0587e8a13de0dadc5ecbb71f9984410eb9ff46545bbfccba
            • Instruction Fuzzy Hash: D8A0022390CC42D0E6088B04F9512B163B0FF50305B45C471C42DC3160DF3EAD55C32B

            Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
            APIs
              • Part of subcall function 00007FF6E7F51ABC: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF6E7F515D6,?,?,?,?,?,?,00007FF6E7F51017), ref: 00007FF6E7F51ACA
            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6E7F52593
            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6E7F525BE
            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6E7F525EB
            • ?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF6E7F52664
            • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF6E7F526B3
            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6E7F526DA
            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6E7F526E9
            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6E7F52743
            • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF6E7F52759
            • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF6E7F527C1
            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6E7F527E8
            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6E7F527F7
            • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF6E7F5284C
            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E7F5287C
            Similarity
            • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@strlen
            • String ID:
            • API String ID: 207065933-0
            • Opcode ID: f4bc5cb1901ef092bd8a86ad73b7320c61d8d2db2b875ebc753e22042a0a0f00
            • Instruction ID: d21aae9a0732601a02cb17cd195283741dd5be05be5d0e1c03e6e03d03e34c42
            • Opcode Fuzzy Hash: f4bc5cb1901ef092bd8a86ad73b7320c61d8d2db2b875ebc753e22042a0a0f00
            • Instruction Fuzzy Hash: ABA1FA77A09B8586DA60CB55F4943AAB7A0FBC8B85F008136DA9EC3765DF3DD8048B05

            Control-flow Graph

            APIs
            Similarity
            • API ID: Concurrency::details::EmptyQueue::StructuredV01@Workmemcpy$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@memset
            • String ID:
            • API String ID: 2816322446-0
            • Opcode ID: b9c5c220a8161afe00995a3b5838346bc2764bb80acdb38bfd23fd1c6c53baac
            • Instruction ID: d54acce9ce0b379d38fe1b93c7ca1a507cf4b59dc8db63bf6626b12064984aba
            • Opcode Fuzzy Hash: b9c5c220a8161afe00995a3b5838346bc2764bb80acdb38bfd23fd1c6c53baac
            • Instruction Fuzzy Hash: 55813A3361DA8585DA60DB15F8903AEB7A0FBC5780F109026EA9E83B69DF3DD844CB05

            Control-flow Graph

            APIs
              • Part of subcall function 00007FF6E7F52A98: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,00007FF6E7F52985), ref: 00007FF6E7F52ADA
            • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6E7F529A0
            • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6E7F529D2
            Similarity
            • API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
            • String ID:
            • API String ID: 3792166412-0
            • Opcode ID: 61c6c2cae3a07f63e2bf5b4d9e59194abfd40384aa0aa098eae079579a8cfedb
            • Instruction ID: 08232a670e9bf9a499e9dc7f93cc496125d90849811b1374eacfeb759eb8ac4d
            • Opcode Fuzzy Hash: 61c6c2cae3a07f63e2bf5b4d9e59194abfd40384aa0aa098eae079579a8cfedb
            • Instruction Fuzzy Hash: 3421EC2760DB8581DA10CB4AF494369A7B0FBC9B94F508125EF8E83724DF3ED8409705