Windows Analysis Report
TEiot52yrz.exe

Overview

General Information

Sample name: TEiot52yrz.exe (renamed because the original name is a hash value)
Original sample name: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41.exe
Analysis ID: 1508525
MD5: fa332de9a0e7da5e975173ee47246172
SHA1: c6e74c68a11a9d318137aba895f2bcde89d42f2b
SHA256: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41
Tags: 116-198-231-169, exe

Detection

CobaltStrike, Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TEiot52yrz.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\TEiot52yrz.exe" MD5: FA332DE9A0E7DA5E975173EE47246172)
    • WerFault.exe (PID: 5092 cmdline: C:\Windows\system32\WerFault.exe -u -p 6740 -s 1100 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Yara matches on dropped files (Source | Rule | Description | Author | Strings):

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • 0x1a349:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • 0x1a3b5:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Yara matches on memory dumps (Source | Rule | Description | Author | Strings):

Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_7bc0f998 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  • 0x131:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Rule: Windows_Trojan_Metasploit_c9773203 | Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | Author: unknown
  • 0x19d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

No Sigma rule has matched
Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-09-10T10:59:46.099185+0200  2028765  3         Unknown Traffic  192.168.2.7  49699        116.198.231.169  63222             TCP
2024-09-10T10:59:50.318619+0200  2028765  3         Unknown Traffic  192.168.2.7  49702        116.198.231.169  63222             TCP
2024-09-10T10:59:54.697952+0200  2028765  3         Unknown Traffic  192.168.2.7  49705        116.198.231.169  63222             TCP
2024-09-10T10:59:59.017704+0200  2028765  3         Unknown Traffic  192.168.2.7  49708        116.198.231.169  63222             TCP
2024-09-10T11:00:03.146814+0200  2028765  3         Unknown Traffic  192.168.2.7  49713        116.198.231.169  63222             TCP
2024-09-10T11:00:07.587572+0200  2028765  3         Unknown Traffic  192.168.2.7  49718        116.198.231.169  63222             TCP
2024-09-10T11:00:11.860949+0200  2028765  3         Unknown Traffic  192.168.2.7  49721        116.198.231.169  63222             TCP
2024-09-10T11:00:16.128098+0200  2028765  3         Unknown Traffic  192.168.2.7  49724        116.198.231.169  63222             TCP
2024-09-10T11:00:20.591162+0200  2028765  3         Unknown Traffic  192.168.2.7  49727        116.198.231.169  63222             TCP
2024-09-10T11:00:25.056689+0200  2028765  3         Unknown Traffic  192.168.2.7  49730        116.198.231.169  63222             TCP

AV Detection

Source: TEiot52yrz.exe | Avira: detected
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://116.198.231.169:63222/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://116.198.231.169/jquery-3.3.2.slim.min.js"}
Source: TEiot52yrz.exe | ReversingLabs: Detection: 60%
Source: TEiot52yrz.exe | Virustotal: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 82.1% probability
Source: TEiot52yrz.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: http://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor | URLs: http://116.198.231.169/jquery-3.3.2.slim.min.js
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 116.198.231.169:63222
Source: Joe Sandbox View | IP Address: 116.198.231.169
Source: Joe Sandbox View | ASN Name: CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49699 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49702 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49708 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49705 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49721 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49713 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49718 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49727 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49724 -> 116.198.231.169:63222
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49730 -> 116.198.231.169:63222
Source: unknown | TCP traffic detected without corresponding DNS query: 116.198.231.169
Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1591223618.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550406186.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1681843568.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1528198264.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1570868288.0000021B45724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/
Source: TEiot52yrz.exe, 00000000.00000003.1660155451.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1681843568.0000021B45724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/B
Source: TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/G
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/SioE
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/V
Source: Amcache.hve.13.dr | String found in binary or memory: http://upx.sf.net
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169/Gl4
Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/
Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/$
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/O
Source: TEiot52yrz.exe, 00000000.00000002.2172633122.0000021B4569C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.js
Source: TEiot52yrz.exe, 00000000.00000002.2172633122.0000021B4569C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsr
Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/l
Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/ntdesk
Source: TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/sk
Source: TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.198.231.169:63222/~

System Summary

Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, type: DROPPED | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, type: DROPPED | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF6295454A4
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF62954603A
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629545785
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629545D5C
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629543DE8
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6740 -s 1100
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal96.troj.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\413ecb78-240d-42c9-acf4-f046fb819b77
Source: TEiot52yrz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TEiot52yrz.exe | ReversingLabs: Detection: 60%
Source: TEiot52yrz.exe | Virustotal: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\TEiot52yrz.exe "C:\Users\user\Desktop\TEiot52yrz.exe"
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6740 -s 1100
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: TEiot52yrz.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: TEiot52yrz.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: TEiot52yrz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_000000E1057AE24B push eax; ret 0_2_000000E1057AE4A7
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_000000E1057AE429 push eax; ret 0_2_000000E1057AE4A7
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: Amcache.hve.13.dr | Binary or memory string: VMware
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1hbin@
Source: TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45714000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45714000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45714000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWc}
Source: Amcache.hve.13.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45714000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45714000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456D5000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45714000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.13.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF62954365C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF62954365C
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629542B74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF629542B74
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629543804 SetUnhandledExceptionFilter,0_2_00007FF629543804
Source: C:\Users\user\Desktop\TEiot52yrz.exe | Code function: 0_2_00007FF629543874 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF629543874
Source: Amcache.hve.13.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.13.dr | Binary or memory string: MsMpEng.exe

      Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed by tactic (numbers in parentheses are the counts shown in the matrix for that technique):

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
• Resource Development: Acquire Infrastructure, Domains, DNS Server
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts
• Execution: Windows Management Instrumentation, Scheduled Task/Job, At
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
• Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows)
• Defense Evasion: Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
• Discovery: System Time Discovery (1), Security Software Discovery (21), System Information Discovery (2)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
• Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1)
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Source | Detection | Scanner | Label
TEiot52yrz.exe | 61% | ReversingLabs | Win64.Backdoor.MeterpreterReverseShell
TEiot52yrz.exe | 60% | Virustotal
TEiot52yrz.exe | 100% | Avira | TR/AD.MeterpreterSC.zrtjs
      No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
http://code.jquery.com/G | 0% | Avira URL Cloud | safe
http://code.jquery.com/SioE | 0% | Avira URL Cloud | safe
http://code.jquery.com/ | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/l | 0% | Avira URL Cloud | safe
http://code.jquery.com/ | 1% | Virustotal
http://code.jquery.com/G | 0% | Virustotal
https://116.198.231.169:63222/O | 0% | Avira URL Cloud | safe
http://code.jquery.com/B | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/$ | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/sk | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/ | 0% | Avira URL Cloud | safe
http://code.jquery.com/B | 0% | Virustotal
https://116.198.231.169:63222/~ | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Virustotal
https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsr | 0% | Avira URL Cloud | safe
http://code.jquery.com/V | 0% | Avira URL Cloud | safe
http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | 0% | Virustotal
https://116.198.231.169:63222/ | 0% | Virustotal
https://116.198.231.169/ | 0% | Avira URL Cloud | safe
https://116.198.231.169:63222/ntdesk | 0% | Avira URL Cloud | safe
http://116.198.231.169/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
https://116.198.231.169/ | 0% | Virustotal
https://116.198.231.169/Gl4 | 0% | Avira URL Cloud | safe
http://code.jquery.com/V | 0% | Virustotal
https://116.198.231.169:63222/~ | 0% | Virustotal
      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
• http://116.198.231.169:63222/jquery-3.3.2.slim.min.js | true | 0% Virustotal; Avira URL Cloud: safe | unknown
• http://116.198.231.169/jquery-3.3.2.slim.min.js | true | Avira URL Cloud: safe | unknown
Name (malicious; antivirus detection; reputation), followed by the source memory dumps the URL was found in:
• https://116.198.231.169:63222/l (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp
• http://code.jquery.com/ (malicious: true; 1% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1591223618.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550406186.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1681843568.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1528198264.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1570868288.0000021B45724000.00000004.00000020.00020000.00000000.sdmp
• http://code.jquery.com/G (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp
• http://code.jquery.com/SioE (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/O (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp
• http://code.jquery.com/B (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660155451.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1636439563.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1615500987.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45724000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1681843568.0000021B45724000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/$ (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/sk (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456D5000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/jquery-3.3.2.slim.min.js (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172633122.0000021B4569C000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/ (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456D5000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/~ (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp
• http://upx.sf.net (malicious: false; URL Reputation: safe; reputation: unknown)
  Source: Amcache.hve.13.dr
• https://116.198.231.169:63222/jquery-3.3.2.slim.min.jsr (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172633122.0000021B4569C000.00000004.00000020.00020000.00000000.sdmp
• http://code.jquery.com/V (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456F2000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169/ (malicious: false; 0% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45706000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169:63222/ntdesk (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B456D4000.00000004.00000020.00020000.00000000.sdmp
• https://116.198.231.169/Gl4 (malicious: false; Avira URL Cloud: safe; reputation: unknown)
  Source: TEiot52yrz.exe, 00000000.00000003.1660193942.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000002.2172690846.0000021B45706000.00000004.00000020.00020000.00000000.sdmp, TEiot52yrz.exe, 00000000.00000003.1550425603.0000021B45706000.00000004.00000020.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
116.198.231.169 | unknown | China | 137699 | CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1508525
Start date and time: 2024-09-10 10:58:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TEiot52yrz.exe (renamed because the original name is a hash value)
Original Sample Name: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41.exe
Detection: MAL
Classification: mal96.troj.winEXE@2/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 3
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
      No simulations
Context for IP 116.198.231.169 (associated sample name, detection, threat name):
• LtmV2sDcTK.exe: malicious, CobaltStrike, Metasploit
• QT2hJT3Syn.exe: malicious, CobaltStrike, Metasploit
• 2PSj0qX4W6.exe: malicious, CobaltStrike, Metasploit
• LtmV2sDcTK.exe: malicious, CobaltStrike, Metasploit
• QT2hJT3Syn.exe: malicious, CobaltStrike, Metasploit
No context
Context for ASN CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian (associated sample name, detection, threat name, contacted IP):
• LtmV2sDcTK.exe: malicious, CobaltStrike, Metasploit, 116.198.231.169
• QT2hJT3Syn.exe: malicious, CobaltStrike, Metasploit, 116.198.231.169
• 2PSj0qX4W6.exe: malicious, CobaltStrike, Metasploit, 116.198.231.169
• LtmV2sDcTK.exe: malicious, CobaltStrike, Metasploit, 116.198.231.169
• QT2hJT3Syn.exe: malicious, CobaltStrike, Metasploit, 116.198.231.169
• gOEF4WOJ3c.elf: malicious, Unknown, 116.198.238.210
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9251117719939682
Encrypted: false
SSDEEP: 96:08KFch54fs4hqKeoh7Ru6NbQXIDcQWc6zcEZcw37diG+HbHg/JgWlB8sKa9bATFd:y2hGfUn0I3D8jcoTzuiFQZ24lO81
MD5: EF451BBBC610FAB97E4FDF3A69CF34C5
SHA1: 6A646600AE3CECA3337AAEC63F4FBB113AF51050
SHA-256: 666C47B30C8EA3C832A9FE7ECB6D7313AEB05C29B844E853D40CD3BA98D7683F
SHA-512: 4ED4FB5108145102075C5ACE2BF7217DB2C5EAFB7D36E1CD1155899D5D4C2396485AC0C2483BDC05ADA5938F3C994564C27181D4D0AAAE5C11FEB098FF7597B4
Malicious: true
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Tue Sep 10 10:53:37 2024, 0x1205a4 type
Category: dropped
Size (bytes): 143164
Entropy (8bit): 1.4890973548404032
Encrypted: false
SSDEEP: 768:VS0dRtXD6tvQWrlzLiSwcl+ajiFcUAM00Ycs05:VtGWSwcl+ajiFcUAM00Ycs05
MD5: 758F8C737E871E435EAC81934EDD67D5
SHA1: 6D0F9AC2B28DC02E5C54045BAB6C20CB7E0A684A
SHA-256: 6EFB72D06EDD829B89F9A71F7658A588D4CEB9C3CDE52D21A5FD13D86D33FC70
SHA-512: 7B4A5124D4FF8F60392E32A4D054E7C914456D65EBE0FB22407E7EE28DE3B4E118F54228EB98271F4255B664774DA6BCCA9DB5DDBC86E2AF3181A73C443F40F8
Malicious: false
Yara Hits:
• Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leveraged by Metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, Author: unknown
• Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER319B.tmp.dmp, Author: unknown
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8904
Entropy (8bit): 3.7022527896205872
Encrypted: false
SSDEEP: 192:R6l7wVeJ5Pfm6YNlPU9WgmfO5pDa89b9Qkf/J/m:R6lXJhfm6YvPU9WgmfOv97fE
MD5: 6BB548B09CDC80C99113CD04121FAA58
SHA1: 4E292F35C8DFB3C85B1F2F042CEDD4FE10E65DB9
SHA-256: C8FA248ABE06263ED2EC43E1BA9DDD6C218A9143C20CEB31F09C814E54FC18F2
SHA-512: ED972BB85D10DBC9C104B1F19C39BD9D35C12B50732B8327A4262A402E3BB8B05EAE96CD761897EA0F45636D3FBEA57FD30F773C0F36BE79FA36034DBE81EB50
Malicious: false
Reputation: low
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4800
Entropy (8bit): 4.479614085306091
Encrypted: false
SSDEEP: 48:cvIwWl8zshaJg771I9vrD8WpW8VYlYm8M4JK6OO1FfB6Fmyq8vG6OOnETx1d:uIjfhoI7Ux7V1JKB64FmWGBLTx1d
MD5: 705F0242C2E10DA316E7F0CF08ACBB1E
SHA1: 6D2CA6326BB4FC626C5FDC7E6536B68E9A49E4E4
SHA-256: 037E27635AB1111604AB4FB10120378FB226F8A5956B54AD02EF9BCF930A9BE9
SHA-512: D9781985A74A21FF6CA36B302DDF63ACBE9DE710136D06D3CFB87C3E91A7F8849A3110B303FAAACD90B1F5F9A70411568CB01E8FFFAB2C1205EA7BF2CB5C7A6F
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="494036" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.416758848885135
Encrypted: false
SSDEEP: 6144:Tcifpi6ceLPL9skLmb0mVSWSPtaJG8nAgex285i2MMhA20X4WABlGuN45+:Ii58VSWIZBk2MM6AFBWo
MD5: EBD339429AB5788DC4184CB9A47FEE41
SHA1: 2563E222E87E1D971B1222AA44D333B5E81E7A38
SHA-256: C60881FEE778E08EA70701FDA5A7AF1235DA64A31FB5F0EDC1150F3E3F961ED9
SHA-512: 962638F5A144BEF13D5045A4212C1772E02D29F6BE22109EC647EECB671A1739AEA1F9F886EE9C45769B91CAA2A82227C46D247ABA642113C1B8C5F302D80215
Malicious: false
Reputation: low
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.5071715281779605
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: TEiot52yrz.exe
File size: 53'760 bytes
MD5: fa332de9a0e7da5e975173ee47246172
SHA1: c6e74c68a11a9d318137aba895f2bcde89d42f2b
SHA256: 915cc233f5c3b36f2aa5a9a0aa2fcd28b8ee406e42c08b71177dab901c219d41
SHA512: d929f944ebf93719ff6762bcfc56927a29418d71f72636be72b443f6c7d1e04dc6de6e56f8077e2c435f0d7afedf511e99c5768083c243f5f763587ec4158546
SSDEEP: 1536:zli07qgtT9e0uLwwpX996H810S4oqiedINb:zli07qgtg0uLwwp6HGgGb
TLSH: F633394BEB5256F4F0BBE234C1A2B23BF9F139A45631AB0F96D555030B22770A43E749
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:n6\[.e\[.e\[.eU#.eP[.e...dX[.e...dV[.e...dG[.e...dZ[.e.#.dY[.e\[.e.[.eO..d_[.eO..d][.eRich\[.e........................PE..d..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1400032f8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66758E29 [Fri Jun 21 14:28:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: bd1e68ad73a2d648185022e899d7f29c
                Instruction
                dec eax
                sub esp, 28h
                call 00007F14B9364E68h
                dec eax
                add esp, 28h
                jmp 00007F14B9364767h
                int3
                int3
                jmp 00007F14B936509Eh
                int3
                int3
                int3
                dec eax
                and dword ptr [ecx+10h], 00000000h
                dec eax
                lea eax, dword ptr [00005090h]
                dec eax
                mov dword ptr [ecx+08h], eax
                dec eax
                lea eax, dword ptr [00005075h]
                dec eax
                mov dword ptr [ecx], eax
                dec eax
                mov eax, ecx
                ret
                int3
                int3
                dec eax
                sub esp, 48h
                dec eax
                lea ecx, dword ptr [esp+20h]
                call 00007F14B93648C7h
                dec eax
                lea edx, dword ptr [000099EFh]
                dec eax
                lea ecx, dword ptr [esp+20h]
                call 00007F14B9364FBAh
                int3
                dec eax
                sub esp, 48h
                dec eax
                lea ecx, dword ptr [esp+20h]
                call 00007F14B93627FBh
                dec eax
                lea edx, dword ptr [00009A9Fh]
                dec eax
                lea ecx, dword ptr [esp+20h]
                call 00007F14B9364F9Ah
                int3
                dec eax
                mov dword ptr [esp+10h], ebx
                dec eax
                mov dword ptr [esp+18h], esi
                push ebp
                push edi
                inc ecx
                push esi
                dec eax
                mov ebp, esp
                dec eax
                sub esp, 10h
                xor eax, eax
                xor ecx, ecx
                cpuid
                inc esp
                mov eax, ecx
                inc esp
                mov edx, edx
                inc ecx
                xor edx, 49656E69h
                inc ecx
                xor eax, 6C65746Eh
                inc esp
                mov ecx, ebx
                inc esp
                mov esi, eax
                xor ecx, ecx
                mov eax, 00000001h
                cpuid
                inc ebp
                or edx, eax
                mov dword ptr [ebp-10h], eax
                inc ecx
                xor ecx, 756E6547h
                Programming Language:
                • [IMP] VS2008 SP1 build 30729
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xce24 | 0xf0 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xf000 | 0x630 | .pdata
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x6c | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc2f0 | 0x38 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc1b0 | 0x140 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x6432 | 0x6600 | 8759b1b67f2b54eac6557e9c4522457e | False | 0.36278339460784315 | Macintosh HFS Extended version -16056 data (mounted) last mounted by: 'H\20', created: Fri Aug 26 02:24:04 2078, last modified: Sun Mar 11 23:42:58 2057, last backup: Mon Dec 18 02:10:29 2028, block size: -1064976267, number of blocks: -616002748, free blocks: 609241227 | 5.60729868940022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x8000 | 0x5b70 | 0x5c00 | 7092854450d6513858403ce1ddf23e97 | False | 0.6414741847826086 | data | 7.175727936294308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0xe000 | 0x7a0 | 0x200 | a762b3a5c773f37ff67e8e610aabbdce | False | 0.251953125 | DOS executable (block device driver) | 2.236712118068703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .pdata | 0xf000 | 0x630 | 0x800 | 200a12bd55e0318e3d7585101f49e6d3 | False | 0.3828125 | data | 3.4957689526148887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x10000 | 0x6c | 0x200 | 7068c81aba75ebf8f944a190333902ff | False | 0.220703125 | data | 1.3343316886712333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLL | Import
                KERNEL32.dll | GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetModuleHandleW, IsDebuggerPresent, LoadLibraryA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, IsProcessorFeaturePresent, VirtualProtect
                MSVCP140.dll | ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?width@ios_base@std@@QEAA_J_J@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?good@ios_base@std@@QEBA_NXZ
                CRYPT32.dll | CertEnumSystemStore
                VCRUNTIME140_1.dll | __CxxFrameHandler4
                VCRUNTIME140.dll | memcpy, __std_exception_destroy, __std_exception_copy, memchr, memset, __C_specific_handler, _CxxThrowException, __current_exception, __current_exception_context
                api-ms-win-crt-string-l1-1-0.dll | isalnum, strlen
                api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _register_thread_local_exe_atexit_callback, __p___argv, _get_initial_narrow_environment, terminate, _register_onexit_function, _exit, exit, _crt_atexit, _initialize_narrow_environment, _initterm, _configure_narrow_argv, _set_app_type, _initterm_e, _invalid_parameter_noinfo_noreturn, _cexit, __p___argc, _seh_filter_exe, _initialize_onexit_table
                api-ms-win-crt-heap-l1-1-0.dll | malloc, free, _set_new_mode, _callnewh
                api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
                api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-10T10:59:46.099185+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49699 | 116.198.231.169 | 63222 | TCP
                2024-09-10T10:59:50.318619+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49702 | 116.198.231.169 | 63222 | TCP
                2024-09-10T10:59:54.697952+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49705 | 116.198.231.169 | 63222 | TCP
                2024-09-10T10:59:59.017704+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49708 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:03.146814+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49713 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:07.587572+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49718 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:11.860949+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49721 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:16.128098+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49724 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:20.591162+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49727 | 116.198.231.169 | 63222 | TCP
                2024-09-10T11:00:25.056689+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49730 | 116.198.231.169 | 63222 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 10, 2024 10:59:43.972151995 CEST | 49699 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:43.977313995 CEST | 63222 | 49699 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:43.977458954 CEST | 49699 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:43.991163015 CEST | 49699 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:43.996651888 CEST | 63222 | 49699 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:46.099113941 CEST | 63222 | 49699 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:46.099184990 CEST | 49699 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:46.099423885 CEST | 49699 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:46.099953890 CEST | 49700 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:46.104733944 CEST | 63222 | 49699 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:46.105032921 CEST | 63222 | 49700 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:46.105102062 CEST | 49700 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:46.105573893 CEST | 49700 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:46.110395908 CEST | 63222 | 49700 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.151405096 CEST | 63222 | 49700 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.151539087 CEST | 49700 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.151684999 CEST | 49700 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.152153015 CEST | 49701 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.156481981 CEST | 63222 | 49700 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.157078981 CEST | 63222 | 49701 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.157314062 CEST | 49701 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.157366991 CEST | 49701 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.166421890 CEST | 63222 | 49701 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.166537046 CEST | 49701 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.172611952 CEST | 49702 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.179253101 CEST | 63222 | 49702 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:48.179580927 CEST | 49702 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.179897070 CEST | 49702 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:48.185365915 CEST | 63222 | 49702 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:50.318541050 CEST | 63222 | 49702 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:50.318619013 CEST | 49702 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:50.318698883 CEST | 49702 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:50.319192886 CEST | 49703 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:50.323503017 CEST | 63222 | 49702 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:50.323982954 CEST | 63222 | 49703 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:50.324048042 CEST | 49703 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:50.324383974 CEST | 49703 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:50.329168081 CEST | 63222 | 49703 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.520307064 CEST | 63222 | 49703 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.520411968 CEST | 49703 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.520508051 CEST | 49703 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.521123886 CEST | 49704 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.527534962 CEST | 63222 | 49703 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.527661085 CEST | 63222 | 49704 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.527739048 CEST | 49704 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.527868032 CEST | 49704 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.530951977 CEST | 49705 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.535240889 CEST | 63222 | 49704 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.535312891 CEST | 49704 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.538208961 CEST | 63222 | 49705 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:52.538311958 CEST | 49705 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.538573027 CEST | 49705 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:52.545279026 CEST | 63222 | 49705 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:54.697649002 CEST | 63222 | 49705 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:54.697952032 CEST | 49705 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:54.697952032 CEST | 49705 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:54.699110031 CEST | 49706 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:54.702986956 CEST | 63222 | 49705 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:54.704154968 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:54.704430103 CEST | 49706 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:54.704484940 CEST | 49706 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:54.709484100 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.756551027 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.756675005 CEST | 49706 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.756788969 CEST | 49706 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.757324934 CEST | 49707 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.761663914 CEST | 63222 | 49706 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.762231112 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.762334108 CEST | 49707 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.762609005 CEST | 49707 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.767800093 CEST | 63222 | 49707 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.767811060 CEST | 49708 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.767884970 CEST | 49707 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.772756100 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:56.772840023 CEST | 49708 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.773192883 CEST | 49708 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:56.778187037 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:59.017549992 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:59.017704010 CEST | 49708 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:59.018088102 CEST | 49708 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:59.018752098 CEST | 49709 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:59.024022102 CEST | 63222 | 49708 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:59.024771929 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 10:59:59.024857044 CEST | 49709 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:59.025238037 CEST | 49709 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 10:59:59.030251980 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.049603939 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.049693108 CEST | 49709 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.049894094 CEST | 49709 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.050647020 CEST | 49712 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.054769039 CEST | 63222 | 49709 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.055771112 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.055845022 CEST | 49712 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.056022882 CEST | 49712 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.061100006 CEST | 63222 | 49712 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.061155081 CEST | 49712 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.061166048 CEST | 49713 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.066019058 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:01.066124916 CEST | 49713 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.066514969 CEST | 49713 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:01.071779966 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:03.143757105 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:03.146814108 CEST | 49713 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:03.148253918 CEST | 49713 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:03.148775101 CEST | 49716 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:03.153038025 CEST | 63222 | 49713 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:03.153706074 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:03.153776884 CEST | 49716 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:03.154088020 CEST | 49716 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:03.158961058 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.434926033 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.434993982 CEST | 49716 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.435138941 CEST | 49716 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.435676098 CEST | 49717 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.440125942 CEST | 63222 | 49716 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.440861940 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.440939903 CEST | 49717 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.441046953 CEST | 49717 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.442179918 CEST | 49718 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.446335077 CEST | 63222 | 49717 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.446394920 CEST | 49717 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.447007895 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:05.447069883 CEST | 49718 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.447288990 CEST | 49718 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:05.452447891 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:07.587426901 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:07.587572098 CEST | 49718 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:07.587656021 CEST | 49718 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:07.590481043 CEST | 49719 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:07.592910051 CEST | 63222 | 49718 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:07.596303940 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:07.596380949 CEST | 49719 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:07.596662045 CEST | 49719 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:07.601563931 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.816725016 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.816843987 CEST | 49719 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.816936970 CEST | 49719 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.820101976 CEST | 49720 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.821743965 CEST | 63222 | 49719 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.824927092 CEST | 63222 | 49720 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.825016022 CEST | 49720 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.825126886 CEST | 49720 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.827548027 CEST | 49721 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.830112934 CEST | 63222 | 49720 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.830193996 CEST | 49720 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.832587004 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:09.832662106 CEST | 49721 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.832873106 CEST | 49721 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:09.838016033 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:11.860795021 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:11.860949039 CEST | 49721 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:11.861026049 CEST | 49721 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:11.865348101 CEST | 49722 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:11.865828991 CEST | 63222 | 49721 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:11.871022940 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:11.871112108 CEST | 49722 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:11.871618986 CEST | 49722 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:11.877341032 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.081623077 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.081718922 CEST | 49722 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.081842899 CEST | 49722 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.086638927 CEST | 63222 | 49722 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.091692924 CEST | 49723 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.096596003 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.096662045 CEST | 49723 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.096729040 CEST | 49723 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.098356009 CEST | 49724 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.101869106 CEST | 63222 | 49723 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.101919889 CEST | 49723 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.103277922 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:14.103333950 CEST | 49724 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.103593111 CEST | 49724 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:14.108494043 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:16.127887011 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:16.128098011 CEST | 49724 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:16.128550053 CEST | 49724 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:16.130781889 CEST | 49725 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:16.133354902 CEST | 63222 | 49724 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:16.135687113 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:16.135792017 CEST | 49725 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:16.136075974 CEST | 49725 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:16.140858889 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.163306952 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.163461924 CEST | 49725 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.163582087 CEST | 49725 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.167049885 CEST | 49726 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.168477058 CEST | 63222 | 49725 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.171889067 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.172049046 CEST | 49726 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.172187090 CEST | 49726 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.173966885 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.177504063 CEST | 63222 | 49726 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.177592993 CEST | 49726 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.178792953 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:18.178858042 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.179099083 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:18.183881044 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:20.591058016 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:20.591161966 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.591257095 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.591325045 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:20.591372967 CEST | 49727 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.593662024 CEST | 49728 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.596359968 CEST | 63222 | 49727 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:20.598519087 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:20.598618031 CEST | 49728 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.599016905 CEST | 49728 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:20.603828907 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.684892893 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.685106993 CEST | 49728 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.685138941 CEST | 49728 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.688007116 CEST | 49729 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.691412926 CEST | 63222 | 49728 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.692833900 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.692923069 CEST | 49729 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.693108082 CEST | 49729 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.695633888 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.698731899 CEST | 63222 | 49729 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.698800087 CEST | 49729 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.700431108 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:22.700503111 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.700844049 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:22.705663919 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:25.056629896 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:25.056689024 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.056796074 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.056905985 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:25.056943893 CEST | 49730 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.061747074 CEST | 63222 | 49730 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:25.070270061 CEST | 49731 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.075108051 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:25.075193882 CEST | 49731 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.075467110 CEST | 49731 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:25.080230951 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:27.225442886 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:27.225560904 CEST | 49731 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:27.225641966 CEST | 49731 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:27.230053902 CEST | 49732 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:27.230480909 CEST | 63222 | 49731 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:27.234925985 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:27.235027075 CEST | 49732 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:27.236588001 CEST | 49732 | 63222 | 192.168.2.7 | 116.198.231.169
                Sep 10, 2024 11:00:27.241586924 CEST | 63222 | 49732 | 116.198.231.169 | 192.168.2.7
                Sep 10, 2024 11:00:27.241638899 CEST | 49732 | 63222 | 192.168.2.7 | 116.198.231.169


                Target ID: 0
                Start time: 04:59:41
                Start date: 10/09/2024
                Path: C:\Users\user\Desktop\TEiot52yrz.exe
                Wow64 process (32bit): false
                Commandline: "C:\Users\user\Desktop\TEiot52yrz.exe"
                Imagebase: 0x7ff629540000
                File size: 53'760 bytes
                MD5 hash: FA332DE9A0E7DA5E975173EE47246172
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leveraged by Metasploit shellcode, Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64-bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, Author: unknown
                Reputation: low
                Has exited: true

                Target ID: 13
                Start time: 06:53:37
                Start date: 10/09/2024
                Path: C:\Windows\System32\WerFault.exe
                Wow64 process (32bit): false
                Commandline: C:\Windows\system32\WerFault.exe -u -p 6740 -s 1100
                Imagebase: 0x7ff671c80000
                File size: 570'736 bytes
                MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high
                Has exited: true


                  Execution Graph

                  Execution Coverage: 10.7%
                  Dynamic/Decrypted Code Coverage: 0.5%
                  Signature Coverage: 8.3%
                  Total number of Nodes: 375
                  Total number of Limit Nodes: 1

                  Control-flow Graph

                  APIs
                  Strings
                  • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF629546B4A
                  • W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu, xrefs: 00007FF629546B66
                  • fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G, xrefs: 00007FF629546B2E
                  • kernel32.dll, xrefs: 00007FF629546C49
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: Concurrency::details::EmptyQueue::StructuredWorkmemcpy$CertEnumLibraryLoadProtectStoreSystemVirtual
                  • String ID: W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$W9UKQW5ltwlY8AGQc4nGwxhRPfHnsqCu$fTk0IXs+RsZrY9epOUeq1oQ0l4RoVPjlVJoEuMX3zPeE+je8GdHrJUcxFZpepdr4SDRVKa6s7ouAvVNOqjbmDXauHJGPlOuvClVpjZvRyLdC2d6h5WF7twqC1kX9nIKWgL9KaawEYPrhgpcPJeSSnLatPbvLnYxgng2QCJQ8DmxkwRBosnzlWeW39pnWOJcwZvMht1Ue7ys35aku9WPa2jr1RTE8qRhrprEAHTM+xpPpcOmcTSt4aUDyEbOtWv6EV/1G$kernel32.dll
                  • API String ID: 1274391132-1474288648
                  • Opcode ID: 0021a513d3075bfe4559da1246eef3f31aed97dd76e4d3ed1e31a3c18aea7553
                  • Instruction ID: b486d0924aa4444396b04851f23d3558a3ef8f2dda9494821d4b2efedd4f040d
                  • Opcode Fuzzy Hash: 0021a513d3075bfe4559da1246eef3f31aed97dd76e4d3ed1e31a3c18aea7553
                  • Instruction Fuzzy Hash: BC41442271DAC595DEA0DF10E8503EA67A1FBD8384F801132E68DD3BA9EE2CD519DF01

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                  • String ID:
                  • API String ID: 1133592946-0
                  • Opcode ID: b8b73077751ae62d481563376bd79326efdf3318ec70507a033230f709591385
                  • Instruction ID: a492abc1a09cdffeca92ecd9d5474bc0032bb6046ac42a2f9da273c51fd7c6a2
                  • Opcode Fuzzy Hash: b8b73077751ae62d481563376bd79326efdf3318ec70507a033230f709591385
                  • Instruction Fuzzy Hash: E2314B21B0C15342FED4AF65BE513B92291AFC5784F446434E64EA72F7DE3DE424AE02

                  Control-flow Graph

                  APIs
                  • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000000E1057AE266
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172455610.000000E1057AE000.00000040.00000010.00020000.00000000.sdmp, Offset: 000000E1057AE000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_e1057ae000_TEiot52yrz.jbxd
                  Yara matches
                  Similarity
                  • API ID: HttpOpenRequest
                  • String ID: U.;
                  • API String ID: 1984915467-4213443877
                  • Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
                  • Instruction ID: 4026e91d0868342a8665c3115d9968d5ffcada5904e453a22f2d639fbac57f4f
                  • Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
                  • Instruction Fuzzy Hash: 3411BE7034880D0BF62941ADBC5673621CBD3C8715F24813FB50ED33C6DCA4CC82555A

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                  • String ID:
                  • API String ID: 313767242-0
                  • Opcode ID: 7335fbb8426a945ac828c7077c8e300b3c8bd9ec95d4022230abd3d7a7f75a14
                  • Instruction ID: 8658e0dff06bf7b94e78f67a2587082843cc3696e60d162166858b5a035b3668
                  • Opcode Fuzzy Hash: 7335fbb8426a945ac828c7077c8e300b3c8bd9ec95d4022230abd3d7a7f75a14
                  • Instruction Fuzzy Hash: B6313B72719A8186EBA09F60E8403ED7360FB84744F04503ADB4E97B94EF3CD658DB11

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID: $
                  • API String ID: 0-227171996
                  • Opcode ID: d8bd270e9d87edd875d7f9d873967e908e7bfa0f1dd1a07bdc383474c52699a2
                  • Instruction ID: 4841806a01c5ef58ade828d272e32f7421cdc8d132d706bf74b9d18214a63791
                  • Opcode Fuzzy Hash: d8bd270e9d87edd875d7f9d873967e908e7bfa0f1dd1a07bdc383474c52699a2
                  • Instruction Fuzzy Hash: 7152E872609A81CADBB4CF19E88076AB7A1F7C8B45F045236E68E97B58CB3CD551DF00

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                  • String ID:
                  • API String ID: 2933794660-0
                  • Opcode ID: 9b69f90bbb091b32707effc177f545cd80205cc59f5ac2c3711d41dd0f4641bd
                  • Instruction ID: 4141f0472805c2735af0acf874d02a9738f967ca248574ffba79e66354daaa40
                  • Opcode Fuzzy Hash: 9b69f90bbb091b32707effc177f545cd80205cc59f5ac2c3711d41dd0f4641bd
                  • Instruction Fuzzy Hash: 53117022B14F018AEF40CF60EC442B933A4F758758F041E31DA6D927A4DF7CE1689741
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 114221cd8fb83a4d1b3f4e9c07f063070523e9746f19f36e16c9c60b1fbf2ef1
                  • Instruction ID: b455985ec65b032a2dc14119f3f0c92eabb689d7ce8db0cdc6d785a60c0b6cb5
                  • Opcode Fuzzy Hash: 114221cd8fb83a4d1b3f4e9c07f063070523e9746f19f36e16c9c60b1fbf2ef1
                  • Instruction Fuzzy Hash: D0421A72318A818ADB54CF1DE89163ABBA1F7C8B84F445126E78EC3B69DA3CD551DF00
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54a46b35d7a26a7fb26f39faf249998ab39fdfcee5fcf209b6738682e87834f0
                  • Instruction ID: 5886f532a9bb8be2fe59ef379529b8a4f132de7dc7c069faa2ae967c610546fb
                  • Opcode Fuzzy Hash: 54a46b35d7a26a7fb26f39faf249998ab39fdfcee5fcf209b6738682e87834f0
                  • Instruction Fuzzy Hash: EF422B72319A818ADB55CF1DE8A163AB7A1F7C8B90F444126E78EC3B69CA3CD551DF00
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f29163b5e8fdaf0dc49c2304f5fe647261e8bcf9fb33c4e691343a0f95705ad
                  • Instruction ID: fb27e2df86bd2df515c15f63a9d66e2d1a15e4a4fa92d48b5e65334833609dfc
                  • Opcode Fuzzy Hash: 4f29163b5e8fdaf0dc49c2304f5fe647261e8bcf9fb33c4e691343a0f95705ad
                  • Instruction Fuzzy Hash: 6B6161B26189818BDB64CF18E89067AB3A2FBCC740F455635E34AC7B59DA3CE610DF00
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 92bf19dc8cd86aff032756dfb13700223f95881ed97291965757eed8e9fc06d6
                  • Instruction ID: 4ab9bef5ec9e8daf4e38ba8ce9160778064339987464da54566b6d1875f66f41
                  • Opcode Fuzzy Hash: 92bf19dc8cd86aff032756dfb13700223f95881ed97291965757eed8e9fc06d6
                  • Instruction Fuzzy Hash: 456163B26189818BDB64CF08E89067AB3A2FBCCB45F445635E34A87B59CA3CE550DF00
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 43b4fbbec666916b0587e8a13de0dadc5ecbb71f9984410eb9ff46545bbfccba
                  • Instruction ID: 52528133312f5e6f59409702937aac08cf818a86a77e50214ff6a11085785b79
                  • Opcode Fuzzy Hash: 43b4fbbec666916b0587e8a13de0dadc5ecbb71f9984410eb9ff46545bbfccba
                  • Instruction Fuzzy Hash: C2A00121A19882D0EE948F00EE50021A370AB90300B556871C50DA20609E3CA568AA23

                  Control-flow Graph

                  control_flow_graph 87 7ff62954253c-7ff62954259c call 7ff629541abc ?width@ios_base@std@@QEBA_JXZ 90 7ff6295425fd 87->90 91 7ff62954259e-7ff6295425c9 ?width@ios_base@std@@QEBA_JXZ 87->91 93 7ff629542606-7ff629542632 call 7ff629542968 call 7ff629542904 90->93 91->90 92 7ff6295425cb-7ff6295425fb ?width@ios_base@std@@QEBA_JXZ 91->92 92->93 98 7ff629542644-7ff629542672 ?flags@ios_base@std@@QEBAHXZ 93->98 99 7ff629542634-7ff62954263f 93->99 101 7ff629542678 98->101 102 7ff62954271c-7ff629542721 98->102 100 7ff629542855-7ff6295428b0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z call 7ff629542914 call 7ff629542b20 99->100 106 7ff629542687-7ff62954268d 101->106 104 7ff62954277b-7ff629542780 102->104 105 7ff629542723-7ff62954276e ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 102->105 110 7ff629542786 104->110 111 7ff62954282a-7ff629542853 ?width@ios_base@std@@QEAA_J_J@Z 104->111 105->104 109 7ff629542770-7ff629542777 105->109 106->102 107 7ff629542693-7ff629542708 ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z call 7ff629542504 call 7ff62954250c 106->107 123 7ff629542717 107->123 124 7ff62954270a-7ff629542715 107->124 109->104 114 7ff629542795-7ff62954279b 110->114 111->100 114->111 117 7ff6295427a1-7ff629542816 ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z call 7ff629542504 call 7ff62954250c 114->117 127 7ff629542818-7ff629542823 117->127 128 7ff629542825 117->128 123->106 124->102 127->111 128->114
                  APIs
                    • Part of subcall function 00007FF629541ABC: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF6295415D6,?,?,?,?,?,?,00007FF629541017), ref: 00007FF629541ACA
                  • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF629542593
                  • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6295425BE
                  • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6295425EB
                  • ?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF629542664
                  • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF6295426B3
                  • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6295426DA
                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6295426E9
                  • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF629542743
                  • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF629542759
                  • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF6295427C1
                  • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6295427E8
                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6295427F7
                  • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF62954284C
                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF62954287C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@strlen
                  • String ID:
                  • API String ID: 207065933-0
                  • Opcode ID: f4bc5cb1901ef092bd8a86ad73b7320c61d8d2db2b875ebc753e22042a0a0f00
                  • Instruction ID: ea76850606f8cf646f5abc4a20268e71c283088d46c8a4013123401e624e6843
                  • Opcode Fuzzy Hash: f4bc5cb1901ef092bd8a86ad73b7320c61d8d2db2b875ebc753e22042a0a0f00
                  • Instruction Fuzzy Hash: 2BA1E936B09B8586DEA4DF56E89436AB7A0FBC8B85F009035DA8ED7764DE3CD0149F01
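The control_flow_graph listing above is the text form of the rendered graph: each basic block appears as a decimal node id followed by its address or address range and any call or API annotations, and each edge as from->to. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses such a listing, recovers the entry and exit blocks, finds back edges by depth-first search together with the natural loop each one closes, and reports which blocks contain a given call. The grammar it implements (a decimal id followed by a hex address or range opens a node; anything else up to the next node or edge annotates the current node) is inferred from the listings on this page and is an assumption, not a documented format. The embedded sample is the listing of the routine at 7ff62954253c from this section, reflowed onto several lines; its API sequence (width, flags, fill, rdbuf, sputc, sputn, width, setstate) is the padded-insertion pattern of the MSVC std::ostream.

```python
"""Parse a Joe Sandbox / IDA-plugin control_flow_graph listing and recover
entry/exit blocks, loops (back edges) and which blocks carry which calls."""
import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "start" or "start-end" (hex)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")               # "from->to" (decimal node ids)

# Sample input: the listing of the routine at 7ff62954253c from the report above,
# with line breaks added between tokens; the tokens themselves are unchanged.
SAMPLE = """
87 7ff62954253c-7ff62954259c call 7ff629541abc ?width@ios_base@std@@QEBA_JXZ
90 7ff6295425fd 87->90 91 7ff62954259e-7ff6295425c9 ?width@ios_base@std@@QEBA_JXZ 87->91
93 7ff629542606-7ff629542632 call 7ff629542968 call 7ff629542904 90->93 91->90
92 7ff6295425cb-7ff6295425fb ?width@ios_base@std@@QEBA_JXZ 91->92 92->93
98 7ff629542644-7ff629542672 ?flags@ios_base@std@@QEBAHXZ 93->98 99 7ff629542634-7ff62954263f 93->99
101 7ff629542678 98->101 102 7ff62954271c-7ff629542721 98->102
100 7ff629542855-7ff6295428b0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z call 7ff629542914 call 7ff629542b20 99->100
106 7ff629542687-7ff62954268d 101->106 104 7ff62954277b-7ff629542780 102->104
105 7ff629542723-7ff62954276e ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 102->105
110 7ff629542786 104->110 111 7ff62954282a-7ff629542853 ?width@ios_base@std@@QEAA_J_J@Z 104->111
105->104 109 7ff629542770-7ff629542777 105->109 106->102
107 7ff629542693-7ff629542708 ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z call 7ff629542504 call 7ff62954250c 106->107
123 7ff629542717 107->123 124 7ff62954270a-7ff629542715 107->124 109->104
114 7ff629542795-7ff62954279b 110->114 111->100 114->111
117 7ff6295427a1-7ff629542816 ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z call 7ff629542504 call 7ff62954250c 114->117
127 7ff629542818-7ff629542823 117->127 128 7ff629542825 117->128
123->106 124->102 127->111 128->114
"""


@dataclass
class Node:
    nid: int
    start: int
    end: int
    annotations: list = field(default_factory=list)  # "call <addr>", exports, "memcpy", "*", "2"


def parse_cfg(text):
    """Return ({id: Node}, [(from, to), ...]) for one control_flow_graph listing."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif toks[i].isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            # Assumed grammar: decimal id + hex address/range opens a node. A bare
            # decimal annotation ("memcpy * 2") followed by a hex-looking token
            # would be misread; that does not occur in the listings on this page.
            lo, _, hi = toks[i + 1].partition("-")
            cur = Node(int(toks[i]), int(lo, 16), int(hi or lo, 16))
            nodes[cur.nid] = cur
            i += 2
        elif cur is None:
            raise ValueError("annotation %r before any node" % toks[i])
        elif toks[i] == "call" and i + 1 < len(toks):
            cur.annotations.append("call " + toks[i + 1])  # keep the target with its keyword
            i += 2
        else:
            cur.annotations.append(toks[i])
            i += 1
    return nodes, edges


def entries_and_exits(nodes, edges):
    """Blocks with no predecessor (function entry) and with no successor (return paths)."""
    preds = {b for _, b in edges}
    succs = {a for a, _ in edges}
    return sorted(n for n in nodes if n not in preds), sorted(n for n in nodes if n not in succs)


def back_edges(nodes, edges, entry):
    """Edges whose target is still on the DFS stack, i.e. the edges that close loops."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    GRAY, BLACK = 1, 2
    color, found = {entry: GRAY}, []
    stack = [(entry, iter(succ.get(entry, [])))]  # (node, remaining successors)
    while stack:
        n, it = stack[-1]
        for b in it:
            if color.get(b) == GRAY:
                found.append((n, b))
            elif color.get(b) is None:
                color[b] = GRAY
                stack.append((b, iter(succ.get(b, []))))
                break
        else:  # all successors handled
            color[n] = BLACK
            stack.pop()
    return found


def natural_loop(edges, tail, head):
    """Body of the loop closed by tail->head: head plus all blocks reaching tail without passing head."""
    pred = {}
    for a, b in edges:
        pred.setdefault(b, []).append(a)
    body, work = {head, tail}, ([tail] if tail != head else [])
    while work:
        for p in pred.get(work.pop(), []):
            if p not in body:
                body.add(p)
                work.append(p)
    return body


def nodes_with(nodes, needle):
    """Ids of blocks whose annotations contain `needle` (an export name or 'call <addr>')."""
    return sorted(n.nid for n in nodes.values() if any(needle in a for a in n.annotations))


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    entry, exits = entries_and_exits(nodes, edges)
    print(len(nodes), "blocks,", len(edges), "edges; entry", entry, "exits", exits)
    for t, h in back_edges(nodes, edges, entry[0]):
        print("loop header %d body %s" % (h, sorted(natural_loop(edges, t, h))))
    print("blocks calling 7ff629542504:", nodes_with(nodes, "call 7ff629542504"))
```

On the sample this yields 23 blocks and 33 edges, entry 87 and the single exit 100, and two loops, {106, 107, 123} and {114, 117, 128}; both loop bodies contain the fill/rdbuf/sputc calls, i.e. they are the two padding loops of the insertion routine. Applying the same parser to the memcpy-annotated listing earlier in this section is the quickest way to locate the copy loops in that function without the rendered image.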

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: Concurrency::details::EmptyQueue::StructuredV01@Workmemcpy$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@memset
                  • String ID:
                  • API String ID: 2816322446-0
                  • Opcode ID: b9c5c220a8161afe00995a3b5838346bc2764bb80acdb38bfd23fd1c6c53baac
                  • Instruction ID: 2810d6782709569ca38b50ec0a6295ab62e3f339d54b59665c7b86b8a03aab4d
                  • Opcode Fuzzy Hash: b9c5c220a8161afe00995a3b5838346bc2764bb80acdb38bfd23fd1c6c53baac
                  • Instruction Fuzzy Hash: 6681E73261DA8585DAA0DF15F8903AEB7A0FBC5780F502026EA8E93B69DF3CD054DF01

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00007FF629542A98: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,00007FF629542985), ref: 00007FF629542ADA
                  • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF6295429A0
                  • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6295429D2
                  Memory Dump Source
                  • Source File: 00000000.00000002.2172836020.00007FF629541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF629540000, based on PE: true
                  • Associated: 00000000.00000002.2172821940.00007FF629540000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172851575.00007FF629548000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172866695.00007FF62954E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2172881719.00007FF62954F000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff629540000_TEiot52yrz.jbxd
                  Similarity
                  • API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
                  • String ID:
                  • API String ID: 3792166412-0
                  • Opcode ID: 61c6c2cae3a07f63e2bf5b4d9e59194abfd40384aa0aa098eae079579a8cfedb
                  • Instruction ID: 8a80ca00c31502ae5c772a893b6b3b5998c4cb646b33f35058f22d30c488caf5
                  • Opcode Fuzzy Hash: 61c6c2cae3a07f63e2bf5b4d9e59194abfd40384aa0aa098eae079579a8cfedb
                  • Instruction Fuzzy Hash: 5721B92670DB8581DE54DF1AE894229ABB0FBC9B84F509026EF8D93728DF3DD494DB01