Edit tour

Windows Analysis Report
7RDTQuL8WF.exe

Overview

General Information

Sample name:	7RDTQuL8WF.exe renamed because original name is a hash value
Original sample name:	12c98ce7a4c92244ae122acc5d50745ee3d2de3e02d9b1b8a7e53a7b142f652f.exe
Analysis ID:	1568430
MD5:	49a605ac3166562ecf0eb2d9e81947af
SHA1:	3084f7f84f00c3484a5c81b285976d98ddcf17ad
SHA256:	12c98ce7a4c92244ae122acc5d50745ee3d2de3e02d9b1b8a7e53a7b142f652f
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Detected potential crypto function

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file does not import any functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

7RDTQuL8WF.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\7RDTQuL8WF.exe" MD5: 49A605AC3166562ECF0EB2D9E81947AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 18500, "MaxGetSize": 2140839, "Jitter": 35, "C2Server": "163.5.169.26,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\wermgr.exe", "Spawnto_x64": "%windir%\\sysnative\\wermgr.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 12345, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 24576, "ProcInject_PrependAppend_x86": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_PrependAppend_x64": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3068161539.0000023C9BBDC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.1857422783.0000023C9BADD000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7RDTQuL8WF.exe PID: 6832	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: 7RDTQuL8WF.exe PID: 6832	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.7RDTQuL8WF.exe.23c9bac0000.0.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.3.7RDTQuL8WF.exe.23c9bac0000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.3.7RDTQuL8WF.exe.23c9bac0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T16:09:00.179962+0100	2028765	3	Unknown Traffic	192.168.2.4	49851	163.5.169.26	443	TCP
2024-12-04T16:09:55.985370+0100	2028765	3	Unknown Traffic	192.168.2.4	49738	163.5.169.26	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000003.1857422783.0000023C9BB1C000.00000020.00000001.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 18500, "MaxGetSize": 2140839, "Jitter": 35, "C2Server": "163.5.169.26,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\wermgr.exe", "Spawnto_x64": "%windir%\\sysnative\\wermgr.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 12345, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 24576, "ProcInject_PrependAppend_x86": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_PrependAppend_x64": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: 7RDTQuL8WF.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: 7RDTQuL8WF.exe

Static PE information: certificate valid

Source: 7RDTQuL8WF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 163.5.169.26

Source: Joe Sandbox View

ASN Name: EPITECHFR EPITECHFR

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 163.5.169.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49851 -> 163.5.169.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.169.26

Source: 7RDTQuL8WF.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: 7RDTQuL8WF.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: 7RDTQuL8WF.exe, 00000000.00000003.2741530343.0000023C9BA3F000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9B9CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9B9CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/H
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/b
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcast
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcastCB
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcastl
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcastoT
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcastpT
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.5.169.26/broadcastse
Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com
Source: 7RDTQuL8WF.exe, 00000000.00000003.2741530343.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.comp
Source: 7RDTQuL8WF.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC50460 NtClose,NtUnmapViewOfSection,NtOpenSection,NtMapViewOfSection,	0_2_00007FF72BC50460
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5AF10 NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_00007FF72BC5AF10
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC65700 NtReadFile,	0_2_00007FF72BC65700
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC64300 NtWriteFile,	0_2_00007FF72BC64300
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC69A00 NtCreateFile,	0_2_00007FF72BC69A00
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2A1C0 VirtualAlloc,VirtualProtect,LdrLoadDll,NtCreateThreadEx,NtClose,	0_2_00007FF72BC2A1C0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5F240 NtAllocateVirtualMemory,NtProtectVirtualMemory,NtCreateThreadEx,	0_2_00007FF72BC5F240

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC26BF0	0_2_00007FF72BC26BF0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC68A70	0_2_00007FF72BC68A70
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC28660	0_2_00007FF72BC28660
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC50460	0_2_00007FF72BC50460
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC29690	0_2_00007FF72BC29690
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5AF10	0_2_00007FF72BC5AF10
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5A290	0_2_00007FF72BC5A290
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC29500	0_2_00007FF72BC29500
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC65700	0_2_00007FF72BC65700
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC64300	0_2_00007FF72BC64300
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC69A00	0_2_00007FF72BC69A00
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC60520	0_2_00007FF72BC60520
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2A1C0	0_2_00007FF72BC2A1C0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5F240	0_2_00007FF72BC5F240
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5DD40	0_2_00007FF72BC5DD40
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC24D70	0_2_00007FF72BC24D70
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC237F0	0_2_00007FF72BC237F0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC40AF0	0_2_00007FF72BC40AF0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC3D1F0	0_2_00007FF72BC3D1F0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC60C70	0_2_00007FF72BC60C70
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC25060	0_2_00007FF72BC25060
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC4AB60	0_2_00007FF72BC4AB60
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC55260	0_2_00007FF72BC55260
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC6A960	0_2_00007FF72BC6A960
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC21190	0_2_00007FF72BC21190
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC34610	0_2_00007FF72BC34610
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5A410	0_2_00007FF72BC5A410
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC6E178	0_2_00007FF72BC6E178
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC21300	0_2_00007FF72BC21300
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC21000	0_2_00007FF72BC21000
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC25DB0	0_2_00007FF72BC25DB0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC377B0	0_2_00007FF72BC377B0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5F0B0	0_2_00007FF72BC5F0B0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC463A0	0_2_00007FF72BC463A0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2EF20	0_2_00007FF72BC2EF20
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5C820	0_2_00007FF72BC5C820
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC214D0	0_2_00007FF72BC214D0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC24ED0	0_2_00007FF72BC24ED0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC381D0	0_2_00007FF72BC381D0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2C550	0_2_00007FF72BC2C550
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC5DF50	0_2_00007FF72BC5DF50
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC66AD0	0_2_00007FF72BC66AD0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2E440	0_2_00007FF72BC2E440
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC2C3C0	0_2_00007FF72BC2C3C0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC36640	0_2_00007FF72BC36640
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC32240	0_2_00007FF72BC32240
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Code function: 0_2_00007FF72BC484C0	0_2_00007FF72BC484C0

Source: 7RDTQuL8WF.exe

Static PE information: No import functions for PE file found

Source: 7RDTQuL8WF.exe	Binary or memory string: OriginalFilename vs 7RDTQuL8WF.exe
Source: 7RDTQuL8WF.exe, 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiisexpress.exe\ vs 7RDTQuL8WF.exe
Source: 7RDTQuL8WF.exe	Binary or memory string: OriginalFilenameiisexpress.exe\ vs 7RDTQuL8WF.exe

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/1@0/1

Source: 7RDTQuL8WF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7RDTQuL8WF.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 7RDTQuL8WF.exe

Static PE information: certificate valid

Source: 7RDTQuL8WF.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 7RDTQuL8WF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 7RDTQuL8WF.exe

Static PE information: real checksum: 0x1012fe should be: 0xfbf95

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA48000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9B9CB000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000003.2741530343.0000023C9BA48000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe

Code function: 0_2_00007FF72BC2A1C0 VirtualAlloc,VirtualProtect,LdrLoadDll,NtCreateThreadEx,NtClose,

0_2_00007FF72BC2A1C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72BC2B54D	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72BC60A32	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x23C9BB9F67D	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtClose: Direct from: 0x23C9BBA01D0
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtDelayExecution: Direct from: 0x7FF72BC27C52	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC5B18B	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BB9F716	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtQuerySystemInformation: Direct from: 0x23C9BADCD31	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC2B634	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC60AC4	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72BC5FCAF	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtClose: Direct from: 0x7FF72BC52A33
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC5BEAF	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtDelayExecution: Direct from: 0x7FF72BC29BB8	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtCreateFile: Direct from: 0x7FF72BC6A38D	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtQueryInformationToken: Direct from: 0x23C9BB9FA82	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtQuerySystemInformation: Direct from: 0x23C9BBA020B	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BADD169	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtQueryInformationToken: Direct from: 0x23C9BBA7DB0	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BBA00E6	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtSetSecurityObject: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BADD0DC	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BB911BE	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtCreateThreadEx: Direct from: 0x7FF72BC2BCF5	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x23C9BBC94C3	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtCreateThreadEx: Direct from: 0x7FF72BC603A7	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtWriteFile: Direct from: 0x7FF72BC64B46	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC2B680	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtClose: Direct from: 0x7FF72BC2BD18
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BB9FB61	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x7FF72BC6032D	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtReadFile: Direct from: 0x7FF72BC65F79	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x23C9BADCBBB	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtUnmapViewOfSection: Direct from: 0x7FF72BC536B7	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtDeviceIoControlFile: Direct from: 0x23C9BBA0141	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtProtectVirtualMemory: Direct from: 0x23C9BADD1B2	Jump to behavior
Source: C:\Users\user\Desktop\7RDTQuL8WF.exe	NtAllocateVirtualMemory: Direct from: 0x7FF72BC5CF17	Jump to behavior

Source: C:\Users\user\Desktop\7RDTQuL8WF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 0.3.7RDTQuL8WF.exe.23c9bac0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3068161539.0000023C9BBDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1857422783.0000023C9BADD000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7RDTQuL8WF.exe PID: 6832, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7RDTQuL8WF.exe	58%	ReversingLabs	Win64.Trojan.CobaltStrike

Source	Detection	Scanner	Label
https://163.5.169.26/broadcastCB	0%	Avira URL Cloud	safe
https://163.5.169.26/broadcastl	0%	Avira URL Cloud	safe
https://163.5.169.26/broadcastpT	0%	Avira URL Cloud	safe
https://163.5.169.26/H	0%	Avira URL Cloud	safe
https://163.5.169.26/broadcastoT	0%	Avira URL Cloud	safe
163.5.169.26	0%	Avira URL Cloud	safe
https://163.5.169.26/b	0%	Avira URL Cloud	safe
https://163.5.169.26/	0%	Avira URL Cloud	safe
https://www.amazon.comp	0%	Avira URL Cloud	safe
https://163.5.169.26/broadcast	0%	Avira URL Cloud	safe
https://163.5.169.26/broadcastse	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
163.5.169.26	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://163.5.169.26/b	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.5.169.26/broadcastCB	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	7RDTQuL8WF.exe	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	7RDTQuL8WF.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	7RDTQuL8WF.exe	false		high
https://163.5.169.26/H	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9B9CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.5.169.26/broadcast	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://163.5.169.26/broadcastpT	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.5.169.26/broadcastoT	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.comp	7RDTQuL8WF.exe, 00000000.00000003.2741530343.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	7RDTQuL8WF.exe	false		high
http://ocsps.ssl.com0?	7RDTQuL8WF.exe	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	7RDTQuL8WF.exe	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	7RDTQuL8WF.exe	false		high
http://ocsps.ssl.com0	7RDTQuL8WF.exe	false		high
https://163.5.169.26/	7RDTQuL8WF.exe, 00000000.00000003.2741530343.0000023C9BA3F000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA2A000.00000004.00000020.00020000.00000000.sdmp, 7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9B9CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.5.169.26/broadcastl	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	7RDTQuL8WF.exe	false		high
https://163.5.169.26/broadcastse	7RDTQuL8WF.exe, 00000000.00000002.3067894286.0000023C9BA08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.5.169.26	unknown	France		56339	EPITECHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568430
Start date and time:	2024-12-04 16:08:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7RDTQuL8WF.exe renamed because original name is a hash value
Original Sample Name:	12c98ce7a4c92244ae122acc5d50745ee3d2de3e02d9b1b8a7e53a7b142f652f.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 15 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 7RDTQuL8WF.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EPITECHFR	botx.spc.elf	Get hash	malicious	Mirai	Browse	163.5.176.64
	spc.elf	Get hash	malicious	Mirai	Browse	163.5.130.180
	m68k.elf	Get hash	malicious	Mirai	Browse	163.5.176.71
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	163.5.152.99
	SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe	Get hash	malicious	AsyncRAT	Browse	163.5.160.86
	jNA5BK2z12.exe	Get hash	malicious	AsyncRAT	Browse	163.5.160.86
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	163.5.63.254
	https://zupimages.net/up/24/42/ol13.jpg?d6mSMvU0ZvpGwffnuqPHYMR7NvlxIzVjDfTD4YJjdRSCOcc	Get hash	malicious	Unknown	Browse	163.5.194.37
	Farahexperiences.com_Report_52288.pdf	Get hash	malicious	Unknown	Browse	163.5.194.34
	https://swiftclaimairdropmeta.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	163.5.194.33

Process:	C:\Users\user\Desktop\7RDTQuL8WF.exe
File Type:	data
Category:	dropped
Size (bytes):	401408
Entropy (8bit):	7.356601554259918
Encrypted:	false
SSDEEP:	6144:TKgKkUNPz7zpvVwelmAoyYwCir7b/6kgU/Dn+N1RUp7WdAlRU:HKkI3FvC8k98ukgTAp7DlRU
MD5:	29668B20F3B0E24C35893F6B1CE2D5FF
SHA1:	7B24C9C52D8282582815CA0B4BF9F14CBC92CFA7
SHA-256:	FC34CAF0910FB3A289293B0A7361DD4B3766AACFC8793BBEE8A5C6EE946CCE5B
SHA-512:	04CE6E06E9972ADAEF15AEF658F5FCE46D235FE2205EC4DAAB07693E540FA8D027F1C624AC72DC34C1994B55DE02CCAC35C7927FDBC6E42C1BABF5BD55737229
Malicious:	false
Reputation:	low
Preview:	L..>.IY.Xk........[DF.t..b..........i..xk.DF.'%xk......xc.....Ovk... `.4..X.h.....k.`.....b.u...K.y.!..X/._.l...E...%..xk....O....\|.c!...\|......\|......\|x.....\|......\|.......\|......\|......\|.c .Z..\|.....\|......\|......\|S......\|...xk......xk......xk...Q..x.".....k......x.......xk......xk...Em.xk.......j......xk......xk......xk......xk......xi.l....xk......xk......xk......xk......x{...1l.x2...G.x.......xk......x.......xk....(.xo......xk......xk......xk......xk....P.x.......xk......x.......xk......xk......xk.../.......c{.xk....\|.xk......xk......xK.../.......,.xkd.....xk......xk......x+.../.......!.xkd.....xk:.....xk......x+.../..........xkd.....xkN.....xk......x+.../.........xkT.....xk......xk......x+......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk......xk...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.431426649521118
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7RDTQuL8WF.exe
File size:	1'029'440 bytes
MD5:	49a605ac3166562ecf0eb2d9e81947af
SHA1:	3084f7f84f00c3484a5c81b285976d98ddcf17ad
SHA256:	12c98ce7a4c92244ae122acc5d50745ee3d2de3e02d9b1b8a7e53a7b142f652f
SHA512:	994ba0956c04b4d1c25d4423f0922dbb8ce18a7514564d6142635bdc928787a3ced94245d18d3eada8da44bf40317d7e0420d9505c5f77904ec16701c1c4c992
SSDEEP:	24576:DI6wmsYRC2WqlRq7eK6U63WO362ojBTptPRlDPUPh9KjFvrkiukg0Z/rkhhZ/:D1RC2WdUR8kiu/0Z/r2d
TLSH:	A6257C6169625F6DF82BE23A087A574085B03C3825E4F9F302D051F97F129B1D78DABB
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....V(e.........."......T...8.................@..........................................`........................................

File Icon


Icon Hash:	1a1de1e5e1239e38

Static PE Info

General

Entrypoint:	0x14003a290
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x652856A4 [Thu Oct 12 20:27:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/08/2023 16:28:27 27/08/2024 16:28:27
Subject Chain	CN=Rigveda Ltd, O=Rigveda Ltd, L=Epping, C=GB
Version:	3
Thumbprint MD5:	55B0A51331045F41E64A167E984DE201
Thumbprint SHA-1:	754AC4AD446D76B2A788453030E6845E7A9EFC33
Thumbprint SHA-256:	1800C61C65A35F0BAB77929315D0B0AE81609296ED0F33EF6661A8B0E3852F7B
Serial:	70AACF510F5C8A893C5104B2DB315633

Entrypoint Preview

Instruction
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 48h
xorps xmm0, xmm0
movaps esp+30h, dqword ptr [xmm0]
mov eax, dword ptr [000A616Ah]
cmp dword ptr [000A6167h], 0Ah
setl cl
lea edx, dword ptr [eax+01h]
imul edx, eax
test dl, 00000001h
sete al
mov edx, ecx
and dl, al
mov byte ptr [esp+2Eh], dl
xor cl, al
mov byte ptr [esp+2Fh], cl
inc ecx
mov esi, 00001E27h
mov edi, dword ptr [esp+30h]
inc esp
xor edi, esi
mov dword ptr [esp+30h], edi
mov ebx, dword ptr [esp+38h]
inc esp
xor ebx, esi
mov dword ptr [esp+38h], ebx
mov ebp, dword ptr [esp+3Ch]
inc esp
xor ebp, esi
mov dword ptr [esp+3Ch], ebp
mov dword ptr [esp+40h], 00001E27h
mov eax, 00002E15h
inc ecx
mov ah, 01h
inc ebp
xor ebp, ebp
inc ecx
mov edi, 000036D3h
inc esp
mov esi, esi
xor esi, 0000601Ch
nop dword ptr [eax+eax+00h]
cmp eax, 00007793h
jnle 00007F7564C28DEBh
cmp eax, 000028D2h
je 00007F7564C28E87h
cmp eax, 00002E15h
jne 00007F7564C28DB9h
jmp 00007F7564C28E37h
nop dword ptr [eax+eax+00h]
cmp eax, 00007794h
je 00007F7564C28E17h
cmp eax, 00007E1Dh
jne 00007F7564C28DA4h
xor ecx, ecx
call 00007F7564BF8C40h
mov eax, dword ptr [00000059h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe4000	0x1b758	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4be78	0x39c	.text
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf9000	0x2540	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x100000	0x2c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x55840	0x140	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x552cc	0x55400	cb7ab40cfa2f99ea5f6b24d7fb692252	False	0.34418530058651026	data	5.800423100467681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x57000	0x8b0dc	0x87c00	158c9b0636472e5d8002a85776914b13	False	0.34027717829189685	data	6.14244711834025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sdata	0xe3000	0xbc	0x200	b10bacce8b03a9fa144cfe406fb19b97	False	0.154296875	data	1.4321792905111919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xe4000	0x1b758	0x1b800	2fb90a977cd07374e15516df06e081ce	False	0.8856001420454546	data	7.577454365616855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x100000	0x2c	0x200	4ecf097c9fcb6981c28965343b617d1b	False	0.10546875	data	0.5376283829017994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe46e8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3445121951219512
RT_ICON	0xe4d50	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5067204301075269
RT_ICON	0xe5038	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.5676229508196722
RT_ICON	0xe5220	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.625
RT_ICON	0xe5348	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6284648187633263
RT_ICON	0xe61f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7766245487364621
RT_ICON	0xe6a98	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.8358294930875576
RT_ICON	0xe7160	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5939306358381503
RT_ICON	0xe76c8	0x13b8e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9997895570795474
RT_ICON	0xfb258	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5776970954356846
RT_ICON	0xfd800	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6177298311444653
RT_ICON	0xfe8a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6778688524590164
RT_ICON	0xff230	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6879432624113475
RT_GROUP_ICON	0xff698	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xe4340	0x3a4	data	English	United States	0.45493562231759654

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T16:09:00.179962+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49851	163.5.169.26	443	TCP
2024-12-04T16:09:55.985370+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49738	163.5.169.26	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 16:09:11.862112999 CET	49738	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:11.862150908 CET	443	49738	163.5.169.26	192.168.2.4
Dec 4, 2024 16:09:11.862297058 CET	49738	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:11.976213932 CET	49738	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:11.976234913 CET	443	49738	163.5.169.26	192.168.2.4
Dec 4, 2024 16:09:55.985276937 CET	443	49738	163.5.169.26	192.168.2.4
Dec 4, 2024 16:09:55.985369921 CET	49738	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:55.985506058 CET	49738	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:55.985521078 CET	443	49738	163.5.169.26	192.168.2.4
Dec 4, 2024 16:09:55.987988949 CET	49741	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:55.988028049 CET	443	49741	163.5.169.26	192.168.2.4
Dec 4, 2024 16:09:55.988100052 CET	49741	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:55.988328934 CET	49741	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:09:55.988339901 CET	443	49741	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:40.048012972 CET	443	49741	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:40.048140049 CET	49741	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:40.048294067 CET	49741	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:40.048319101 CET	443	49741	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:40.051310062 CET	49823	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:40.051354885 CET	443	49823	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:40.051425934 CET	49823	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:40.051512003 CET	49823	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:40.051549911 CET	443	49823	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:40.051599026 CET	49823	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:53.310642958 CET	49851	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:53.310672045 CET	443	49851	163.5.169.26	192.168.2.4
Dec 4, 2024 16:10:53.310739040 CET	49851	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:53.311053991 CET	49851	443	192.168.2.4	163.5.169.26
Dec 4, 2024 16:10:53.311072111 CET	443	49851	163.5.169.26	192.168.2.4

Target ID:	0
Start time:	10:09:06
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\7RDTQuL8WF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7RDTQuL8WF.exe"
Imagebase:	0x7ff72bc20000
File size:	1'029'440 bytes
MD5 hash:	49A605AC3166562ECF0EB2D9E81947AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3068161539.0000023C9BBDC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1857422783.0000023C9BADD000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	93.8%
Total number of Nodes:	16
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF72BC2A1C0 Relevance: 33.3, APIs: 5, Strings: 13, Instructions: 1793COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF72BC2B736
i, xrefs: 00007FF72BC2B71E
t, xrefs: 00007FF72BC2B6F6
l, xrefs: 00007FF72BC2B716
%c%c%c%c%c%c%c%c%c%c%c%c%cslot-%d, xrefs: 00007FF72BC2AF00, 00007FF72BC2B750
., xrefs: 00007FF72BC2B73E
dll, xrefs: 00007FF72BC2ABD3, 00007FF72BC2B423
o, xrefs: 00007FF72BC2B6FE
\, xrefs: 00007FF72BC2B6EE
m, xrefs: 00007FF72BC2B72E
s, xrefs: 00007FF72BC2B70E
l, xrefs: 00007FF72BC2B706
a, xrefs: 00007FF72BC2B726

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: %c%c%c%c%c%c%c%c%c%c%c%c%cslot-%d$.$\$\$a$dll$i$l$l$m$o$s$t
API String ID: 0-3301015146
Opcode ID: dc8e1d0431761e4becce917131b4550b6664291b9e6e9e6d070bfabe1cef3c34
Instruction ID: ad8f39e69394ff077481ad81222e38bb033e8b640be097bd8861520736263b71
Opcode Fuzzy Hash: dc8e1d0431761e4becce917131b4550b6664291b9e6e9e6d070bfabe1cef3c34
Instruction Fuzzy Hash: 42037F36A08B858EEB749F7DDC953E973A0E748788F504035DA4D8B7A5DF38E6818B10

Function 00007FF72BC50460 Relevance: 25.1, APIs: 4, Strings: 8, Instructions: 4087COMMON

Download Yara Rule

Strings

t>F, xrefs: 00007FF72BC51FB2
t>F, xrefs: 00007FF72BC51E7E
t>F, xrefs: 00007FF72BC54C68
74?t, xrefs: 00007FF72BC51B18
s>F, xrefs: 00007FF72BC532D0
74?t, xrefs: 00007FF72BC52AFF
74?t, xrefs: 00007FF72BC54F69
64?t, xrefs: 00007FF72BC5494E

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: 64?t$74?t$74?t$74?t$s>F$t>F$t>F$t>F
API String ID: 0-1607135101
Opcode ID: d0dffb069883ba90592c3829e3a22f9838631d5595f33513bb57e5c7962b53f8
Instruction ID: a4688b38c7d4cb5668fc14db969f90782158ab50a7e7da01c54c6f11f784b47b
Opcode Fuzzy Hash: d0dffb069883ba90592c3829e3a22f9838631d5595f33513bb57e5c7962b53f8
Instruction Fuzzy Hash: 51937F36A046868FEB799F2CCC953E977A5E744B88F504435DA0D9B7A4CF3CE6848B10

Function 00007FF72BC60520 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\??\, xrefs: 00007FF72BC60855, 00007FF72BC60B2B
dll, xrefs: 00007FF72BC60705, 00007FF72BC609E0

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: \??\$dll
API String ID: 0-3700238756
Opcode ID: 856e0263ee4bbf85a731cac2c8d7ee03aa954b3ae0637c92e9654325608a4992
Instruction ID: da61921e44e5f44c777ca7aa4e6415eda6f4fd77c6336593adda6f4c3e15b923
Opcode Fuzzy Hash: 856e0263ee4bbf85a731cac2c8d7ee03aa954b3ae0637c92e9654325608a4992
Instruction Fuzzy Hash: 46020772F14581CAF714ABBAEC823AE6670EB58788F508035DE4C47B55DE38D6D28F50

Function 00007FF72BC5F240 Relevance: 5.6, APIs: 3, Instructions: 1080
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98fb52d06793c2a24ce5387dbf8083220f8010d7c98bdc35a4c957f257bc4d2
Instruction ID: 7a9892e3b3117263897314e453cdff81544b4e79e0434d572d5802b4beac5f8a
Opcode Fuzzy Hash: c98fb52d06793c2a24ce5387dbf8083220f8010d7c98bdc35a4c957f257bc4d2
Instruction Fuzzy Hash: A0B2B036A04B858EEB649F3CD8913ED73A1F788798F508135DA5D877A4CF38E5858B10

Function 00007FF72BC69A00 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 895
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 00007FF72BC6A35D

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 4adc26f4d8cb2ff7831972cd92cd0470ba0fe5df39649da4ce3a6f1323786c38
Instruction ID: 2fcaa475986f0c9e67774102ddb3731afa707d23b9e412d60bdd3012098c28b7
Opcode Fuzzy Hash: 4adc26f4d8cb2ff7831972cd92cd0470ba0fe5df39649da4ce3a6f1323786c38
Instruction Fuzzy Hash: E9929E32A097858EE7149F3DC8913ED77A0FB88788F508039EA4C877A5DF38E5858B50

Function 00007FF72BC5AF10 Relevance: 4.4, APIs: 2, Instructions: 1378nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF72BC5B189

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 267820f8e0ff7e545abf8be32ac946d79b33f91e74ab600288b49f26f4ce61e6
Instruction ID: a7f41757d7122fd9e9758aedeb676a78b36c25039e9264ace7adce96e6040865
Opcode Fuzzy Hash: 267820f8e0ff7e545abf8be32ac946d79b33f91e74ab600288b49f26f4ce61e6
Instruction Fuzzy Hash: 8AE27F76A04A858EEB649F3DDC913ED77A0F748788F508035DA5D8B7A4DF38E6848B10

Function 00007FF72BC26BF0 Relevance: 3.0, APIs: 1, Instructions: 1457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacafdd2c1475177fe6bfc327c72029776a093b77fc6f319c8e097c12d9c31ce
Instruction ID: 768804be2ced70deb52ad63c9d43ff091dc4a388239bdead21d5aca4635f6aef
Opcode Fuzzy Hash: dacafdd2c1475177fe6bfc327c72029776a093b77fc6f319c8e097c12d9c31ce
Instruction Fuzzy Hash: 06E29436A086868FEB24AF2CCC953E977A1EB54748F508435CA0D877A4DF7CE9859F10

Function 00007FF72BC64300 Relevance: 2.6, APIs: 1, Instructions: 1126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e61ca4e72ab20905fb452e13589ae53cc2b2b78522999c28a16f60dabf323b1
Instruction ID: e70fe6e303edb16dbfa13054e6fff5c1c12619bcf7ef10ac794b1fe2a909337e
Opcode Fuzzy Hash: 6e61ca4e72ab20905fb452e13589ae53cc2b2b78522999c28a16f60dabf323b1
Instruction Fuzzy Hash: F4B29532A086858FEB649F3CDC917E973A1E788748F548439DA4D877A8DF7CE5848B10

Function 00007FF72BC65700 Relevance: 2.6, APIs: 1, Instructions: 1103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89529a76cdad1e104b952576b0afe56fc4d7188e0f28ad5f5b4e507062d96c9
Instruction ID: c4b7259ebb1893974fc3493b04147c7fe19d94793cce37341e5aacd09079a658
Opcode Fuzzy Hash: e89529a76cdad1e104b952576b0afe56fc4d7188e0f28ad5f5b4e507062d96c9
Instruction Fuzzy Hash: 43B27132A086868EFB649F2CDC917ED73A1E788748F508439DA4D877A5DF3CE5858B10

Function 00007FF72BC29690 Relevance: 2.2, APIs: 1, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca93b157ca0a7455bc877537fd3d40719e1a17e6b8b29baadaf75ed155fe26e
Instruction ID: 8de0f07e302a730fcd456a20a13f9f1c09733d0de42dcfecccf54742bff880d9
Opcode Fuzzy Hash: 0ca93b157ca0a7455bc877537fd3d40719e1a17e6b8b29baadaf75ed155fe26e
Instruction Fuzzy Hash: 3F62BC36E08A458FFB149F7DD8812AD77A1EB58788F508535EE0D937A4DF38A5C18B10

Function 00007FF72BC68A70 Relevance: .9, Instructions: 911
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942def8aaf54a673c83e6908b09a1be8e6d79f14e7fe5f64c7a3c3f014d245ca
Instruction ID: 5925566801f471f2f28a6e2bc5e97cb3b84fe260d183bc121d87f5dc0924e59b
Opcode Fuzzy Hash: 942def8aaf54a673c83e6908b09a1be8e6d79f14e7fe5f64c7a3c3f014d245ca
Instruction Fuzzy Hash: E0928F32A087858EEB149F3DD8813ED77A1F798788F508139EA4D877A5DF38E5818B50

Function 00007FF72BC28660 Relevance: .9, Instructions: 851
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8422fdc7444ae0c79b16563a61ddb9463beb7a3a1b094ebf561e5ed28fa97f
Instruction ID: 0cb6a6fdf032343d3292bc0474fb6f333787547c9083a1b5d315097d0f5156ee
Opcode Fuzzy Hash: 7f8422fdc7444ae0c79b16563a61ddb9463beb7a3a1b094ebf561e5ed28fa97f
Instruction Fuzzy Hash: F6827E36A086868FEB289F3CCC953E977A1EB44788F508435DA0D877A4DF7DE5848B10

Function 00007FF72BC5DD40 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75319890694192d2587bdd6bbbe7b77d1138ecc64bf81fd4571e3304b89a6fe9
Instruction ID: b7e4d6916b00fb7b531e0eb46c0bfeed5ea3e188c842c613e1d113ee05122d7f
Opcode Fuzzy Hash: 75319890694192d2587bdd6bbbe7b77d1138ecc64bf81fd4571e3304b89a6fe9
Instruction Fuzzy Hash: AD51F362F182818BF704AF78DD856BA76A0FB58348F405434DE09677A1DB3DA6D28F60

Function 00007FF72BC29500 Relevance: .1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e1944332c87aa00044a2880b2e8a9afc11ba51767c19cf11893bc7bd56dbf0
Instruction ID: d96e648cbd64064ebb56ed3c7fc1039d40b751bcaa94e7241977e5d916ac4315
Opcode Fuzzy Hash: 17e1944332c87aa00044a2880b2e8a9afc11ba51767c19cf11893bc7bd56dbf0
Instruction Fuzzy Hash: 2241E332A0C1828BF7199B2DEC9456BF7D1FB89350F909435EE49872A4DA7DE881CF50

Function 00007FF72BC5A290 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6242faaab756d7701002780e61419f95eb4ff5a8e4e06cbe8bff927ad0f8de
Instruction ID: e8f410e2063870858c10dceb3b66cb9d3ac577a4e854c72cb1241a6d4a780a7d
Opcode Fuzzy Hash: 6a6242faaab756d7701002780e61419f95eb4ff5a8e4e06cbe8bff927ad0f8de
Instruction Fuzzy Hash: AC312733A0C1858BF7149E2DACC016BF791FB89358F909435FE56976A4CA3DE8898F40

Non-executed Functions

Function 00007FF72BC463A0 Relevance: 8.0, Strings: 5, Instructions: 1800COMMON

Download Yara Rule

Strings

-}"d, xrefs: 00007FF72BC47E04
-}"d, xrefs: 00007FF72BC47AF4
,}"d, xrefs: 00007FF72BC48219
-}"d, xrefs: 00007FF72BC46472
-}"d, xrefs: 00007FF72BC483DE

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: ,}"d$-}"d$-}"d$-}"d$-}"d
API String ID: 0-1273328114
Opcode ID: ac84c06dd5559046ea988fb16623ec5c3ce1d7547c6605d542f776737c2f2220
Instruction ID: 609d94a6723b0c155358d4416943f4185dda32260410989ece784156d1babc7e
Opcode Fuzzy Hash: ac84c06dd5559046ea988fb16623ec5c3ce1d7547c6605d542f776737c2f2220
Instruction Fuzzy Hash: 250350766087858EEB649F2CCC953E973B1E748748F508436CA4D8B7A8DF3DE6858B10

Function 00007FF72BC55260 Relevance: 6.1, Strings: 4, Instructions: 1122COMMON

Download Yara Rule

Strings

}k%`, xrefs: 00007FF72BC5663A
|k%`, xrefs: 00007FF72BC55854
}k%`, xrefs: 00007FF72BC55D55
}k%`, xrefs: 00007FF72BC56001

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: |k%`$}k%`$}k%`$}k%`
API String ID: 0-3463582048
Opcode ID: 375ddb0a6dedf979fb23dd17de43c97b6d10ab704bf8ef0ef2e2ca5fc6c9e876
Instruction ID: eb04865273bb3beadabddf78a5ac22db546837bf5cfe8a468a4ee7d198206d1d
Opcode Fuzzy Hash: 375ddb0a6dedf979fb23dd17de43c97b6d10ab704bf8ef0ef2e2ca5fc6c9e876
Instruction Fuzzy Hash: BCC27032A08B858EEB649F3CDC953F973A1E744788F908435DA4D8B7A5DF38E5858B10

Function 00007FF72BC5A410 Relevance: 4.4, Strings: 3, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 00007FF72BC5A9C2
&, xrefs: 00007FF72BC5A9BA
&, xrefs: 00007FF72BC5A9B2

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: &$&$&
API String ID: 0-3101051865
Opcode ID: d7cf0028cdebc437f788ed184b8408e8110bbb8e244b1da4cb1ae4522f148f2e
Instruction ID: 672d5838232057278079eb0e5278fa9942cf7296da0b79846d02330dc956e533
Opcode Fuzzy Hash: d7cf0028cdebc437f788ed184b8408e8110bbb8e244b1da4cb1ae4522f148f2e
Instruction Fuzzy Hash: 6C52B632A0C6C18BE3249F2DA89036BF7D2F7C9344F545035EA99477A5DA3DE8898F10

Function 00007FF72BC6E178 Relevance: 4.0, Instructions: 4020
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b084abbc5d28e6e90e63e18352fe4c4f173507f311b54ac35f28db14f04edc8
Instruction ID: bd8dd2a4128b3c24f5ba2c285c5a1976c93bffd49590e44596ffdbd8742ffe66
Opcode Fuzzy Hash: 9b084abbc5d28e6e90e63e18352fe4c4f173507f311b54ac35f28db14f04edc8
Instruction Fuzzy Hash: AB8360A784EBC15BD7034E345DB925C3F7042AA90AB9E89CBC7C2C26C7E14D5869D723

Function 00007FF72BC6A960 Relevance: 3.5, Strings: 2, Instructions: 1026COMMON

Download Yara Rule

Strings

-v, xrefs: 00007FF72BC6B769
-v, xrefs: 00007FF72BC6B080

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: -v$-v
API String ID: 0-1800815129
Opcode ID: 25f5ac68a7368a6820bc2d42bf8e38d48af42bd4cecaf727b94bbffe9843d24e
Instruction ID: 4087f36c6ae7abe363052665d64e7de6ad6f3e4ea233ba933c2efb9698ecfbde
Opcode Fuzzy Hash: 25f5ac68a7368a6820bc2d42bf8e38d48af42bd4cecaf727b94bbffe9843d24e
Instruction Fuzzy Hash: A3A28132A086868EEB649F2CDC917ED73A1E788748F508439DA4D877A4DF7CE5C58B10

Function 00007FF72BC40AF0 Relevance: 3.2, Strings: 1, Instructions: 1995COMMON

Download Yara Rule

Strings

;Se, xrefs: 00007FF72BC4297B

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: ;Se
API String ID: 0-2939129927
Opcode ID: 2cc615824dfe39dd82a0b4034de342c0a9db734c9374e1aa32a5a416d134a466
Instruction ID: 10c3ab9003d56e3de00b31e3e27f214c741916f7b3f98a6efd717dcf3a6aa9e8
Opcode Fuzzy Hash: 2cc615824dfe39dd82a0b4034de342c0a9db734c9374e1aa32a5a416d134a466
Instruction Fuzzy Hash: 88236232A186868EEB689F2CCC957ED77A1E744748F904435CA4DCB7A4DF3DE6848B10

Function 00007FF72BC34610 Relevance: 2.0, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ug%, xrefs: 00007FF72BC34F88

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID: Ug%
API String ID: 0-546358282
Opcode ID: 9994d626bda172cbf28bf3604078678a175dc472d1749bc7bfc6d931bcdfad2b
Instruction ID: c84f0f7d0246181fa0f05afc6357652181c61558d1ac9f63e5fd31a6fcc96f85
Opcode Fuzzy Hash: 9994d626bda172cbf28bf3604078678a175dc472d1749bc7bfc6d931bcdfad2b
Instruction Fuzzy Hash: 2672B236A086428FFB189F2CD8942AD77A1EB45748F944436DA0DC77A4CB3DE989CF50

Function 00007FF72BC36640 Relevance: 1.0, Instructions: 990COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2589b3fbcc3f74be30f2cffe10aa6646850d16c2abb5526766708014d43639
Instruction ID: 5c7ffd4398fa13428a5db27d055d5165a258964a66d4cfcefe973305b831a27e
Opcode Fuzzy Hash: 9f2589b3fbcc3f74be30f2cffe10aa6646850d16c2abb5526766708014d43639
Instruction Fuzzy Hash: EBA2A332A097858AEB64AF2CDC907E977A1F744748F918436DA4D877A4CF3DE588CB10

Function 00007FF72BC5DF50 Relevance: 1.0, Instructions: 973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb5f083b44e379b3cbc8ff5290e37d85d0cf6e5a704faff1fd7723c4d1a9190
Instruction ID: 866cb38732ad263fe53fc708b90a14e50c37360cf292224a067cbf8db5e22752
Opcode Fuzzy Hash: dfb5f083b44e379b3cbc8ff5290e37d85d0cf6e5a704faff1fd7723c4d1a9190
Instruction Fuzzy Hash: DAA29E72A086868EEB649F6CDCD53F973A1EB44788F508435DA0D977A4DF3CE5848B20

Function 00007FF72BC484C0 Relevance: .9, Instructions: 930COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0939dc54e2433b09e06aab324518756b384b0f2180bf7bd4b6525484e94fb6cf
Instruction ID: 1aa966ec6b50d7c3b48814467c28ad4398f89094b485dbc716adbea087c32c1a
Opcode Fuzzy Hash: 0939dc54e2433b09e06aab324518756b384b0f2180bf7bd4b6525484e94fb6cf
Instruction Fuzzy Hash: 74929632A086868EFB68AF3CDC543E977A2EB45748F504435DA4DC77A4CB3DE6848B11

Function 00007FF72BC25DB0 Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec00e93e098311ee427c9320d00b1ab3a1edd3160c411fc34de2ce941d6005e9
Instruction ID: 96ee5ebb71e79304ecfdd1060690220471420ab58fd028432d40b3101d6b2cc9
Opcode Fuzzy Hash: ec00e93e098311ee427c9320d00b1ab3a1edd3160c411fc34de2ce941d6005e9
Instruction Fuzzy Hash: D3827372A086868FEB249F6CDC943B977A0EB44748F904435DA4DC77A5DF3CE9858B20

Function 00007FF72BC2EF20 Relevance: .8, Instructions: 832
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca51c85a0c8b91149ee6531806d1af20e1f02e386008f7612efd5ac65d482d5
Instruction ID: 28bb8d9d6eeb618b7d9c9f594ed505b6520158c2409b6c2262337e532d280e6b
Opcode Fuzzy Hash: 7ca51c85a0c8b91149ee6531806d1af20e1f02e386008f7612efd5ac65d482d5
Instruction Fuzzy Hash: 0982A272A0874A8FFB549F3CC8543AD7BA2EB44788F558531DA0C877A4CB3DE9858B50

Function 00007FF72BC381D0 Relevance: .8, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cc1d2b468c47ec096b6f358a967a72a8998be749d8d1436bef50e1aaf87f65
Instruction ID: 92a7230db31508f282d8973a97325b2e72af52719a532cd60edb2818e2d91769
Opcode Fuzzy Hash: b4cc1d2b468c47ec096b6f358a967a72a8998be749d8d1436bef50e1aaf87f65
Instruction Fuzzy Hash: D7729172A086428FFB549F2CC8942ED77A1EB44788F948435DA0E877A4DF3DF5898B50

Function 00007FF72BC32240 Relevance: .7, Instructions: 700
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0127a53e1e21b91e6bfef04051f5f1b031efdcda4a8a9f08791ce2806e70bcbb
Instruction ID: bf2aaa88169b287dab84cf34de867e2c7ef89cb1566fdb5844711d311f052956
Opcode Fuzzy Hash: 0127a53e1e21b91e6bfef04051f5f1b031efdcda4a8a9f08791ce2806e70bcbb
Instruction Fuzzy Hash: 8262A932A046858EFF54DF2CDC842AD77A1FB44748F958431DA499B7A8CB3CE9898F50

Function 00007FF72BC2E440 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f199fe86371d69f6da377e0296d46640a3cdbd74e6175d27f5670a80bf089ae
Instruction ID: 79bc6ccdcbf21ba49c430e5bd615ab33efd389aab42cddddb948b2eb5416c93d
Opcode Fuzzy Hash: 4f199fe86371d69f6da377e0296d46640a3cdbd74e6175d27f5670a80bf089ae
Instruction Fuzzy Hash: 0362AE72A086468FFB18DF3CC8952AD77A1EB48788F508435DA0D977A4DF3DE5858B10

Function 00007FF72BC377B0 Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89255a0115c516acb5d978a6ed6b7a7ab4414f4924143cf20324837a00d9077e
Instruction ID: bf9b4b164eb113253f96b79bfc3cd46717a86a25e7747fe548c81973ab8ecaed
Opcode Fuzzy Hash: 89255a0115c516acb5d978a6ed6b7a7ab4414f4924143cf20324837a00d9077e
Instruction Fuzzy Hash: D852B132A086468FFB149F3CD8946AD77A1EB54748F918436DE09977A4CF3CE5898F10

Function 00007FF72BC237F0 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1719648dca22182727251fb4fd90e63db1de05986ac300e50a70e017eb0809b3
Instruction ID: 5d92e56a888da8a36298183122a13df85446f0c90c7e51f79b8697ae8ffc3790
Opcode Fuzzy Hash: 1719648dca22182727251fb4fd90e63db1de05986ac300e50a70e017eb0809b3
Instruction Fuzzy Hash: B852DF32A086828FFB149F3CC8552ED77A1EB98348F548535EE4D93BA4DB3DE5858B10

Function 00007FF72BC2C550 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b10b849d836722ac95d487a4df8f4a5b6fd5f89ec76a54104b977d5027cd024
Instruction ID: 9160981f5b607118577f61cfe2ced76f656845ae52a98309d0985937ca15c8d3
Opcode Fuzzy Hash: 7b10b849d836722ac95d487a4df8f4a5b6fd5f89ec76a54104b977d5027cd024
Instruction Fuzzy Hash: D342BE32E086428FFB14DF7CCD952AE7BB0EB54348F649435DE09977A4CB38A9858B50

Function 00007FF72BC3D1F0 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb246353296e6419daf0f102a478318d96a2a3ce449e9a9b0ac3097952a99eb0
Instruction ID: ec9559070700183c494617d2879bad22d5558332dab763a9e17c59373a41124a
Opcode Fuzzy Hash: fb246353296e6419daf0f102a478318d96a2a3ce449e9a9b0ac3097952a99eb0
Instruction Fuzzy Hash: 1752C132A08A858EF7549F7CC8812ED77B1EB58748F908535EE4D837A4CF38E5948B10

Function 00007FF72BC214D0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b226df3e58c3d57c34da082a2a0d0003aa4b604147f3c3427f62eafcad9d7eae
Instruction ID: 4954f537e629ba77de73c9c018fe796eda5885d52e7b00d8161212e3166fd877
Opcode Fuzzy Hash: b226df3e58c3d57c34da082a2a0d0003aa4b604147f3c3427f62eafcad9d7eae
Instruction Fuzzy Hash: 6B51F333A0C1814BE314AF2DE8502ABF7D2EB89784F559035EA89877A5DE7CE5C58F10

Function 00007FF72BC4AB60 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a16014b36fdd87dcbdb799de490b59d836b5d92d88310baf84d007ee4e2bd9
Instruction ID: a14c44ba55ef4c40eaed6b98f37dd97386473569978b7e1cc63cee4bccead5f8
Opcode Fuzzy Hash: 90a16014b36fdd87dcbdb799de490b59d836b5d92d88310baf84d007ee4e2bd9
Instruction Fuzzy Hash: B251D732B096818AF704AF7CDD552AE76A6EB18788F448035EE4C877A1DA3DD6D18B10

Function 00007FF72BC21300 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeef04360cee111890be80a9e38b82605250ee18bd4db396a82be6bcd0ec04e1
Instruction ID: 99dedfd74359aeeba00389dde182eeb94d2fd067a441b6aec3207f150ad1bf01
Opcode Fuzzy Hash: eeef04360cee111890be80a9e38b82605250ee18bd4db396a82be6bcd0ec04e1
Instruction Fuzzy Hash: 8641F432A0C1858BE714AB1CEC9016BF7E6FB84784F505039EA89877A5DE7DE8C18F50

Function 00007FF72BC25060 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384ba4e293cefdc7a02e68922b3cd1b9c696611850886d8396c3708dd6f7e3b1
Instruction ID: 8af50a6dc4910adcc5abe19cc9295dbb0ab084d030a5d812e070fe7d2fcb40af
Opcode Fuzzy Hash: 384ba4e293cefdc7a02e68922b3cd1b9c696611850886d8396c3708dd6f7e3b1
Instruction Fuzzy Hash: E741E433A1C1818BE7149F1DECA012BF7A2FBC8384F505035EE49876A5DA7DE8818F00

Function 00007FF72BC24ED0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a9c7586afd2ef2599ccfe5ad40d4dfc8718a041d9f438f8276e207615b0a30
Instruction ID: f210bf455b66514a11e6c67877fa47cab8d5b673370b8613f8ae1fe3a3178a90
Opcode Fuzzy Hash: 72a9c7586afd2ef2599ccfe5ad40d4dfc8718a041d9f438f8276e207615b0a30
Instruction Fuzzy Hash: 9E41E133A1C5828BE3159B1DEC9026BF792FBC8754F545035FA8987AA4DA7DE8818F00

Function 00007FF72BC5F0B0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dc2d7ddd0433deb228c0051bf8439e695b951aba1dec188b1565e71eb16927
Instruction ID: ee4a37455e124ee9176866403b930a4198794f3de826b6f594f13ba5baa86dd3
Opcode Fuzzy Hash: d8dc2d7ddd0433deb228c0051bf8439e695b951aba1dec188b1565e71eb16927
Instruction Fuzzy Hash: E441C732A181428BE714AB6DEC8457BB692FB84354F505439E94A877A0DE7DE8C28F10

Function 00007FF72BC21000 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548c2de2cc97c83f2c5267ec1c43c749931048fb69737a4f9d8c29a4e8b1510c
Instruction ID: a1cd5959274d53caf5903177df96b95cdffa7e82bda71932d4ae8c1968e8a233
Opcode Fuzzy Hash: 548c2de2cc97c83f2c5267ec1c43c749931048fb69737a4f9d8c29a4e8b1510c
Instruction Fuzzy Hash: 2C410633B0C2858BE3188E1CE89162BB7D2E798384F564435EE88477A4DA3DD9D18F40

Function 00007FF72BC2C3C0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd96711795e67de28fb6b42ef0ff10fe7fb2361a67f41461e34c1721a0d9892c
Instruction ID: 12424f3bd0ce6e4c58774a8af575a8c0bb49c004674da1c430bf8cea625f71fd
Opcode Fuzzy Hash: bd96711795e67de28fb6b42ef0ff10fe7fb2361a67f41461e34c1721a0d9892c
Instruction Fuzzy Hash: 41412532A0C2C18BE311DB2CEC8177BFBD1E798344F549435EA8447AA5D67EE8858F40

Function 00007FF72BC24D70 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d32a67e1b52933e8b8bb00317f7ea94ed49780fc2a9b169afa2ffa2c114470
Instruction ID: c0877f28148694bca1dd2fe1b1642b320e4b65c119882920de39dfb74663ec49
Opcode Fuzzy Hash: 91d32a67e1b52933e8b8bb00317f7ea94ed49780fc2a9b169afa2ffa2c114470
Instruction Fuzzy Hash: B9313932A1C1828BF7199F2DEC9051BF692FB95344F845039EE49877A0DA7DE8C18F10

Function 00007FF72BC60C70 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f85af95fa0a9e8be005597ae2e407bc96c02a647bb53d37df6094cfe1f0d5e
Instruction ID: 747f5645477c85208bf178ab2961f443200babe38ac76ba0b3afdbbf07239e4e
Opcode Fuzzy Hash: 86f85af95fa0a9e8be005597ae2e407bc96c02a647bb53d37df6094cfe1f0d5e
Instruction Fuzzy Hash: F6310873D0C29186E311DB18E881A5AFA90FB883A4F565975DE8817AA0D67DACD18F80

Function 00007FF72BC21190 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdecc30e06f9810e538044afd1d238b43cbe878b3fa9ccdc65ae3045be4c7b2
Instruction ID: 7d100e4ea15a2e6b6d19c59600c1728e1ab41d7af297d47782bcde44134449e7
Opcode Fuzzy Hash: cbdecc30e06f9810e538044afd1d238b43cbe878b3fa9ccdc65ae3045be4c7b2
Instruction Fuzzy Hash: D631ED32A1C2858BE7149F2DEC8052BF6A1FB88391F905435FA49977A0DA7DE8C18F10

Function 00007FF72BC5C820 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4584f6b45db6f14ad41b3f36dcf7d3d009ccd906f093af987d1fc89c4591586
Instruction ID: dce4505b1f67ba4c5116d751d2386c362b943acd86d96d1a11cdaa0a5a68cd21
Opcode Fuzzy Hash: d4584f6b45db6f14ad41b3f36dcf7d3d009ccd906f093af987d1fc89c4591586
Instruction Fuzzy Hash: 6741C032A08AC29AF7188FACF8522FE77B5FB14308F545139EA4A93254DF384195C700

Function 00007FF72BC66AD0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3068354061.00007FF72BC21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72BC20000, based on PE: true

Associated: 00000000.00000002.3068334449.00007FF72BC20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BC77000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068386094.00007FF72BCD3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3068437483.00007FF72BD03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72bc20000_7RDTQuL8WF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66688c1c46eb8dce7d08fdf7cab384a397133348fa351911d3b49fa6e2b3c75a
Instruction ID: ad72b4f132a4aa3bbccca243bbb8291551bc2df878b9dc13a5886abf53daae1b
Opcode Fuzzy Hash: 66688c1c46eb8dce7d08fdf7cab384a397133348fa351911d3b49fa6e2b3c75a
Instruction Fuzzy Hash: 5831A032A08AC29AF7288FACE8527FD77B5FB54308F548139EA4A86654DF385295C740

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7RDTQuL8WF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mailslot\slot-9258

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
7RDTQuL8WF.exe

Function 00007FF72BC60520 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 458
COMMON

Function 00007FF72BC5F240 Relevance: 5.6, APIs: 3, Instructions: 1080
COMMON

Function 00007FF72BC69A00 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 895
COMMON

Function 00007FF72BC29690 Relevance: 2.2, APIs: 1, Instructions: 694
COMMON

Function 00007FF72BC68A70 Relevance: .9, Instructions: 911
COMMON

Function 00007FF72BC28660 Relevance: .9, Instructions: 851
COMMON

Function 00007FF72BC5DD40 Relevance: .1, Instructions: 141
COMMON

Function 00007FF72BC29500 Relevance: .1, Instructions: 110
COMMON

Function 00007FF72BC5A290 Relevance: .1, Instructions: 107
COMMON

Function 00007FF72BC5A410 Relevance: 4.4, Strings: 3, Instructions: 665
COMMON

Function 00007FF72BC6E178 Relevance: 4.0, Instructions: 4020
COMMON

Function 00007FF72BC34610 Relevance: 2.0, Strings: 1, Instructions: 763
COMMON

Function 00007FF72BC2EF20 Relevance: .8, Instructions: 832
COMMON

Function 00007FF72BC381D0 Relevance: .8, Instructions: 798
COMMON

Function 00007FF72BC32240 Relevance: .7, Instructions: 700
COMMON