
Windows Analysis Report
5Uvn8Uyob8.exe

Overview

General Information

Sample name: 5Uvn8Uyob8.exe (renamed because the original name is a hash value)
Original sample name: 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589.exe
Analysis ID: 1502167
MD5: db0bcc378f0895c40ad9bd5f9f7f0b11
SHA1: 70f09e0bc1ecc343ef963fc40e3371162091cee5
SHA256: 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589
Tags: 119-45-147-28, exe
Infos:

Detection

CobaltStrike, Metasploit
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 5Uvn8Uyob8.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\5Uvn8Uyob8.exe" MD5: DB0BCC378F0895C40AD9BD5F9F7F0B11)
    • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware configuration (CobaltStrike): {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
Malware configuration (Metasploit): {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}
Source | Rule | Description | Author | Strings
  • 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
  • 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
  • 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
    • 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
  • 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
        No Sigma rule has matched
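The two Elastic rules in the table above key on the x64 Metasploit block_api resolver: the $a1 string of Windows_Trojan_Metasploit_7bc0f998 is the PEB walk (mov rdx,[rdx+0x20] / mov rsi,[rdx+0x50] / movzx rcx, word [rdx+0x4a], i.e. the loader entry's BaseDllName buffer and MaximumLength) and the $a string of Windows_Trojan_Metasploit_c9773203 is the ROR-13 hashing loop; the System Summary section reports the same two rules for both memory dumps. The Python below is an added example, not code from this report, from Joe Security, Elastic or Metasploit: it reimplements the hash (module name as the loader stores it, export name with its NUL) so constants recovered from a dump can be labelled, scans a buffer for the loop bytes, and pulls `mov r10d, imm32` immediates as candidate hashes. The candidate export list and the test buffer are constructed for the example; the assumption that BaseDllName.MaximumLength equals Length + 2 holds for normally loaded modules and is what makes the well-known constant 0x0726774C (kernel32.dll!LoadLibraryA) come out.

```python
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ror13(v: int) -> int:
    """32-bit rotate right by 13: the `ror r9d, 0x0d` (41 C1 C9 0D) inside the loop."""
    v &= MASK32
    return ((v >> 13) | (v << 19)) & MASK32


def module_hash(name: str) -> int:
    """Hash of a module name as block_api reads it from the loader's BaseDllName:
    UTF-16LE, MaximumLength bytes long (movzx rcx, word [rdx+0x4a]), so the
    UTF-16 NUL terminator is hashed as well, with bytes 'a'..0x7f folded to
    upper case (cmp al, 0x61 / jl / sub al, 0x20). Assumes MaximumLength ==
    Length + 2, which holds for normally loaded modules."""
    h = 0
    for b in name.encode("utf-16le") + b"\x00\x00":
        if 0x61 <= b <= 0x7F:
            b -= 0x20
        h = (ror13(h) + b) & MASK32
    return h


def function_hash(name: str) -> int:
    """Hash of an export name: ASCII bytes plus the NUL, because the loop
    rotates and adds before `cmp al, ah` sees the terminator."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """The 32-bit constant the stager places in r10d before calling the resolver."""
    return (module_hash(module) + function_hash(function)) & MASK32


# The $a string of Windows_Trojan_Metasploit_c9773203 as listed in the report:
# xor rax,rax / lodsb / ror r9d,13 / add r9d,eax / cmp al,ah / jne loop /
# add r9,[rsp+8] (module hash) / cmp r9d,r10d (wanted hash)
HASH_LOOP = bytes.fromhex("4831C0AC41C1C90D4101C138E075F14C034C24084539D1")


def find_hash_loop(buf: bytes) -> list[int]:
    """Every offset at which the hashing loop appears in buf."""
    hits, pos = [], 0
    while (pos := buf.find(HASH_LOOP, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def recover_api_hashes(buf: bytes, table: dict[int, str]) -> list[tuple[int, int, str]]:
    """Find `mov r10d, imm32` (41 BA xx xx xx xx) and label each immediate through
    table; unknown hashes are labelled '?'. Returns (offset, hash, label)."""
    found, pos = [], 0
    while (pos := buf.find(b"\x41\xba", pos)) != -1:
        if pos + 6 <= len(buf):
            h = int.from_bytes(buf[pos + 2:pos + 6], "little")
            found.append((pos, h, table.get(h, "?")))
        pos += 1
    return found


# Candidate exports to label (a small list chosen for the example; extend it
# from the export tables of the DLLs the sample loads, e.g. wininet.dll).
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"), ("kernel32.dll", "ExitProcess"),
    ("wininet.dll", "InternetOpenA"), ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"), ("wininet.dll", "HttpSendRequestA"),
]
HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in CANDIDATES}

# Constructed buffer (not the sample's shellcode): padding so the loop sits at
# 0x7d as in the report's match, then two `mov r10d, imm32; call rbp` stubs.
SAMPLE = (b"\x90" * 0x7D + HASH_LOOP
          + b"\x41\xba" + api_hash("kernel32.dll", "LoadLibraryA").to_bytes(4, "little") + b"\xff\xd5"
          + b"\x41\xba" + api_hash("kernel32.dll", "GetProcAddress").to_bytes(4, "little") + b"\xff\xd5")

if __name__ == "__main__":
    print("hash loop at", [hex(o) for o in find_hash_loop(SAMPLE)])
    for off, h, label in recover_api_hashes(SAMPLE, HASH_TABLE):
        print(f"{off:#06x}: {h:#010x} {label}")
```

Run against a real dump, the loop offsets tell you where the resolver lives and the labelled immediates tell you which APIs the stager resolves before it even reaches the C2; an immediate that resolves to nothing in your table is either an export you have not listed or a hash computed by a different (non-Metasploit) scheme.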
Timestamp: 2024-08-31T11:46:33.050339+0200 | SID: 2028765 | Severity: 3 | Source Port: 49730 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic
Timestamp: 2024-08-31T11:47:37.191366+0200 | SID: 2028765 | Severity: 3 | Source Port: 49739 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic
Timestamp: 2024-08-31T11:47:05.128391+0200 | SID: 2028765 | Severity: 3 | Source Port: 49737 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic
Timestamp: 2024-08-31T11:45:55.503206+0200 | SID: 2028765 | Severity: 3 | Source Port: 49740 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic


        AV Detection

Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}
Source: 5Uvn8Uyob8.exe | ReversingLabs: Detection: 31%
Source: 5Uvn8Uyob8.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
Source: 5Uvn8Uyob8.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6872ED440
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED2BC FindFirstFileExW,0_2_00007FF6872ED2BC

        Networking

Source: Malware configuration extractor | URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor | URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js
Source: Joe Sandbox View | ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 119.45.147.28:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 119.45.147.28:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 119.45.147.28:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 119.45.147.28:443
Source: unknown | TCP traffic detected without corresponding DNS query: 119.45.147.28 (reported 15 times)
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://code.jquery.com/Rs
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/F
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/e
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsM
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsY
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsd4_
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsi
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsm:
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsu
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/query-3.3.2.slim.min.js1
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://119.45.147.28/su
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
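Every network finding above points at one C2: a raw IP with no DNS query before any connection, the jquery-3.3.2.slim.min.js URI sent with a Referer of http://code.jquery.com/ to a host that is not code.jquery.com, a Linux/X11 Chrome User-Agent emitted from a Windows 10 host, and a C2Server URL configured as http:// on port 443 next to https:// strings in memory. The Suricata hit (2028765, ET JA3 Hash - Possible Dridex) is severity 3 with classtype Unknown Traffic: JA3 fingerprints the TLS client stack, which here is the Windows WinINet/schannel stack the process loads (wininet.dll, winhttp.dll and schannel.dll appear in the loaded-sections list), so it corroborates the C2 contact but does not attribute it. Note too that Avira URL Cloud rates every one of these URLs "safe"; a reputation lookup is no evidence against a fresh C2. The Python below is an added example, not part of the report: it scores HTTP transactions on those four traits so the same traffic can be picked out of proxy or Zeek-style logs. The HttpTxn record shape, the weights, the threshold and the three transactions are constructed for the example and are not the sandbox capture.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HttpTxn:
    """One HTTP request as a proxy or Zeek http.log would record it (constructed shape)."""
    dst_ip: str
    dst_port: int
    over_tls: bool      # request carried inside TLS, or in clear text
    dns_seen: bool      # a DNS answer for dst_ip preceded the connection
    host: str           # Host header as sent by the client
    uri: str
    referer: str
    user_agent: str
    client_os: str      # from endpoint inventory / sandbox: "windows", "linux", ...


# Indicators lifted from the extracted configuration above.
C2_URI = "/jquery-3.3.2.slim.min.js"
C2_REFERER_HOST = "code.jquery.com"

# Weights and threshold are choices made for this example, not the sandbox's.
ALERT_THRESHOLD = 4


def is_ip_literal(host: str) -> bool:
    """True when the Host header is an address rather than a name (port stripped)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def score_txn(t: HttpTxn) -> tuple[int, list[str]]:
    """Score one transaction; each reason is one trait of this sample's traffic."""
    score, reasons = 0, []
    # Beacon connected straight to an IP; the report saw no DNS activity at all.
    if is_ip_literal(t.host) and not t.dns_seen:
        score += 2
        reasons.append("IP-literal Host with no preceding DNS answer")
    # The profile forges a jQuery CDN fetch: Referer says code.jquery.com, but
    # a genuine fetch of that file would carry that name in Host as well.
    if (t.uri == C2_URI
            and urlsplit(t.referer).hostname == C2_REFERER_HOST
            and t.host.lower() != C2_REFERER_HOST):
        score += 3
        reasons.append("jQuery CDN URI and Referer, but Host is not code.jquery.com")
    # The configured UA claims X11/Linux; the sandbox host is Windows 10.
    if "X11; Linux" in t.user_agent and t.client_os == "windows":
        score += 2
        reasons.append("Linux/X11 browser User-Agent from a Windows endpoint")
    # C2Server is http://...:443/, so clear-text HTTP on the TLS port. Weighted
    # lowest: the sample also holds https:// strings and loads schannel.dll.
    if t.dst_port == 443 and not t.over_tls:
        score += 1
        reasons.append("clear-text HTTP on tcp/443")
    return score, reasons


def triage(txns: list[HttpTxn]) -> list[tuple[str, int, list[str]]]:
    """(dst_ip, score, reasons) for every transaction at or above ALERT_THRESHOLD."""
    hits = []
    for t in txns:
        score, reasons = score_txn(t)
        if score >= ALERT_THRESHOLD:
            hits.append((t.dst_ip, score, reasons))
    return hits


BEACON_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36")

# Constructed transactions for the example (not the sandbox pcap).
SAMPLE_TXNS = [
    # 1. what the Beacon stager in this report sends
    HttpTxn("119.45.147.28", 443, False, False, "119.45.147.28", C2_URI,
            "http://code.jquery.com/", BEACON_UA, "windows"),
    # 2. a Windows browser genuinely fetching jQuery from the CDN
    HttpTxn("203.0.113.10", 443, True, True, "code.jquery.com", C2_URI,
            "https://intranet.example/",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0.3904.130", "windows"),
    # 3. a Linux workstation whose Linux UA is real, name resolved, over TLS
    HttpTxn("203.0.113.10", 443, True, True, "code.jquery.com", C2_URI,
            "http://code.jquery.com/", BEACON_UA, "linux"),
]

if __name__ == "__main__":
    for dst, score, reasons in triage(SAMPLE_TXNS):
        print(f"{dst}: score {score}: " + "; ".join(reasons))
```

The Referer/Host mismatch carries the most weight because it is a property of the Malleable profile rather than of the operator's infrastructure: changing the C2 address or the listener port leaves it intact, whereas the IP-literal and clear-text checks disappear as soon as the operator fronts the listener with a domain and TLS.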

        System Summary

Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E4F60 NtDelayExecution,0_2_00007FF6872E4F60
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E549A NtAllocateVirtualMemory,NtProtectVirtualMemory,CreateFiber,0_2_00007FF6872E549A
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872F3F98
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED440
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E82B4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED2BC
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_0000021DEDA7010C
Source: 5Uvn8Uyob8.exe | Static PE information: invalid certificate
Source: 5Uvn8Uyob8.exe | Binary or memory string: OriginalFilename vs 5Uvn8Uyob8.exe
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe
Source: 5Uvn8Uyob8.exe | Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal88.troj.winEXE@2/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: 5Uvn8Uyob8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5Uvn8Uyob8.exe | ReversingLabs: Detection: 31%
Source: 5Uvn8Uyob8.exe | Virustotal: Detection: 32%
Source: unknown | Process created: C:\Users\user\Desktop\5Uvn8Uyob8.exe "C:\Users\user\Desktop\5Uvn8Uyob8.exe"
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 5Uvn8Uyob8.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 5Uvn8Uyob8.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 5Uvn8Uyob8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5Uvn8Uyob8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5Uvn8Uyob8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5Uvn8Uyob8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5Uvn8Uyob8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 5Uvn8Uyob8.exe | Static PE information: section name: .00cfg
Source: 5Uvn8Uyob8.exe | Static PE information: section name: .gxfg
Source: 5Uvn8Uyob8.exe | Static PE information: section name: .retplne
Source: 5Uvn8Uyob8.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_0000021DEDA7012B push eax; ret 0_2_0000021DEDA70387
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_0000021DEDA7010C push eax; ret 0_2_0000021DEDA70387
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | API coverage: 7.2 %
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe TID: 7500 | Thread sleep time: -30000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED440 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6872ED440
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872ED2BC FindFirstFileExW,0_2_00007FF6872ED2BC
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E4BF0 GetSystemInfo,0_2_00007FF6872E4BF0
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@j
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872EAEA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6872EAEA8
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E97E4 GetProcessHeap,0_2_00007FF6872E97E4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E5F18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6872E5F18
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E65A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6872E65A4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E6594 SetUnhandledExceptionFilter,0_2_00007FF6872E6594
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872F3DB0 cpuid 0_2_00007FF6872F3DB0
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe | Code function: 0_2_00007FF6872E8C8C GetSystemTimeAsFileTime,0_2_00007FF6872E8C8C

        Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK techniques matched by signatures (number of matching signatures in parentheses):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (13)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (12), Application Layer Protocol (11)
No signature matched a technique under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
  • 5Uvn8Uyob8.exe | 32% | ReversingLabs | Win64.Backdoor.Cobeacon
  • 5Uvn8Uyob8.exe | 33% | Virustotal
        No Antivirus matches
Source | Detection | Scanner | Label
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsm: | 0% | Avira URL Cloud | safe
  • http://code.jquery.com/Rs | 0% | Avira URL Cloud | safe
  • http://code.jquery.com/ | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/F | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsi | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/su | 0% | Avira URL Cloud | safe
  • http://code.jquery.com/ | 1% | Virustotal
  • https://119.45.147.28/F | 2% | Virustotal
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsd4_ | 0% | Avira URL Cloud | safe
  • http://119.45.147.28/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsM | 0% | Avira URL Cloud | safe
  • http://119.45.147.28:443/jquery-3.3.2.slim.min.js | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/jquery-3.3.2.slim.min.js | 1% | Virustotal
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsY | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/query-3.3.2.slim.min.js1 | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/ | 0% | Avira URL Cloud | safe
  • http://119.45.147.28:443/jquery-3.3.2.slim.min.js | 1% | Virustotal
  • https://119.45.147.28/e | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/jquery-3.3.2.slim.min.jsu | 0% | Avira URL Cloud | safe
  • https://119.45.147.28/ | 2% | Virustotal
        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
  • http://119.45.147.28/jquery-3.3.2.slim.min.js | true | Avira URL Cloud: safe | unknown
  • http://119.45.147.28:443/jquery-3.3.2.slim.min.js | true | 1% Virustotal; Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://119.45.147.28/F | 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        http://code.jquery.com/ | 5Uvn8Uyob8.exe, 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsi | 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsm: | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://code.jquery.com/Rs | 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.js | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        https://119.45.147.28/su | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsd4_ | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsM | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsY | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/query-3.3.2.slim.min.js1 | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/ | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        https://119.45.147.28/e | 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://119.45.147.28/jquery-3.3.2.slim.min.jsu | 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        119.45.147.28 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1502167
        Start date and time:2024-08-31 11:45:06 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 3m 50s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:6
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:5Uvn8Uyob8.exe
        renamed because original name is a hash value
        Original Sample Name:32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589.exe
        Detection:MAL
        Classification:mal88.troj.winEXE@2/0@0/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 92%
        • Number of executed functions: 10
        • Number of non-executed functions: 30
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        Time | Type | Description
        05:45:59 | API Interceptor | 1x Sleep call for process: 5Uvn8Uyob8.exe modified
        No context
        No context
        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | linux_amd64.elf | Get hash | malicious | Unknown | Browse | 119.29.233.208
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | SecuriteInfo.com.Linux.Siggen.9999.28377.24731.elf | Get hash | malicious | Mirai | Browse | 152.136.47.156
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | BjdhvHE9Lu.exe | Get hash | malicious | Unknown | Browse | 122.51.240.117
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | SecuriteInfo.com.Trojan.DownLoader46.48074.21382.27832.exe | Get hash | malicious | Unknown | Browse | 106.53.77.23
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | firmware.m68k.elf | Get hash | malicious | Unknown | Browse | 140.143.139.193
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | KKveTTgaAAsecNNaaaa.sh4.elf | Get hash | malicious | Unknown | Browse | 146.56.230.81
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | KKveTTgaAAsecNNaaaa.spc.elf | Get hash | malicious | Unknown | Browse | 120.53.107.161
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | KKveTTgaAAsecNNaaaa.mpsl.elf | Get hash | malicious | Unknown | Browse | 118.28.5.155
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | kovENvYM9C.elf | Get hash | malicious | Unknown | Browse | 134.175.132.160
        CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | pzGt29I16y.exe | Get hash | malicious | CobaltStrike, Metasploit | Browse | 111.229.0.18
        No context
        No context
        No created / dropped files found
        File type:PE32+ executable (console) x86-64, for MS Windows
        Entropy (8bit):6.629282802894755
        TrID:
        • Win64 Executable Console (202006/5) 92.65%
        • Win64 Executable (generic) (12005/4) 5.51%
        • Generic Win/DOS Executable (2004/3) 0.92%
        • DOS Executable Generic (2002/1) 0.92%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:5Uvn8Uyob8.exe
        File size:226'256 bytes
        MD5:db0bcc378f0895c40ad9bd5f9f7f0b11
        SHA1:70f09e0bc1ecc343ef963fc40e3371162091cee5
        SHA256:32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589
        SHA512:a50740204343ecab987b187621f4bc8ff700302ab7c65e882ebe413bc2557bf3682db7985061eaf49bfc116a8bafc4becaa53b739eceb6472590ecd0bb06cded
        SSDEEP:3072:LAjRP/MfsdCZyF3M0AqW8HaCbpWKWpkFMu02VFMzFj8e5BV0rUniyimyzO:OEIw43M0G/2vW76Mzie5v0rURyi
        TLSH:37249D07B6A974FCE42AD770C4648A4697B7BD7013608BDF13A4963A2F636D48D38F60
        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...^F.f.........."......:...........a.........@..........................................`........................................
        Icon Hash:0703053232670f1f
        Entrypoint:0x1400061ac
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x140000000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x66A3465E [Fri Jul 26 06:46:54 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:2f8c554b630188631a1d0ca244d99595
        Signature Valid:false
        Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        Signature Validation Error:The digital signature of the object did not verify
        Error Number:-2146869232
        Not Before, Not After
        • 16/02/2023 20:10:05 31/01/2024 20:10:05
        Subject Chain
        • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        Version:3
        Thumbprint MD5:1501CB08D08AB9513578ECAA0534F741
        Thumbprint SHA-1:7E9572FFDB0BE9E618862EB6463B2C0782FC2DB9
        Thumbprint SHA-256:8C32CB33A6114A9BA3B33916F4146581287BD0FC647D7773636E45E8BAE07730
        Serial:330000033C2B0A49D9D2917EAC00000000033C
        Instruction
        dec eax
        sub esp, 28h
        call 00007F82A125DFA0h
        dec eax
        add esp, 28h
        jmp 00007F82A125DBB7h
        int3
        int3
        dec eax
        sub esp, 28h
        call 00007F82A125DD54h
        dec eax
        neg eax
        sbb eax, eax
        neg eax
        dec eax
        dec eax
        add esp, 28h
        ret
        int3
        inc eax
        push ebx
        dec eax
        sub esp, 20h
        dec eax
        cmp dword ptr [0001B0E2h], FFFFFFFFh
        dec eax
        mov ebx, ecx
        jne 00007F82A125DD49h
        call 00007F82A125FDF9h
        jmp 00007F82A125DD51h
        dec eax
        mov edx, ebx
        dec eax
        lea ecx, dword ptr [0001B0CCh]
        call 00007F82A125FD5Ch
        xor edx, edx
        test eax, eax
        dec eax
        cmove edx, ebx
        dec eax
        mov eax, edx
        dec eax
        add esp, 20h
        pop ebx
        ret
        int3
        int3
        dec eax
        sub esp, 18h
        dec esp
        mov eax, ecx
        mov eax, 00005A4Dh
        cmp word ptr [FFFF9DD9h], ax
        jne 00007F82A125DDBAh
        dec eax
        arpl word ptr [FFFF9E0Ch], cx
        dec eax
        lea edx, dword ptr [FFFF9DC9h]
        dec eax
        add ecx, edx
        cmp dword ptr [ecx], 00004550h
        jne 00007F82A125DDA1h
        mov eax, 0000020Bh
        cmp word ptr [ecx+18h], ax
        jne 00007F82A125DD96h
        dec esp
        sub eax, edx
        movzx edx, word ptr [ecx+14h]
        dec eax
        add edx, 18h
        dec eax
        add edx, ecx
        movzx eax, word ptr [ecx+06h]
        dec eax
        lea ecx, dword ptr [eax+eax*4]
        dec esp
        lea ecx, dword ptr [edx+ecx*8]
        dec eax
        mov dword ptr [esp], edx
        dec ecx
        cmp edx, ecx
        je 00007F82A125DD5Ah
        mov ecx, dword ptr [edx+0Ch]
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cd50 | 0x3c | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0x11ee8 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x22000 | 0x10e0 | .pdata
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34c00 | 0x27d0 | .rsrc
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0xaf0 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x15500 | 0x140 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x1d038 | 0x2a8 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x138c6 | 0x13a00 | 60f3629cabfe0abd874ad05a40b87577 | False | 0.5606215167197452 | data | 6.584536629813981 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x15000 | 0x986c | 0x9a00 | 5d333f8442902b3a8093f8ce540365a0 | False | 0.43458299512987014 | data | 4.86337784910343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x1f000 | 0x2f10 | 0x1e00 | ad7e1a9305e9ddb27b8eca8606404bf3 | False | 0.25755208333333335 | data | 5.737923723877776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .pdata | 0x22000 | 0x10e0 | 0x1200 | a447b277bf3b1d6de9fa21a32db1ab94 | False | 0.4583333333333333 | data | 4.76952083248037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .00cfg | 0x24000 | 0x38 | 0x200 | e0133a52597151a998cd929afa56b858 | False | 0.072265625 | data | 0.4362466220649174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .gxfg | 0x25000 | 0x1130 | 0x1200 | 4cce2d84947c5dce6432b89d096694d7 | False | 0.4166666666666667 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.916929673040231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .retplne | 0x27000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 |
        _RDATA | 0x28000 | 0x15c | 0x200 | e1d1d4f94013776182cbf8ff6d4994db | False | 0.380859375 | data | 2.7683496218709203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x29000 | 0x11ee8 | 0x12000 | 9e753d0f5e1af5a353b1cf45f31941da | False | 0.6406114366319444 | data | 6.746377184180407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x3b000 | 0xaf0 | 0xc00 | d243eac38353c64c2238153010a8033c | False | 0.4934895833333333 | data | 5.283610684883323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_ICON | 0x295c8 | 0x6fd1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9973449781659388
        RT_ICON | 0x305a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.36620217288615964
        RT_ICON | 0x347c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4182572614107884
        RT_ICON | 0x36d70 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.4485207100591716
        RT_ICON | 0x387d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5117260787992496
        RT_ICON | 0x39880 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5745901639344262
        RT_ICON | 0x3a208 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.6540697674418605
        RT_ICON | 0x3a8c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7145390070921985
        RT_GROUP_ICON | 0x3ad28 | 0x76 | data | English | United States | 0.7542372881355932
        RT_VERSION | 0x29290 | 0x334 | data | English | United States | 0.43414634146341463
        RT_MANIFEST | 0x3ada0 | 0x143 | XML 1.0 document, ASCII text | English | United States | 0.628482972136223
        DLL | Import
        KERNEL32.dll | CloseHandle, CompareStringW, ConvertThreadToFiber, CreateFiber, CreateFileA, CreateFileW, DeleteCriticalSection, DeviceIoControl, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount64, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SwitchToFiber, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile
        USER32.dll | GetForegroundWindow, ShowWindow
        Language of compilation system | Country where language is spoken
        English | United States
        Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
        2024-08-31T11:46:33.050339+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49730 | 443 | 192.168.2.4 | 119.45.147.28
        2024-08-31T11:47:37.191366+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49739 | 443 | 192.168.2.4 | 119.45.147.28
        2024-08-31T11:47:05.128391+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49737 | 443 | 192.168.2.4 | 119.45.147.28
        2024-08-31T11:45:55.503206+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49740 | 443 | 192.168.2.4 | 119.45.147.28
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Aug 31, 2024 11:46:00.942668915 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:00.942689896 CEST | 443 | 49730 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:46:00.942790031 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:00.951280117 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:00.951292992 CEST | 443 | 49730 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:46:33.050338984 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:33.067934036 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:33.067975998 CEST | 443 | 49737 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:46:33.068058014 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:33.068358898 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:46:33.068372965 CEST | 443 | 49737 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:47:05.128391027 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:05.136425018 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:05.136467934 CEST | 443 | 49739 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:47:05.136534929 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:05.136831999 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:05.136847973 CEST | 443 | 49739 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:47:37.191365957 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:37.198266983 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:37.198333025 CEST | 443 | 49740 | 119.45.147.28 | 192.168.2.4
        Aug 31, 2024 11:47:37.198436975 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:37.198756933 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28
        Aug 31, 2024 11:47:37.198781013 CEST | 443 | 49740 | 119.45.147.28 | 192.168.2.4

        Target ID:0
        Start time:05:45:59
        Start date:31/08/2024
        Path:C:\Users\user\Desktop\5Uvn8Uyob8.exe
        Wow64 process (32bit):false
        Commandline:"C:\Users\user\Desktop\5Uvn8Uyob8.exe"
        Imagebase:0x7ff6872e0000
        File size:226'256 bytes
        MD5 hash:DB0BCC378F0895C40AD9BD5F9F7F0B11
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
        Reputation:low
        Has exited:false

        Target ID:1
        Start time:05:45:59
        Start date:31/08/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false


          Execution Graph

          Execution Coverage:3%
          Dynamic/Decrypted Code Coverage:1.1%
          Signature Coverage:5.7%
          Total number of Nodes:371
          Total number of Limit Nodes:7
          execution_graph 7604 7ff6872e6030 7631 7ff6872e630c 7604->7631 7607 7ff6872e6051 __scrt_acquire_startup_lock 7610 7ff6872e6191 7607->7610 7619 7ff6872e606f __CxxCallCatchBlock __scrt_release_startup_lock 7607->7619 7608 7ff6872e6187 7669 7ff6872e65a4 IsProcessorFeaturePresent 7608->7669 7611 7ff6872e65a4 7 API calls 7610->7611 7612 7ff6872e619c 7611->7612 7676 7ff6872e7a14 7612->7676 7615 7ff6872e6094 7618 7ff6872e611a 7639 7ff6872e8604 7618->7639 7619->7615 7619->7618 7645 7ff6872e7a4c 7619->7645 7622 7ff6872e611f 7623 7ff6872e613c 7622->7623 7650 7ff6872e6538 GetModuleHandleW 7623->7650 7626 7ff6872e6147 7627 7ff6872e6151 7626->7627 7652 7ff6872e7a2c 7626->7652 7663 7ff6872e6358 7627->7663 7698 7ff6872e67c4 7631->7698 7634 7ff6872e633b 7700 7ff6872e78f8 7634->7700 7638 7ff6872e6049 7638->7607 7638->7608 7640 7ff6872e8614 7639->7640 7644 7ff6872e8629 7639->7644 7640->7644 7743 7ff6872e86d4 7640->7743 7644->7622 7646 7ff6872e7a63 7645->7646 7647 7ff6872e7a84 7645->7647 7646->7618 8289 7ff6872e8d44 7647->8289 7651 7ff6872e6143 7650->7651 7651->7612 7651->7626 7653 7ff6872e7b5c 7652->7653 7654 7ff6872e7b81 GetModuleHandleW 7653->7654 7655 7ff6872e7bcb 7653->7655 7654->7655 7661 7ff6872e7b8e 7654->7661 8299 7ff6872e7cf0 7655->8299 7661->7655 8294 7ff6872e7a94 GetModuleHandleExW 7661->8294 7664 7ff6872e6369 7663->7664 7665 7ff6872e615a 7664->7665 8324 7ff6872e790c 7664->8324 7665->7615 7667 7ff6872e6372 7668 7ff6872e6d3c __scrt_initialize_crt 7 API calls 7667->7668 7668->7665 7670 7ff6872e65ca __CxxCallCatchBlock 7669->7670 7671 7ff6872e65e9 RtlCaptureContext RtlLookupFunctionEntry 7670->7671 7672 7ff6872e6612 RtlVirtualUnwind 7671->7672 7673 7ff6872e664e __CxxCallCatchBlock 7671->7673 7672->7673 7674 7ff6872e6680 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7673->7674 7675 7ff6872e66d2 __CxxCallCatchBlock 7674->7675 7675->7610 7677 7ff6872e7b5c 7676->7677 7678 7ff6872e7b81 GetModuleHandleW 7677->7678 7679 7ff6872e7bcb 7677->7679 
7678->7679 7685 7ff6872e7b8e 7678->7685 7680 7ff6872e7cf0 __CxxCallCatchBlock 11 API calls 7679->7680 7681 7ff6872e7c07 7680->7681 7682 7ff6872e61a3 7681->7682 7683 7ff6872e7b28 __CxxCallCatchBlock 11 API calls 7681->7683 7687 7ff6872e7a20 7682->7687 7684 7ff6872e7c20 7683->7684 7685->7679 7686 7ff6872e7a94 __CxxCallCatchBlock 3 API calls 7685->7686 7686->7679 7688 7ff6872e7b5c 7687->7688 7689 7ff6872e7b81 GetModuleHandleW 7688->7689 7690 7ff6872e7bcb 7688->7690 7689->7690 7695 7ff6872e7b8e 7689->7695 7691 7ff6872e7cf0 __CxxCallCatchBlock 11 API calls 7690->7691 7692 7ff6872e7c07 7691->7692 7693 7ff6872e61ab 7692->7693 7694 7ff6872e7b28 __CxxCallCatchBlock 11 API calls 7692->7694 7696 7ff6872e7c20 7694->7696 7695->7690 7697 7ff6872e7a94 __CxxCallCatchBlock 3 API calls 7695->7697 7697->7690 7699 7ff6872e632e __scrt_dllmain_crt_thread_attach 7698->7699 7699->7634 7699->7638 7701 7ff6872ead64 7700->7701 7702 7ff6872e6340 7701->7702 7710 7ff6872e9ee4 7701->7710 7702->7638 7704 7ff6872e6d3c 7702->7704 7705 7ff6872e6d44 7704->7705 7706 7ff6872e6d4e 7704->7706 7722 7ff6872e8f5c 7705->7722 7706->7638 7721 7ff6872e97ac EnterCriticalSection 7710->7721 7712 7ff6872e9ef4 7713 7ff6872ee368 60 API calls 7712->7713 7714 7ff6872e9efd 7713->7714 7715 7ff6872e9f0b 7714->7715 7716 7ff6872e9f60 62 API calls 7714->7716 7717 7ff6872e97c8 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 7715->7717 7718 7ff6872e9f06 7716->7718 7719 7ff6872e9f17 7717->7719 7720 7ff6872ea050 GetStdHandle GetFileType 7718->7720 7719->7701 7720->7715 7723 7ff6872e8f6b 7722->7723 7724 7ff6872e6d49 7722->7724 7730 7ff6872ee518 7723->7730 7726 7ff6872e916c 7724->7726 7727 7ff6872e9197 7726->7727 7728 7ff6872e917a DeleteCriticalSection 7727->7728 7729 7ff6872e919b 7727->7729 7728->7727 7729->7706 7734 7ff6872ee660 7730->7734 7735 7ff6872ee53f TlsFree 7734->7735 7736 7ff6872ee6a4 __vcrt_InitializeCriticalSectionEx 7734->7736 7736->7735 7737 7ff6872ee6d2 LoadLibraryExW 7736->7737 7740 
7ff6872ee769 GetProcAddress 7736->7740 7742 7ff6872ee715 LoadLibraryExW 7736->7742 7738 7ff6872ee6f3 GetLastError 7737->7738 7739 7ff6872ee749 7737->7739 7738->7736 7739->7740 7741 7ff6872ee760 FreeLibrary 7739->7741 7740->7735 7741->7740 7742->7736 7742->7739 7744 7ff6872e86ed 7743->7744 7750 7ff6872ea174 7744->7750 7751 7ff6872ea181 7750->7751 7755 7ff6872e86f2 7750->7755 7795 7ff6872e9940 7751->7795 7756 7ff6872edbe4 GetEnvironmentStringsW 7755->7756 7757 7ff6872edc14 7756->7757 7758 7ff6872e86f7 7756->7758 7759 7ff6872edb04 WideCharToMultiByte 7757->7759 7776 7ff6872e8808 7758->7776 7760 7ff6872edc65 7759->7760 7761 7ff6872edc6c FreeEnvironmentStringsW 7760->7761 7762 7ff6872ec550 12 API calls 7760->7762 7761->7758 7763 7ff6872edc7f 7762->7763 7764 7ff6872edc90 7763->7764 7765 7ff6872edc87 7763->7765 7767 7ff6872edb04 WideCharToMultiByte 7764->7767 7766 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7765->7766 7768 7ff6872edc8e 7766->7768 7769 7ff6872edcb3 7767->7769 7768->7761 7770 7ff6872edcc1 7769->7770 7771 7ff6872edcb7 7769->7771 7773 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7770->7773 7772 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7771->7772 7774 7ff6872edcbf FreeEnvironmentStringsW 7772->7774 7773->7774 7774->7758 7777 7ff6872e882d 7776->7777 7778 7ff6872ec4d8 _set_fmode 11 API calls 7777->7778 7790 7ff6872e8863 7778->7790 7779 7ff6872e886b 7780 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7779->7780 7782 7ff6872e8872 7780->7782 7781 7ff6872e88de 7783 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7781->7783 7783->7782 7784 7ff6872ec4d8 _set_fmode 11 API calls 7784->7790 7785 7ff6872e88cd 8283 7ff6872e8780 7785->8283 7789 7ff6872e8903 7792 7ff6872eae60 _invalid_parameter_noinfo 17 API calls 7789->7792 7790->7779 7790->7781 7790->7784 7790->7785 7790->7789 7793 7ff6872ead28 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7790->7793 8274 7ff6872e90c4 7790->8274 7791 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7791->7779 7794 7ff6872e8916 7792->7794 7793->7790 7796 7ff6872e9951 FlsGetValue 7795->7796 7797 7ff6872e996c FlsSetValue 7795->7797 7798 7ff6872e995e 7796->7798 7799 7ff6872e9966 7796->7799 7797->7798 7800 7ff6872e9979 7797->7800 7802 7ff6872e9964 7798->7802 7856 7ff6872e8ebc 7798->7856 7799->7797 7838 7ff6872ec4d8 7800->7838 7815 7ff6872ea700 7802->7815 7806 7ff6872e99a6 FlsSetValue 7809 7ff6872e99c4 7806->7809 7810 7ff6872e99b2 FlsSetValue 7806->7810 7807 7ff6872e9996 FlsSetValue 7808 7ff6872e999f 7807->7808 7845 7ff6872ead28 7808->7845 7851 7ff6872e9bf4 7809->7851 7810->7808 8049 7ff6872ea648 7815->8049 7817 7ff6872ea735 8082 7ff6872ea530 7817->8082 7821 7ff6872ea763 7822 7ff6872ea76b 7821->7822 7824 7ff6872ea77a 7821->7824 7823 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7822->7823 7837 7ff6872ea752 7823->7837 7824->7824 8096 7ff6872ea270 7824->8096 7827 7ff6872ea876 7828 7ff6872ebb04 _set_fmode 11 API calls 7827->7828 7829 7ff6872ea87b 7828->7829 7832 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7829->7832 7830 7ff6872ea8d1 7831 7ff6872ea938 7830->7831 8107 7ff6872eab58 7830->8107 7836 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7831->7836 7832->7837 7833 7ff6872ea890 7833->7830 7834 7ff6872ead28 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7833->7834 7834->7830 7836->7837 7837->7755 7842 7ff6872ec4e9 _set_fmode 7838->7842 7839 7ff6872ec53a 7870 7ff6872ebb04 7839->7870 7840 7ff6872ec51e RtlAllocateHeap 7841 7ff6872e9988 7840->7841 7840->7842 7841->7806 7841->7807 7842->7839 7842->7840 7867 7ff6872eb294 7842->7867 7846 7ff6872ead2d HeapFree 7845->7846 7850 7ff6872ead5c 7845->7850 7847 7ff6872ead48 GetLastError 7846->7847 7846->7850 7848 7ff6872ead55 

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: MemoryVirtual$AllocateCreateFiberProtect
          • String ID: ntdll.dll$yDCKduM3$yromeMlautriVetacollAtN$yromeMlautriVtcetorPtN
          • API String ID: 3037940793-2108580085
          • Opcode ID: 2031e2c05c080561949802c509867ad2593e4060f4c0c3de34152a42e3e76bd8
          • Instruction ID: 08c3583b270d0e78646e6de0b22bceb4d74f75a8407ed4006f150a755138bec4
          • Opcode Fuzzy Hash: 2031e2c05c080561949802c509867ad2593e4060f4c0c3de34152a42e3e76bd8
          • Instruction Fuzzy Hash: 8B617BA5B48A45C3EE18DB5AEC507AA6321FF89BC4F40403ACE6D97725EE3CD155C305

          Control-flow Graph

          control_flow_graph 25 7ff6872e4f60-7ff6872e5004 NtDelayExecution 30 7ff6872e500e-7ff6872e50dd 25->30 32 7ff6872e50ec 30->32 32->32
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: DelayExecution
          • String ID: NtDelayExecution$ntdll.dll
          • API String ID: 1249177460-521143355
          • Opcode ID: 409558210b666fed8c28811cee71abdbc0e23a51507d2bab28c2f06e3be5c30c
          • Instruction ID: 300ced974182bb1c11540edc96442fd061b9d72de7f35812b086b33b15989b43
          • Opcode Fuzzy Hash: 409558210b666fed8c28811cee71abdbc0e23a51507d2bab28c2f06e3be5c30c
          • Instruction Fuzzy Hash: 7131E3A1B54A46D9DA10DF2AEC402DA2761FF047C4F88413ADE1DA3724CE3CC549C301

          Control-flow Graph

          APIs
          • InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 0000021DEDA70127
            • Part of subcall function 0000021DEDA7012B: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000021DEDA70146
          Memory Dump Source
          • Source File: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021DEDA70000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_21deda70000_5Uvn8Uyob8.jbxd
          Yara matches
          Similarity
          • API ID: ConnectHttpInternetOpenRequest
          • String ID:
          • API String ID: 1341064763-0
          • Opcode ID: 873df9c4afc2546a1442a618fe62eac0c09bbb6f8c60467f1a24664f2a33bf3d
          • Instruction ID: aa2dcb717ec28553764361aefd092e9a858e8857b392f1a6fcfa5a962e731744
          • Opcode Fuzzy Hash: 873df9c4afc2546a1442a618fe62eac0c09bbb6f8c60467f1a24664f2a33bf3d
          • Instruction Fuzzy Hash: 7A816C32618A548EEB259B34855D3937FE5DB3630BF18019DD5808F0E3C5659A42C7AF

          Control-flow Graph

          control_flow_graph 200 7ff6872e4bf0-7ff6872e4c69 GetSystemInfo 201 7ff6872e4c6c-7ff6872e4d6a 200->201
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: InfoSystem
          • String ID:
          • API String ID: 31276548-0
          • Opcode ID: 54bab74d9da5c1d26424cc67c36e2f8160a532d74c76cf465e49ef357f147bc2
          • Instruction ID: 1ec59d9e17213d4b41a7fba28e17b6b17f9c5e0dbcd6384f53e75d1f76ea210a
          • Opcode Fuzzy Hash: 54bab74d9da5c1d26424cc67c36e2f8160a532d74c76cf465e49ef357f147bc2
          • Instruction Fuzzy Hash: EB11E761B1869EE2EA518F66ED4075A7770FB04B88F481122DE1E43324DD7CC556C701

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
          • String ID:
          • API String ID: 3058843127-0
          • Opcode ID: 9853429bb4da60e513ee4a38914f9be8eab5f557b6240c10b12d17fb9ec0640e
          • Instruction ID: 8dd9d4847282c14ea89036d60fd2cb7831146c65cc2f1b39d9ab1dd4a226a89c
          • Opcode Fuzzy Hash: 9853429bb4da60e513ee4a38914f9be8eab5f557b6240c10b12d17fb9ec0640e
          • Instruction Fuzzy Hash: 5A310722A8C24AC2FA15AB3596723FD1291BF86784F44503CE94DCB3D7DE2DB844C311

          Control-flow Graph

          control_flow_graph 94 21deda7012b-21deda70151 HttpOpenRequestA 95 21deda70152-21deda7018e 94->95 98 21deda70194-21deda70197 95->98 99 21deda70331-21deda70352 95->99 100 21deda7019d 98->100 101 21deda70329-21deda7032a 98->101 103 21deda70354-21deda70371 99->103 100->95 101->99 103->101 105 21deda70373-21deda7037b 103->105 105->103 106 21deda7037d-21deda70387 105->106
          APIs
          • HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 0000021DEDA70146
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021DEDA70000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_21deda70000_5Uvn8Uyob8.jbxd
          Yara matches
          Similarity
          • API ID: HttpOpenRequest
          • String ID: U.;
          • API String ID: 1984915467-4213443877
          • Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
          • Instruction ID: e087b6582dd7641505117206ca85e76557b31635338ed0e022fef37eabc7a82f
          • Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
          • Instruction Fuzzy Hash: 0B11906034890D1BF62C819D7C5A77621CAD3E8719F24813FB54EC73D6DC58CC82402E

          Control-flow Graph

          control_flow_graph 107 7ff6872e4da0-7ff6872e4e2d GlobalMemoryStatusEx 108 7ff6872e4e30-7ff6872e4f12 107->108
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: GlobalMemoryStatus
          • String ID: @
          • API String ID: 1890195054-2766056989
          • Opcode ID: 257b1fae18b893981f2c28362606997fc1754c08e9b46928f53875603ac60ae2
          • Instruction ID: c02c7eed59b5ed945cbf7461c5b1ab680b43f73b5a434f6ef1801984b2624461
          • Opcode Fuzzy Hash: 257b1fae18b893981f2c28362606997fc1754c08e9b46928f53875603ac60ae2
          • Instruction Fuzzy Hash: D1216AA2B14B69A2EB50CF26E84168A7B60F784B88F484125EF8E43714DF7CD547C304

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: FileHandleType
          • String ID:
          • API String ID: 3000768030-0
          • Opcode ID: b0527c7f6ce1a788535b61d80c7c4ba8f409d06ac750c36eb78f9f21eec98787
          • Instruction ID: 3db4e74cd8487618a372f7b78bd8894386319bae7c6c999f8b112f42d3a727e0
          • Opcode Fuzzy Hash: b0527c7f6ce1a788535b61d80c7c4ba8f409d06ac750c36eb78f9f21eec98787
          • Instruction Fuzzy Hash: E2317422958B59C2DB608B3596A01BD6A60FF45BB0F64136DDB5E873E1CF38E451E340

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID:
          • API String ID: 3215553584-0
          • Opcode ID: 8d1c89a91b2cbf7bcb4be2c56b967f6a19fa459e3375c4f3d383e19f75ea9b85
          • Instruction ID: a276017ebf41cb9d5ca8f88940bf21bb1068269cb62b68a0fad6fe5bbd0069b2
          • Opcode Fuzzy Hash: 8d1c89a91b2cbf7bcb4be2c56b967f6a19fa459e3375c4f3d383e19f75ea9b85
          • Instruction Fuzzy Hash: 46115833D8864AC2F210AB24A6615BDB3A5FF44B80F45043DEA8DC76A7DE7CE810CB11

          Control-flow Graph

          APIs
          • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6872E9A46,?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40), ref: 00007FF6872EC52D
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 28eda23e1da9b668524483bb04f09af6a39cd26f9ef756103597628c970101cd
          • Instruction ID: 818fdedb7c182f455248b4dc71a737aba2524d95ea62f3e519f187d2e406c109
          • Opcode Fuzzy Hash: 28eda23e1da9b668524483bb04f09af6a39cd26f9ef756103597628c970101cd
          • Instruction Fuzzy Hash: B1F04942B8964AC1FE5567FA6A712F902807F88B84F48543CCC0EE6293DD2CE4D1C220
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 9f5952405ada2f1ef1f081ed3776218acde1d10bcce88289bb4f44ae842eef6b
          • Instruction ID: 918b257f17025c330c32a8208a465c4364145302b281dbd30d84dab23bc8e040
          • Opcode Fuzzy Hash: 9f5952405ada2f1ef1f081ed3776218acde1d10bcce88289bb4f44ae842eef6b
          • Instruction Fuzzy Hash: 0C316C72658B81CAEB609F60E9603EA7360FB85744F44413EDA4E87B99EF7CD648C700
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 4c3534951b222c2d301418ca145ecc3f1c25be2e415c2cc7f55dc37a4a711186
          • Instruction ID: a54a16f87588744f5dc27d704eb9bcbe5a9145587cae3f8fe1371f9226bf68a5
          • Opcode Fuzzy Hash: 4c3534951b222c2d301418ca145ecc3f1c25be2e415c2cc7f55dc37a4a711186
          • Instruction Fuzzy Hash: DA317F32658B81C6D760CB35E9602EE73A4FF89754F54023AEA8D83B59DF38D145CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Find$CloseFile$FirstNext
          • String ID: C:\Users\user\Desktop\5Uvn8Uyob8.exe
          • API String ID: 1164774033-1647006284
          • Opcode ID: 1fe4684158f74cda44948dfc92cb60db8ecb20c392f3c3d8fa5fc7b83eeb46f6
          • Instruction ID: 4ef5d73acc20033d41afe0807f7fda382036bfaec69be8ced6dd5463cc7e87fd
          • Opcode Fuzzy Hash: 1fe4684158f74cda44948dfc92cb60db8ecb20c392f3c3d8fa5fc7b83eeb46f6
          • Instruction Fuzzy Hash: 6FA1E723B4C68AC9FB209B75A6602FD6BA0BF41794F14423DDE9DA7696DE3CE441C700
          APIs
            • Part of subcall function 00007FF6872EC4D8: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6872E9A46,?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40), ref: 00007FF6872EC52D
            • Part of subcall function 00007FF6872F1800: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6872F1833
          • FindFirstFileExW.KERNEL32 ref: 00007FF6872ED5B0
            • Part of subcall function 00007FF6872EAD28: HeapFree.KERNEL32(?,?,?,00007FF6872EC4C2,?,?,?,00007FF6872EC3C3,?,?,00000000,00007FF6872ECB21,?,?,?,00007FF6872ECA2B), ref: 00007FF6872EAD3E
            • Part of subcall function 00007FF6872EAD28: GetLastError.KERNEL32(?,?,?,00007FF6872EC4C2,?,?,?,00007FF6872EC3C3,?,?,00000000,00007FF6872ECB21,?,?,?,00007FF6872ECA2B), ref: 00007FF6872EAD48
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Heap$AllocateErrorFileFindFirstFreeLast_invalid_parameter_noinfo
          • String ID: C:\Users\user\Desktop\5Uvn8Uyob8.exe
          • API String ID: 3501618255-1647006284
          • Opcode ID: d3f56129abb2ea3a0148b5554a5ed10f9a72e27476d555955d9271061a735555
          • Instruction ID: d4c3355c99c6b70f00fd0e2c4a5466b0fb47c3b091d05190c47985881f8273df
          • Opcode Fuzzy Hash: d3f56129abb2ea3a0148b5554a5ed10f9a72e27476d555955d9271061a735555
          • Instruction Fuzzy Hash: E481E523B4C689C5EA20DB72A6602FEA7A1FF45790F544239EE9D97796DE3CE041C700
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ExceptionRaise_clrfp
          • String ID:
          • API String ID: 15204871-0
          • Opcode ID: 319957773a4b6c49a8854eac7231239fa5d015cde11ab57704c72a19d288f1a7
          • Instruction ID: 7d31262b0bd8cdaaebee1715ea6809e4f7a9bb23babd93066b430bd87165d25f
          • Opcode Fuzzy Hash: 319957773a4b6c49a8854eac7231239fa5d015cde11ab57704c72a19d288f1a7
          • Instruction Fuzzy Hash: B1B15D73604B89CBEB25CF29C9563AC7BA0FB84B48F158929DA5D837A4CFB9D451C700
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Time$FileSystem
          • String ID:
          • API String ID: 2086374402-0
          • Opcode ID: c85922ad66918478065214e27a300c087a3c63a3148e193683f32f0588677a36
          • Instruction ID: ebc671e366cc8015f2034db1acef03ac2c61c57e6ad455ecc310e3d552a91924
          • Opcode Fuzzy Hash: c85922ad66918478065214e27a300c087a3c63a3148e193683f32f0588677a36
          • Instruction Fuzzy Hash: 53F0E9D2B2968C42EE24872595203A45281AF5CBE4F007335ED7D4E7CAEE1CD1508300
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: HeapProcess
          • String ID:
          • API String ID: 54951025-0
          • Opcode ID: 25117d0311a12bd40d744b9fcaf880e2cf2b231910dbf5512aa6001f24dd187c
          • Instruction ID: 5a18c86cb74fd4fdc3b43d2f8a17e04cb73c22eeea807f3c774efb3fe0ab656a
          • Opcode Fuzzy Hash: 25117d0311a12bd40d744b9fcaf880e2cf2b231910dbf5512aa6001f24dd187c
          • Instruction Fuzzy Hash: 62B09224E4BA02C2EB496B256C9221922A47F88700F98003CC00C91320DE2C21F5DB41
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ErrorFreeHeapLast
          • String ID:
          • API String ID: 485612231-0
          • Opcode ID: 7f2571df184d58ebb62d50973f5af77e1d9e9b47f33f48f0fbac23a951d31448
          • Instruction ID: 3444a71279d735ad9374960a03c318bad9eb7bafc3a4ac4644a031d3ceb0528e
          • Opcode Fuzzy Hash: 7f2571df184d58ebb62d50973f5af77e1d9e9b47f33f48f0fbac23a951d31448
          • Instruction Fuzzy Hash: BD41C272714A5982EF44CF7ADA641A973A1BB48FD0B89A13ADE4DD7B54DE3CD442C300
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c179c1fbef7ab172046c019bade7dfacfd4c36c3269e835407e988fe18b5ddca
          • Instruction ID: c28b930d0e59dfa1b1f4319f1158684a32d79add54cb61ad00352d8d8317ee35
          • Opcode Fuzzy Hash: c179c1fbef7ab172046c019bade7dfacfd4c36c3269e835407e988fe18b5ddca
          • Instruction Fuzzy Hash: 36F04F71A59295CBEBAA8F28A8426297790FB083C0B90813DD68DC3A44DA3C90A1CF04
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 73d2e78e815dc5e8534a363ce4552653f9307a60e10e6ad512d1a30309413990
          • Instruction ID: 9bba0ac506eea115a89d3412519e2a5e75c0e29a808133b5a69956d301412e8a
          • Opcode Fuzzy Hash: 73d2e78e815dc5e8534a363ce4552653f9307a60e10e6ad512d1a30309413990
          • Instruction Fuzzy Hash: BAA0012699C906D5EA548F11AA700A06230BF51300B400239D00D820A2DE6CA840C680
          APIs
          • FreeLibrary.KERNEL32(?,?,?,00007FF6872E9540,?,?,00000000,00007FF6872EBC4B,?,?,00000003,00007FF6872E7B0D), ref: 00007FF6872E96EC
          • GetProcAddress.KERNEL32(?,?,?,00007FF6872E9540,?,?,00000000,00007FF6872EBC4B,?,?,00000003,00007FF6872E7B0D), ref: 00007FF6872E96F8
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: MZx$api-ms-$ext-ms-
          • API String ID: 3013587201-2431898299
          • Opcode ID: 8eda1bae14f8adc22642466ad391952a1057da3069b3b83bffa599ad567745eb
          • Instruction ID: 43e11285da3d13b42d448c147220226a000dbcd3a727be4baae08195031b14a8
          • Opcode Fuzzy Hash: 8eda1bae14f8adc22642466ad391952a1057da3069b3b83bffa599ad567745eb
          • Instruction Fuzzy Hash: 84411122B99A06C2EA25CB669A345F92391BF55BE0F08423FDD6DC7395EE3CE445C301
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: c1a3aecb3b3289eb416bdbb1e26ab85292b09fd065f402c156b3009761bb52c2
          • Instruction ID: 3291a212662fb05272d806840cbc605f87dc7c61c61fd8f9d446e3b2b0425c70
          • Opcode Fuzzy Hash: c1a3aecb3b3289eb416bdbb1e26ab85292b09fd065f402c156b3009761bb52c2
          • Instruction Fuzzy Hash: 8BE17D72A48785CAEB309B65D6A02ED37A0FF44798F501139EE9D97B5ACF78E180C740
          APIs
          • LoadLibraryExW.KERNEL32(?,?,?,00007FF6872EE4F5,?,?,00000000,00007FF6872E8F24), ref: 00007FF6872EE6E5
          • GetLastError.KERNEL32(?,?,?,00007FF6872EE4F5,?,?,00000000,00007FF6872E8F24), ref: 00007FF6872EE6F3
          • LoadLibraryExW.KERNEL32(?,?,?,00007FF6872EE4F5,?,?,00000000,00007FF6872E8F24), ref: 00007FF6872EE71D
          • FreeLibrary.KERNEL32(?,?,?,00007FF6872EE4F5,?,?,00000000,00007FF6872E8F24), ref: 00007FF6872EE763
          • GetProcAddress.KERNEL32(?,?,?,00007FF6872EE4F5,?,?,00000000,00007FF6872E8F24), ref: 00007FF6872EE76F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: MZx$api-ms-
          • API String ID: 2559590344-259127448
          • Opcode ID: cd5d17ca6bcb98f021bc07e73c6cc5b27bf57e70ec9fda1240f66a7719b305e7
          • Instruction ID: 5acbafb87021faf088f3b8d90842564b49341c8864a6e7688e510a678e67259f
          • Opcode Fuzzy Hash: cd5d17ca6bcb98f021bc07e73c6cc5b27bf57e70ec9fda1240f66a7719b305e7
          • Instruction Fuzzy Hash: A831D232E5E646C1FF219B22AA205F52394BF58BA4F5A0639DD2D86392EF7CE441C310
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: c796d71ac1c9eb43b8b4e215c8a0916cd603519f55a0d776d6edca8c277946bc
          • Instruction ID: 20853146e91b43fcf11e2b35927f7a21ed1a7d4cd4324ae81c9fc0383b666cda
          • Opcode Fuzzy Hash: c796d71ac1c9eb43b8b4e215c8a0916cd603519f55a0d776d6edca8c277946bc
          • Instruction Fuzzy Hash: 3E21AC22E8D24AC2FB68A3B167751BD12467F547B0F04473ED8BE867E7DE2CA440C202
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: 7cf2b1ecb743e03eda428414b294aaf79c65f1c301ed6cb0cd3cda8bd998986b
          • Instruction ID: cb7cc2e05fa254ed28a7e212ba37a0d614a0f5bc2e27b28b4ccc6ff81fa0041f
          • Opcode Fuzzy Hash: 7cf2b1ecb743e03eda428414b294aaf79c65f1c301ed6cb0cd3cda8bd998986b
          • Instruction Fuzzy Hash: 23119031B58A81C7E7608B12E96436962A0FF88BE4F100238EA5EC7B94CFBCD954C744
          APIs
          • GetLastError.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E99F3
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E9A29
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E9A56
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E9A67
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E9A78
          • SetLastError.KERNEL32(?,?,?,00007FF6872EBB0D,?,?,?,?,00007FF6872E8C40,?,?,?,?,00007FF6872E5F68), ref: 00007FF6872E9A93
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 3fa8ad1f752b43342f51d9b5bd0934216f437454695e4e022fec278f041b9d31
          • Instruction ID: 257b134eb10028942f50696f116defa2813247cedc1599a7b0e2d7565bcfab95
          • Opcode Fuzzy Hash: 3fa8ad1f752b43342f51d9b5bd0934216f437454695e4e022fec278f041b9d31
          • Instruction Fuzzy Hash: C2115C22A8D24AC2FB58A3B157750BD62527F587B0F44473ED8FE867D7DE2CA441C202
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID: MZx
          • API String ID: 2718003287-2575928145
          • Opcode ID: c502685082263bfd7f79b411efd95184d61cdd1abc277d354517d13caa344854
          • Instruction ID: 0af3ca68afe5e4b22ed0edef90231c0031040cf6d598a580e0024cf558227a17
          • Opcode Fuzzy Hash: c502685082263bfd7f79b411efd95184d61cdd1abc277d354517d13caa344854
          • Instruction Fuzzy Hash: 08D1CD33B18A95CAE750CF79D6502EC3BA1FB54798B10423ADE5E97B9ADE38D506C300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 166b3ae7a50ef0955c775bcac24f19ce5c5692b3e500cec8d74ad421588e0b25
          • Instruction ID: cc58e4ecbd2d6c7aefde1e3a933486b96e87e3212c7ada5966a7b5297d15643e
          • Opcode Fuzzy Hash: 166b3ae7a50ef0955c775bcac24f19ce5c5692b3e500cec8d74ad421588e0b25
          • Instruction Fuzzy Hash: 4C51DE33A49646CADB14CF25E664AA83795FF41B98F50803CEA5E9778ADF78F841C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: e963c6a543e4ccfee78c2e43468ed3092b133d64ccd72fa6b4c2660d98899525
          • Instruction ID: 11d1b9fb64efb5bc6ca8bf9ddf8a3c9c7223cff0b025b31fa30c49b9120452f6
          • Opcode Fuzzy Hash: e963c6a543e4ccfee78c2e43468ed3092b133d64ccd72fa6b4c2660d98899525
          • Instruction Fuzzy Hash: 0DF06262A59A06C1EB248B34E9743BA6320FF85761F54033DC96E863F4CF6CD249C700
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
          • Instruction ID: 6943c861a36c5a829b5f901ee0896c465be97063dcae7854fef7ae74ad3cf880
          • Opcode Fuzzy Hash: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
          • Instruction Fuzzy Hash: 73116062E98A13C5F6781B68E7763F910507F54770E180A3CE57ED62D7CEEDA860C200
          APIs
          • FlsGetValue.KERNEL32(?,?,?,00007FF6872EB187,?,?,00000000,00007FF6872EB036,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872E9ACB
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EB187,?,?,00000000,00007FF6872EB036,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872E9AEA
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EB187,?,?,00000000,00007FF6872EB036,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872E9B12
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EB187,?,?,00000000,00007FF6872EB036,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872E9B23
          • FlsSetValue.KERNEL32(?,?,?,00007FF6872EB187,?,?,00000000,00007FF6872EB036,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872E9B34
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Value
          • String ID:
          • API String ID: 3702945584-0
          • Opcode ID: c43a1d17f02fd6d809238d725c752f21079af4e0e7cbf77f0b02c1cdc299ef2f
          • Instruction ID: 56bda70c701a20b7051c1bd2b864352b925240b7ee6f3b3a2bd13d8ea372c9ca
          • Opcode Fuzzy Hash: c43a1d17f02fd6d809238d725c752f21079af4e0e7cbf77f0b02c1cdc299ef2f
          • Instruction Fuzzy Hash: B2116D22B8D24AC2FB5893B266615BD22467F643B0F48433ED4BD867D7DE2CA441C202
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Value
          • String ID:
          • API String ID: 3702945584-0
          • Opcode ID: 06772123256836631eac754668c55dd1f5969a784bb1f6e52a2e9bf604fecc7c
          • Instruction ID: d619ab8d8de7cfc8096fabb11776145dc4172f8b69c082311510b6ea10dbf4a3
          • Opcode Fuzzy Hash: 06772123256836631eac754668c55dd1f5969a784bb1f6e52a2e9bf604fecc7c
          • Instruction Fuzzy Hash: D5111822A8920EC6FA68A3B556715FD12497F65330F08573ED8BD8A2D3ED2CB541C212
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: e9d8a88209c07a61c9d1dd3debb84daeffa10c840c1233951791325237c46664
          • Instruction ID: 0ebfc3dfac2b39c6a16ee6e3ec23acb42ac4b07d0c5fd337a35538209be007a3
          • Opcode Fuzzy Hash: e9d8a88209c07a61c9d1dd3debb84daeffa10c840c1233951791325237c46664
          • Instruction Fuzzy Hash: CB614733A08A85CAE720CFA5D5503ED77A0FB44B88F545229EE4D93B99CF78E155C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: cb704a66e7be1a5ba522131f2496a9f209fb6fefd1e7ae97345dc8007b045222
          • Instruction ID: c9e140aa37563da6ed434032f12222d469f24dfcccdb44f1f8445dc9782c3aa6
          • Opcode Fuzzy Hash: cb704a66e7be1a5ba522131f2496a9f209fb6fefd1e7ae97345dc8007b045222
          • Instruction Fuzzy Hash: 5F518132948286C6EB748F25D6643B87791FF54BA8F144139DAAC87B96CF7CE590CB00
          APIs
          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6872EF38B), ref: 00007FF6872EF094
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6872EF38B), ref: 00007FF6872EF11F
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: c00c5e49ffc8e72db89ae86e27f22d02f60acb1b3f547771fcdf52787a963b75
          • Instruction ID: e38609f3cada7e192b0daf50cc04bfcca49ea8e41396490ba27ed4bba74fc3c8
          • Opcode Fuzzy Hash: c00c5e49ffc8e72db89ae86e27f22d02f60acb1b3f547771fcdf52787a963b75
          • Instruction Fuzzy Hash: 4A91C323E486AAC5F7A08B75D6602FD2BA0BF45B88F54513DDE0E97A96CF38D481C710
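The function records on this page follow one fixed layout: section headers (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), then bullet "Key: Value" lines, with each record closing at its Instruction Fuzzy Hash. That regularity makes the report easy to turn into data for pivoting (which functions reference a given API, which opcode IDs recur across two samples). The parser below is an added example written for this page, not Joe Sandbox's own code or export format; it assumes only the layout visible above, and its two-record input is a constructed sample built from the records on this page (argument lists shortened, the "Download File" link label that the page renderer fuses onto Associated file names left in on purpose so the parser has to strip it).

```python
"""Parse the Joe Sandbox IDA-plugin function records of this report into dicts. Added
example, not Joe Sandbox code: the layout (section headers, bullet "Key: Value" lines,
each record closing at "Instruction Fuzzy Hash") is inferred from the report text."""
import re
from typing import Dict, List, Set

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link label the page renderer fuses onto "Associated" file names
# "<Name>.<Module>(<args>), ref: <hex>", optionally prefixed "Part of subcall function <hex>: "
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Constructed sample: two records in the report's layout (values taken from this report,
# argument lists shortened). The first keeps the "Download File" residue on purpose.
SAMPLE = r"""
APIs
  • GetConsoleMode.KERNEL32(?,?,00000000,00000000,00007FF6872EF38B), ref: 00007FF6872EF094
  • GetLastError.KERNEL32(?,?,00000000,00000000,00007FF6872EF38B), ref: 00007FF6872EF11F
Memory Dump Source
  • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
  • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
Similarity
  • API ID: ConsoleErrorLastMode
  • String ID:
  • API String ID: 953036326-0
  • Opcode ID: c00c5e49ffc8e72db89ae86e27f22d02f60acb1b3f547771fcdf52787a963b75
  • Opcode Fuzzy Hash: c00c5e49ffc8e72db89ae86e27f22d02f60acb1b3f547771fcdf52787a963b75
  • Instruction Fuzzy Hash: 4A91C323E486AAC5F7A08B75D6602FD2BA0BF45B88F54513DDE0E97A96CF38D481C710
APIs
  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6872ECDA0
    • Part of subcall function 00007FF6872EAE60: IsProcessorFeaturePresent.KERNEL32(?,00007FF6872EB0D7), ref: 00007FF6872EAE69
    • Part of subcall function 00007FF6872EAE60: GetCurrentProcess.KERNEL32(?,00007FF6872EB0D7), ref: 00007FF6872EAE8E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
Similarity
  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
  • String ID: *?$C:\Users\user\Desktop\5Uvn8Uyob8.exe
  • API String ID: 4036615347-4131929451
  • Opcode ID: a633fbf2a8584894ada7dd3ce4bf7a99a6fd6fe1b81d5eafd89ec87b4ba9ec55
  • Opcode Fuzzy Hash: a633fbf2a8584894ada7dd3ce4bf7a99a6fd6fe1b81d5eafd89ec87b4ba9ec55
  • Instruction Fuzzy Hash: F851B763F8869AC5EB119BB596212FC26A1BF44BE4F084539DE0D87B87DE3CE481D300
"""


def parse_records(text: str) -> List[Dict]:
    """Split report text into one dict per function record."""
    records: List[Dict] = []
    rec: Dict = {"apis": [], "strings": [], "associated": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            continue
        if line.endswith(RESIDUE):
            line = line[: -len(RESIDUE)].rstrip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:  # lines that do not fit the pattern are skipped, not guessed at
                rec["apis"].append(m.groupdict())
            continue
        if section == "Strings":
            rec["strings"].append(line)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower().replace(" ", "_"), value.strip()
        if key == "source_file":  # "<file>, Offset: <hex>, based on PE: <bool>"
            parts = [p.strip() for p in value.split(",")]
            rec["source_file"] = parts[0]
            for k, _, v in (p.partition(":") for p in parts[1:]):
                rec[k.strip().lower().replace(" ", "_")] = v.strip()
        elif key == "associated":
            rec["associated"].append(value)
        else:
            rec[key] = value
        if key == "instruction_fuzzy_hash":  # last field of every record
            records.append(rec)
            rec = {"apis": [], "strings": [], "associated": []}
    return records


def api_index(records: List[Dict]) -> Dict[str, List[str]]:
    """API name -> opcode IDs of the functions referencing it (directly or via a subcall)."""
    index: Dict[str, List[str]] = {}
    for rec in records:
        for api in rec["apis"]:
            index.setdefault(api["name"], []).append(rec.get("opcode_id", ""))
    return index


def shared_opcode_ids(a: List[Dict], b: List[Dict]) -> Set[str]:
    """Opcode IDs present in both record sets: a cheap code-reuse signal between two samples."""
    return {r["opcode_id"] for r in a if "opcode_id" in r} & {r["opcode_id"] for r in b if "opcode_id" in r}
```

Two caveats before reading anything into the output. First, the records in this part of the report are Visual C++ runtime code rather than payload logic: the GetConsoleMode/GetLastError pair, _invalid_parameter_noinfo with its IsProcessorFeaturePresent/GetCurrentProcess subcalls, __except_validate_context_record and the "csm" and "MOC$RCC" strings all belong to the UCRT/vcruntime, so their opcode IDs will be shared by any MSVC-built x64 binary and a hit in shared_opcode_ids on them says nothing about shared malicious code; drop runtime functions (for example those FLIRT recognises) before comparing. Second, on this page the Opcode ID and the Opcode Fuzzy Hash of every record carry the same value, so deduplicate on one of them rather than treating them as two independent signals.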
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: AdjustPointer
          • String ID:
          • API String ID: 1740715915-0
          • Opcode ID: ad951c82f903116c12849aadc4f0baf7a869fadc68eaa4632fadd1048cacca6d
          • Instruction ID: 963234732c30f0de20322646ec17a374b6bcd535918c73afac996c52e76f7816
          • Opcode Fuzzy Hash: ad951c82f903116c12849aadc4f0baf7a869fadc68eaa4632fadd1048cacca6d
          • Instruction Fuzzy Hash: D371D122A8A646C1FA759B11D7A06BC6390FF44FA0F09403DDE6D87B86DEBCE481C740
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 285e00c4d3f54fedbeb5e4d165c2997d3663a2a25e7a979b1a8c52f2ff1d236e
          • Instruction ID: bc729191ef3ad7e4e0b69d76480abd8ceff82bab9cbb413bf76005daef0612e0
          • Opcode Fuzzy Hash: 285e00c4d3f54fedbeb5e4d165c2997d3663a2a25e7a979b1a8c52f2ff1d236e
          • Instruction Fuzzy Hash: 15117C26B58F05CAEB50CF70E8A42B933A4FB19758F441E39DA6D827A4EF78D194C340
          APIs
          • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6872ECDA0
            • Part of subcall function 00007FF6872EAE60: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6872EB0D7,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872EAE69
            • Part of subcall function 00007FF6872EAE60: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6872EB0D7,?,?,?,?,?,00007FF6872EB24A), ref: 00007FF6872EAE8E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
          • String ID: *?$C:\Users\user\Desktop\5Uvn8Uyob8.exe
          • API String ID: 4036615347-4131929451
          • Opcode ID: a633fbf2a8584894ada7dd3ce4bf7a99a6fd6fe1b81d5eafd89ec87b4ba9ec55
          • Instruction ID: 6e53ccaf7ab476a76cbdf91e3f3913329fd184bbe9333d008520627b433e019a
          • Opcode Fuzzy Hash: a633fbf2a8584894ada7dd3ce4bf7a99a6fd6fe1b81d5eafd89ec87b4ba9ec55
          • Instruction Fuzzy Hash: F851B763F8869AC5EB119BB596212FC26A1BF44BE4F084539DE0D87B87DE3CE481D300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: f0cfd3164ff96798f14fc08c4734987f505c93e07409a734ac5a42f3e19d2525
          • Instruction ID: 91b624bb746783bc7891c2fb3e207ae689f40f045a2aa862060c6896945e84ed
          • Opcode Fuzzy Hash: f0cfd3164ff96798f14fc08c4734987f505c93e07409a734ac5a42f3e19d2525
          • Instruction Fuzzy Hash: 5E41B123A18A95C6DB60CF25E9643EA67A0FB88794F844139EE8DC7799EF3CD441C740
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2956185592.00007FF6872E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6872E0000, based on PE: true
          • Associated: 00000000.00000002.2956171676.00007FF6872E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956205933.00007FF6872F5000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956223363.00007FF6872FF000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956247695.00007FF687300000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687302000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956260227.00007FF687305000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6872e0000_5Uvn8Uyob8.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: a272fe822553b65e5748a6350f742528e835165645c66372dbd7efeddf2a5ac6
          • Instruction ID: 9d23c66c6f74f99ae690115732e328209a9a7c62ff028ab4afa921eb8d07ddbc
          • Opcode Fuzzy Hash: a272fe822553b65e5748a6350f742528e835165645c66372dbd7efeddf2a5ac6
          • Instruction Fuzzy Hash: B0114932619B4182EB208B15F5502A9B7E1FF88B94F184234DA8C47759DF7CC591CB40