Windows Analysis Report
esphvcionattkingstoreff5.exe

Overview

General Information

Sample name: esphvcionattkingstoreff5.exe
Analysis ID: 1592717
MD5: fbfdd5efc5b915ba4751b4f2cdf666f9
SHA1: 1a92ab15a8c7efc9a8f2d4ddbc030bb681305dcd
SHA256: 37860e55357e590e6eca89247ee3d94869e54053a89453693a54397fa3f30b3c
Tags: exe, malware, trojan, user-Joker

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • esphvcionattkingstoreff5.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\esphvcionattkingstoreff5.exe" MD5: FBFDD5EFC5B915BA4751B4F2CDF666F9)
    • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: esphvcionattkingstoreff5.exe | Avira: detected
Source: esphvcionattkingstoreff5.exe | Virustotal: Detection: 62%
Source: esphvcionattkingstoreff5.exe | ReversingLabs: Detection: 57%
Source: esphvcionattkingstoreff5.exe | Joe Sandbox ML: detected
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_b4ca54da-a
Source: esphvcionattkingstoreff5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcionattkingstoreff5.exe
Source: Binary string: 9D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcionattkingstoreff5.exe
Source: esphvcionattkingstoreff5.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: esphvcionattkingstoreff5.exe | String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: esphvcionattkingstoreff5.exe | String found in binary or memory: https://scripts.sil.org/OFLThis
Source: esphvcionattkingstoreff5.exe | String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: esphvcionattkingstoreff5.exe | Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ
Source: classification engine | Classification label: mal64.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: esphvcionattkingstoreff5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: esphvcionattkingstoreff5.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
Source: unknown | Process created: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe "C:\Users\user\Desktop\esphvcionattkingstoreff5.exe"
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: d3dx11_43.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: d3dcompiler_43.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Section loaded: dxgi.dll
Source: esphvcionattkingstoreff5.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: esphvcionattkingstoreff5.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: esphvcionattkingstoreff5.exe | Static file information: File size 4214272 > 1048576
Source: esphvcionattkingstoreff5.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11d800
Source: esphvcionattkingstoreff5.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x28de00
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: esphvcionattkingstoreff5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: esphvcionattkingstoreff5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: esphvcionattkingstoreff5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: esphvcionattkingstoreff5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: esphvcionattkingstoreff5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: esphvcionattkingstoreff5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion

Source: esphvcionattkingstoreff5.exe | Binary or memory string: PROCESSHACKER.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: PROCMON.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: [ %.FM ] HEALTH RENDERED][ CR][V4L0R4NT PLUS]CPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: esphvcionattkingstoreff5.exe | Binary or memory string: OLLYDBG.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: X64DBG.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: REGMON.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: WINDBG.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: IDAQ.EXEH
Source: esphvcionattkingstoreff5.exe | Binary or memory string: FIDDLER.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: PEID.EXEH
Source: esphvcionattkingstoreff5.exe | Binary or memory string: IDAG.EXEH
Source: esphvcionattkingstoreff5.exe | Binary or memory string: WIRESHARK.EXE
Source: esphvcionattkingstoreff5.exe | Binary or memory string: FILEMON.EXE
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\esphvcionattkingstoreff5.exe | Code function: 0_2_00007FF636ADC060 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF636ADC060
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OLLYDBG.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: procexp.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: LordPE.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Tcpview.exe
Source: esphvcionattkingstoreff5.exe, 00000000.00000000.1311627992.00007FF636ADF000.00000002.00000001.01000000.00000003.sdmp, esphvcionattkingstoreff5.exe, 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: regmon.exe

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Process Injection; 1 DLL Side-Loading; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 2 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Source | Detection | Scanner | Label
esphvcionattkingstoreff5.exe | 62% | Virustotal |
esphvcionattkingstoreff5.exe | 58% | ReversingLabs | Win64.Trojan.Generic
esphvcionattkingstoreff5.exe | 100% | Avira | HEUR/AGEN.1363336
esphvcionattkingstoreff5.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
https://scripts.sil.org/OFLhttps://www.lexend.comBonnie | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/googlefonts/lexend)6_ju | esphvcionattkingstoreff5.exe | false | | high
https://scripts.sil.org/OFLThis | esphvcionattkingstoreff5.exe | false | | high
https://scripts.sil.org/OFLhttps://www.lexend.comBonnie | esphvcionattkingstoreff5.exe | false | Avira URL Cloud: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | esphvcionattkingstoreff5.exe | false | | high

No contacted IP infos

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592717
Start date and time: 2025-01-16 13:15:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: esphvcionattkingstoreff5.exe
Detection: MAL
Classification: mal64.evad.winEXE@2/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target esphvcionattkingstoreff5.exe, PID 7612 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | RFQ # PC25-1301_1.xlsx | malicious | Unknown | 13.107.246.45
 | U23BGA2025REQ.exe | malicious | MassLogger RAT | 13.107.246.45
 | RFQ # PC25-1301_1.xlsx | malicious | Unknown | 13.107.246.45
 | http://magentacloud.de/s/DeFCB6g8NjbfYpY | malicious | Unknown | 13.107.246.45
 | 3j4TuJYz12.exe | malicious | Fog, Xmrig | 13.107.246.45
 | vXn4pan2US.exe | malicious | Unknown | 13.107.246.45
 | OC1025QPR.docx.doc | malicious | Unknown | 13.107.246.45
 | nome_desejado.bat | malicious | Unknown | 13.107.246.45
 | https://varennesvauzelles-my.sharepoint.com/:o:/g/personal/anaelle_bissonnier_ville-varennes-vauzelles_fr/Es1tTo210KNJh_Ty-pj8UFMB_EEkzwj8t026ZTq8dvrqyg?e=bm0BI7 | malicious | Unknown | 13.107.246.45
 | doc.bat | malicious | Unknown | 13.107.246.45

No created / dropped files found

File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.676981718842848
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: esphvcionattkingstoreff5.exe
File size: 4'214'272 bytes
MD5: fbfdd5efc5b915ba4751b4f2cdf666f9
SHA1: 1a92ab15a8c7efc9a8f2d4ddbc030bb681305dcd
SHA256: 37860e55357e590e6eca89247ee3d94869e54053a89453693a54397fa3f30b3c
SHA512: 2fa3156c581ffc3fd6770bd650a9eca18d43e131b70c3476d9ffb5c2f75bb99a2c769a2fda721b13558c71245149830719827f876017abdcc1633032fa5f3c93
SSDEEP: 98304:RN/tpTUmAttYDpDo4CyZwg562/K5a6e6c8hDkDeRV:RNVXOYNoryEJg6cYV
TLSH: 81160187A3A441E9C167C13C8647971BE77574091B20ABDB67E48E6A3F13BE12F3A350
          File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............i...i...i....i..i.......i.......i.......i.......i.......i..N....i..K....i.......i.......i.......i...;f..i...i...k.......i.
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x14011b928
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x676B0BF5 [Tue Dec 24 19:31:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: da017d1a84ea0dddfaa3c989b0839a38
Programming Language:
  • [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x166468 | 0x26c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x407000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3fa000 | 0xccd8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x408000 | 0x12b4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x152170 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x152200 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x152030 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11f000 | 0xeb8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11d730 | 0x11d800 | ad20d241fd1027174232fd143b2b6804 | False | 0.5483954274299475 | data | 6.485290974834862 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11f000 | 0x4af76 | 0x4b000 | 57f130c782d357d4679443fa8ac0fb0e | False | 0.448935546875 | data | 6.23065418334246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x16a000 | 0x28f220 | 0x28de00 | 0a76d8caefc71022ff8ae631e95f01a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3fa000 | 0xccd8 | 0xce00 | 7256082334fec3c6c817ccd897f099fc | False | 0.4791603458737864 | data | 6.156244862407985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x407000 | 0x1e8 | 0x200 | 6c544b08d1bbe21a32683a2e8aa0bbfb | False | 0.5390625 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x408000 | 0x12b4 | 0x1400 | bc0f62f1a4e36549e3071226fa340fa4 | False | 0.403515625 | data | 5.28141923945884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x407060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143

DLL | Import
d3dx11_43.dll | D3DX11CreateShaderResourceViewFromMemory
d3d11.dll | D3D11CreateDeviceAndSwapChain
D3DCOMPILER_43.dll | D3DCompile
KERNEL32.dll | GetFileSizeEx, CreateFileMappingA, PeekNamedPipe, ReadFile, GetFileType, GetEnvironmentVariableA, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentProcess, VirtualProtect, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetModuleFileNameA, GetModuleHandleW, QueryPerformanceCounter, FreeLibrary, VerSetConditionMask, WaitForSingleObjectEx, HeapFree, OutputDebugStringW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetProcAddress, QueryPerformanceFrequency, LoadLibraryA, GetModuleHandleA, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, GetFileAttributesW, lstrcmpiW, GetConsoleWindow, WideCharToMultiByte, CreateThread, CloseHandle, Process32FirstW, CreateFileA, Process32NextW, GetLastError, Sleep, MoveFileExA, GetTickCount, VerifyVersionInfoA, GetSystemDirectoryA, SleepEx, LeaveCriticalSection, EnterCriticalSection, CreateFileW, WaitForMultipleObjects, HeapDestroy, HeapAlloc, HeapSize, MultiByteToWideChar, CreateToolhelp32Snapshot, SetConsoleWindowInfo, TerminateProcess, DeviceIoControl, GetStdHandle, SetConsoleScreenBufferSize, SetConsoleTitleA, SetConsoleTextAttribute, HeapReAlloc, IsDebuggerPresent, QueryFullProcessImageNameW, SetLastError, FormatMessageA, LocalFree, GetProcessHeap
USER32.dll | OpenClipboard, CloseClipboard, SetCursorPos, EmptyClipboard, SetClipboardData, GetKeyState, GetWindow, DestroyWindow, SetCursor, LoadCursorW, GetCursorPos, UpdateWindow, FindWindowA, GetClientRect, FindWindowW, TranslateMessage, GetClipboardData, SetLayeredWindowAttributes, GetForegroundWindow, MessageBoxA, PeekMessageW, ScreenToClient, ClientToScreen, DispatchMessageW, GetAsyncKeyState, SetWindowLongPtrW, ShowWindow, GetSystemMetrics, SetWindowPos, GetWindowLongPtrW
ADVAPI32.dll | RegQueryValueExA, RegCloseKey, OpenServiceW, StartServiceW, ControlService, DeleteService, OpenSCManagerW, CloseServiceHandle, QueryServiceStatus, CreateServiceW, OpenProcessToken, AddAccessAllowedAce, GetLengthSid, GetTokenInformation, InitializeAcl, IsValidSid, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA, CopySid, SetSecurityInfo, RegOpenKeyExA
SHELL32.dll | ShellExecuteA
          MSVCP140.dll?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ??Bid@locale@std@@QEAA_KXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, 
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, _Mtx_unlock, _Thrd_join, _Xtime_get_ticks, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, _Query_perf_counter, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, _Thrd_id, _Thrd_sleep, _Cnd_do_broadcast_at_thread_exit, _Mtx_init_in_situ, _Mtx_lock, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, _Mtx_destroy_in_situ, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?id@?$ctype@D@std@@2V0locale@2@A, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, 
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exceptions@std@@YAHXZ, ?_Throw_Cpp_error@std@@YAXH@Z, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Query_perf_frequency, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ
          dwmapi.dll: DwmExtendFrameIntoClientArea
          WINHTTP.dll: WinHttpReceiveResponse, WinHttpOpen, WinHttpOpenRequest, WinHttpCloseHandle, WinHttpSendRequest, WinHttpQueryOption, WinHttpConnect
          CRYPT32.dll: CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertGetCertificateContextProperty, CertFreeCertificateChain, CertFreeCertificateContext
          IMM32.dll: ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext, ImmSetCandidateWindow
          Normaliz.dll: IdnToAscii
          WLDAP32.dll
          WS2_32.dll: getaddrinfo, __WSAFDIsSet, bind, ioctlsocket, listen, htonl, accept, recvfrom, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, sendto, gethostname, ntohl, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, select, WSAGetLastError, send, freeaddrinfo, recv, closesocket
          RPCRT4.dll: UuidToStringA, RpcStringFreeA, UuidCreate
          PSAPI.DLL: GetModuleInformation
          USERENV.dll: UnloadUserProfile
          VCRUNTIME140_1.dll: __CxxFrameHandler4
          VCRUNTIME140.dll: __current_exception_context, __current_exception, __C_specific_handler, longjmp, strrchr, strchr, memset, __intrinsic_setjmp, memcpy, memcmp, _CxxThrowException, strstr, __std_terminate, __std_exception_copy, __std_exception_destroy, memmove, memchr
          api-ms-win-crt-runtime-l1-1-0.dll: exit, _invalid_parameter_noinfo_noreturn, terminate, strerror, __sys_nerr, _invalid_parameter_noinfo, _resetstkoflw, system, _getpid, _beginthreadex, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _errno
          api-ms-win-crt-stdio-l1-1-0.dll: fclose, __p__commode, __acrt_iob_func, _lseeki64, __stdio_common_vsprintf_s, fgetc, fflush, _read, feof, fputs, fopen, _write, _close, _open, __stdio_common_vfprintf, fputc, _pclose, fgets, fwrite, _set_fmode, __stdio_common_vsscanf, _wfopen, __stdio_common_vsprintf, fseek, ftell, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, setvbuf, _popen
          api-ms-win-crt-heap-l1-1-0.dll: free, realloc, malloc, calloc, _callnewh, _set_new_mode
          api-ms-win-crt-math-l1-1-0.dll: fmodf, ceilf, _dclass, atanf, asinf, acosf, __setusermatherr, cos, cosf, powf, roundf, sin, sinf, sqrtf, tanf
          api-ms-win-crt-string-l1-1-0.dll: strncmp, strncpy, isupper, tolower, strpbrk, strcmp, _strdup, strspn, strcspn
          api-ms-win-crt-time-l1-1-0.dll: _localtime64_s, _gmtime64, strftime, _time64
          api-ms-win-crt-convert-l1-1-0.dll: atoi, strtod, strtoll, strtoull, strtoul, strtol
          api-ms-win-crt-utility-l1-1-0.dll: qsort, rand
          api-ms-win-crt-filesystem-l1-1-0.dll: _access, _fstat64, _unlink, _unlock_file, _lock_file, _stat64
          api-ms-win-crt-locale-l1-1-0.dll: localeconv, _configthreadlocale
          Language of compilation system:English
          Country where language is spoken:United States
          Timestamp:Jan 16, 2025 13:16:08.929455042 CET
          Source IP:1.1.1.1
          Dest IP:192.168.2.10
          Trans ID:0x5986
          Reply Code:No error (0)
          Name:shed.dual-low.s-part-0017.t-0009.t-msedge.net
          CName:s-part-0017.t-0009.t-msedge.net
          Address:
          Type:CNAME (Canonical name)
          Class:IN (0x0001)
          DNS over HTTPS:false

          Timestamp:Jan 16, 2025 13:16:08.929455042 CET
          Source IP:1.1.1.1
          Dest IP:192.168.2.10
          Trans ID:0x5986
          Reply Code:No error (0)
          Name:s-part-0017.t-0009.t-msedge.net
          CName:
          Address:13.107.246.45
          Type:A (IP address)
          Class:IN (0x0001)
          DNS over HTTPS:false

          Target ID:0
          Start time:07:16:10
          Start date:16/01/2025
          Path:C:\Users\user\Desktop\esphvcionattkingstoreff5.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\esphvcionattkingstoreff5.exe"
          Imagebase:0x7ff6369c0000
          File size:4'214'272 bytes
          MD5 hash:FBFDD5EFC5B915BA4751B4F2CDF666F9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:false

          Target ID:1
          Start time:07:16:10
          Start date:16/01/2025
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff620390000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2579619681.00007FF6369C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6369C0000, based on PE: true
            • Associated: 00000000.00000002.2579596564.00007FF6369C0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2579719504.00007FF636ADF000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2579747058.00007FF636AE0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2579786628.00007FF636B2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2579806457.00007FF636B2B000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2580001624.00007FF636DBA000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6369c0000_esphvcionattkingstoreff5.jbxd
            Similarity
            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
            • String ID:
            • API String ID: 2933794660-0
            • Opcode ID: e26fce6f3fc10f841e2ab6b7fb7d9afe18c155cd656be98dbdd9ac6f1d53fa47
            • Instruction ID: 554b27acda2a626d172690f04f1a04c405a802f581b85a426b5ac715ab406c9a
            • Opcode Fuzzy Hash: e26fce6f3fc10f841e2ab6b7fb7d9afe18c155cd656be98dbdd9ac6f1d53fa47
            • Instruction Fuzzy Hash: 51112A26B14F418AFB00CF60E8656B933B4FB19758F440E35DE6D867A4DF78D1A48340