Windows Analysis Report
8R2YjBA8nI.exe

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03

Source: 8R2YjBA8nI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 8R2YjBA8nI.exe

ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

File read: C:\Users\user\Desktop\8R2YjBA8nI.exe

Source: unknown	Process created: C:\Users\user\Desktop\8R2YjBA8nI.exe "C:\Users\user\Desktop\8R2YjBA8nI.exe"
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: update.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Source: ldplayer9_ld_6000_ld.exe.lnk.4.dr

LNK file: ..\..\Public\Bilite\ldplayer9_ld_6000_ld.exe

Source: 8R2YjBA8nI.exe

Static file information: File size 77302708 > 1048576

Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr
Source:	Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000004.00000002.2143704154.000000006C36D000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000004.00000002.2143000631.0000000000132000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000004.00000000.2139108528.0000000000132000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000004.00000002.2143000631.0000000000132000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000004.00000000.2139108528.0000000000132000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdbo source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: Update.dll.0.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00411C20 push eax; ret		0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C34CAF7 push ecx; ret		4_2_6C34CB0A

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\Axialis\Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\Axialis\Update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	Jump to dropped file

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Dropped PE file which has not been started: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 1164

Thread sleep time: -73000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C35F888 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_6C35F888
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C35F7D7 FindFirstFileExW,	4_2_6C35F7D7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Thread delayed: delay time: 73000

Source: spyqizkn.png.0.dr

Binary or memory string: HgFs/

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 4_2_001315D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_001315D0

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_00131A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00131A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_001315D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_001315D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_00131764 SetUnhandledExceptionFilter,	4_2_00131764
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C34C85A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C34C85A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C353AAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C353AAF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 4_2_6C34C4ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6C34C4ED

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe			Jump to behavior

Source: 8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Binary or memory string: .lnkutility::usystem::resolveShortcutFromFileresolveShortcutFromFile buffer is too smallShell_TrayWndnot traywndutility::usystem::getSystBarHeightit is pcutility::usystem::isNoteBookPCit is notebookutility::usystem::isNoteBookPCShcore.dllGetDpiForMonitorldenvAccept: */*

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	4_2_6C35CEBE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	4_2_6C36682C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6C3668D3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	4_2_6C3669D9
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	4_2_6C35C9C3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C36645A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	4_2_6C3666AD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	4_2_6C36670C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	4_2_6C3667E1
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C36616E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	4_2_6C3663BF

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8R2YjBA8nI.exe	43%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Bilite\Axialis\Update.exe	0%	ReversingLabs
C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	4%	ReversingLabs

Source	Detection	Scanner	Label
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	0%	Avira URL Cloud	safe
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	0%	Avira URL Cloud	safe
http://www.ijg.org	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
https://ldapi.ldmnq.com/common/baidu/ocpcbaidu	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://sectigo.com/CPS0	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
http://ocsp.sectigo.com0	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
https://middledata.ldmnq.com/collection/biz/uploadreport	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr	false		high
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://ldapi.ldmnq.com/common/baidu/ocpc	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://middledata.ldmnq.com/collection/biz/upload	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://www.ijg.org	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://ldapi.ldmnq.com/mnq/properties?openid=&packageName=https://encdn.ldmnq.com/player_files/open	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://res.ldmnq.com/ld/leidianexhttps://res.ldmnq.com/download/release/ldinst4.0.exehttps://res.ld	8R2YjBA8nI.exe, 00000000.00000003.2135435614.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583412
Start date and time:	2025-01-02 17:26:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8R2YjBA8nI.exe renamed because original name is a hash value
Original Sample Name:	15D3E848E744AA25B6EDBAEFDF57BF3F.exe
Detection:	MAL
Classification:	mal52.winEXE@6/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 68 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8R2YjBA8nI.exe

Simulations

Behavior and APIs

Time	Type	Description
11:27:11	API Interceptor	1x Sleep call for process: Update.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Bilite\Axialis\Update.exe	6f0slJzOrF.exe	Get hash	malicious	GhostRat	Browse
	6f0slJzOrF.exe	Get hash	malicious	Unknown	Browse
	zPJUOck9wt.exe	Get hash	malicious	GhostRat	Browse
	zPJUOck9wt.exe	Get hash	malicious	Unknown	Browse
	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse
	MEuu1a2o6n.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.189464015923012
Encrypted:	false
SSDEEP:	3:iqkaVf3EpDvlLWzdPds1:ilkgDvR0dO1
MD5:	E0B9F50885C9027A8479809E48773FB5
SHA1:	CD1DDCE77B76428A8377DA9DB6C98CD17D26B4A5
SHA-256:	D4100BD47861860EE5B974DA6D1526300EFAD0BEA07A2147DE050F5AB4901AE7
SHA-512:	62FD97F720A6FE77E4A5AFD9AEC2C7B5C537A37F44A6F9D60F44A9EE1783FE8BB3A27EEDE5B8671DACCA8E6057F1CF8A839CEEEEB45065BC08C524E83E36D562
Malicious:	false
Reputation:	low
Preview:	U2FsdGVkX19ed6jSWQZ87x5UTzuvDSxWy4TvJSbGs4rG0n3V8HGyYgGC1a8KQsHZ

C:\Users\Public\Bilite\Axialis\Update.dll

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340760
Entropy (8bit):	6.542973942124912
Encrypted:	false
SSDEEP:	6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/KUaCcM:H66LUtNrIAzCKzRgDKrSeRUalM
MD5:	6CDF82D8FE534D835FAB242751200383
SHA1:	72074E82596FBD085BED96EE7F84B291722ECDA3
SHA-256:	144F9C2EB947F7DA86D77FE62B2CA893F8C794CDF5E76AFF8B471DC4220599A9
SHA-512:	E43B6DFFC19BE693502DF47FB1A009B30D3E45370BDC65604689D2D52517041C163F52450915C69EF48CDB6667A013A52724EE6A50185C7DE6EC1D9DFDCD44F5
Malicious:	false
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\Update.exe

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\spyqizkn.png

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	data
Category:	dropped
Size (bytes):	73389290
Entropy (8bit):	7.9999949696309285
Encrypted:	true
SSDEEP:	1572864:4vucsY3Q3QOIErZwXrel/HeIk/o2u1wSkOQJAdq0H8TJZy:4vuc5MpVZwXilWIior1ZEA00cTzy
MD5:	1308BAC0A9357B506C13B7861B422E1F
SHA1:	BC58C688070CCCF07BFE8F1BDE8D1A7173F8EFA2
SHA-256:	93FD6B7AD279A5AB9B86BE7813D5510512EF51F7D93671773C13211CE26FDF92
SHA-512:	14F5A66A2149553B2F867B42CC5FA218EDF2648F3281B4FD06BD38C28503AF8BF6668348024A2F4552EDC2654EBB97AAF08389C8478D84CC3D3A73457D08F822
Malicious:	false
Reputation:	low
Preview:	..>..9..x...@..A.xE..._.g..1.Plj.@...........QP.'......b.c.xd.[...M...4Ct..w...~.-M.f`.Fp.+Xq%.}....;d....$.....5(..A..o].......n..3O..4.u..u4.{.........`yRc......#......$...?.$...oa.Cv ...6...3..[L..^.U....2...`..I..E.D....../........Ilc...efn.u..:sHf..'.......@D.V.o..~.."...a....7ABB.......4....).r2...&...g..d.~c.../.PWcp.&...`9..KtU9.I...'.:y.X. PEd5p-.-.]..1D.(.V#L`1,.........w.2...y:.j..~....*.....i.......c.D:sg.6......\|K..!4..i..0^T.I?A8..[.sxZ.I.#.r.i....S1U.......;<.%....[.....U../.=s..&...bf.\I....R.C.p.....+...C..6.9.$..C_..y.exD..k.2i.-...5..5B...6.g}.}.../".xe4...3t.&N.Q=\|.y.R.. t.wGj.S....o..s.R.8.W...lJ. ..?..."0.!.`J...O.....2..):-../...J.)&%.(...AH`hSck..6..}P....4c.SU.3...X.B.!...v....... _....K...+.^.l..{4...%.S....[.[K.1.69..a...B...:..!lZ+W..Q...)....#....ZP..{._,...47...n.G..P........h?.?D...PY.J4.~..K5..^..T..!.P.=j.3.5...S,..:.2.?.X....o...x.....l..+.S.. .d..cj...<..W..?..6.....G.A.:9..>.Y....(sv

C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4540512
Entropy (8bit):	7.278249613007746
Encrypted:	false
SSDEEP:	98304:vevwfTovd3ZIdCCFQfUfQ8aA78VREwBwMu:meol3ZIdCxujaAqRgMu
MD5:	EC1580551A183D46B8BE885B7519F1D5
SHA1:	4D5B0038633B92A11C3AAFD33DAAFF54D354FD91
SHA-256:	D0B485BCBD919FA05653281A9F1AB5B574D19A47AACBFAD89D411B946763FA1A
SHA-512:	759C4266DFA1168C6E91791AF71B946F3EE0E217B3CFFDD670BD6E7A811CBB2BECA0F5D9CE7ED06A40BE75C9FE735BBDD767E8A5F1AC6F61F61DB7FA47532D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........r.................E1............n........J............n.....n............n....n.......n.......n...................n.....Rich...........PE..L....:eg.................."..D#...............#...@..........................pF.......E...@..................................K.\|....p,..............D.`R... E..D....#.8............................7).@.............#..............................text...V."......."................. ..`.rdata...d....#..f....#.............@..@.data...............h*.............@....rsrc.......p,.......+.............@..@.reloc...D... E..F....C.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ldplayer9_ld_6000_ld.exe.lnk

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 15:27:10 2025, mtime=Thu Jan 2 15:27:11 2025, atime=Tue Dec 24 02:25:35 2024, length=4540512, window=hide
Category:	dropped
Size (bytes):	1101
Entropy (8bit):	4.686386355501527
Encrypted:	false
SSDEEP:	12:8mWNY0UYZCECHqXlm4XCFACmqUxyVu2g9fojAZicTzGT9fBav0hbJP4t2YZ/elFH:8mWO0VLAsfsAZnWfov0hbJFqygm
MD5:	85B2DC159C3D0B347AACE7587BF6EEB8
SHA1:	E1FE997008C325470CE02A73C4FCFCDCC7688F67
SHA-256:	7E302DCB42AADE38CCFDD047B51721511F2942E0974B8F62CEF334026D24DFA7
SHA-512:	0F9482FF93D29822F71DC03E1D257767D6ED2037B039EBAF08369595E5957A261C2D1A0C451D49A046626BCA8C4F51BA6E5884A227B5945D365EA070F6B9BBB2
Malicious:	false
Preview:	L..................F.... ....q.,3]..Np.,3]....~.U..`HE..........................P.O. .:i.....+00.../C:\...................x.1.....DW(m..Users.d......OwH"Z].....................:.....NvM.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1....."Z`...Public..f......O.I"Zf.....+...............<......]..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1....."Zf...Bilite..>......"Z`."Zf............................~..B.i.l.i.t.e.....~.2.`HE..Y2. .LDPLAY~1.EXE..b......"Zf."Zf.............................c.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e.......^...............-.......]............f{<.....C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe..,.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......878411...........hT..CrF.f4... .S.2=.b...,...W..hT..CrF.f4... .S.2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999896618565362
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8R2YjBA8nI.exe
File size:	77'302'708 bytes
MD5:	15d3e848e744aa25b6edbaefdf57bf3f
SHA1:	d6c429733e1f23b522b908aeb8a47d644f27d3b3
SHA256:	27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
SHA512:	c6c93121a6a98ce4b857cde3544189c8f9a3312f3a3ade9e7366fb26e625abb2860cca8ac1a9200b8a0982ce22b34962ef09746d43caa580b51ae381085606e5
SSDEEP:	1572864:9X0PbA0443v1abVn91uAsrTKaCSMehPEHz7FMosCyx7ry1PVsyw80Zbn9CIrQme:eTAVmaJjsrTKpSMehc7FMohyx7ry19PX
TLSH:	DC0833C9B708BB77C410DFB2AADCFB8B21F6D91015159D5E5AA14C47ACDE306036A2CB
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P.......................b...).

File Icon


Icon Hash:	01e0f2ccd4d4c400

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/07/2022 02:00:00 18/07/2024 01:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FA4A4B9B6D2h
cmp dword ptr [00417710h], ebx
jne 00007FA4A4B9B5BEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FA4A4B9B6A4h
push 00417048h
push 00417044h
call 00007FA4A4B9B68Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FA4A4B9B65Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x190d7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x49b629c	0x2918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x190d7	0x19200	aedf42f084dabb70902985d8cb8d4f42	False	0.14223802860696516	data	4.481844282645869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.42819148936170215
RT_ICON	0x1a670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.2767354596622889
RT_ICON	0x1b718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2513485477178423
RT_ICON	0x1dcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.17170524326877656
RT_ICON	0x21ee8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.09922512717378446
RT_GROUP_ICON	0x32710	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x3275c	0x350	data	English	United States	0.47523584905660377
RT_VERSION	0x32aac	0x3b0	data	Chinese	China	0.4523305084745763
RT_MANIFEST	0x32e5c	0x27b	ASCII text, with very long lines (635), with no line terminators	English	United States	0.5118110236220472

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States
Chinese	China

Target ID:	0
Start time:	11:26:59
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\8R2YjBA8nI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8R2YjBA8nI.exe"
Imagebase:	0x400000
File size:	77'302'708 bytes
MD5 hash:	15D3E848E744AA25B6EDBAEFDF57BF3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	11:27:11
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	11:27:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	11:27:11
Start date:	02/01/2025
Path:	C:\Users\Public\Bilite\Axialis\Update.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x130000
File size:	395'368 bytes
MD5 hash:	FB325C945A08D06FE91681179BDCCC66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true