Edit tour

Windows Analysis Report
SAMPLE_1.exe.bin.exe

Overview

General Information

Sample name:	SAMPLE_1.exe.bin.exe
Analysis ID:	1589195
MD5:	f02542574ac338840d4b35d2ee561054
SHA1:	7db77726c130fc3a9c2cfd5d8104814d057d984a
SHA256:	8db2fa5d8f7fb779c30dc96a1b2822243cc3b08bd596744fa7a62adc80a46fcc
Tags:	diablonetexeuser-notscamguru
Infos:

Detection

STRRAT

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected STRRAT

AI detected suspicious sample

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SAMPLE_1.exe.bin.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe" MD5: F02542574AC338840D4B35D2EE561054)

javaw.exe (PID: 6996 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

icacls.exe (PID: 7152 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: javaw.exe PID: 6996	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SAMPLE_1.exe.bin.exe	ReversingLabs: Detection: 79%
Source: SAMPLE_1.exe.bin.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 80.5% probability

Source: SAMPLE_1.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: SAMPLE_1.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: s3.timeweb.cloud

Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000001.00000002.1715443108.00000000099FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000001.00000002.1715443108.00000000099FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000001.00000002.1715443108.0000000009969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000001.00000002.1715443108.00000000099FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificat
Source: javaw.exe, 00000001.00000002.1715443108.0000000009C57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000001.00000002.1715443108.0000000009C57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000001.00000002.1715443108.0000000009A10000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1717292928.0000000014E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000001.00000002.1715443108.00000000099FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1717292928.0000000014F78000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.00000000047ED000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/;
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm3
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps;
Source: javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: javaw.exe, 00000001.00000002.1714718163.0000000004699000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.timeweb.cloud
Source: javaw.exe, 00000001.00000002.1715443108.0000000009A25000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004699000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.timeweb.cloud/dfd5ba43-9bd2500b-6a85-46a4-9e9c-1edaaf0ff6b9/latest.jar

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Code function: 0_2_00B98FD0

0_2_00B98FD0

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Code function: String function: 00B9B758 appears 40 times

Source: SAMPLE_1.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal60.troj.winEXE@6/3@1/1

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Code function: 0_2_00B91F36 GetLastError,fprintf,FormatMessageA,fprintf,strcat,strcat,LocalFree,fprintf,ShellExecuteA,

0_2_00B91F36

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Code function: 0_2_00B9206E fprintf,FindResourceExA,LoadResource,LockResource,fprintf,SetLastError,fputs,

0_2_00B9206E

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: SAMPLE_1.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SAMPLE_1.exe.bin.exe	ReversingLabs: Detection: 79%
Source: SAMPLE_1.exe.bin.exe	Virustotal: Detection: 67%

Source: unknown	Process created: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: SAMPLE_1.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: SAMPLE_1.exe.bin.exe

Static PE information: real checksum: 0x1f2cc should be: 0x189d9

Source: SAMPLE_1.exe.bin.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B91803 push edi; mov dword ptr [esp], ebx	0_2_00B91842
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B91803 push eax; mov dword ptr [esp], 00000000h	0_2_00B91A6A
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B91803 push ebx; mov dword ptr [esp], eax	0_2_00B91AEB
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B91803 push esi; mov dword ptr [esp], ebx	0_2_00B91BC8
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B9E827 push esi; ret	0_2_00B9E83A
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B915D0 push eax; mov dword ptr [esp], 00000000h	0_2_00B916BB
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B9F96A push ebx; ret	0_2_00B9F96B
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B91F36 push ecx; mov dword ptr [esp], 00BA9168h	0_2_00B91FF7
Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Code function: 0_2_00B9DB23 push es; iretd	0_2_00B9DC34
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02302608 push es; retn 0024h	1_2_0230260B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_022F8A11 push cs; retf	1_2_022F8A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_022FD07B push es; retn 0001h	1_2_022FD17F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225D8F7 push 00000000h; mov dword ptr [esp], esp	1_2_0225D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225A20A push ecx; ret	1_2_0225A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225A21B push ecx; ret	1_2_0225A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225BB67 push 00000000h; mov dword ptr [esp], esp	1_2_0225BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225B3B7 push 00000000h; mov dword ptr [esp], esp	1_2_0225B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225D8E0 push 00000000h; mov dword ptr [esp], esp	1_2_0225D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225B947 push 00000000h; mov dword ptr [esp], esp	1_2_0225B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_0225C477 push 00000000h; mov dword ptr [esp], esp	1_2_0225C49D

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: javaw.exe, 00000001.00000003.1682187273.000000001486B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000003.1682187273.000000001486B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.1714200579.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000001.00000003.1682187273.000000001486B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.1714200579.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000003.1682187273.000000001486B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000001.00000002.1714200579.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe

Code function: 0_2_00B91180 SetUnhandledExceptionFilter,GetCommandLineA,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,__getmainargs,

0_2_00B91180

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Code function: 1_2_022503C0 cpuid

1_2_022503C0

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6996 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected STRRAT

Source: Yara match

File source: Process Memory Space: javaw.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality

Yara detected STRRAT

Source: Yara match

File source: Process Memory Space: javaw.exe PID: 6996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Disable or Modify Tools	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SAMPLE_1.exe.bin.exe	79%	ReversingLabs	Win32.Trojan.Generic
SAMPLE_1.exe.bin.exe	68%	Virustotal		Browse

Source	Detection	Scanner	Label
HTTP://WWW.CHAMBERSIGN.ORG	0%	Avira URL Cloud	safe
http://repository.swisssign.com/;	0%	Avira URL Cloud	safe
http://www.quovadis.bm3	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3.timeweb.cloud	217.78.234.244	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	javaw.exe, 00000001.00000002.1715443108.0000000009C57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009969000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.timeweb.cloud	javaw.exe, 00000001.00000002.1714718163.0000000004699000.00000004.00000800.00020000.00000000.sdmp	false		high
http://java.oracle.com/	javaw.exe, 00000001.00000002.1715443108.000000000999A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1717292928.0000000014E66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.00000000047ED000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com	javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/;	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	javaw.exe, 00000001.00000002.1715443108.0000000009B0C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps;	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.timeweb.cloud/dfd5ba43-9bd2500b-6a85-46a4-9e9c-1edaaf0ff6b9/latest.jar	javaw.exe, 00000001.00000002.1715443108.0000000009A25000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004699000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm3	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	javaw.exe, 00000001.00000002.1715443108.0000000009C50000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	javaw.exe, 00000001.00000002.1714718163.0000000004400000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	javaw.exe, 00000001.00000002.1714718163.00000000048AA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1717292928.0000000014F78000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1715443108.0000000009B98000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.78.234.244	s3.timeweb.cloud	Russian Federation		197349	SKYLINEWIMAXRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589195
Start date and time:	2025-01-11 16:23:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SAMPLE_1.exe.bin.exe
Detection:	MAL
Classification:	mal60.troj.winEXE@6/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 37 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target javaw.exe, PID 6996 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
217.78.234.244	https://s3.timeweb.cloud/8df544ea-67s89du678we90alkfdxzmndeoiewzxcfd/unlimitedscalabilitypossibilities%20/staff-payroll-review.html#sbarnes@clc.org.au	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3.timeweb.cloud	https://s3.timeweb.cloud/8df544ea-67s89du678we90alkfdxzmndeoiewzxcfd/unlimitedscalabilitypossibilities%20/staff-payroll-review.html#sbarnes@clc.org.au	Get hash	malicious	Unknown	Browse	217.78.234.244
	https://zapp-p.com/qouta/#test@test.com	Get hash	malicious	Unknown	Browse	217.78.234.243
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINEWIMAXRU	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.105.196.145
	https://s3.timeweb.cloud/8df544ea-67s89du678we90alkfdxzmndeoiewzxcfd/unlimitedscalabilitypossibilities%20/staff-payroll-review.html#sbarnes@clc.org.au	Get hash	malicious	Unknown	Browse	217.78.234.244
	https://zapp-p.com/qouta/#test@test.com	Get hash	malicious	Unknown	Browse	217.78.234.243
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	http://storage.googleapis.com/dfg153erh35ef1gdr/dfgremjflmgr.html#file.html?cbbbbcccXBYFczBrVcdc9kc8cJhS7ckzFcbbbbc	Get hash	malicious	Unknown	Browse	217.78.233.205
	http://decreesling.com	Get hash	malicious	Unknown	Browse	217.78.233.53
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	217.78.239.114
	gO6RAJaFXe.elf	Get hash	malicious	Mirai	Browse	91.105.196.153
	https://sbatlahfirahfoudggetgd.blob.core.windows.net/sbatlahfirahfoudggetgd/1.html?4x7m3FDkTJEczP1p2GRZZoiIdhHjYH24UjAz6N4wmzBMUGDTAWle1uoy4RUBNdG4utah6kZSk2nPrPIYhawSIHt5qk2ermrWyswH#cl/26427_md/7/21449/5023/19036/1614238	Get hash	malicious	HTMLPhisher	Browse	217.78.233.95

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.950063756436211
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USIr4vn:oJ5bIr4v
MD5:	EDC5292C8C0EBA0E4F3E13DD7280672D
SHA1:	6FBAF9759C05C0074A14FC0BC8A3D92CFE4CFC0C
SHA-256:	3B0377DC5D6D63397A833F6014956E3AF31E37E06E1F70890652A711D675F14D
SHA-512:	AFB9E1277115CA1BDF688B28A78627FB5872725ED6D1B1FB47EEABC23F0FC78454749089C57B29A2990A910A7FC682FD7F927C3FB904357367CDD68A56AD86D7
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736609037522..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6996

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2841784882305851
Encrypted:	false
SSDEEP:	96:X/9VrhX8Gic8ksGiD6BEMlwxUA6erQeSTTHG1bowm:X/h8Gic8ksGiD6bAkFfHGd
MD5:	19F3AA9F412CDCE00116ACD12B22CE6B
SHA1:	81A8BDE03043B0922FC32C89E033BCC9F7DF9898
SHA-256:	75A50F67EBC90515D1805195A68F829A75F8B4614C95252D86911A07DAABA3E0
SHA-512:	E0FBB1665A27CDE447E046E6A4F8CCE31BE232A5D6A42D79A1A10B434FCF9CC3F62810735EA6B83863534D82708E659E4189D932C50053A9BCDF412BD69373AF
Malicious:	false
Reputation:	low
Preview:	.........9........?..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................J2SE.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.379871493676221
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SAMPLE_1.exe.bin.exe
File size:	69'759 bytes
MD5:	f02542574ac338840d4b35d2ee561054
SHA1:	7db77726c130fc3a9c2cfd5d8104814d057d984a
SHA256:	8db2fa5d8f7fb779c30dc96a1b2822243cc3b08bd596744fa7a62adc80a46fcc
SHA512:	909d152a058310c12c783a2b9ef3606707c748a582d6c577b697c1e5a7e4f89b31a991ac5ab74484ae1246eb71dbfe43ac1b982a3ac08b12d35d1b82278ef607
SSDEEP:	1536:ir3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/E0+:m7PEg3qcv5PvB/Eh
TLSH:	34637D0AFA07A0F6EF37513445CFE67F8638A612C421DD6AFF0E6B59F9235526818213
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O=wg...............".....R....................@.......................................@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401590
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x67773D4F [Fri Jan 3 01:28:47 2025 UTC]
TLS Callbacks:	0x404fe0, 0x404f90
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f2702872592229d2f4cb1162cfbc55b

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [0041A36Ch]
call 00007F3F7C7EB480h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
mov eax, dword ptr [0041A3B4h]
jmp eax
mov esi, esi
lea edi, dword ptr [edi+00000000h]
mov eax, dword ptr [0041A398h]
jmp eax
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
cmp dword ptr [0041000Ch], 00000000h
je 00007F3F7C7EB932h
mov eax, dword ptr [0040C000h]
test eax, eax
jne 00007F3F7C7EB8FEh
mov eax, dword ptr [00410A24h]
mov dword ptr [esp+04h], 00000000h
mov dword ptr [0041000Ch], 00000000h
mov dword ptr [esp], eax
call 00007F3F7C7F5C02h
cmp dword ptr [00410A20h], 00000000h
push eax
push eax
je 00007F3F7C7EB8FBh
cmp dword ptr [00410A28h], 00000000h
je 00007F3F7C7EB8F2h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+04h], 00000001h
mov dword ptr [esp], eax
call 00007F3F7C7F5C1Bh
push eax
push eax
call 00007F3F7C7EC1A2h
mov dword ptr [esp], 00000000h
call 00007F3F7C7F5BF0h
push eax
jmp 00007F3F7C7EB8C9h
sub eax, 64h
cmp dword ptr [00410A20h], 00000000h
mov dword ptr [0040C000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a000	0xe28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0x714	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1c004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a29c	0x210	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab20	0xac00	a8d7ee6c93480cc7f0558d955ddad8a6	False	0.5515307049418605	data	6.253230225914212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xc000	0x28	0x200	5a57f321ae6f68794e78fba852a0ca30	False	0.08203125	data	0.3124291846600516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xd000	0xf18	0x1000	38fcaadbc82d759c822735974f5e0045	False	0.426025390625	data	5.553999411863391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0xe000	0x1d10	0x1e00	9e2ddb9db862af03aae6cf976d81070c	False	0.33359375	data	4.882088912516699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x10000	0x9668	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1a000	0xe28	0x1000	f3f34beb12ab4e6fa44d8ec2bd39e3b3	False	0.369873046875	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.922852717723951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1b000	0x18	0x200	680b5a97669538b6c270dcf63aeae555	False	0.04296875	data	0.11446338125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1c000	0x20	0x200	1d22717eb27005d2f0f43537e6a1e267	False	0.05859375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x4e0	0x600	bd00a480ffee7c64641e8527e855c647	False	0.3665364583333333	data	3.8151140241026646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e000	0x714	0x800	01dcc9956cb8440cd1d331bd3ac2957f	False	0.78271484375	data	6.201148186844163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x1d1f0	0x26	data	1.2105263157894737
RT_RCDATA	0x1d218	0x6	data	2.3333333333333335
RT_RCDATA	0x1d220	0x5	ASCII text, with no line terminators	2.6
RT_RCDATA	0x1d228	0x3	ASCII text, with no line terminators	3.6666666666666665
RT_RCDATA	0x1d230	0x32	data	1.16
RT_RCDATA	0x1d268	0x36	data	1.1296296296296295
RT_RCDATA	0x1d2a0	0x35	ASCII text, with no line terminators	1.1320754716981132
RT_RCDATA	0x1d2d8	0x68	data	0.875
RT_MANIFEST	0x1d340	0x19d	XML 1.0 document, ASCII text	0.5520581113801453

Imports

DLL	Import
advapi32.dll	RegCloseKey, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA
kernel32.dll	CloseHandle, CreateMutexA, CreatePipe, CreateProcessA, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindResourceExA, FormatMessageA, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetEnvironmentVariableA, GetExitCodeProcess, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GlobalMemoryStatusEx, InitializeCriticalSection, InterlockedExchange, IsDBCSLeadByteEx, LeaveCriticalSection, LoadResource, LocalFree, LockResource, MultiByteToWideChar, ReadFile, SetEnvironmentVariableA, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_strdup, _stricoll
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _chdir, _close, _errno, _findclose, _findfirst, _findnext, _fullpath, _iob, _itoa, _onexit, _open, _read, _setmode, _stat64, _stricmp, abort, atexit, atoi, calloc, fclose, fopen, fprintf, fputc, fputs, free, fwrite, getenv, isspace, localeconv, malloc, mbstowcs, memcpy, printf, puts, realloc, setlocale, signal, strcat, strchr, strcmp, strcoll, strcpy, strlen, strncat, strncpy, strpbrk, strrchr, strstr, strtok, tolower, vfprintf, wcslen, wcstombs
shell32.dll	ShellExecuteA
user32.dll	CreateWindowExA, DispatchMessageA, EnumWindows, FindWindowExA, GetMessageA, GetSystemMetrics, GetWindowLongA, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, KillTimer, LoadImageA, MessageBoxA, PostQuitMessage, SendMessageA, SetForegroundWindow, SetTimer, SetWindowPos, ShowWindow, TranslateMessage, UpdateWindow

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 16:24:00.063337088 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.063391924 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.063509941 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.189841032 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.189862967 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.882973909 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.883064032 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.903944969 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.903976917 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.978401899 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.978418112 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.978609085 CET	49730	443	192.168.2.4	217.78.234.244
Jan 11, 2025 16:24:00.978852987 CET	443	49730	217.78.234.244	192.168.2.4
Jan 11, 2025 16:24:00.978923082 CET	49730	443	192.168.2.4	217.78.234.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 16:24:00.052258968 CET	60066	53	192.168.2.4	1.1.1.1
Jan 11, 2025 16:24:00.060075998 CET	53	60066	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 16:24:00.052258968 CET	192.168.2.4	1.1.1.1	0xba1	Standard query (0)	s3.timeweb.cloud	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 16:24:00.060075998 CET	1.1.1.1	192.168.2.4	0xba1	No error (0)	s3.timeweb.cloud		217.78.234.244	A (IP address)	IN (0x0001)	false
Jan 11, 2025 16:24:00.060075998 CET	1.1.1.1	192.168.2.4	0xba1	No error (0)	s3.timeweb.cloud		217.78.234.243	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:23:56
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"
Imagebase:	0xb90000
File size:	69'759 bytes
MD5 hash:	F02542574AC338840D4B35D2EE561054
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:23:57
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"
Imagebase:	0x450000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:23:57
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x850000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:23:57
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1404
Total number of Limit Nodes:	40

Executed Functions

Function 00B91180 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00B911B5
GetCommandLineA.KERNEL32 ref: 00B911D4

Strings

", xrefs: 00B914E0

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled
String ID: "
API String ID: 3189701131-123907689
Opcode ID: 3f62b84786dc569236daeaa5c9a58d9f83c5e232de710c89f80a01d7f5435f54
Instruction ID: c155eaf34e3df0d40192cc4e59689398e3fea6e78d75661522a06851192402a2
Opcode Fuzzy Hash: 3f62b84786dc569236daeaa5c9a58d9f83c5e232de710c89f80a01d7f5435f54
Instruction Fuzzy Hash: 9791BE70E083068FDF20EFACC98576EBBE1EB99350F0989B9D449C7341E77498459B12

Function 00B91803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32 ref: 00B9183B
SetForegroundWindow.USER32(00000000), ref: 00B91845

Part of subcall function 00B91D21: fclose.MSVCRT ref: 00B91D33

strstr.MSVCRT ref: 00B9187E
strstr.MSVCRT ref: 00B918C7
CreateWindowExA.USER32 ref: 00B91945
atoi.MSVCRT ref: 00B91985
strstr.MSVCRT ref: 00B919CD
LoadImageA.USER32 ref: 00B91A1B

Strings

@, xrefs: 00B919EB
--l4j-no-splash, xrefs: 00B91873
--l4j-no-splash-err, xrefs: 00B919C2
--l4j-dont-wait, xrefs: 00B918BC
d, xrefs: 00B91B16
Exit code:%d, restarting the application!, xrefs: 00B91BF3
Exit code:0, xrefs: 00B91B7B
STATIC, xrefs: 00B91936
Exit code:%d, xrefs: 00B91C2D

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Windowstrstr$CreateForegroundImageLoadShowatoifclose
String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$@$Exit code:%d$Exit code:%d, restarting the application!$Exit code:0$STATIC$d
API String ID: 326098631-3010709316
Opcode ID: d1104ae2bce292b91d34bf2ea1c2f65bb04e61cff9f60839e020e21397f8f63e
Instruction ID: f2a6a8bd270ab7b1215424b64a0a485457cf863b70812144a8e8599ae92cb839
Opcode Fuzzy Hash: d1104ae2bce292b91d34bf2ea1c2f65bb04e61cff9f60839e020e21397f8f63e
Instruction Fuzzy Hash: 3CB157B05193069FEB10FF69DA9571EBBE4EF84304F018CBDE4849B251DBB98844EB52

Function 00B9449F Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B944CE
fputs.MSVCRT ref: 00B94512
fprintf.MSVCRT ref: 00B9457B
strtok.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94591
strrchr.MSVCRT ref: 00B945B6
strrchr.MSVCRT ref: 00B945C8
_stricmp.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B945E2
_stricmp.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94608
strncpy.MSVCRT ref: 00B94624
strcpy.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94632
strcpy.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94669
strncpy.MSVCRT ref: 00B94685
strcpy.MSVCRT ref: 00B946F2
strtok.MSVCRT(00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B9470D

Strings

C:\Program Files (x86)\Java\jre-1.8, xrefs: 00B946DD
JRE paths:%s, xrefs: 00B94570
JRE:Cannot use 64-bit runtime on 32-bit OS., xrefs: 00B9450B
pathJreSearch(), xrefs: 00B944C7
/bin, xrefs: 00B945FD
", xrefs: 00B94637
:, xrefs: 00B94655
\bin, xrefs: 00B945D7

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcpy$_stricmpfputsstrncpystrrchrstrtok$fprintf
String ID: "$/bin$:$C:\Program Files (x86)\Java\jre-1.8$JRE paths:%s$JRE:Cannot use 64-bit runtime on 32-bit OS.$\bin$pathJreSearch()
API String ID: 851780383-1987966701
Opcode ID: adfb7cfbfdfa09e12cce9432e9812a7d87704f896a6b08ac03b1a73539c9a973
Instruction ID: 0feb05f8a2a7b55ccf640a2ae207d6f847386d698e53927b998d6341388cbccc
Opcode Fuzzy Hash: adfb7cfbfdfa09e12cce9432e9812a7d87704f896a6b08ac03b1a73539c9a973
Instruction Fuzzy Hash: 316158B15097049BDF10AF65D684A69BBE0FF49744F0188FDE4C887211DB78D986CF52

Function 00B95880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00B95894
memcpy.MSVCRT ref: 00B958B8

Part of subcall function 00B95F50: setlocale.MSVCRT ref: 00B95F6B
Part of subcall function 00B95F50: _strdup.MSVCRT ref: 00B95F79
Part of subcall function 00B95F50: setlocale.MSVCRT ref: 00B95F8F
Part of subcall function 00B95F50: wcstombs.MSVCRT ref: 00B95FB4
Part of subcall function 00B95F50: realloc.MSVCRT ref: 00B95FC8
Part of subcall function 00B95F50: wcstombs.MSVCRT ref: 00B95FE1
Part of subcall function 00B95F50: setlocale.MSVCRT ref: 00B95FF1
Part of subcall function 00B95F50: free.MSVCRT ref: 00B95FF9

Part of subcall function 00B954D0: malloc.MSVCRT ref: 00B954ED

strlen.MSVCRT ref: 00B95944
_strdup.MSVCRT ref: 00B9598C

Strings

\, xrefs: 00B95E43

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: setlocale$_strdupstrlenwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 1024038994-2967466578
Opcode ID: da90e0c67056dd01a88ecb7fc55e7a5d58667241552077ce2ddc202f01351434
Instruction ID: 8bd3aafcce3cfb83bd7786aea7d890afc66e686b8a1439615bc191dcf5182c29
Opcode Fuzzy Hash: da90e0c67056dd01a88ecb7fc55e7a5d58667241552077ce2ddc202f01351434
Instruction Fuzzy Hash: F602AC71A48B188FDF25DFA8D4847ADBBF1EF49300F1885B9E885AB346E7349841CB51

Function 00B95F50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00B95F6B
_strdup.MSVCRT ref: 00B95F79
setlocale.MSVCRT ref: 00B95F8F
wcstombs.MSVCRT ref: 00B95FB4
realloc.MSVCRT ref: 00B95FC8
wcstombs.MSVCRT ref: 00B95FE1
setlocale.MSVCRT ref: 00B95FF1
free.MSVCRT ref: 00B95FF9

Strings

/, xrefs: 00B9630C

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: setlocale$wcstombs$_strdupfreerealloc
String ID: /
API String ID: 2293806352-2043925204
Opcode ID: 9cacd5619bc5f0850fcef367972c77eb4db01cfa7fa31b704a8c3739afe9e277
Instruction ID: 6c09aa133f63438f1bab54fa07d5370efde46bab2823ac10de1d5cdd8fff126f
Opcode Fuzzy Hash: 9cacd5619bc5f0850fcef367972c77eb4db01cfa7fa31b704a8c3739afe9e277
Instruction Fuzzy Hash: 65B15971904229CBCF20AFA8C485AAEFBF1FF48740F5585BEE485A7251E3759C81CB61

Function 00B91D3A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,00B948EF,?,?,00000000,?,00B91822), ref: 00B91D7A
strstr.MSVCRT ref: 00B91D8D
strstr.MSVCRT ref: 00B91DA1
strstr.MSVCRT ref: 00B91DCD
strstr.MSVCRT ref: 00B91DE6
fprintf.MSVCRT ref: 00B91E14
fprintf.MSVCRT ref: 00B91E35

Strings

3.50, xrefs: 00B91E01
debug, xrefs: 00B91D96
debug-all, xrefs: 00B91DDB
Launch4j, xrefs: 00B91D73
Version:%s, xrefs: 00B91E09
--l4j-debug, xrefs: 00B91D82
--l4j-debug-all, xrefs: 00B91DC2
CmdLine:%s %s, xrefs: 00B91E2A

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strstr$fprintf$EnvironmentVariable
String ID: Version:%s$--l4j-debug$--l4j-debug-all$3.50$CmdLine:%s %s$Launch4j$debug$debug-all
API String ID: 1078084263-4240183270
Opcode ID: 93c889d32692d83db93f98794837d306b1a7360826ee6909064f4da4a100320a
Instruction ID: cd2a7ab003fdb0cebc22f382604f35e5c0e2d29f3083336b17acbe9c6fe2f313
Opcode Fuzzy Hash: 93c889d32692d83db93f98794837d306b1a7360826ee6909064f4da4a100320a
Instruction Fuzzy Hash: AB217AB15187029BCF10AF3ADA8556EBBE4EF84740F01CCBDE88887300DB74D8459B52

Function 00B94890 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B91C58: GetModuleHandleA.KERNEL32 ref: 00B91C6D
Part of subcall function 00B91C58: strcpy.MSVCRT ref: 00B91C8B

fprintf.MSVCRT ref: 00B94920
fprintf.MSVCRT ref: 00B9498C

Strings

Launcher:%s, xrefs: 00B94A6B
JNI:%s, xrefs: 00B9490E
Startup error message not defined., xrefs: 00B94979
Launcher args:%s, xrefs: 00B94A8C
Args length:%d/32768 chars, xrefs: 00B94AB2
Yes, xrefs: 00B94904
-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe", xrefs: 00B94A04, 00B94A37, 00B94A84, 00B94AA6
Error:%s, xrefs: 00B94981

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$HandleModulestrcpy
String ID: -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"$Args length:%d/32768 chars$Error:%s$JNI:%s$Launcher args:%s$Launcher:%s$Startup error message not defined.$Yes
API String ID: 3713479259-718770430
Opcode ID: ada656a6a73661fa6f18661f4c1488cae3e05f1e815e27ebb79adb6ec746696d
Instruction ID: 23e6e13cba1930cf828daee0e5317b8e5be78bd552f15dcf105faaccfa09bf9c
Opcode Fuzzy Hash: ada656a6a73661fa6f18661f4c1488cae3e05f1e815e27ebb79adb6ec746696d
Instruction Fuzzy Hash: 935167B19087019BDF10BF75C981A1EBAE4EF85750F1189BDE8C88B351DBB4C986CB52

Function 00B93E88 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00B93ECC
RegOpenKeyExA.ADVAPI32 ref: 00B93EFC
RegEnumKeyExA.ADVAPI32 ref: 00B93F83
strcpy.MSVCRT ref: 00B93FA3
fprintf.MSVCRT ref: 00B93FCC
strcpy.MSVCRT ref: 00B9401D
fprintf.MSVCRT ref: 00B94042
fprintf.MSVCRT ref: 00B94067
RegCloseKey.ADVAPI32 ref: 00B9408A

Strings

Match:%s, xrefs: 00B94037
%s-bit search:%s..., xrefs: 00B93EC1
Ignore:%s, xrefs: 00B9405C
Check:%s, xrefs: 00B93FC1

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$strcpy$CloseEnumOpen
String ID: %s-bit search:%s...$Check:%s$Ignore:%s$Match:%s
API String ID: 3338988320-103288940
Opcode ID: 8ed59a61a3a7da2d6eb38528c857487351fc78854cc0aa8e897d6b4e30f33a08
Instruction ID: 854f9091ad05a9419194c34e02082e08ddc83a297da06988271e8d2a2591b965
Opcode Fuzzy Hash: 8ed59a61a3a7da2d6eb38528c857487351fc78854cc0aa8e897d6b4e30f33a08
Instruction Fuzzy Hash: 7D5118B19083149BCB10EF65D58569EBBF4FF88704F4188BDE88897311D7749A85CF82

Function 00B940F7 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 61
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B9411A
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00B9487D,?,?,00000000,?), ref: 00B941CE
fprintf.MSVCRT ref: 00B94208

Strings

C:\Program Files (x86)\Java\jre-1.8, xrefs: 00B941C3
SOFTWARE\IBM\Java Development Kit, xrefs: 00B9417F, 00B941A9
SOFTWARE\JavaSoft\JRE, xrefs: 00B94149
SOFTWARE\JavaSoft\Java Development Kit, xrefs: 00B94134
SOFTWARE\JavaSoft\Java Runtime Environment, xrefs: 00B94128
SOFTWARE\IBM\Java Runtime Environment, xrefs: 00B94173
SOFTWARE\JavaSoft\JDK, xrefs: 00B94155
findRegistryJavaHome(), xrefs: 00B94113
SOFTWARE\IBM\Java2 Runtime Environment, xrefs: 00B9419D
Runtime used:%s (%s-bit), xrefs: 00B941FD

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintffputsstrcpy
String ID: C:\Program Files (x86)\Java\jre-1.8$Runtime used:%s (%s-bit)$SOFTWARE\IBM\Java Development Kit$SOFTWARE\IBM\Java Runtime Environment$SOFTWARE\IBM\Java2 Runtime Environment$SOFTWARE\JavaSoft\JDK$SOFTWARE\JavaSoft\JRE$SOFTWARE\JavaSoft\Java Development Kit$SOFTWARE\JavaSoft\Java Runtime Environment$findRegistryJavaHome()
API String ID: 1909795467-2117825052
Opcode ID: 2a4f71a160adc2247e23e918922a7ea95ad197882581ccdc99a6eb526b34c7b5
Instruction ID: 8289aff9581d17237d862935611ebf9bc300a42871e3cf3ffb32211bdb5c1a48
Opcode Fuzzy Hash: 2a4f71a160adc2247e23e918922a7ea95ad197882581ccdc99a6eb526b34c7b5
Instruction Fuzzy Hash: 32213C715193048EDF147F65D406B187BE0EB56318F4289BCA5C457652DFB844C5CF12

Function 00B92657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 00B9269E
_stat64.MSVCRT ref: 00B926B8
fprintf.MSVCRT ref: 00B927C0
SetLastError.KERNEL32 ref: 00B927D0
strcpy.MSVCRT ref: 00B927FA
_stat64.MSVCRT ref: 00B9281C
fprintf.MSVCRT ref: 00B92924

Strings

Check launcher:%s %s, xrefs: 00B927B5
Check javac:%s %s, xrefs: 00B92919
(not found), xrefs: 00B927A5, 00B92909
(OK), xrefs: 00B9279E, 00B92902
bin\javac.exe, xrefs: 00B927FF

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _stat64fprintfstrcpy$ErrorLast
String ID: (OK)$(not found)$Check javac:%s %s$Check launcher:%s %s$bin\javac.exe
API String ID: 2531230949-2473518738
Opcode ID: 4ce279bde88609066b6f272bf536a23ab8b01eaf3972ba552185b46a89932603
Instruction ID: 2b7251e43662fe5647f90969c9b39d6e17d889cfb1d9ca1520053c3f68cdeb3b
Opcode Fuzzy Hash: 4ce279bde88609066b6f272bf536a23ab8b01eaf3972ba552185b46a89932603
Instruction Fuzzy Hash: A2810274D056289BCF60DF29C888699B7F1EF98310F1086E9E84CA3354EB749E85DF41

Function 00B94726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B9474A
fprintf.MSVCRT ref: 00B94788
fprintf.MSVCRT ref: 00B947C6
fprintf.MSVCRT ref: 00B9480F
fprintf.MSVCRT ref: 00B94858

Strings

Requires JDK:%s, xrefs: 00B9477D
Java max ver:%s, xrefs: 00B9484D
Java min ver:%s, xrefs: 00B94804
jreSearch(), xrefs: 00B94743
Requires 64-Bit: %s, xrefs: 00B947BB
Yes, xrefs: 00B9476C, 00B947AA

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$fputs
String ID: Java max ver:%s$Java min ver:%s$Requires 64-Bit: %s$Requires JDK:%s$Yes$jreSearch()
API String ID: 1801251168-2968954267
Opcode ID: 54731310bd895bf04f6442b0e4f5046a97a15b2db43976679e84fcf494937caa
Instruction ID: 0b66b81a756685b8ff4dff56e2357342fee53fa3ff360e361d15ff0cad1a547f
Opcode Fuzzy Hash: 54731310bd895bf04f6442b0e4f5046a97a15b2db43976679e84fcf494937caa
Instruction Fuzzy Hash: 89312BB16193049FDF04BFB9D545A2EBAE4EF86704F1088BCE4988B751EB78C841CB12

Function 00B92E9D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

strcat.MSVCRT ref: 00B92ED1
strncpy.MSVCRT ref: 00B92F02
strcat.MSVCRT ref: 00B92F12
_open.MSVCRT ref: 00B92F22
fprintf.MSVCRT ref: 00B92F4C
_read.MSVCRT ref: 00B92F82
strcat.MSVCRT ref: 00B92FE3
_close.MSVCRT ref: 00B92FF1

Strings

Loading:%s, xrefs: 00B92F41
l4j.ini, xrefs: 00B92F07

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Resourcefprintfstrcat$FindLoadLock_close_open_readstrncpy
String ID: Loading:%s$l4j.ini
API String ID: 1951458220-28774081
Opcode ID: 65f8b6ab321c19bfb9af0320196c090609fda076d786f245a18047ee17dae575
Instruction ID: bb464f92c4946abb67c662629b0461e0729349be964a6ee2494bde14522bffe5
Opcode Fuzzy Hash: 65f8b6ab321c19bfb9af0320196c090609fda076d786f245a18047ee17dae575
Instruction Fuzzy Hash: EA41A271D08704ABDF109F74D5847AEBBE0EB85350F1589BDE8889B381D778D8808B92

Function 00B963F0 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fullpath.MSVCRT ref: 00B96427
malloc.MSVCRT ref: 00B96479
memcpy.MSVCRT ref: 00B9649C
_findfirst.MSVCRT ref: 00B964AF
strncpy.MSVCRT ref: 00B9651C
_errno.MSVCRT ref: 00B965F1
_errno.MSVCRT ref: 00B96622

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _errno$_findfirst_fullpathmallocmemcpystrncpy
String ID:
API String ID: 114964343-0
Opcode ID: 617703f76fd749dff74b2c6018ee418b6078d3074324700df7586d43ea141d78
Instruction ID: 2be24919a08d8fb9840cb89b6d25f414fed7ad3c09a5d81b19dc58117e88ac12
Opcode Fuzzy Hash: 617703f76fd749dff74b2c6018ee418b6078d3074324700df7586d43ea141d78
Instruction Fuzzy Hash: 3C51A0B01047048FDB20DF68C88579AB7E1EF89300F498ABDE4D9C7255E778E884CB52

Function 00B93A11 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77
stringprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 00B93A69
strcat.MSVCRT ref: 00B93A79
strcat.MSVCRT ref: 00B93A89
strcat.MSVCRT ref: 00B93A99
CreateProcessA.KERNEL32 ref: 00B93AE6
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,00000000,?,00B91B58), ref: 00B93B08
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00B93B1B

Part of subcall function 00B939ED: CloseHandle.KERNEL32 ref: 00B939FB
Part of subcall function 00B939ED: CloseHandle.KERNEL32(00000000), ref: 00B93A09

Strings

D, xrefs: 00B93A48
-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe", xrefs: 00B93A8E

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$CloseHandleProcess$CodeCreateExitObjectSingleWaitstrcpy
String ID: -jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"$D
API String ID: 3105771607-2552213272
Opcode ID: 710d6ec9df540c7ee16fedede21152fbaebda433385fc053d40fe7c22d07e697
Instruction ID: b1080a52377796b619d4fdec0616b777837df1bec128d0f6b040da8a73207263
Opcode Fuzzy Hash: 710d6ec9df540c7ee16fedede21152fbaebda433385fc053d40fe7c22d07e697
Instruction Fuzzy Hash: F731A2B1409304DFDB10AF14D58475EFBE4FB85724F4089ADE4885B340CB759649CF92

Function 00B96640 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 00B9666F
_findnext.MSVCRT ref: 00B96687
strncpy.MSVCRT ref: 00B966E2
strlen.MSVCRT ref: 00B966EE
GetLastError.KERNEL32 ref: 00B9675F
_errno.MSVCRT ref: 00B9676B
_errno.MSVCRT ref: 00B9678D

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _errno$ErrorLast_findnextstrlenstrncpy
String ID:
API String ID: 2306919634-0
Opcode ID: 91a493b97e1567579b3ad9968e914a421ba7be3c6a2e9bf5d9fabaac9b9aaaf8
Instruction ID: 49d7b3fc014d680615eff7b957050c5a8a3ed40614bb08cf1bc9cb7ec43d352b
Opcode Fuzzy Hash: 91a493b97e1567579b3ad9968e914a421ba7be3c6a2e9bf5d9fabaac9b9aaaf8
Instruction Fuzzy Hash: C6415B756042018BCF10DFA8C5C569ABBE1EF85318F1986B9EC488F346D738DD45CBA2

Function 00B912B9 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

_setmode.MSVCRT ref: 00B913AB
_setmode.MSVCRT ref: 00B913BF
_setmode.MSVCRT ref: 00B913D3
__p__fmode.MSVCRT ref: 00B913D8
__p__environ.MSVCRT ref: 00B913F2
_cexit.MSVCRT ref: 00B91415
ExitProcess.KERNEL32 ref: 00B9141D
__getmainargs.MSVCRT ref: 00B9153C

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _setmode$ExitProcess__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 2438820944-0
Opcode ID: 55b7f865036942288a5f7755d87b8eb8580f25884ddd16a5d3e3e26469a52574
Instruction ID: 312b223e8486f5b990080cce90b9d9d48bb9ad1279e99167b4bdb16d90b1aeb5
Opcode Fuzzy Hash: 55b7f865036942288a5f7755d87b8eb8580f25884ddd16a5d3e3e26469a52574
Instruction Fuzzy Hash: 68414774E153058FDF60EF69D981B5EBBE1EB99310F0A89B9E848C7311EB349840DB12

Function 00B9293E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00B92992
RegQueryValueExA.ADVAPI32 ref: 00B929F2
RegCloseKey.ADVAPI32 ref: 00B92A1C
strcpy.MSVCRT(00000000), ref: 00B92A31

Strings

C:\Program Files (x86)\Java\jre-1.8, xrefs: 00B92A2A
JavaHome, xrefs: 00B929DD

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CloseOpenQueryValuestrcpy
String ID: C:\Program Files (x86)\Java\jre-1.8$JavaHome
API String ID: 1410419071-2792304130
Opcode ID: 179a35c42cf1bd21b90a478ff6f0e0d559b6e4e3203c48616acb991fbafca404
Instruction ID: 2acb252433f312be28edf6064972d6a1c2e8723d0c1187f8c7a54bb8fb4e3e4d
Opcode Fuzzy Hash: 179a35c42cf1bd21b90a478ff6f0e0d559b6e4e3203c48616acb991fbafca404
Instruction Fuzzy Hash: 8A217171909319AFDF20DF68D88479AFBF4EB48304F0084BDE98897201D7709A888F92

Function 00B92E1F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00B92E36

Part of subcall function 00B92CCE: fprintf.MSVCRT ref: 00B92D81
Part of subcall function 00B92CCE: fprintf.MSVCRT ref: 00B92DC3
Part of subcall function 00B92CCE: strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,00B92E6A), ref: 00B92DD5
Part of subcall function 00B92CCE: _itoa.MSVCRT ref: 00B92DFC

Strings

@, xrefs: 00B92E2F
-Xms, xrefs: 00B92E4D
-Xmx, xrefs: 00B92E73

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$GlobalMemoryStatus_itoastrcat
String ID: -Xms$-Xmx$@
API String ID: 1064291243-2676391021
Opcode ID: d57c4b041cf42196409a1331823de75b3eab5bf64ba3e316b01768f781b08447
Instruction ID: 60ddf123f6a22305919ea589125a419a4ec239c0048053b71e26288d72090b1a
Opcode Fuzzy Hash: d57c4b041cf42196409a1331823de75b3eab5bf64ba3e316b01768f781b08447
Instruction Fuzzy Hash: 350180B0909309AFDB00EF55D185A8EFBF4EF88308F50886CE588A7340D3B499499B56

Function 00B95E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B954D0: malloc.MSVCRT ref: 00B954ED

strlen.MSVCRT ref: 00B95EC1
_strdup.MSVCRT ref: 00B95F0B

Strings

glob-1.0-mingw32, xrefs: 00B95E7F, 00B95E8E

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _strdupmallocstrlen
String ID: glob-1.0-mingw32
API String ID: 3776109042-3253302226
Opcode ID: e9f8f8359af05a6e336df1f4b2dc35b06bb979f03f132406ae931d0df05d57f2
Instruction ID: 477121202564cf44ae54c58e9b1e23276485ccd81c12446760265a2a9ac226c4
Opcode Fuzzy Hash: e9f8f8359af05a6e336df1f4b2dc35b06bb979f03f132406ae931d0df05d57f2
Instruction Fuzzy Hash: D2115EB2A54A044BCF21AF69D88129DBBE1EF51310F5845F9EC9047346E3329A45C7A1

Function 00B9BA30 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00B9BA48
GetStartupInfoA.KERNEL32 ref: 00B9BA55
GetModuleHandleA.KERNEL32 ref: 00B9BABB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CommandHandleInfoLineModuleStartup
String ID:
API String ID: 1628297973-0
Opcode ID: 24ab8eb71bb645cf36de499fa8a534a93647ab79a2c1463b5c0ad30472aac9a0
Instruction ID: 8425b8e9033cd6c07a7139d64c6fa861a9b7a135918ec7d51c61e8a1f307a7aa
Opcode Fuzzy Hash: 24ab8eb71bb645cf36de499fa8a534a93647ab79a2c1463b5c0ad30472aac9a0
Instruction Fuzzy Hash: 572107B284432849DF305BA9BBC5BF8BFE1DB16310F8400FADCD046195EB615986D66B

Function 00B967A0 Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 00B967B6
free.MSVCRT ref: 00B967C4
_errno.MSVCRT ref: 00B967D1

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _errno_findclosefree
String ID:
API String ID: 531968878-0
Opcode ID: c384672c9782469b7d01815495fe31bd96caf040fa83a3d94504463f27ecc95e
Instruction ID: 2775f22003250b58ec5c250b50c2d37653c12a8474f68d1bb573d77b08a4efc4
Opcode Fuzzy Hash: c384672c9782469b7d01815495fe31bd96caf040fa83a3d94504463f27ecc95e
Instruction Fuzzy Hash: C6E04F756063544BCF107EA8A9D1A6677D4AB45764F160BF8EC848B282E73C8C008761

Function 00B94214 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B94237

Strings

registryJreSearch(), xrefs: 00B94230

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fputs
String ID: registryJreSearch()
API String ID: 1795875747-1180825924
Opcode ID: 4323711717822b72b35fb9e2216574406d4b6d025ac59fd8c7b41061df7c968b
Instruction ID: 47480eff331f9d426d15c0b41801a7643e10809df1e78b02a755a80b908b43d8
Opcode Fuzzy Hash: 4323711717822b72b35fb9e2216574406d4b6d025ac59fd8c7b41061df7c968b
Instruction Fuzzy Hash: 48E08C215243418FEB107FBA9906B257BE4AB09704F8448FDA5C0C32A1DBB8C882CB22

Function 00B9BAE9 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00B9BABB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c8171771f55805592ee4753954c1db0c6697d052e603e55c123443acfda92c2c
Instruction ID: 8a04d0efe737ab2824dd14dd324a9454fd9528a24dc4e3fb3af95caca7246ebf
Opcode Fuzzy Hash: c8171771f55805592ee4753954c1db0c6697d052e603e55c123443acfda92c2c
Instruction Fuzzy Hash: 3E01F4B3C083684DDF305B69A6857F8BFE0EB06300F8844EAECD556186D7751985EB52

Function 00B91590 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00B9159A

Part of subcall function 00B91180: SetUnhandledExceptionFilter.KERNEL32 ref: 00B911B5
Part of subcall function 00B91180: GetCommandLineA.KERNEL32 ref: 00B911D4

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled__set_app_type
String ID:
API String ID: 3309298700-0
Opcode ID: bb18bae7cf66ee7ad3bb2fb4a23018036787893b722fc14b32e48946aaa12cff
Instruction ID: 6be9e8d424601d3a483a3d7efce66ee435a1899d523f162e37c6f2a7c2349e44
Opcode Fuzzy Hash: bb18bae7cf66ee7ad3bb2fb4a23018036787893b722fc14b32e48946aaa12cff
Instruction Fuzzy Hash: F4C04C314005169BCB007F24D406355B7E4BF01344F414958D59527011C77435158BA6

Non-executed Functions

Function 00B91F36 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 66stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B91F3D
fprintf.MSVCRT ref: 00B91F60
FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91F9F
fprintf.MSVCRT ref: 00B91FC2
strcat.MSVCRT ref: 00B91FD6
strcat.MSVCRT ref: 00B91FE9
LocalFree.KERNEL32 ref: 00B91FF1
fprintf.MSVCRT ref: 00B92028
ShellExecuteA.SHELL32 ref: 00B9205C

Strings

Open URL:%s, xrefs: 00B9201D
open, xrefs: 00B9204D
Error msg:%s, xrefs: 00B91F55
Error:%s, xrefs: 00B91FB3

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$strcat$ErrorExecuteFormatFreeLastLocalMessageShell
String ID: Error msg:%s$Error:%s$Open URL:%s$open
API String ID: 623906192-1000128352
Opcode ID: b458de0c7df4d4b9e308ddc6947591c8969b6af5dea3ac5e8c8e39e90113a5a6
Instruction ID: 1ccb976ef5793048f09e4abc5c70fd1c656efea92779ec0a5062a61ea930d104
Opcode Fuzzy Hash: b458de0c7df4d4b9e308ddc6947591c8969b6af5dea3ac5e8c8e39e90113a5a6
Instruction Fuzzy Hash: 213119B1908306AFDB00FF65D58971EBBE4EF85744F0088BCE5D46B251C7B48848DB52

Function 00B9206E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00B9209D
FindResourceExA.KERNEL32 ref: 00B920C1
LoadResource.KERNEL32 ref: 00B920D9
LockResource.KERNEL32 ref: 00B920E7
fprintf.MSVCRT ref: 00B92124
SetLastError.KERNEL32 ref: 00B92132
fputs.MSVCRT ref: 00B9215A

Strings

%s, xrefs: 00B92119
<NULL>, xrefs: 00B92153
Resource %d:, xrefs: 00B92092

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Resource$fprintf$ErrorFindLastLoadLockfputs
String ID: %s$<NULL>$Resource %d:
API String ID: 2361679423-125972688
Opcode ID: 1cebc2ba232b9dbb4d35826d5c3437eeac5e353f6e67b762761e32e829cf82ae
Instruction ID: 8e26e2915fe4cf74757bf84fcc6867d360aa7ba4e51aae7a0040a81ebc3cab14
Opcode Fuzzy Hash: 1cebc2ba232b9dbb4d35826d5c3437eeac5e353f6e67b762761e32e829cf82ae
Instruction Fuzzy Hash: 2B218171914324AFEF10BF69DA85B2A7BE5EB49740F0484BDE68897311E7B48841CB52

Function 00B98FD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1317COMMON

Download Yara Rule

Strings

, xrefs: 00B9A36C
Infinity, xrefs: 00B99150
NaN, xrefs: 00B9911C
9, xrefs: 00B9A34F

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID:
String ID: $9$Infinity$NaN
API String ID: 0-197352145
Opcode ID: 97c57375b0a8b4440b1a7619e7d182b4d2c9a8534e05e7c221f3f7c7148b4f0a
Instruction ID: eabeb719a637e0fbd17cb4d1751ebb234e2092ef25e283c46f92700434515777
Opcode Fuzzy Hash: 97c57375b0a8b4440b1a7619e7d182b4d2c9a8534e05e7c221f3f7c7148b4f0a
Instruction Fuzzy Hash: 1FC222B1A083418FCB55DF29C58431ABBE0FF84384F258DADE89997252E776D944CF82

Function 00B934B3 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 243stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92168: strcmp.MSVCRT ref: 00B92198

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

Part of subcall function 00B9206E: SetLastError.KERNEL32 ref: 00B92132
Part of subcall function 00B9206E: fputs.MSVCRT ref: 00B9215A

fprintf.MSVCRT ref: 00B93566
fputs.MSVCRT ref: 00B93593
strcat.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B935C7
strtok.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B9360B
fprintf.MSVCRT ref: 00B93632
strpbrk.MSVCRT ref: 00B93642
strrchr.MSVCRT ref: 00B9365A
strncpy.MSVCRT ref: 00B93684
_findfirst.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B936A7
strncpy.MSVCRT ref: 00B93735
strcpy.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B93747
fprintf.MSVCRT ref: 00B93774
_findnext.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B93786
_findclose.MSVCRT ref: 00B937A4
strncpy.MSVCRT ref: 00B9381A
strcat.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B9387A
strcat.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B938A0
strcat.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B938B0
strcat.MSVCRT(?,00000000,?,?,00B94A4F,?,?,00000000,?,00B91822), ref: 00B938B7
strncat.MSVCRT ref: 00B938D1

Part of subcall function 00B925E6: strcat.MSVCRT(?,?,?,?,00B93151,?,?), ref: 00B92612

Strings

Info:Classpath not defined., xrefs: 00B9358C
\, xrefs: 00B9364F
Add classpath:%s, xrefs: 00B93627
Main class:%s, xrefs: 00B9355B
" :%s, xrefs: 00B93769
-classpath ", xrefs: 00B935B8
-jar ", xrefs: 00B9388F
-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe", xrefs: 00B935C0, 00B935EE, 00B93750, 00B93836, 00B93858, 00B9386A, 00B93897, 00B938A9, 00B938C6, 00B938DA, 00B938ED

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$fprintf$Resourcestrncpy$fputs$ErrorFindLastLoadLock_findclose_findfirst_findnextstrcmpstrcpystrncatstrpbrkstrrchrstrtok
String ID: " :%s$-classpath "$-jar "$-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"$Add classpath:%s$Info:Classpath not defined.$Main class:%s$\
API String ID: 613304418-1310111744
Opcode ID: eb9e57ce23849cd14dad1d85e4a2cf3689906ca8617fae2d1660e9b863db8435
Instruction ID: 95b0a29a5d744663b77a2735a6817f00490e1e6b3032c92c711ca2d9d200b24f
Opcode Fuzzy Hash: eb9e57ce23849cd14dad1d85e4a2cf3689906ca8617fae2d1660e9b863db8435
Instruction Fuzzy Hash: 10B1E6B59193189BCB20AF25C984999FBF0BF89714F0189EDE4C8A7311E7B496C4CF52

Function 00B92A7B Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00B92ACE
strchr.MSVCRT ref: 00B92AFD
strncat.MSVCRT ref: 00B92B25
strncat.MSVCRT ref: 00B92B4D
strcmp.MSVCRT ref: 00B92B6A
strncat.MSVCRT ref: 00B92B84
strcmp.MSVCRT ref: 00B92B99
strcmp.MSVCRT ref: 00B92BB5
GetCurrentDirectoryA.KERNEL32 ref: 00B92BC9
strcmp.MSVCRT ref: 00B92BE0
strcat.MSVCRT ref: 00B92C7F
fprintf.MSVCRT ref: 00B92CA0
strcat.MSVCRT(?,00000000,?,?,00B94563,00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B92CB8

Strings

Substitute:%s = %s, xrefs: 00B92C95
C:\Program Files (x86)\Java\jre-1.8, xrefs: 00B92C0A
OLDPWD, xrefs: 00B92BD5
HKEY, xrefs: 00B92C14
PWD, xrefs: 00B92BAA
EXEFILE, xrefs: 00B92B8E
JREHOMEDIR, xrefs: 00B92BF6
%, xrefs: 00B92AE6
EXEDIR, xrefs: 00B92B59

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcmp$strncat$strcatstrchr$CurrentDirectoryfprintf
String ID: %$C:\Program Files (x86)\Java\jre-1.8$EXEDIR$EXEFILE$HKEY$JREHOMEDIR$OLDPWD$PWD$Substitute:%s = %s
API String ID: 54753763-1518370859
Opcode ID: 1bb7d783e38966fb11fc4f5663e42bf44967d560fb82067d6dd1c8cfc46cab4e
Instruction ID: bb8637654861624e78cee8bec40f2c055059f871f94fad48e31d635ffd686c4c
Opcode Fuzzy Hash: 1bb7d783e38966fb11fc4f5663e42bf44967d560fb82067d6dd1c8cfc46cab4e
Instruction Fuzzy Hash: 8A5127B0909305ABDF60AF25DA8466EFBF4FF84740F11C8BDE48897211DB70D9889B52

Function 00B921DE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 105stringregistryCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00B921F5
strstr.MSVCRT ref: 00B92209
strstr.MSVCRT ref: 00B9221D
strstr.MSVCRT ref: 00B92231
strstr.MSVCRT ref: 00B92247
strchr.MSVCRT ref: 00B92280
strrchr.MSVCRT ref: 00B92293
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B922C6
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?,?,00B94563,00000001,00000000,000000B7,?), ref: 00B922F2
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00B94563), ref: 00B9232B
RegCloseKey.ADVAPI32 ref: 00B92343

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B92212
\, xrefs: 00B92288
HKEY_CLASSES_ROOT, xrefs: 00B921EA
HKEY_USERS, xrefs: 00B92226
HKEY_CURRENT_CONFIG, xrefs: 00B9223A
HKEY_CURRENT_USER, xrefs: 00B921FE

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strstr$Open$CloseQueryValuestrchrstrrchr
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$\
API String ID: 356245303-3439841907
Opcode ID: 5807f8dc781117a259231e98cf6554669b82b49b858d5401e3285f5b8c393346
Instruction ID: caa50b615e8cd027c6e04043c2655e29a26ff0e04c73eab1c9aac8341705ced2
Opcode Fuzzy Hash: 5807f8dc781117a259231e98cf6554669b82b49b858d5401e3285f5b8c393346
Instruction Fuzzy Hash: F5413BB1909315EFDF10AFA5D98475EFBE4AF44740F0189BEE88497211D77898488F92

Function 00B9425D Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 135stringpipeCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00B942BA
CreatePipe.KERNEL32 ref: 00B94302
fputs.MSVCRT ref: 00B94322
SetHandleInformation.KERNEL32(?,?,?,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94347
fputs.MSVCRT ref: 00B94367
CloseHandle.KERNEL32 ref: 00B94375
strcpy.MSVCRT ref: 00B943AC
fputs.MSVCRT ref: 00B94405
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94413
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B94874,?,?,00000000,?,00B91822), ref: 00B94464

Strings

Cannot set handle information, xrefs: 00B94360
Cannot create pipe, xrefs: 00B9431B
Cannot run java(w) -version, xrefs: 00B943FE
Check Java Version: %s min=%s max=%s, xrefs: 00B942AF
"%s" -version, xrefs: 00B943C3

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Handle$Closefputs$CreateInformationPipefprintfstrcpy
String ID: "%s" -version$Cannot create pipe$Cannot run java(w) -version$Cannot set handle information$Check Java Version: %s min=%s max=%s
API String ID: 571126077-3734277957
Opcode ID: 768d1252b6845df3f5635df276d2f91c1f337df7b4d1d979faba240324978c7f
Instruction ID: 4edfd25b10c14e4847caad5a5558f9e767da836399a2ae7d5c27ad924a686771
Opcode Fuzzy Hash: 768d1252b6845df3f5635df276d2f91c1f337df7b4d1d979faba240324978c7f
Instruction Fuzzy Hash: D75107B1919B149BCF10AF25D945A9DBBF4FF48740F00C8BDE888A7300DB749A858F92

Function 00B923B8 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B923CF

Part of subcall function 00B92356: strchr.MSVCRT ref: 00B92377
Part of subcall function 00B92356: strchr.MSVCRT ref: 00B92389

strncpy.MSVCRT ref: 00B9243B
strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B92462
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B92481
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B924A7
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B924C3
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B924E9
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B924FE
fputs.MSVCRT ref: 00B92545
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B9255E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B9256E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B9257E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,00B947F3,?,?,00000000,?,00B91822), ref: 00B9258E

Strings

1.0_, xrefs: 00B92457

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$strchrstrcpy$fputsstrncpy
String ID: 1.0_
API String ID: 2030749601-2140295588
Opcode ID: 743f45fd53ca106c7deec1319de1378f45511c5a2b48b23a97745165dd8561a2
Instruction ID: 2e87dba32d17741f53f798f6a17db4071481370cb51bd2de6146146ea1f7e31a
Opcode Fuzzy Hash: 743f45fd53ca106c7deec1319de1378f45511c5a2b48b23a97745165dd8561a2
Instruction Fuzzy Hash: 16513471905208AFCF00EF75C9859AEBBF1EF88314F5189BDE895AB242D7349845CF51

Function 00B93B64 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 99stringfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00B93BAA
fprintf.MSVCRT ref: 00B93BED
strchr.MSVCRT ref: 00B93C03
strchr.MSVCRT ref: 00B93C34
fputs.MSVCRT ref: 00B93C6E
strstr.MSVCRT ref: 00B93C8E
strstr.MSVCRT ref: 00B93CA7

Strings

Cannot get version string: cannot find quote, xrefs: 00B93C1D
64-bit, xrefs: 00B93C9C
Java version output: %s, xrefs: 00B93BE2
Cannot get version string: missing end quote, xrefs: 00B93C4A
64-Bit, xrefs: 00B93C83
Cannot get version string: data too large, xrefs: 00B93C67
", xrefs: 00B93C29

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strchrstrstr$FileReadfprintffputs
String ID: "$64-Bit$64-bit$Cannot get version string: cannot find quote$Cannot get version string: data too large$Cannot get version string: missing end quote$Java version output: %s
API String ID: 654744459-1675060857
Opcode ID: c7a1f95d946435eebb2f94e8cab0168badfac92d34cc9c8f7bb71bdd81bad2d5
Instruction ID: f610de37c335aebc52ebaf7833940f34d1b153c53ad941e45f3eea8bfe78a9e3
Opcode Fuzzy Hash: c7a1f95d946435eebb2f94e8cab0168badfac92d34cc9c8f7bb71bdd81bad2d5
Instruction Fuzzy Hash: 3D413CB15087059BDF10AF39D981B5ABBF4EF44B44F4188BDE884A7310E774EA84CB92

Function 00B95C6C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 227stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00B95944
_strdup.MSVCRT ref: 00B9598C
strlen.MSVCRT ref: 00B95A47

Strings

\, xrefs: 00B959E0

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strlen$_strdup
String ID: \
API String ID: 2848476203-2967466578
Opcode ID: 3e7a5f8df12acd887e948c71022f6dcbc80a5968c812c8bb9e7b8b0c9b255bab
Instruction ID: c9c9bfe439dfed324240d5eaf32a96ebfef05a452d250e782cf2f586e97283cf
Opcode Fuzzy Hash: 3e7a5f8df12acd887e948c71022f6dcbc80a5968c812c8bb9e7b8b0c9b255bab
Instruction Fuzzy Hash: 369157B1A45B188FDF25DFA8D4817ADBBF1EF48710F1485B8E885AB341E734A841CB91

Function 00B94B90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87memoryfileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00B94BBC
vfprintf.MSVCRT ref: 00B94BD0
abort.MSVCRT(?,?,?,00B90000,?,00B94CC3), ref: 00B94BD5
VirtualQuery.KERNEL32 ref: 00B94C01
memcpy.MSVCRT ref: 00B94C24
VirtualProtect.KERNEL32 ref: 00B94C55
memcpy.MSVCRT ref: 00B94C6E
VirtualProtect.KERNEL32 ref: 00B94C9B

Strings

@, xrefs: 00B94C40
Mingw runtime failure:, xrefs: 00B94BAE

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 0fa5c42d3f8d116a14e838c1b28955979fa402947f4e2644367c6baebf29f816
Instruction ID: 5e1182e97e81a133713d84c9cda9f9ff2ab84b259d8835c04d7b62d3ceb81eae
Opcode Fuzzy Hash: 0fa5c42d3f8d116a14e838c1b28955979fa402947f4e2644367c6baebf29f816
Instruction Fuzzy Hash: 9A3107B5909304AFDB00EFA9E58199EFBF4FF88350F40896EE888A3211D7749845CF52

Function 00B93CC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74processCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00B93D21
CreateProcessA.KERNEL32 ref: 00B93D6C
fprintf.MSVCRT ref: 00B93D92
CloseHandle.KERNEL32 ref: 00B93D9F
CloseHandle.KERNEL32(00000000), ref: 00B93DAB
CloseHandle.KERNEL32(?,00000000), ref: 00B93DB7

Strings

Create process: %s, xrefs: 00B93D13
Cannot create process %s, xrefs: 00B93D87
D, xrefs: 00B93CF0

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CloseHandle$fprintf$CreateProcess
String ID: Cannot create process %s$Create process: %s$D
API String ID: 991247836-3672066502
Opcode ID: e08b2e95fe5a63660566d0038b3154663e1373fd3f6394e8cd0f35a1905067ed
Instruction ID: da2716a5ca6b7c58a566432b87aeb8a7a456c35ab705cfadaf01d5adcd27fd5b
Opcode Fuzzy Hash: e08b2e95fe5a63660566d0038b3154663e1373fd3f6394e8cd0f35a1905067ed
Instruction Fuzzy Hash: BD31E7B19043059BDB00EF69D494B5EFBF4EF88704F00897DE99897341D77599488F92

Function 00B93903 Relevance: 15.1, APIs: 7, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

strcat.MSVCRT(?,00000000,?,?,00B94A5A,?,?,00000000,?,00B91822), ref: 00B93950
strcat.MSVCRT(?,00000000,?,?,00B94A5A,?,?,00000000,?,00B91822), ref: 00B93960
strcpy.MSVCRT(?,00000000,?,?,00B94A5A,?,?,00000000,?,00B91822), ref: 00B93971
strstr.MSVCRT ref: 00B93981
strchr.MSVCRT ref: 00B93997
strcat.MSVCRT ref: 00B939CD
strcat.MSVCRT ref: 00B939DD

Strings

, xrefs: 00B9398C
-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe", xrefs: 00B93949, 00B93959, 00B939C6, 00B939D6
--l4j-, xrefs: 00B93976

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLockstrchrstrcpystrstr
String ID: $--l4j-$-jar "C:\Users\user\Desktop\SAMPLE_1.exe.bin.exe"
API String ID: 3962799999-984385548
Opcode ID: 1724c6949ef7c32082737a4e49f00833a8778e3209f0683afedd21b838f36aec
Instruction ID: b6a41a7be0123279c7e591fd4079b8ec80c653d72c918cc0469541a27454e8b5
Opcode Fuzzy Hash: 1724c6949ef7c32082737a4e49f00833a8778e3209f0683afedd21b838f36aec
Instruction Fuzzy Hash: BD214FB140D3049ADF20BF25954971DFBE0EF81B10F0588FDA4C987241D7B49A88DB63

Function 00B9600C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

mbstowcs.MSVCRT ref: 00B96026
mbstowcs.MSVCRT ref: 00B9605A
wcstombs.MSVCRT ref: 00B96136
realloc.MSVCRT ref: 00B9614A
wcstombs.MSVCRT ref: 00B96164
wcstombs.MSVCRT ref: 00B96249
setlocale.MSVCRT ref: 00B96262
free.MSVCRT ref: 00B9626A

Strings

/, xrefs: 00B9610A

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: wcstombs$mbstowcs$freereallocsetlocale
String ID: /
API String ID: 2027400679-2043925204
Opcode ID: e7dbd48533100895c2d00fa346662685d63153b07653d11aff1b8fd14f5ef817
Instruction ID: c0c2b18cdec5eae653d4c724ba13a0656ae1ef5bff4f509e343a71aecef55106
Opcode Fuzzy Hash: e7dbd48533100895c2d00fa346662685d63153b07653d11aff1b8fd14f5ef817
Instruction Fuzzy Hash: 634117759043198BCF24EFA8C1816AEFBF1FF88700F4585AEE888A7251E73498418B65

Function 00B91E4D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00B91E5B
GetProcAddress.KERNEL32 ref: 00B91E6C
GetCurrentProcess.KERNEL32 ref: 00B91E79
fprintf.MSVCRT ref: 00B91EBA

Strings

IsWow64Process, xrefs: 00B91E61
kernel32, xrefs: 00B91E54
Yes, xrefs: 00B91E9E
WOW64:%s, xrefs: 00B91EA8

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcessfprintf
String ID: IsWow64Process$WOW64:%s$Yes$kernel32
API String ID: 24026888-2598006572
Opcode ID: 706cd17ac688cf1afae428b54481dcdab800800f8d6e7af2bf57626980105bf8
Instruction ID: 9a4e382f9baa94b3c94d8e2eb62b9f2eb027c6508e27fcdd9f016a8f88ff1bba
Opcode Fuzzy Hash: 706cd17ac688cf1afae428b54481dcdab800800f8d6e7af2bf57626980105bf8
Instruction Fuzzy Hash: 76F062B16183489BDF00BF7EDA86E2A76E8EB85704F10C8BCE48487201D771DC419B62

Function 00B9319C Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

strcat.MSVCRT ref: 00B931D6
strcat.MSVCRT ref: 00B931EA
strcat.MSVCRT ref: 00B93207
strcat.MSVCRT ref: 00B9321B
strcat.MSVCRT ref: 00B93238
strcat.MSVCRT ref: 00B9327E
strcat.MSVCRT ref: 00B9328E

Strings

(64-bit), xrefs: 00B93229
- , xrefs: 00B931F8

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLock
String ID: (64-bit)$ -
API String ID: 2267084178-2895498852
Opcode ID: d33e16ef5ce8c61b3cad7c9bb8016adb6452900012074ddd898bb56273f8322c
Instruction ID: 0f48d53eb8e0fdca9cc6dc532da16406398a95c7f74be5c47970e1d2640209e6
Opcode Fuzzy Hash: d33e16ef5ce8c61b3cad7c9bb8016adb6452900012074ddd898bb56273f8322c
Instruction Fuzzy Hash: 282129B180E305ABDB107F55D60976EBBF4EBC2704F0188EDA2C42B241DBB85484EB23

Function 00B933D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

strtok.MSVCRT(?,00000000,?,?,00B949E7,?,?,00000000,?,00B91822), ref: 00B93424
strchr.MSVCRT ref: 00B9343A

Part of subcall function 00B92A7B: strchr.MSVCRT ref: 00B92ACE
Part of subcall function 00B92A7B: strchr.MSVCRT ref: 00B92AFD
Part of subcall function 00B92A7B: strncat.MSVCRT ref: 00B92B25
Part of subcall function 00B92A7B: strncat.MSVCRT ref: 00B92B4D
Part of subcall function 00B92A7B: strcmp.MSVCRT ref: 00B92B6A
Part of subcall function 00B92A7B: strncat.MSVCRT ref: 00B92B84
Part of subcall function 00B92A7B: strcmp.MSVCRT ref: 00B92B99
Part of subcall function 00B92A7B: strcat.MSVCRT ref: 00B92C7F
Part of subcall function 00B92A7B: fprintf.MSVCRT ref: 00B92CA0
Part of subcall function 00B92A7B: strcat.MSVCRT(?,00000000,?,?,00B94563,00000001,00000000,000000B7,?,00B94874,?,?,00000000,?,00B91822), ref: 00B92CB8

fprintf.MSVCRT ref: 00B93480
SetEnvironmentVariableA.KERNEL32(?,?), ref: 00B9348C
strtok.MSVCRT(?,?), ref: 00B934A2

Strings

Set var:%s = %s, xrefs: 00B93475
=, xrefs: 00B9342F

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$Resourcestrchrstrncat$strcatstrcmpstrtok$EnvironmentFindLoadLockVariable
String ID: =$Set var:%s = %s
API String ID: 3861738652-24686798
Opcode ID: 6fbe47e8dc1e5399632b5addd3862b1da4ac9d9bea4cf9ec6125f77417c123de
Instruction ID: 8d761684afbac4e145dd758459c368b3abd4b97d344aea42f634abc7cee5b77d
Opcode Fuzzy Hash: 6fbe47e8dc1e5399632b5addd3862b1da4ac9d9bea4cf9ec6125f77417c123de
Instruction Fuzzy Hash: AB212F71809718ABCB11AF25D584A4EFBF4FF84B50F01C8BDE48897301D7B49A45DB92

Function 00B93001 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

fprintf.MSVCRT ref: 00B9305A
CreateMutexA.KERNEL32 ref: 00B93092
GetLastError.KERNEL32 ref: 00B9309A
fprintf.MSVCRT ref: 00B930C7

Strings

Create mutex:%s, xrefs: 00B9304F
Instance already exists., xrefs: 00B930B4
Error:%s, xrefs: 00B930BC

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$Resource$CreateErrorFindLastLoadLockMutex
String ID: Create mutex:%s$Error:%s$Instance already exists.
API String ID: 891584312-2614424452
Opcode ID: 6a80cdac9537d14f9aa555174c408721154370786834da75eadf9c8926e09a07
Instruction ID: 782b679900d2fcaa47ead535a7b04ebdc72a655b80dc17778cbca99bdf3069ec
Opcode Fuzzy Hash: 6a80cdac9537d14f9aa555174c408721154370786834da75eadf9c8926e09a07
Instruction Fuzzy Hash: 78111C719083049BEF20AF65D94574DFBF5EF84704F0088BDD08CA7251DBB59A89CB42

Function 00B92CCE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B921AB: atoi.MSVCRT ref: 00B921D3

fprintf.MSVCRT ref: 00B92D81
fprintf.MSVCRT ref: 00B92DC3
strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,00B92E6A), ref: 00B92DD5
_itoa.MSVCRT ref: 00B92DFC

Strings

Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 00B92DB4
Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 00B92D76

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fprintf$_itoaatoistrcat
String ID: Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
API String ID: 2922754228-3040617333
Opcode ID: 70a05de111d17bfb4aedb6148955d8b58f8038d30a850139e1283b42e8b21a6b
Instruction ID: 7003780212af8fc3e964fa0ae3192c22f4b56fb60925f737339252f854d23705
Opcode Fuzzy Hash: 70a05de111d17bfb4aedb6148955d8b58f8038d30a850139e1283b42e8b21a6b
Instruction Fuzzy Hash: 074113B5E047099BCB00EF69D58469EFBF4EF88360F10887EE858A7350D73898418FA1

Function 00B915D0 Relevance: 10.6, APIs: 7, Instructions: 62timewindowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00B91606
KillTimer.USER32(00000000,00000000), ref: 00B9162D

Part of subcall function 00B91F36: GetLastError.KERNEL32 ref: 00B91F3D
Part of subcall function 00B91F36: fprintf.MSVCRT ref: 00B91F60
Part of subcall function 00B91F36: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91F9F
Part of subcall function 00B91F36: fprintf.MSVCRT ref: 00B91FC2
Part of subcall function 00B91F36: strcat.MSVCRT ref: 00B91FD6
Part of subcall function 00B91F36: strcat.MSVCRT ref: 00B91FE9
Part of subcall function 00B91F36: LocalFree.KERNEL32 ref: 00B91FF1
Part of subcall function 00B91F36: fprintf.MSVCRT ref: 00B92028
Part of subcall function 00B91F36: ShellExecuteA.SHELL32 ref: 00B9205C

PostQuitMessage.USER32(00000000), ref: 00B91640
EnumWindows.USER32 ref: 00B91668
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00B9167F
KillTimer.USER32 ref: 00B916B4
PostQuitMessage.USER32(00000000), ref: 00B916C2

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Messagefprintf$KillPostQuitTimerstrcat$CodeEnumErrorExecuteExitFormatFreeLastLocalProcessShellShowWindowWindows
String ID:
API String ID: 3625041480-0
Opcode ID: d8ea80ef34fa9cf9d45c189b02cf228ab6d2e830c15fd81643aa52588feff6ed
Instruction ID: 456b9306b6488f026612d0112d71357c0561bf3db8a7bdc0dcfee29c709518b0
Opcode Fuzzy Hash: d8ea80ef34fa9cf9d45c189b02cf228ab6d2e830c15fd81643aa52588feff6ed
Instruction Fuzzy Hash: F22133B0425305DFEF20BF18E956F2A77E8EB05749F0549BDE48097261DBB89884DF22

Function 00B93352 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00B9337C
strcat.MSVCRT ref: 00B9338C

Part of subcall function 00B932B9: GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,00B93399), ref: 00B932F5
Part of subcall function 00B932B9: strcat.MSVCRT(?,?,00B93399), ref: 00B93324
Part of subcall function 00B932B9: strcat.MSVCRT(?,?,00B93399), ref: 00B93333
Part of subcall function 00B932B9: SetEnvironmentVariableA.KERNEL32(?,?,00B93399), ref: 00B93343

fprintf.MSVCRT ref: 00B933BE

Strings

appendToPathVar failed., xrefs: 00B933AB
\bin, xrefs: 00B93381
Error:%s, xrefs: 00B933B3

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcat$EnvironmentVariable$fprintfstrcpy
String ID: Error:%s$\bin$appendToPathVar failed.
API String ID: 4002749114-3685084685
Opcode ID: d27c6f8cb95b8813312061d6905662534dea2c4308854a7f888362c435e4a4c1
Instruction ID: d78972fb26eaf81d5c79b91c76f13756c5f835f0d199ada4def45db2e3e94624
Opcode Fuzzy Hash: d27c6f8cb95b8813312061d6905662534dea2c4308854a7f888362c435e4a4c1
Instruction Fuzzy Hash: 08F0627250C3044BDF10AF75D9456BDB7E1ABC1704F4189BCE8885B700DBB899499B86

Function 00B91000 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00B91034
signal.MSVCRT ref: 00B91091
signal.MSVCRT ref: 00B910C9
signal.MSVCRT ref: 00B91112

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: aeec0c4a87c07f7c9f5ab1529ee77c8b59e66693d593f2f0f948f8b159f4556e
Instruction ID: 323b012f5c3282a82309eb9470ebb6d9a02803c59b9229aa978738bd41bf3587
Opcode Fuzzy Hash: aeec0c4a87c07f7c9f5ab1529ee77c8b59e66693d593f2f0f948f8b159f4556e
Instruction Fuzzy Hash: 8B211E701082428AEF106F7D858572AB6D0EF45368F114EB9E5E8C72D1C7BBD8D4AB53

Function 00B93DC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00B93DEA
strcmp.MSVCRT ref: 00B93E09
fprintf.MSVCRT ref: 00B93E79

Strings

Ignore, xrefs: 00B93E46
Version string: %s / %s-Bit (%s), xrefs: 00B93E6E

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strcmp$fprintf
String ID: Ignore$Version string: %s / %s-Bit (%s)
API String ID: 512415533-1929821993
Opcode ID: dddc6df7767e73fdfa7989bce0ad3d55b788d65345d7821c8527e165efbd56cd
Instruction ID: ba47aa1ff33fb7031b80e49a860bde75f0519b63fa32e2ba26a90438f39062ff
Opcode Fuzzy Hash: dddc6df7767e73fdfa7989bce0ad3d55b788d65345d7821c8527e165efbd56cd
Instruction Fuzzy Hash: 2A11E772205B419BDF245F6B9585317BBE4EFD1B08F0584BDE48887350DBB1CD848B92

Function 00B932B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,00B93399), ref: 00B932F5
strcat.MSVCRT(?,?,00B93399), ref: 00B93324
strcat.MSVCRT(?,?,00B93399), ref: 00B93333
SetEnvironmentVariableA.KERNEL32(?,?,00B93399), ref: 00B93343

Strings

Path, xrefs: 00B932EE, 00B9333C

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: EnvironmentVariablestrcat
String ID: Path
API String ID: 194762557-2875597873
Opcode ID: bb43c17848dcfdb823a3bd35f071c35f57897bc5f05725b08eae84cf20b9f0da
Instruction ID: 088199fcc9d5672f15563e69b402a9007da29dabe75131adf68aa750222307b9
Opcode Fuzzy Hash: bb43c17848dcfdb823a3bd35f071c35f57897bc5f05725b08eae84cf20b9f0da
Instruction Fuzzy Hash: 5B0192769093189BCF10BF3AD98545EBBE8EF84760F01857DF88C97241CB7499448B92

Function 00B930D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00B9310E

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

strncpy.MSVCRT ref: 00B93140

Part of subcall function 00B925E6: strcat.MSVCRT(?,?,?,?,00B93151,?,?), ref: 00B92612

_chdir.MSVCRT ref: 00B93154
fprintf.MSVCRT ref: 00B93171

Strings

Working dir:%s, xrefs: 00B93166

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Resourcefprintf$CurrentDirectoryFindLoadLock_chdirstrcatstrncpy
String ID: Working dir:%s
API String ID: 3319590416-1807235602
Opcode ID: 8d183d44318cb0b6e9841d0242b81328ac7ca8fcd46861936705d290c3349f71
Instruction ID: c8543acf9df624ad2ea1350ebe3825c1a199c529a94d2d58bc00d0e6b4a47a1b
Opcode Fuzzy Hash: 8d183d44318cb0b6e9841d0242b81328ac7ca8fcd46861936705d290c3349f71
Instruction Fuzzy Hash: 00111EB1508308AFDB10AF69D98199EFBF4FF84740F418CBDE58897211D7B49984CB52

Function 00B95AFC Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

_strdup.MSVCRT ref: 00B95B2B
_stricoll.MSVCRT ref: 00B95B91
malloc.MSVCRT ref: 00B95BB1
free.MSVCRT ref: 00B95C27
free.MSVCRT ref: 00B95C3C

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: free$_strdup_stricollmalloc
String ID:
API String ID: 1482192206-0
Opcode ID: 351a2a8870e22f0329fc654e75e7251c6513b7c51ff2b9e5253af2975e1597e5
Instruction ID: c7b760313bc0e4cf070fde02860b7c24e620b85ef7406813e1f9c36f747124a0
Opcode Fuzzy Hash: 351a2a8870e22f0329fc654e75e7251c6513b7c51ff2b9e5253af2975e1597e5
Instruction Fuzzy Hash: CE4112B1E05A188FCF259FA4E9807ADBBF1FF54700F1585A9E895AB301E730A8408B90

Function 00B9A880 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32 ref: 00B9A8D3
InitializeCriticalSection.KERNEL32 ref: 00B9A8E6
InitializeCriticalSection.KERNEL32 ref: 00B9A8F5
EnterCriticalSection.KERNEL32 ref: 00B9A920

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterExchangeInterlocked
String ID:
API String ID: 33273390-0
Opcode ID: a4abf06330a88c220f22b472a07ec592420a6ddd727b4306794bb99e059bd807
Instruction ID: 7b0c59e7a8ee94f6b75e0fc0849fb5491f7ce115ee25b56c68a82989b0f78948
Opcode Fuzzy Hash: a4abf06330a88c220f22b472a07ec592420a6ddd727b4306794bb99e059bd807
Instruction Fuzzy Hash: EB016DB1D152008AEF90FF78E2CB61F7AF5EB81348F5245B8C48147616EB749989CB93

Function 00B98B61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00B98BA6
strchr.MSVCRT ref: 00B98BB6
atoi.MSVCRT ref: 00B98BCD

Strings

., xrefs: 00B98BAB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 9d0f3f49ce8ab93ddfcb6de35196ba47d70909b61849004233df5efe9c77d558
Instruction ID: de5f4e37252c908e42fb500a14cd0ecc0ec75eaa8394be187241600a6d8fb48c
Opcode Fuzzy Hash: 9d0f3f49ce8ab93ddfcb6de35196ba47d70909b61849004233df5efe9c77d558
Instruction Fuzzy Hash: 3B41C5B5A093158FCB10DFA9D88461BFBE4EF85750F05497EE998C7300EBB5D8448B92

Function 00B98E79 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00B98E9C
strchr.MSVCRT ref: 00B98EAC
atoi.MSVCRT ref: 00B98EBB

Strings

., xrefs: 00B98EA1

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 117eead6f37c0bbe73012532780501a4045d8e88fe6430b389612fa80619fbde
Instruction ID: c9e4c7ef2d3cc6a56cae0bad4b80e1b12aa26f8bf28046d4a02ab47b52301494
Opcode Fuzzy Hash: 117eead6f37c0bbe73012532780501a4045d8e88fe6430b389612fa80619fbde
Instruction Fuzzy Hash: E04150766083048FCB109FA9D88476AF7E5EB96350F1948BEF888C7350EB75D844CB51

Function 00B98AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00B98B04
strchr.MSVCRT ref: 00B98B14
atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,00B97590), ref: 00B98B25

Strings

., xrefs: 00B98B09

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 1fc3fc44cc01f8236a8a0a37798216e9a42a5699351d436fad5dbfb6ac74c3c5
Instruction ID: ce829ebc4c411d65093504001f43ee93f778e889169450302c81a405aed9c2f0
Opcode Fuzzy Hash: 1fc3fc44cc01f8236a8a0a37798216e9a42a5699351d436fad5dbfb6ac74c3c5
Instruction Fuzzy Hash: A50113B5A083008FCB00AF29E58561BFBE4BFCA700F01882EE888C7310D775D800CB52

Function 00B98CE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00B98D06
strchr.MSVCRT ref: 00B98D16
atoi.MSVCRT ref: 00B98D27

Strings

., xrefs: 00B98D0B

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 75b7116c53a2db0d16ce417eb108e9c4dac7e4639156e91237afbcb7b777befb
Instruction ID: 53ba5514faeb569c8f251905292fcfc68275538fb52dddcc002011b9ca204f8a
Opcode Fuzzy Hash: 75b7116c53a2db0d16ce417eb108e9c4dac7e4639156e91237afbcb7b777befb
Instruction Fuzzy Hash: AC01C4B5A093009FCB00AF28E58561BBBE4BF8A700F00896DF889C7351EB75D844CB52

Function 00B98E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00B98E2D
strchr.MSVCRT ref: 00B98E3D
atoi.MSVCRT ref: 00B98E4E

Strings

., xrefs: 00B98E32

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c3dbea6b3d49c5049a22a89bbd4f100fad72ead125856031ce5aa0dd7309d424
Instruction ID: 4cbeaa305229f2a3fff5005e01f31774a50fbe64cb8f330a13902f25c821a007
Opcode Fuzzy Hash: c3dbea6b3d49c5049a22a89bbd4f100fad72ead125856031ce5aa0dd7309d424
Instruction Fuzzy Hash: DAF049B2A097009FDB10AF6AE58661BFBE8FFD5700F41886EF48487251DB74D840DB92

Function 00B91CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25stringfileCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00B91CF3
strcat.MSVCRT ref: 00B91D03
fopen.MSVCRT ref: 00B91D13

Strings

\launch4j.log, xrefs: 00B91CFB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: fopenstrcatstrncpy
String ID: \launch4j.log
API String ID: 1410583167-1044402884
Opcode ID: d0ba1f5a5681ca94d4fe178d04e28dc2d53395e3233fde303ed3c7b6064d5eec
Instruction ID: 18f9b95ffd2d5d5f11b2fd1569dbb857ed1722582373f5bda248d888fa60ceb6
Opcode Fuzzy Hash: d0ba1f5a5681ca94d4fe178d04e28dc2d53395e3233fde303ed3c7b6064d5eec
Instruction Fuzzy Hash: 5CF01CB55043089FCB20AF69E54169DFBE4AFD4704F0188ADA48C97312D7B4A9958B92

Function 00B98950 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00B989A1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B98B5A), ref: 00B989E0
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B98B5A), ref: 00B98A80

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead
String ID:
API String ID: 2933009993-0
Opcode ID: c01dad700cd316040131830a86ddead0c57abd91402bd1c3d1d49247e91733aa
Instruction ID: acbcacf11545372ef88cd272fc54b8c0a8f7f708fc6ebcaefdf6346c44ae8e98
Opcode Fuzzy Hash: c01dad700cd316040131830a86ddead0c57abd91402bd1c3d1d49247e91733aa
Instruction Fuzzy Hash: 8A414970A083059FDF10DF69D48479EBBE0EF46364F0085AEE8988B381D775DA94CB92

Function 00B967F0 Relevance: 6.1, APIs: 4, Instructions: 87stringCOMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 00B9680D
_errno.MSVCRT ref: 00B96816
_findfirst.MSVCRT ref: 00B96841
strncpy.MSVCRT ref: 00B96898

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: _errno_findclose_findfirststrncpy
String ID:
API String ID: 1756046557-0
Opcode ID: 233afb7bb0cc25fe4f15c6f6278a5643bd76a5286e5f1e42dbedadc7c72b6943
Instruction ID: 97c201512f0b38e9fee19fce5e9c7871f57ea0b9971815f2bd2b5eb270e76f65
Opcode Fuzzy Hash: 233afb7bb0cc25fe4f15c6f6278a5643bd76a5286e5f1e42dbedadc7c72b6943
Instruction Fuzzy Hash: 56311AB19143018BDB10DF68D5C1696BBE1AF88314F1546BAEC888B386E774D944CBA2

Function 00B98150 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00B98172
wcslen.MSVCRT ref: 00B986BD

Strings

(null), xrefs: 00B9882B
(null), xrefs: 00B986AB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: strlenwcslen
String ID: (null)$(null)
API String ID: 803329031-1601437019
Opcode ID: aa3ebec8526963f1434d547be5fdf31c9daf946d82b097f048cfe6bb6faf08b3
Instruction ID: c10faf38d6cd47068fbb25cb332fb52ae22193700562adedc823ef866aa0821f
Opcode Fuzzy Hash: aa3ebec8526963f1434d547be5fdf31c9daf946d82b097f048cfe6bb6faf08b3
Instruction Fuzzy Hash: 73114F702083558FCB10DF24C5D066BB7E1EB8A340F504ABDE9959B352DB35E90A8B52

Function 00B9173C Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B9209D
Part of subcall function 00B9206E: FindResourceExA.KERNEL32 ref: 00B920C1
Part of subcall function 00B9206E: LoadResource.KERNEL32 ref: 00B920D9
Part of subcall function 00B9206E: LockResource.KERNEL32 ref: 00B920E7
Part of subcall function 00B9206E: fprintf.MSVCRT ref: 00B92124

FindWindowExA.USER32 ref: 00B9179D
GetWindowTextA.USER32 ref: 00B917BA
strstr.MSVCRT ref: 00B917C9
FindWindowExA.USER32 ref: 00B917ED

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: FindResourceWindow$fprintf$LoadLockTextstrstr
String ID:
API String ID: 2277964966-0
Opcode ID: 95a9f5b95524026365e8c7ac09c65ee1ba0843219f0e1703a3545d923de10726
Instruction ID: c7d9f277dfc80b3e93d7bf7e33a6ce3f9bb3a2a7449596bd46a443240d2e3245
Opcode Fuzzy Hash: 95a9f5b95524026365e8c7ac09c65ee1ba0843219f0e1703a3545d923de10726
Instruction Fuzzy Hash: 5A11A3B15083069ADB106FA8D54539FFFF4EF84344F008CBDE58857211D77899489B92

Function 00B94BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00B94C01
memcpy.MSVCRT ref: 00B94C24
VirtualProtect.KERNEL32 ref: 00B94C55
memcpy.MSVCRT ref: 00B94C6E
VirtualProtect.KERNEL32 ref: 00B94C9B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00B94CB7

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: 77eef2e4cc31c0581867387027ae200e9cdf75528de93c7318440654cad50449
Instruction ID: 00627946565579ad21d31e5a78dde5fc4b827c2d831f9876c2d32a00aed10a6a
Opcode Fuzzy Hash: 77eef2e4cc31c0581867387027ae200e9cdf75528de93c7318440654cad50449
Instruction Fuzzy Hash: 0E014B719153059FDB00AF69D581B9EFBF8FB84744F40887EE98893201D770E8058B92

Function 00B91ED3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00B91F01
MessageBoxA.USER32 ref: 00B91F2C

Strings

%s: %s, xrefs: 00B91EFA

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: Messageprintf
String ID: %s: %s
API String ID: 351756659-482213395
Opcode ID: 8f6e69da11abe9f253231421aacaa515d301d89f955e4a896808675c9981fd73
Instruction ID: 42ce1f9a469f6da3112af0cb3a5083ba29e25790827898772859e0e5c9b4aa4a
Opcode Fuzzy Hash: 8f6e69da11abe9f253231421aacaa515d301d89f955e4a896808675c9981fd73
Instruction Fuzzy Hash: 2CF08C7140C309EFCF10AF28D14A35EBFE0AB42388F50C8ADE4894B241D7B48488EB93

Function 00B91C58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00B91C6D
strcpy.MSVCRT ref: 00B91C8B

Strings

Launch4j, xrefs: 00B91C7C

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: HandleModulestrcpy
String ID: Launch4j
API String ID: 122033455-841392896
Opcode ID: 07535e81e10ea47550d4f5900f0f17132bc580a8982c946a57936ce48075a6a0
Instruction ID: 51ddcc8adf28df8b43220222cda9798dccce025cbecb2c343f718bceca0f43cb
Opcode Fuzzy Hash: 07535e81e10ea47550d4f5900f0f17132bc580a8982c946a57936ce48075a6a0
Instruction Fuzzy Hash: 78F06DB05453048BEB10AF29E95671A7BF4E702304F40486DD8808B391EFB98488EFE2

Function 00B925A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,?,00B91822), ref: 00B925BE
strrchr.MSVCRT ref: 00B925D5

Strings

\, xrefs: 00B925CA

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: FileModuleNamestrrchr
String ID: \
API String ID: 3219412323-2967466578
Opcode ID: 6c25ae0de2238cd972aa39a5d180827187f3ff1cb184da868f783a5507607426
Instruction ID: 150b52530d585f1e343d225b4b5e68e0a2117554d52c636dbeadab3f9c3a1f3c
Opcode Fuzzy Hash: 6c25ae0de2238cd972aa39a5d180827187f3ff1cb184da868f783a5507607426
Instruction Fuzzy Hash: 47E048B0904305ABCF00FF39DAC5509BFE4AB44754F01857DED9587286D770D944DB62

Function 00B95180 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B951A7
free.MSVCRT ref: 00B951EF
LeaveCriticalSection.KERNEL32 ref: 00B951FB

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: c2a692334fd9294751f091000675dc4734fb9c6171207b68848cc22073b38b06
Instruction ID: cbd4e36eb32335bc2a0924725329b3aec97ac459b8d66a457451393d77558f95
Opcode Fuzzy Hash: c2a692334fd9294751f091000675dc4734fb9c6171207b68848cc22073b38b06
Instruction Fuzzy Hash: 2A014C7075420A8FCF24FF79E9C1A29BBE5AB45308F1585F8D94997202EB30ED84DB52

Function 00B95080 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B9508F
TlsGetValue.KERNEL32 ref: 00B950A6
GetLastError.KERNEL32 ref: 00B950B0
LeaveCriticalSection.KERNEL32 ref: 00B950D3

Memory Dump Source

Source File: 00000000.00000002.1680997293.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1680568556.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681042903.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681063794.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681137484.0000000000BAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681158014.0000000000BAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SAMPLE_1.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: f59718c743259bfa57642a5f9fc172f98e92054d471ed2b37ef30339645de513
Instruction ID: 73420c9cf01282c71f4b1167ea5cdcfed0aa90eabf274bd923ec10c45d43b468
Opcode Fuzzy Hash: f59718c743259bfa57642a5f9fc172f98e92054d471ed2b37ef30339645de513
Instruction Fuzzy Hash: 52F090729147098B9F20BFB8E6C6A6A7BE8DE05340F0104B8DE844B206E730A808C7D3

Analysis Process: javaw.exePID: 6996, Parent PID: 6948COMMON

Executed Functions

Function 0225D8F7 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdd01ce2e31ab367519a29c30f9eb595e5f148c53a716ba42d1360a204ae690
Instruction ID: b7563ebb0a1a3f8ca0f0d8af5d2c659a5dd6c9f25e5474bf09c47154619ebd2e
Opcode Fuzzy Hash: abdd01ce2e31ab367519a29c30f9eb595e5f148c53a716ba42d1360a204ae690
Instruction Fuzzy Hash: B5A1BA71A20612DFDB18CFA4C484BAAFBB1FF49314F08C199DD1A4B389C774A845CB91

Function 0225D8E0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bd1b0c6f19152187b33611b112004ae167423ebbfb83ef925b7d441cc802fb
Instruction ID: b180736693884da922cf7fdc18a4ab1e2dd6b0a50701628939243e5bb4ba1907
Opcode Fuzzy Hash: 70bd1b0c6f19152187b33611b112004ae167423ebbfb83ef925b7d441cc802fb
Instruction Fuzzy Hash: DC61BA71620652DFEB18CF60C494BAAFBB1FB49714F08C19DEC1A4B389C774A885CB91

Function 02250672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2250000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae3b5dc420c2e90ff036e4bbd6f1fc8d2e4bea11970e70002aa4c0cb60baf18
Instruction ID: b27ed1e575f377653949b1f60d054c8af8bb61ee9063eb1aa170e660a63beaae
Opcode Fuzzy Hash: fae3b5dc420c2e90ff036e4bbd6f1fc8d2e4bea11970e70002aa4c0cb60baf18
Instruction Fuzzy Hash: B11149BA91023BDFCF14CF88C8854ADB7B0FB9C314B568525DC65A3349D3346A60CB90

Function 02250722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2250000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77ed7bbc9490546ac115a7c9256c203d92bf7029e0d4201081d47e65d74b7e5
Instruction ID: a260e5ce39583c0cde8cca10abd6b8d12c41188b006e44b98ef23476f9a2c094
Opcode Fuzzy Hash: a77ed7bbc9490546ac115a7c9256c203d92bf7029e0d4201081d47e65d74b7e5
Instruction Fuzzy Hash: AEF01576C0022ADB8B14DF88C8410EDB7B1FB48318B1AC496DC2837385D332AE62CF91

Function 02264B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9804491a6be265c21f066c8a34e1ba9637122086eb74b87403f7b5a302f2d110
Instruction ID: 8d243dc6ca498d297f5775d6ac54a249624985d835633db766a465354963b955
Opcode Fuzzy Hash: 9804491a6be265c21f066c8a34e1ba9637122086eb74b87403f7b5a302f2d110
Instruction Fuzzy Hash: C2F079B6A00A16EBDB258F61C5447DAFBB4BB88718F14821AD82C67350D778B4698BC0

Function 0225A793 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe337c69a24e20d7fd75aabed95a402f5a17eebc0c30dc64d5f3fccd76a35b2
Instruction ID: b8038bead2c5feca6ee81811cc646210d10dc61e7111bd8ebbff0fa4ee9c43b4
Opcode Fuzzy Hash: 4fe337c69a24e20d7fd75aabed95a402f5a17eebc0c30dc64d5f3fccd76a35b2
Instruction Fuzzy Hash: A5F09BB6A04A16EBDB25CF61C5447CAFBB4BB88714F54821AC82C67350C778B46ACBC0

Function 0225EC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cd0c64ba38daaaaa0490e501c43b0a5d571bbdc335ecaa7e4f67e0d159b53a
Instruction ID: d9121b4a59725d4783032b2d705f71f1fcd9e88a3585954c748c1e2e075c1c91
Opcode Fuzzy Hash: 02cd0c64ba38daaaaa0490e501c43b0a5d571bbdc335ecaa7e4f67e0d159b53a
Instruction Fuzzy Hash: EDF0F2B5A00A06EBDB15CF60C0047DAFBB0BB88714F04420AC42C63310C3787469CBC0

Function 02266495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71edf5fa9be310c4122f321afcf3d1eee803e65ef87c5508a936fe4ad26270e5
Instruction ID: 3fe352fbf0f5702fe898b72e0e0f08e7450957e48897f118a283d10a5055223a
Opcode Fuzzy Hash: 71edf5fa9be310c4122f321afcf3d1eee803e65ef87c5508a936fe4ad26270e5
Instruction Fuzzy Hash: EAF09BB6A00A16EBDB25CF65C5447CAFBB4BB88718F54821AC82C67350D778B469CFC0

Function 0225DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790f62720a028b3fe890bc7a5fccb6687b2d299a5cb43dab37ead666829ba57
Instruction ID: 37011e38e7edbe4529f47b925d5b20bca5ff1dc5994a234a146ccb7a9c0c88fb
Opcode Fuzzy Hash: 7790f62720a028b3fe890bc7a5fccb6687b2d299a5cb43dab37ead666829ba57
Instruction Fuzzy Hash: 2FF0C2B6D00A16ABDB248F61C5447DAFBB4BB48714F14821AC42D63310D3787469CBC0

Function 022649AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d4dfa39ea062b59cb4a23f191e907b94fa3ac0cac7b3c1397acd3edd22cc57
Instruction ID: 3c7a0370253762d3e18e699ee150eb8d79ae5522e36dd1e77f8e7d3d0edf12df
Opcode Fuzzy Hash: 13d4dfa39ea062b59cb4a23f191e907b94fa3ac0cac7b3c1397acd3edd22cc57
Instruction Fuzzy Hash: 28F0C2B6D00A16ABDB248F61C5447CAFBB4BB48714F14821AC42C67750D3787569CBC0

Function 0225DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6df46181704cfa03c1717ba86d96aa210a6918da0e4c8be452d25b7bba2709c
Instruction ID: d9998976a7e60c54caf6481ae3623d4c75950cffc546e51b29d5f4a0975ee4a3
Opcode Fuzzy Hash: c6df46181704cfa03c1717ba86d96aa210a6918da0e4c8be452d25b7bba2709c
Instruction Fuzzy Hash: 8DF0CAB6D00A16ABDB258F61C5447CAFBB4BB88714F14821AC82C67720C778B4A9CBC0

Function 02263C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbf1a7566da7d36deab00e8df207c1b6d46233ae398fa65c3a79f4bb42f4ac1
Instruction ID: 207e1fa55bfa6f9968c637f2c3e2d9d259751860d199470a74ab0582c61f9b26
Opcode Fuzzy Hash: ebbf1a7566da7d36deab00e8df207c1b6d46233ae398fa65c3a79f4bb42f4ac1
Instruction Fuzzy Hash: 5FF0C2B6D00A16EBDB248FA1C5447CAFBB4BB48714F14821AC42C67310D3787469CBC0

Function 022645E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002252000.00000040.00000800.00020000.00000000.sdmp, Offset: 02252000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2252000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1fb086912432efcf9e94868c8b408ac7f472657367f3ba3ba1642e84ff08ad
Instruction ID: c05dcc5e1b7d8a9e2417d3bd3f0a12f32f357810d11a898ee0146b8963e0047c
Opcode Fuzzy Hash: ad1fb086912432efcf9e94868c8b408ac7f472657367f3ba3ba1642e84ff08ad
Instruction Fuzzy Hash: 74F0C2B6D00A16ABDB258F61C5447CAFBB4BB48714F18821AC92C63310D3787469CBC0

Non-executed Functions

Function 022503C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1714330918.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2250000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: eb872bb57dc3666d2e68c1b4e0f0030092c3fdce29bb4313657cab48196c2f55
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 332106BA5142669FDB358F588C403D9B7E5FB08314F21882EDEC9EB710D3346B898B54

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SAMPLE_1.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6996

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
SAMPLE_1.exe.bin.exe

Function 00B91180 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 230
COMMON

Function 00B91803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Function 00B9449F Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 160
stringCOMMON

Function 00B95880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Function 00B95F50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Function 00B91D3A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75
stringCOMMON

Function 00B94890 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 143
COMMON

Function 00B93E88 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
registrystringCOMMON

Function 00B940F7 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 61
stringCOMMON

Function 00B92657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Function 00B94726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Function 00B92E9D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109
stringCOMMON

Function 00B963F0 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Function 00B93A11 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77
stringprocesssynchronizationCOMMON

Function 00B96640 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON