Windows Analysis Report
cJX8BV8LYG.exe

Overview

General Information

Sample name: cJX8BV8LYG.exe
renamed because original name is a hash value
Original sample name: 528D3EF48415F22BD277A9759D83A859.exe
Analysis ID: 1501450
MD5: 528d3ef48415f22bd277a9759d83a859
SHA1: 4ee7ed36eeaceca51e91952d25136f7260be6eab
SHA256: 7c5bd51d549520223a57177f6dde2feea2a8e48077a36d73b1c96701360a68a6
Tags: AZORultexe
Infos:

Detection

Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Azorult
Yara detected Azorult Info Stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Azorult AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://ln6b9.shop/LN341/index.php Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Azorult {"C2 url": "http://ln6b9.shop/LN341/index.php"}
Multi AV Scanner detection for submitted file
Source: cJX8BV8LYG.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: cJX8BV8LYG.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004094C4 CryptUnprotectData,LocalFree, 1_2_004094C4
Uses 32bit PE files
Source: cJX8BV8LYG.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr
Source: Binary string: ucrtbase.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: wntdll.pdb source: cJX8BV8LYG.exe, 00000000.00000003.1704325941.0000000003960000.00000004.00001000.00020000.00000000.sdmp, cJX8BV8LYG.exe, 00000000.00000003.1705553215.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: wntdll.pdbUGP source: cJX8BV8LYG.exe, 00000000.00000003.1704325941.0000000003960000.00000004.00001000.00020000.00000000.sdmp, cJX8BV8LYG.exe, 00000000.00000003.1705553215.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007EDBBE
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F68EE FindFirstFileW,FindClose, 0_2_007F68EE
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_007F698F
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007ED076
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007ED3A9
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007F9642
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007F979D
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_007F9B2B
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_007F5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 1_2_004098A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D0A0 FindFirstFileW, 1_2_0040D0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW, 1_2_00408D44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 1_2_004087DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D06E FindFirstFileW, 1_2_0040D06E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041303C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 1_2_0040989F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 1_2_004111C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW, 1_2_00408D3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041158C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 1_2_00411590
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D9C

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.4:49730 -> 172.67.128.117:80
Source: Network traffic Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.4:49730 -> 172.67.128.117:80
Source: Network traffic Suricata IDS: 2029136 - Severity 1 - ET MALWARE AZORult v3.3 Server Response M1 : 172.67.128.117:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.4:49731 -> 172.67.128.117:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.67.128.117 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ln6b9.shop/LN341/index.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 8b 30 65 8b 30 64 8b 30 6d eb 47 16 ed 26 66 97 26 67 ea 40 70 9d 30 70 9d 37 14 8b 30 61 e8 26 66 9e 26 66 97 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;10e0d0mG&f&g@p0p70a&f&f
Source: global traffic HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 32713Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_007FCE44
Source: global traffic DNS traffic detected: DNS query: ln6b9.shop
Source: unknown HTTP traffic detected: POST /LN341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: ln6b9.shopContent-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6d ef 47 70 9d 3b 70 9d 35 70 9d 34 70 9d 3b 13 8b 31 11 8b 30 65 8b 30 64 8b 30 6d eb 47 16 ed 26 66 97 26 67 ea 40 70 9d 30 70 9d 37 14 8b 30 61 e8 26 66 9e 26 66 97 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410mGp;p5p4p;10e0d0mG&f&g@p0p70a&f&f
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: cJX8BV8LYG.exe, 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: svchost.exe, 00000001.00000002.1813419702.0000000003612000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1815335312.0000000005200000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/LN341/index.php
Source: svchost.exe, 00000001.00000002.1815335312.0000000005200000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ln6b9.shop/LN341/index.phpA
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: cJX8BV8LYG.exe, 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://dotbit.me/a/
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1814289197.000000000365F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1813546210.0000000003631000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: svchost.exe, 00000001.00000002.1816447346.00000000062C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf8
Source: svchost.exe, 00000001.00000002.1813546210.0000000003631000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: svchost.exe, 00000001.00000002.1814354136.0000000003679000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1814289197.000000000365F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe, 00000001.00000002.1816447346.00000000062C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfjfile://192.168.2.1/all/Professional2019Retail.img
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, nssdbm3.dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_007FEAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_007FED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_007FEAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_007EAA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00819576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00819576
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: cJX8BV8LYG.exe PID: 5016, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.684a82d.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 1.2.svchost.exe.68b5f7e.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 1.2.svchost.exe.6828840.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Binary is likely a compiled AutoIt script file
Source: cJX8BV8LYG.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: cJX8BV8LYG.exe, 00000000.00000000.1640302007.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_44c36978-2
Source: cJX8BV8LYG.exe, 00000000.00000000.1640302007.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_66f7cd72-5
Source: cJX8BV8LYG.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fa8d29f7-7
Source: cJX8BV8LYG.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_213b5097-2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ED5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_007ED5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_007E1201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_007EE8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00788060 0_2_00788060
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F2046 0_2_007F2046
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E8298 0_2_007E8298
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007BE4FF 0_2_007BE4FF
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007B676B 0_2_007B676B
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00814873 0_2_00814873
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0078CAF0 0_2_0078CAF0
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ACAA0 0_2_007ACAA0
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0079CC39 0_2_0079CC39
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007B6DD9 0_2_007B6DD9
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0079B119 0_2_0079B119
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007891C0 0_2_007891C0
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A1394 0_2_007A1394
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A1706 0_2_007A1706
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A781B 0_2_007A781B
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0079997D 0_2_0079997D
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00787920 0_2_00787920
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A19B0 0_2_007A19B0
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A7A4A 0_2_007A7A4A
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A1C77 0_2_007A1C77
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A7CA7 0_2_007A7CA7
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007B9EEE 0_2_007B9EEE
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0080BE44 0_2_0080BE44
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A1F32 0_2_007A1F32
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_01E435F0 0_2_01E435F0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00403B98 appears 44 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00404E64 appears 33 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00404E3C appears 87 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004062D8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004034E4 appears 36 times
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: String function: 0079F9F2 appears 31 times
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: String function: 007A0A30 appears 46 times
PE file does not import any functions
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: cJX8BV8LYG.exe, 00000000.00000003.1705790864.0000000003A83000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cJX8BV8LYG.exe
Source: cJX8BV8LYG.exe, 00000000.00000003.1704442789.0000000003C2D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cJX8BV8LYG.exe
Uses 32bit PE files
Source: cJX8BV8LYG.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.684a82d.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 1.2.svchost.exe.68b5f7e.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 1.2.svchost.exe.6828840.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/53@1/1
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F37B5 GetLastError,FormatMessageW, 0_2_007F37B5
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E10BF AdjustTokenPrivileges,CloseHandle, 0_2_007E10BF
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_007E16C3
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_007F51CD
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0080A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0080A67C
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_007F648E
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_007842A2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-8AD8678F-018EDCC9-C34A4F09
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe File created: C:\Users\user\AppData\Local\Temp\aut31FB.tmp Jump to behavior
Source: cJX8BV8LYG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: svchost.exe, 00000001.00000003.1765945641.0000000003671000.00000004.00000020.00020000.00000000.sdmp, 65132962348398743035428.tmp.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cJX8BV8LYG.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\cJX8BV8LYG.exe "C:\Users\user\Desktop\cJX8BV8LYG.exe"
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cJX8BV8LYG.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cJX8BV8LYG.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3 Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: cJX8BV8LYG.exe Static file information: File size 1320960 > 1048576
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cJX8BV8LYG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nss3.dll.1.dr
Source: Binary string: ucrtbase.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
Source: Binary string: wntdll.pdb source: cJX8BV8LYG.exe, 00000000.00000003.1704325941.0000000003960000.00000004.00001000.00020000.00000000.sdmp, cJX8BV8LYG.exe, 00000000.00000003.1705553215.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, mozglue.dll.1.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: ucrtbase.pdbUGP source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, ucrtbase.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: wntdll.pdbUGP source: cJX8BV8LYG.exe, 00000000.00000003.1704325941.0000000003960000.00000004.00001000.00020000.00000000.sdmp, cJX8BV8LYG.exe, 00000000.00000003.1705553215.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 00000001.00000002.1816474676.0000000006708000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: cJX8BV8LYG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cJX8BV8LYG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cJX8BV8LYG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cJX8BV8LYG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cJX8BV8LYG.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains a suspicious time stamp
Source: ucrtbase.dll.1.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007842DE
PE file contains sections with non-standard names
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A0A76 push ecx; ret 0_2_007A0A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D86E push 0040D89Ch; ret 1_2_0040D894
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D870 push 0040D89Ch; ret 1_2_0040D894
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004140C0 push 004140ECh; ret 1_2_004140E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004108C8 push 004108F4h; ret 1_2_004108EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040B0F7 push 0040B124h; ret 1_2_0040B11C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040B0F8 push 0040B124h; ret 1_2_0040B11C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408080 push 004080B8h; ret 1_2_004080B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408158 push 00408196h; ret 1_2_0040818E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408970 push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408994 push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004089AC push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415208 push 0041528Ch; ret 1_2_00415284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040CA0C push 0040CA3Ch; ret 1_2_0040CA34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040CA10 push 0040CA3Ch; ret 1_2_0040CA34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417AEC push 00417B18h; ret 1_2_00417B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00404BC0 push 00404C11h; ret 1_2_00404C09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D3C0 push 0040D3ECh; ret 1_2_0040D3E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040A3E4 push 0040A410h; ret 1_2_0040A408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040C390 push 0040C3C0h; ret 1_2_0040C3B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040C394 push 0040C3C0h; ret 1_2_0040C3B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040A3AC push 0040A3D8h; ret 1_2_0040A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040DC44 push 0040DCA3h; ret 1_2_0040DC9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040DC0C push 0040DC38h; ret 1_2_0040DC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040B41E push 0040B44Ch; ret 1_2_0040B444
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040B420 push 0040B44Ch; ret 1_2_0040B444
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040A438 push 0040A464h; ret 1_2_0040A45C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A4F4 push 0041A51Ah; ret 1_2_0041A512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414C80 push 00414CACh; ret 1_2_00414CA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409488 push 004094B8h; ret 1_2_004094B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A4AC push 0041A4E8h; ret 1_2_0041A4E0
Drops PE files
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\softokn3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\ucrtbase.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\mozglue.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\nss3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\freebl3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\nssdbm3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_0079F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0079F98E
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00811C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00811C41
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_00417B1A
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe API/Special instruction interceptor: Address: 1E43214
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,GetCurrentProcessId, 1_2_00416B94
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\softokn3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\nss3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\freebl3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\nssdbm3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CFBCB28B\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe API coverage: 4.0 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007EDBBE
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F68EE FindFirstFileW,FindClose, 0_2_007F68EE
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_007F698F
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007ED076
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007ED3A9
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007F9642
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007F979D
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_007F9B2B
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_007F5C97
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 1_2_004098A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D0A0 FindFirstFileW, 1_2_0040D0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW, 1_2_00408D44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 1_2_004087DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D06E FindFirstFileW, 1_2_0040D06E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041303C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 1_2_0040989F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 1_2_004111C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW, 1_2_00408D3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041158C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 1_2_00411590
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D9C
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007842DE
Source: svchost.exe, 00000001.00000002.1814289197.000000000365F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.1813546210.0000000003631000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 00000001.00000002.1814354136.0000000003679000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]NativeFontCtl H
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007FEAA2 BlockInput, 0_2_007FEAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007B2622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,GetCurrentProcessId, 1_2_00416B94
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007842DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A4CE8 mov eax, dword ptr fs:[00000030h] 0_2_007A4CE8
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_01E434E0 mov eax, dword ptr fs:[00000030h] 0_2_01E434E0
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_01E43480 mov eax, dword ptr fs:[00000030h] 0_2_01E43480
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_01E41E70 mov eax, dword ptr fs:[00000030h] 0_2_01E41E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00407A34 mov eax, dword ptr fs:[00000030h] 1_2_00407A34
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_007E0B62
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007B2622
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007A083F
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A09D5 SetUnhandledExceptionFilter, 0_2_007A09D5
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007A0C21

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.67.128.117 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 30F6008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_007E1201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_007C2BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007EB226 SendInput,keybd_event, 0_2_007EB226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_008022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_008022DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cJX8BV8LYG.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3 Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_007E0B62
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_007E1663
Source: cJX8BV8LYG.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cJX8BV8LYG.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007A0698 cpuid 0_2_007A0698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_00416FB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 1_2_00404B4C
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\SysWOW64\svchost.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_007F8195
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007DD27A GetUserNameW, 0_2_007DD27A
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_007BBB6F
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_007842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007842DE
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Azorult
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1816447346.00000000062C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1816856617.0000000006C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cJX8BV8LYG.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4940, type: MEMORYSTR
Yara detected Azorult Info Stealer
Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cJX8BV8LYG.exe.1e50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cJX8BV8LYG.exe.1e50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1812372698.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1707421227.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cJX8BV8LYG.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4940, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: svchost.exe, 00000001.00000002.1816447346.00000000062C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: electrum.dat
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Exodus\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000001.00000002.1816447346.00000000062C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Exodus Eden\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: svchost.exe, 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\ElectrumG\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Electrum-btcp\wallets\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Exodus Eden\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\ Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: cJX8BV8LYG.exe Binary or memory string: WIN_81
Source: cJX8BV8LYG.exe Binary or memory string: WIN_XP
Source: cJX8BV8LYG.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: cJX8BV8LYG.exe Binary or memory string: WIN_XPe
Source: cJX8BV8LYG.exe Binary or memory string: WIN_VISTA
Source: cJX8BV8LYG.exe Binary or memory string: WIN_7
Source: cJX8BV8LYG.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 1.2.svchost.exe.684a82d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.68b5f7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.6828840.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1816558459.0000000006810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4940, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00801204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00801204
Source: C:\Users\user\Desktop\cJX8BV8LYG.exe Code function: 0_2_00801806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00801806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501450 Sample: cJX8BV8LYG.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 31 ln6b9.shop 2->31 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 8 other signatures 2->41 9 cJX8BV8LYG.exe 4 2->9         started        signatures3 process4 signatures5 43 Binary is likely a compiled AutoIt script file 9->43 45 Found API chain indicative of sandbox detection 9->45 47 Writes to foreign memory regions 9->47 49 2 other signatures 9->49 12 svchost.exe 63 9->12         started        process6 dnsIp7 33 ln6b9.shop 172.67.128.117, 49730, 49731, 80 CLOUDFLARENETUS United States 12->33 23 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->23 dropped 25 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->27 dropped 29 45 other files (none is malicious) 12->29 dropped 51 System process connects to network (likely due to code injection or exploit) 12->51 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Tries to steal Instant Messenger accounts or passwords 12->55 57 6 other signatures 12->57 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.128.117
 ln6b9.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
ln6b9.shop 172.67.128.117 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ln6b9.shop/LN341/index.php true
  • Avira URL Cloud: malware
 unknown