Play interactive tour

Edit tour

Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Sample Name:	duLT5gkRjy.exe
Analysis ID:	528744
MD5:	d42456f7afc812628a9ff67d8c9340eb
SHA1:	30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256:	a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
Tags:	exeSocelars
Infos:
Most interesting Screenshot:

Detection

Socelars

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Socelars

Multi AV Scanner detection for domain / URL

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

AV process strings found (often used to terminate AV products)

Enables driver privileges

PE file contains strange resources

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Enables security privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

duLT5gkRjy.exe (PID: 5068 cmdline: "C:\Users\user\Desktop\duLT5gkRjy.exe" MD5: D42456F7AFC812628A9FF67D8C9340EB)

WerFault.exe (PID: 4060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
duLT5gkRjy.exe	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
Process Memory Space: duLT5gkRjy.exe PID: 5068	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.duLT5gkRjy.exe.1350000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.duLT5gkRjy.exe.1350000.2.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.duLT5gkRjy.exe.1350000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
1.0.duLT5gkRjy.exe.1350000.1.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: duLT5gkRjy.exe

Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}

Multi AV Scanner detection for submitted file

Show sources

Source: duLT5gkRjy.exe	Virustotal: Detection: 62%			Perma Link
Source: duLT5gkRjy.exe	ReversingLabs: Detection: 59%

Multi AV Scanner detection for domain / URL

Show sources

Source: www.listincode.com

Virustotal: Detection: 9%

Perma Link

Source: duLT5gkRjy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.7:49737 version: TLS 1.2

Source: duLT5gkRjy.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ngdatas.pw/

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 149.28.253.196 149.28.253.196
Source: Joe Sandbox View	IP Address: 5.9.162.45 5.9.162.45
Source: Joe Sandbox View	IP Address: 5.9.162.45 5.9.162.45

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: duLT5gkRjy.exe

String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: duLT5gkRjy.exe	String found in binary or memory: http://ngdatas.pw/
Source: duLT5gkRjy.exe	String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.ecgbg.com
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/143up7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14Jup7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14Qju7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14ePy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/169Bx7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/16ajh7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/16xjh7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1746b7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1756b7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/19iM77
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1BBCf7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1CDGu7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1CUGu7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Cr3a7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1DE477
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1G7Sc7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GWfv7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GaLz7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gbzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gczj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Ghzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GiLz7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gjzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1H3Fa7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1KyTy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1O2BH
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OXFG
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OZVH
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OhAG
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Pdet7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1RWXp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1SWks7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Smzs7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Sxzs7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1T79i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1T89i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TBch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TCch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TW3i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TXch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Tkij7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1UKG97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1UpU57
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Uts87
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1X8M97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XJq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XKq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XSq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Z7qd7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1aaVp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1b4887
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1bV787
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1fHtp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1lcZz
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1mxKf7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1pdxr7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1q6Jt7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rDMq7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rd8N6
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rqRg7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1s4qp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1s5qp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1spuy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1uS4i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1uW6i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1wnqn7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1x5bg7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1yXwr7
Source: duLT5gkRjy.exe	String found in binary or memory: https://prntscr.com/upload.php
Source: duLT5gkRjy.exe	String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: duLT5gkRjy.exe	String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.amazon.com/
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.aol.com
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.google.com
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.listincode.com/

Source: unknown

DNS traffic detected: queries for: www.listincode.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.7:49737 version: TLS 1.2

Source: duLT5gkRjy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_0144095E	1_2_0144095E
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_013665C0	1_2_013665C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_0135A460	1_2_0135A460
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_014428C0	1_2_014428C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_013650B0	1_2_013650B0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_0135CB60	1_2_0135CB60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_01361B40	1_2_01361B40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_013623A0	1_2_013623A0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_01352380	1_2_01352380
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_0135B3F0	1_2_0135B3F0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_01357A30	1_2_01357A30
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_01358E60	1_2_01358E60

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: String function: 01357720 appears 47 times

Source: duLT5gkRjy.exe

Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Load Driver

Jump to behavior

Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Security

Jump to behavior

Source: duLT5gkRjy.exe	Virustotal: Detection: 62%
Source: duLT5gkRjy.exe	ReversingLabs: Detection: 59%

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe"
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7933.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.winEXE@2/6@2/2

Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5068
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Mutant created: \Sessions\1\BaseNamedObjects\patatoes

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: duLT5gkRjy.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: duLT5gkRjy.exe

Static file information: File size 1552896 > 1048576

Source: duLT5gkRjy.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400

Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: duLT5gkRjy.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: duLT5gkRjy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: duLT5gkRjy.exe	Static PE information: section name: .ogtrfyj
Source: duLT5gkRjy.exe	Static PE information: section name: .ogtrfyj

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0143B8A6

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_014524F8 mov eax, dword ptr fs:[00000030h]		1_2_014524F8
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_014483D7 mov eax, dword ptr fs:[00000030h]		1_2_014483D7

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0143B8A6
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 1_2_01434F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_01434F72

Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 1_2_01436304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_01436304

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 1_2_014529E0 _free,_free,_free,GetTimeZoneInformation,_free,

1_2_014529E0

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Socelars

Show sources

Source: Yara match	File source: duLT5gkRjy.exe, type: SAMPLE
Source: Yara match	File source: 1.2.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.duLT5gkRjy.exe.1350000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.duLT5gkRjy.exe.1350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: duLT5gkRjy.exe PID: 5068, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	LSASS Driver1	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	LSASS Driver1	Process Injection2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Virtualization/Sandbox Evasion1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
duLT5gkRjy.exe	62%	Virustotal		Browse
duLT5gkRjy.exe	59%	ReversingLabs	Win32.Adware.ExtInstaller

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.listincode.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.channelinfo.pw/index.php/Home/Index/getExe	0%	URL Reputation	safe
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	0%	URL Reputation	safe
http://www.ecgbg.com	0%	Virustotal		Browse
http://www.ecgbg.com	0%	Avira URL Cloud	safe
https://www.listincode.com/	0%	URL Reputation	safe
http://www.ecgbg.com/Home/Index/getdata	0%	Avira URL Cloud	safe
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	0%	URL Reputation	safe
http://ngdatas.pw/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	5.9.162.45	true	false		high
www.listincode.com	149.28.253.196	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1GWfv7	false		high
https://www.listincode.com/	true	URL Reputation: safe	unknown
http://ngdatas.pw/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1KyTy7	duLT5gkRjy.exe	false		high
https://iplogger.org/14Qju7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gjzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1756b7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gbzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1TBch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Cr3a7	duLT5gkRjy.exe	false		high
https://iplogger.org/1spuy7	duLT5gkRjy.exe	false		high
https://iplogger.org/1UKG97	duLT5gkRjy.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExe	duLT5gkRjy.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1fHtp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1XJq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1BBCf7	duLT5gkRjy.exe	false		high
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	duLT5gkRjy.exe	true	URL Reputation: safe	unknown
https://iplogger.org/143up7	duLT5gkRjy.exe	false		high
https://iplogger.org/1DE477	duLT5gkRjy.exe	false		high
https://iplogger.org/1Tkij7	duLT5gkRjy.exe	false		high
https://iplogger.org/1T79i7	duLT5gkRjy.exe	false		high
https://www.google.com	duLT5gkRjy.exe	false		high
http://www.ecgbg.com	duLT5gkRjy.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://iplogger.org/1s5qp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Uts87	duLT5gkRjy.exe	false		high
https://iplogger.org/1TCch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1G7Sc7	duLT5gkRjy.exe	false		high
https://iplogger.org/1OhAG	duLT5gkRjy.exe	false		high
https://iplogger.org/1b4887	duLT5gkRjy.exe	false		high
https://iplogger.org/1pdxr7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rqRg7	duLT5gkRjy.exe	false		high
https://iplogger.org/1aaVp7	duLT5gkRjy.exe	false		high
http://www.ecgbg.com/Home/Index/getdata	duLT5gkRjy.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1H3Fa7	duLT5gkRjy.exe	false		high
https://iplogger.org/1OZVH	duLT5gkRjy.exe	false		high
https://iplogger.org/1UpU57	duLT5gkRjy.exe	false		high
https://iplogger.org/1rd8N6	duLT5gkRjy.exe	false		high
https://iplogger.org/1O2BH	duLT5gkRjy.exe	false		high
https://iplogger.org/1Pdet7	duLT5gkRjy.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	duLT5gkRjy.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1x5bg7	duLT5gkRjy.exe	false		high
https://iplogger.org/1XKq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1XSq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1746b7	duLT5gkRjy.exe	false		high
https://iplogger.org/19iM77	duLT5gkRjy.exe	false		high
https://iplogger.org/169Bx7	duLT5gkRjy.exe	false		high
https://iplogger.org/1T89i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	duLT5gkRjy.exe	false		high
https://iplogger.org/1s4qp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1uS4i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1uW6i7	duLT5gkRjy.exe	false		high
https://iplogger.org/16ajh7	duLT5gkRjy.exe	false		high
https://iplogger.org/14ePy7	duLT5gkRjy.exe	false		high
https://iplogger.org/16xjh7	duLT5gkRjy.exe	false		high
https://iplogger.org/1wnqn7	duLT5gkRjy.exe	false		high
https://iplogger.org/1X8M97	duLT5gkRjy.exe	false		high
https://www.amazon.com/	duLT5gkRjy.exe	false		high
https://iplogger.org/1Ghzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rDMq7	duLT5gkRjy.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://iplogger.org/1lcZz	duLT5gkRjy.exe	false		high
https://iplogger.org/1TW3i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Z7qd7	duLT5gkRjy.exe	false		high
https://iplogger.org/1q6Jt7	duLT5gkRjy.exe	false		high
https://iplogger.org/1mxKf7	duLT5gkRjy.exe	false		high
https://iplogger.org/1CUGu7	duLT5gkRjy.exe	false		high
https://iplogger.org/1OXFG	duLT5gkRjy.exe	false		high
https://iplogger.org/1bV787	duLT5gkRjy.exe	false		high
https://prntscr.com/upload.php	duLT5gkRjy.exe	false		high
https://sm.ms/api/v2/upload?inajax=1	duLT5gkRjy.exe	false		high
https://www.google.com/search?q=admob&oq=admob	duLT5gkRjy.exe	false		high
https://iplogger.org/14Jup7	duLT5gkRjy.exe	false		high
https://iplogger.org/1SWks7	duLT5gkRjy.exe	false		high
https://iplogger.org/1TXch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gczj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Sxzs7	duLT5gkRjy.exe	false		high
https://iplogger.org/1GiLz7	duLT5gkRjy.exe	false		high
https://prntscr.com/upload.phphttps://prntscr.com/upload.php	duLT5gkRjy.exe	false		high
https://iplogger.org/1GaLz7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Smzs7	duLT5gkRjy.exe	false		high
https://www.aol.com	duLT5gkRjy.exe	false		high
https://iplogger.org/1CDGu7	duLT5gkRjy.exe	false		high
https://iplogger.org/1yXwr7	duLT5gkRjy.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.28.253.196	www.listincode.com	United States		20473	AS-CHOOPAUS	true
5.9.162.45	iplogger.org	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528744
Start date:	25.11.2021
Start time:	18:22:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	duLT5gkRjy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winEXE@2/6@2/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.54.110.249, 23.203.70.208, 96.16.150.73, 52.168.117.173, 40.112.88.60 Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, arc.msn.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.msftconnecttest.com, watson.telemetry.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, clientconfig.passport.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:23:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.28.253.196	EaCmG75WxF.exe	Get hash	malicious	Browse
	EaCmG75WxF.exe	Get hash	malicious	Browse
	OPKyR75fJn.exe	Get hash	malicious	Browse
	LZxr7xI4nc.exe	Get hash	malicious	Browse
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse
	FhP4JYCU7J.exe	Get hash	malicious	Browse
	FhP4JYCU7J.exe	Get hash	malicious	Browse
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse
	77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe	Get hash	malicious	Browse
	WQRrng5aiw.exe	Get hash	malicious	Browse
	WQRrng5aiw.exe	Get hash	malicious	Browse
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	Browse
	kq5Of3SOMZ.exe	Get hash	malicious	Browse
	QABYgAqa5Z.exe	Get hash	malicious	Browse
	aBGNeDS7yM.exe	Get hash	malicious	Browse
	aBGNeDS7yM.exe	Get hash	malicious	Browse
	zMvP34LhcZ.exe	Get hash	malicious	Browse
5.9.162.45	VDnn1698j5.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	TEiwRyJ2v1.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	sBz6zVtsB1.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	qTtykpVyaY.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	mXLL1BHUQh.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	EVhIUVrKx8.exe	Get hash	malicious	Browse	iplogger.org/2A2xh6
	pQscpg84Lh.exe	Get hash	malicious	Browse	iplogger.org/1PZN77
	pl8c1emoOu.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	RmzVjXQ0a6.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	fMo9q56dnX.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	Screenshot00112021.scr.exe	Get hash	malicious	Browse	iplogger.org/1BwFn7.gz
	SAlxtNmHFR.exe	Get hash	malicious	Browse	iplogger.org/1BTpm7

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
iplogger.org	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	5.9.162.45
	j0UcwcqjvM.exe	Get hash	malicious	Browse	5.9.162.45
	0K31jgS20G.exe	Get hash	malicious	Browse	5.9.162.45
	vAsfZhw32P.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	e8rimWGicH.exe	Get hash	malicious	Browse	5.9.162.45
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	5.9.162.45
	RtpLhZOyaf.exe	Get hash	malicious	Browse	5.9.162.45
	vWNrGi9qLx.exe	Get hash	malicious	Browse	5.9.162.45
	VDnn1698j5.exe	Get hash	malicious	Browse	5.9.162.45
	TEiwRyJ2v1.exe	Get hash	malicious	Browse	5.9.162.45
	iIrI72Motw.exe	Get hash	malicious	Browse	5.9.162.45
	sBz6zVtsB1.exe	Get hash	malicious	Browse	5.9.162.45
	eJV3ZMQ2Go.exe	Get hash	malicious	Browse	5.9.162.45
www.listincode.com	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	149.28.253.196
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe	Get hash	malicious	Browse	149.28.253.196
	fXlJhe5OGb.exe	Get hash	malicious	Browse	149.28.253.196
	vgVQ5S6MxN.exe	Get hash	malicious	Browse	149.28.253.196

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EzCOXP6oxy.dll	Get hash	malicious	Browse	66.42.57.149
	IkroV40UrZ.dll	Get hash	malicious	Browse	66.42.57.149
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	66.42.57.149
	MakbLShaqA.dll	Get hash	malicious	Browse	66.42.57.149
	MakbLShaqA.dll	Get hash	malicious	Browse	66.42.57.149
	OPKyR75fJn.exe	Get hash	malicious	Browse	149.28.253.196
	Ljm7n1QDZe	Get hash	malicious	Browse	68.232.173.117
	Jx35I5pwgd	Get hash	malicious	Browse	66.42.54.65
	tUJXpPwU27.dll	Get hash	malicious	Browse	66.42.57.149
	LZxr7xI4nc.exe	Get hash	malicious	Browse	149.28.253.196
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	149.28.253.196
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196
	asbestos_safety_and_eradication_agency_enterprise_agreement 41573 .js	Get hash	malicious	Browse	45.76.154.237
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	149.28.253.196
	DA8063D9EB60622915D492542A6A8AE318BC87B4C5F89.exe	Get hash	malicious	Browse	155.138.201.103
	asbestos_safety_and_eradication_agency_enterprise_agreement 64081 .js	Get hash	malicious	Browse	45.76.154.237
	pYebrdRKvR.dll	Get hash	malicious	Browse	66.42.57.149
	pPX9DaPVYj.dll	Get hash	malicious	Browse	66.42.57.149
HETZNER-ASDE	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	8p2NlqFgew.exe	Get hash	malicious	Browse	49.12.42.56
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	EzCOXP6oxy.dll	Get hash	malicious	Browse	78.47.204.80
	IkroV40UrZ.dll	Get hash	malicious	Browse	78.47.204.80
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	78.47.204.80
	ff0231.exe	Get hash	malicious	Browse	5.9.96.94
	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	Zr26f1rL6r.exe	Get hash	malicious	Browse	88.99.22.5
	OPKyR75fJn.exe	Get hash	malicious	Browse	5.9.162.45
	meerkat.arm7	Get hash	malicious	Browse	148.251.220.118
	oQANZnrt9d	Get hash	malicious	Browse	135.181.142.151
	tUJXpPwU27.dll	Get hash	malicious	Browse	78.47.204.80
	LZxr7xI4nc.exe	Get hash	malicious	Browse	5.9.162.45
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	5.9.162.45
	exe.exe	Get hash	malicious	Browse	116.202.203.61
	J73PTzDghy.exe	Get hash	malicious	Browse	94.130.138.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	fpvN6iDp5r.msi	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Se adjunta el pedido, proforma.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Statement.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Michal November 23, 2021.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	survey-1384723731.xls	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	survey-1378794827.xls	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Zr26f1rL6r.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	mN2NobuuDv.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	cs.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	ORDINE + DDT A.M.F SpA.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	mal1.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	DOC5629.htm	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Racun je u prilogu.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	exe.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	INF-BRdocsx.NDVDELDKRS.msi	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	2GEg45PlG9.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_duLT5gkRjy.exe_1716a7dbaca25d22b8ce403b85cf2c886155787b_b69a8483_0f8f88d3\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0267413680848108
Encrypted:	false
SSDEEP:	192:c/IiK8oB+HBUZMXAjmH6v8/u7sZS274Itp1:cgiUB2BUZMXAj18/u7sZX4Itp
MD5:	9791D257D822DD8019C1C1BEFBFE0783
SHA1:	583B3EE02BC9562DC54A72DD591E673E24A8B66A
SHA-256:	37F9FE2C1EFBFD972E7CED4ACAFB817ED25F9BA27190691205311A3973372C9B
SHA-512:	EDEB1E8982642E2DF92E8A8B9E93939012569DD76140009D53480B979840FD67F798CBE9B93D468A64013AD6C5E2A3B26FADB91C65AA9808B7D9F2599FA73A8F
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.6.7.0.0.7.4.9.3.2.6.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.6.7.0.1.0.4.9.3.2.4.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.a.0.0.7.a.c.-.b.d.b.c.-.4.3.e.b.-.b.a.0.d.-.b.4.0.d.9.0.e.6.2.3.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.f.f.2.8.5.9.-.0.e.5.d.-.4.6.7.3.-.b.0.7.3.-.a.8.0.7.7.f.9.e.b.5.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.u.L.T.5.g.k.R.j.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.c.c.-.0.0.0.1.-.0.0.1.7.-.1.1.d.9.-.2.8.9.5.6.c.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.c.8.5.b.f.e.1.d.6.f.e.f.d.b.d.a.c.0.f.9.1.5.3.d.0.2.f.9.b.5.5.0.0.0.0.0.9.0.4.!.0.0.0.0.3.0.f.4.9.d.0.f.3.d.4.6.c.c.9.c.c.f.8.7.3.3.2.4.7.a.0.7.0.9.5.5.5.a.d.2.0.9.9.f.!.d.u.L.T.5.g.k.R.j.y...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7933.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Nov 26 02:23:28 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	131814
Entropy (8bit):	1.9804120841231585
Encrypted:	false
SSDEEP:	384:WiL1p0Q6GlRScvwmIEGVQMW/wraE7twJuQeToI1UJTqeDKOKF:L6GWcvw9EGVQUraEGssIdyKOC
MD5:	CD7BD168A73892B70C6E43607A74B806
SHA1:	9FD336BDCAAE2D099311BA3E1180A6F3CFC27BC1
SHA-256:	D3D80F7D4301E3CB2BA187FA536EFE2AC1AE85F0CA2108F4FEA24B4C1F51E771
SHA-512:	11636149461575803FB1620EC75E2DBFFA976A528F5CC75217A386B9B78CA67AE2348274846CC191A19823E3CD5FBEBB35ACB901E3377E4581C6AD9A85A001D1
Malicious:	false
Reputation:	low
Preview:	MDMP....... ....... E.a............D...........,...L............Q..........T.......8...........T............K..6...........x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T............E.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80A6.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8296
Entropy (8bit):	3.7008050316408068
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiDd6GKC6YgDSUdoJgmffSVCprB89b/Asf+1m:RrlsNi56G/6YUSUdoJgmffSD/Tft
MD5:	DE019634757A2E498589659AABE2FA25
SHA1:	C9FEF1E6A406C902924989176DE108134D3BC0F9
SHA-256:	8DBAD734D69208DDC814C03F34B460BA87FAE5456C55A61FE221B38E2F9AE649
SHA-512:	2813EB0BB2DE93A09654AA10DE0A7BAD1147E14E3CEAF7CDAE5CCDA59B1AF572425E721A3779F5775E4F41B946E33A6FE116E8E22EC45DE96A9CD48F70E40B47
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8328.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.475311563035437
Encrypted:	false
SSDEEP:	48:cvIwSD8zsUJgtWI9+AWSC8B08fm8M4JnCfBifsFy7+q8OxuDOl+mtdF0q03d:uITfSt5SNnJnC8NXQjmtdF0q03d
MD5:	1AB2EC2741530EB35DE688CF7BB89B06
SHA1:	067F6C95C9B2F97CFCC061D40B70DDE4D4C24564
SHA-256:	FD2F2AA348EDA2BC9759C175309B360CA294EFA0E1787D0F589846CB53214793
SHA-512:	FF0F60EB939DE7A449388D90BFDA99ADC36EB6ACC1B16B233880009016FF53962C47B3EE10CB63C0C58CECBB6AC417140FE0467040D4F27C6719CF3828BBB8B7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270774" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.277985648101297
Encrypted:	false
SSDEEP:	12288:d5ujz4qQswYDf9MTryEn6zDoTd00Fg6cYKuvrlRIw4oYqFvKEf:Pmz4qQswYDf9MTTWC0o
MD5:	6E2BD6B0FBF1D4BA46D0FC6C25511830
SHA1:	4194EA0B60BD71B986E5DA6D7CEF76CA3093B0C9
SHA-256:	5DF90C277F31BB2E17449C2803535D49FB975B0272839C8FE771623FA04A3644
SHA-512:	B71C200247774063831205B55999CF2A3066D09D6B5DC5869E91B011F4715B21B838FDDB64223EDF36168CFB5ED4BB11F0BA5C00AD06948B2F10407B93E44078
Malicious:	false
Reputation:	low
Preview:	regfX...X...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm./..l................................................................................................................................................................................................................................................................................................................................................N..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.07512415013091
Encrypted:	false
SSDEEP:	384:JVSKQpIFg53EDxxkeRu3xxvYdnq9SaPDSpafYzI+yD+hBzpfIVjQOU6XadYV7i+t:JEKe3Gxkau3xdYduSaPupafYzTyDefIX
MD5:	A3C48A0B657AB5E9A93804801E47146B
SHA1:	8BCE5C32FEB8733974C2027DF0FAEB88A05E15A9
SHA-256:	1FB6140D42DB3FE71530F5DFEB7E5B429F56293008EA1AC5158235207267C568
SHA-512:	2B76B6C020F6605A913D566E7B4CDCDAE55CC443778D01CB7F1AB17431E8FD3DE55AF3599E17BFCBFAB4D12A9BC7A491466B4A85409E1BB4874585932151077E
Malicious:	false
Reputation:	low
Preview:	regfW...W...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm./..l................................................................................................................................................................................................................................................................................................................................................N..HvLE.^......W.............y./.V/....nn..................0......................hbin................p.\..,..........nk,.....l....... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....l....... ...........8~.............. .......Z.......................Root........lf......Root....nk .....l.................................. ...............*...............DeviceCensus.......................vk..................WritePermissions

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.685246086092563
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	duLT5gkRjy.exe
File size:	1552896
MD5:	d42456f7afc812628a9ff67d8c9340eb
SHA1:	30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256:	a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
SHA512:	02de7cd71c5155ac5d08f7e432f5f3a138a6800d74479c4696cf877bbcf8fc99bbbf972a50991ca978b5416b89d76b6ab652a9d7315bc61b1baf23aacfdbd755
SSDEEP:	24576:+CjpXA4U35ozW03XRp/hESVE5uU2xbVN6pZVnoYLRZgUQs8n:rpTJxPNlcPVnoYLRZvz8n
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+..............-.......&..............(......./......./.7.....*.......+....................

File Icon


Icon Hash:	c8d8d8b6f0f83c58

Static PE Info

General
Entrypoint:	0x4e5eb3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619F64CF [Thu Nov 25 10:26:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
call 00007F0638C4FC0Eh
jmp 00007F0638C4F5E9h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00528BCCh
mov dword ptr [ecx], 0051A510h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0638C4F74Fh
push 00543C5Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0638C515F3h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0638BFF695h
push 0053FF54h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0638C515D6h
int3
int3
push 004E9EA0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00546944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054C488h], 00000000h
sub esp, 24h
or dword ptr [00546960h], 01h
push 0000000Ah
call dword ptr [0051A1D4h]
test eax, eax
je 00007F0638C4F91Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1445f4	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x2c550	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x8098	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13d910	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13da40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13d948	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x30c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1122a1	0x112400	False	0.505059964676	data	6.55728577412	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.ogtrfyj	0x114000	0x580a	0x5a00	False	0.466579861111	data	5.981573238	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11a000	0x2b7b2	0x2b800	False	0.447607983118	data	5.81232244285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x146000	0x77a4	0x2e00	False	0.252802309783	data	3.89020136245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ogtrfyj	0x14e000	0x50	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14f000	0x2c550	0x2c600	False	0.68740096831	data	6.50827273455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x8098	0x8200	False	0.705498798077	data	6.64096530369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ZIP	0x16f100	0xc2ce	Zip archive data, at least v1.0 to extract	Chinese	China
RT_ICON	0x14f360	0x668	data	Chinese	China
RT_ICON	0x14f9c8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2541320505, next used block 1153431	Chinese	China
RT_ICON	0x14fcb0	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x14fdd8	0xea8	data	Chinese	China
RT_ICON	0x150c80	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15757402, next used block 15166820	Chinese	China
RT_ICON	0x151528	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x151a90	0x9160	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_ICON	0x15abf0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x16b418	0x25a8	data	Chinese	China
RT_ICON	0x16d9c0	0x10a8	data	Chinese	China
RT_ICON	0x16ea68	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_GROUP_ICON	0x16eed0	0xa0	data	Chinese	China
RT_VERSION	0x16ef70	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China
RT_MANIFEST	0x17b3d0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll	ShellExecuteExA
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll	InternetGetCookieExA
NETAPI32.dll	Netbios
ntdll.dll	RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2019
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:23:23.236825943 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:23.236877918 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:23.236985922 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:23.254667044 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:23.254709005 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:23.678935051 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:23.679128885 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.118453979 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.118484974 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.119082928 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.119179010 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.123270035 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.164880037 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.261063099 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.261141062 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.261146069 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.261193991 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.261558056 CET	49736	443	192.168.2.7	149.28.253.196
Nov 25, 2021 18:23:24.261589050 CET	443	49736	149.28.253.196	192.168.2.7
Nov 25, 2021 18:23:24.391877890 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.391947985 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.392024994 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.393194914 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.393209934 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.478566885 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.478698015 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.486087084 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.486105919 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.486495018 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.486587048 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.514153957 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.546324968 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.546471119 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.546494961 CET	443	49737	5.9.162.45	192.168.2.7
Nov 25, 2021 18:23:24.546592951 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.564376116 CET	49737	443	192.168.2.7	5.9.162.45
Nov 25, 2021 18:23:24.564426899 CET	443	49737	5.9.162.45	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:23:23.197443008 CET	55411	53	192.168.2.7	8.8.8.8
Nov 25, 2021 18:23:23.218777895 CET	53	55411	8.8.8.8	192.168.2.7
Nov 25, 2021 18:23:24.350204945 CET	63668	53	192.168.2.7	8.8.8.8
Nov 25, 2021 18:23:24.388041973 CET	53	63668	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 18:23:23.197443008 CET	192.168.2.7	8.8.8.8	0x1b0c	Standard query (0)	www.listincode.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:24.350204945 CET	192.168.2.7	8.8.8.8	0x2312	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 18:23:23.218777895 CET	8.8.8.8	192.168.2.7	0x1b0c	No error (0)	www.listincode.com		149.28.253.196	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:24.388041973 CET	8.8.8.8	192.168.2.7	0x2312	No error (0)	iplogger.org		5.9.162.45	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.listincode.com

iplogger.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49736	149.28.253.196	443	C:\Users\user\Desktop\duLT5gkRjy.exe

Timestamp	Direction	Data
2021-11-25 17:23:24 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.listincode.com Cache-Control: no-cache
2021-11-25 17:23:24 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:23:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.6.40 Access-Control-Allow-Origin: *
2021-11-25 17:23:24 UTC	IN	Data Raw: 47 42 Data Ascii: GB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49737	5.9.162.45	443	C:\Users\user\Desktop\duLT5gkRjy.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 17:23:24 UTC	0	OUT	GET /1GWfv7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
2021-11-25 17:23:24 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:23:24 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241187187; path=/ Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 25 Nov 2021 17:23:24 +0000 Answers: whoami: dd7a5982e8b1de9b0cc7da7fe0ec7879c44089276a00308f59743c09424407f5 Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2021-11-25 17:23:24 UTC	1	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: duLT5gkRjy.exe PID: 5068 Parent PID: 5916

General

Start time:	18:23:21
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\duLT5gkRjy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\duLT5gkRjy.exe"
Imagebase:	0x1350000
File size:	1552896 bytes
MD5 hash:	D42456F7AFC812628A9FF67D8C9340EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 4060 Parent PID: 5068

General

Start time:	18:23:26
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932
Imagebase:	0xad0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: duLT5gkRjy.exe PID: 5068 Parent PID: 5916 duLT5gkRjy.exeCOMMON

Executed Functions

Function 013E9440, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 013E94AF

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: bef7da50135db4b6f07e9aad96f62ab267a28c66a76e4a131f1b2e531e7f4634
Instruction ID: 27f96f74eb2fdad4d1c85e5b3e1c835ce14b6f9f97866f4167a15cbfc6814b43
Opcode Fuzzy Hash: bef7da50135db4b6f07e9aad96f62ab267a28c66a76e4a131f1b2e531e7f4634
Instruction Fuzzy Hash: 10113DB5D0020A9BCB04DF98D951BBFBBF9EF58208F204169D405A73D1DB35AE00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01437D6F, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01435F0E,?,?,?,01435F0E,013FD863,0148FF54,013FD863), ref: 01437DCF

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 64acff019a50848966e6cbecb3842c0d63c33a8fe594d207157869e5edad38dc
Instruction ID: 42c0f2de5774e9905e62b38305550f887a88467833d8f842a1412709b54e27fd
Opcode Fuzzy Hash: 64acff019a50848966e6cbecb3842c0d63c33a8fe594d207157869e5edad38dc
Instruction Fuzzy Hash: 6801F272900208ABDB01DF5CD884BAEBFF8FF88314F10405AEA44AB3A0D770A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0144D77C, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,013FD863,00000000,?,0144D3A3,00000001,00000364,00000006,000000FF,?,00000000,?,0143F02E,0144D4F0), ref: 0144D7BD

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6646e994495aeef0c00532a87b9ef86a50a02f00164202d875e18db78cae91ef
Instruction ID: 008f67af405397bc3126b170d451a34027d94229ef91efafc226c55374636d9c
Opcode Fuzzy Hash: 6646e994495aeef0c00532a87b9ef86a50a02f00164202d875e18db78cae91ef
Instruction Fuzzy Hash: 59F0E931E045656BFB61DEEB9844A6B3B58AF71A74B084117E905A62B8CB30D80186E1

Uniqueness

Uniqueness Score: -1.00%

Function 0144D4AD, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0143518C,00000000,00000000,013F41D7,00000008), ref: 0144D4DF

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8093739610bf486dcb7c0fde50c4bc70db419541b846f7319347b86ef3ceffd6
Instruction ID: e29570fea560f8a1ab2e39f439a2629b198fd7bf73f8c5a5ac71b17b37bb242a
Opcode Fuzzy Hash: 8093739610bf486dcb7c0fde50c4bc70db419541b846f7319347b86ef3ceffd6
Instruction Fuzzy Hash: C0E06531A0451577FA3166FE9D14BDB7A48ABB26B0F050137DD55962B0CB70F80182F1

Uniqueness

Uniqueness Score: -1.00%

Function 014166B0, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

~.LIBCPMTD ref: 014166BA

Part of subcall function 014154F0: task.LIBCPMTD ref: 014154FD
Part of subcall function 014154F0: task.LIBCPMTD ref: 01415505

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 9ca2555333049010c302972ccba1c3836043f5c5a7a10c09bd8a30ff8fbb1b08
Instruction ID: c3e014e403a2825e66a26ee8dd9568e616c433aadf1871d8edd95a9be3e8f6e5
Opcode Fuzzy Hash: 9ca2555333049010c302972ccba1c3836043f5c5a7a10c09bd8a30ff8fbb1b08
Instruction Fuzzy Hash: B2D0C271A14108A7C704DB8DD812D5EB7689B65210F00015AE9085B310D532EF10D794

Uniqueness

Uniqueness Score: -1.00%

Function 0143BBB8, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0143BBCB

Part of subcall function 0144D7D9: RtlFreeHeap.NTDLL(00000000,00000000,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?), ref: 0144D7EF
Part of subcall function 0144D7D9: GetLastError.KERNEL32(?,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?,?), ref: 0144D801

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 5c07b94d7deb13df39564b4785ba310e6ef333d7d5c5a94b49bdf3203c9c6419
Instruction ID: 364636d78661b7354b81c5b25bc6ee26470e6dde53db24e5e99e11634233e872
Opcode Fuzzy Hash: 5c07b94d7deb13df39564b4785ba310e6ef333d7d5c5a94b49bdf3203c9c6419
Instruction Fuzzy Hash: 18C08C31400208BBDB00DB82D806A4E7BB8DBA0264F200049E40217650CBB1EE00A680

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01361B40, Relevance: 8.0, Strings: 6, Instructions: 491COMMON

Download Yara Rule

Strings

-wal, xrefs: 01361D0D
immutable, xrefs: 01361F1F
cannot open file, xrefs: 01361ED5
%s at line %d of [%.10s], xrefs: 01361EDA
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 01361ECB
nolock, xrefs: 01361DB6

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$-wal$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file$immutable$nolock
API String ID: 0-3103482366
Opcode ID: 27f76388fdb58619e2af3e6bf2f8220a2f16bda076b62133b566e1dd640407de
Instruction ID: b1f5fb95666286c1a9a82f438b0e05153b39c9278960ee20a165e407ba4ccf83
Opcode Fuzzy Hash: 27f76388fdb58619e2af3e6bf2f8220a2f16bda076b62133b566e1dd640407de
Instruction Fuzzy Hash: CD022971A003059FDB14CF68C850BAFBBF5EF99318F14826DD8599B386D736A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014529E0, Relevance: 7.8, APIs: 5, Instructions: 330timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01452A9D
_free.LIBCMT ref: 01452C69
_free.LIBCMT ref: 01452CE1
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,01452EA2,?,?,00000000), ref: 01452CF3

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: aec8760d93931cc0b00d60958f3b9c00edf613cbfb5e576438fae6b2b036c10c
Instruction ID: 6ae77ffe5d54d1b3d522d810f668287731de2d0d8ec3f9734abf6c5744830ed8
Opcode Fuzzy Hash: aec8760d93931cc0b00d60958f3b9c00edf613cbfb5e576438fae6b2b036c10c
Instruction Fuzzy Hash: 26A12671D00216EBDB21AF69CC81EAF7B79EF64250F14412BED01AB276E7B09E41C790

Uniqueness

Uniqueness Score: -1.00%

Function 013623A0, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013627C9

Part of subcall function 01362140: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01362225

Strings

cannot open file, xrefs: 013624FE
%s at line %d of [%.10s], xrefs: 01362503
1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 013624F4

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file
API String ID: 885266447-3209268730
Opcode ID: 159538d5ed0166de14c33bda38c3ff4da3928f7fd0a4d51d07dfc3b87b35451f
Instruction ID: 50c446834c19ef29c67806195925cbe95b1ddaea169c9b07091558055924f258
Opcode Fuzzy Hash: 159538d5ed0166de14c33bda38c3ff4da3928f7fd0a4d51d07dfc3b87b35451f
Instruction Fuzzy Hash: EEE1E570A04342AFE725CF2CC850B6BBBE8BF84318F05865DE5599B295D7B4E850CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0143B8A6, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0143B99E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0143B9A8
UnhandledExceptionFilter.KERNEL32(?), ref: 0143B9B5

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 27674ce0339eebfce77c2d377e23888301bb548bdbe38e3c41069d901badc2b2
Instruction ID: edfaeb5ea639b4fca32865fd89d363bab69e44160dffa45f6df133fc76c1f624
Opcode Fuzzy Hash: 27674ce0339eebfce77c2d377e23888301bb548bdbe38e3c41069d901badc2b2
Instruction Fuzzy Hash: FB31C57490122DABCB21DF69D8887CDBBB4FF58310F5041EAE40CA72A0EB709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 014483D7, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,014483D6,00000000,?,00000000,00000000,00000000,00000000), ref: 014483F9
TerminateProcess.KERNEL32(00000000,?,014483D6,00000000,?,00000000,00000000,00000000,00000000), ref: 01448400
ExitProcess.KERNEL32 ref: 01448412

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c413c976acc486f7dd64007246a00ac412910485ea3d15ae1bbd881d4f6cbae2
Instruction ID: 1888b7abd7c53699b27e162fd8aaacbcf298007e6cb4a27f7e721dd1126ec555
Opcode Fuzzy Hash: c413c976acc486f7dd64007246a00ac412910485ea3d15ae1bbd881d4f6cbae2
Instruction Fuzzy Hash: 72E08C31000609EFDF226F98D80C98A3F68FB51285B10442AF806AB232DB35EC92DB41

Uniqueness

Uniqueness Score: -1.00%

Function 014428C0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbf0c3c63a637c419a535c86fc4d261a80a9a02937f433d8af929c6e9bcacd5
Instruction ID: 2c3ee66caf0b61e365daa112888e9209fac8c2b724f0d79767ac989d41bc82ba
Opcode Fuzzy Hash: 6fbf0c3c63a637c419a535c86fc4d261a80a9a02937f433d8af929c6e9bcacd5
Instruction Fuzzy Hash: ADF15171E002199FEF14CFA9D880AAEFBB1FF48314F15826AE915AB351D7709A01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 013665C0, Relevance: 2.0, APIs: 1, Instructions: 512COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0136699F

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 911d5517044c8a2f226032828c5ded0f7c4b8c7e1d2ce75321c10b70c568bebe
Instruction ID: da7eb8d6cb603e5d36446e7da2a1d74b469ff7f4985b1ef490955651da317407
Opcode Fuzzy Hash: 911d5517044c8a2f226032828c5ded0f7c4b8c7e1d2ce75321c10b70c568bebe
Instruction Fuzzy Hash: F8127DB1E002099FDB14CFADD881BADBBF9BF48358F148129E909AB345D774AC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0135A460, Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 0135A6D5

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: 91fb55c3c99e624a72dc98929ad566da770dce780c2200721bd92507f63c8213
Instruction ID: 128327e31c35de760734bd74f2f21117449596c1b9a887b31a3ce06394ff8315
Opcode Fuzzy Hash: 91fb55c3c99e624a72dc98929ad566da770dce780c2200721bd92507f63c8213
Instruction Fuzzy Hash: 6491E971E0030A9BEB60CFA9C845FAEBBF5FF58719F104619ED45A7290D7B195808F90

Uniqueness

Uniqueness Score: -1.00%

Function 01357A30, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae391c8bd8e20a5126e03ade05866552e46c54101318e3a4d36f03e69229ff3e
Instruction ID: 85d0c2b1b56782e70a6853ec44aa5e313ff0e585925a4f86e908a1726e7b350b
Opcode Fuzzy Hash: ae391c8bd8e20a5126e03ade05866552e46c54101318e3a4d36f03e69229ff3e
Instruction Fuzzy Hash: BDE19C735182828FD756CF3CC4806A9BFD2DF95214F584A69DCE58B783D238D909C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01352380, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22486fc00e2a9d4b54f78f05a3a39f827fbb3cb0ac1ec08d6034ec8167fae811
Instruction ID: fa046d464efadcf21a58402a293bc5f3122fd6a19c3d1d4dd7ee00c5e5cd43f3
Opcode Fuzzy Hash: 22486fc00e2a9d4b54f78f05a3a39f827fbb3cb0ac1ec08d6034ec8167fae811
Instruction Fuzzy Hash: 70D148B0A00606CFDB65CF68C490BABBBF5BF48B18F14846DD94A97346DB74E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013650B0, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb32aba774563ec016288f69416fe5591b0f64703a01680bc7a263a283942eb
Instruction ID: 65d4cb2b215da07950828a7c7fd88b4efd1b4e4c045ac0a141dc4dbdbda116ed
Opcode Fuzzy Hash: 6bb32aba774563ec016288f69416fe5591b0f64703a01680bc7a263a283942eb
Instruction Fuzzy Hash: 16A18FB1A083028FC710DF18D880A2BBBE9BFD8748F14493DF98997315E770D9458B92

Uniqueness

Uniqueness Score: -1.00%

Function 0135B3F0, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b18545252ee64a385f9e0f85845fbd83501eea4b32f06f2d83cb786252af19f
Instruction ID: 6f560a6fd5c24fbafe04929cc3f1e22047187aafb13c8f5b88f161dc926e7ac9
Opcode Fuzzy Hash: 8b18545252ee64a385f9e0f85845fbd83501eea4b32f06f2d83cb786252af19f
Instruction Fuzzy Hash: B1619C71A00709CBDB60CF69C880BAAFBB5EF08B58F158558ED05AB259E7B4D800CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0135CB60, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a65dbd076e2c81e7bcd442a87cfabcda69a8a1f3a7fb3a5d9fa374ef1372e0
Instruction ID: f1763e3789bf1b69d0294f1ad5c9fbc9dbf86d8578d8ef405fcd225090b09afc
Opcode Fuzzy Hash: 28a65dbd076e2c81e7bcd442a87cfabcda69a8a1f3a7fb3a5d9fa374ef1372e0
Instruction Fuzzy Hash: 8551D63020D3A10ACB2ACF38C49453FBBE6BE8D99576945BFD496CE443E126D64BC781

Uniqueness

Uniqueness Score: -1.00%

Function 0144095E, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction ID: 1acf248cee9c409d1d394772962f1fe7e9226180df6df73816f3f2f4d8324e75
Opcode Fuzzy Hash: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction Fuzzy Hash: 0A517071E00219AFEF05CF99C980AEEBBB2EF98300F19815DE515AB351C7349E51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01358E60, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction ID: d3c76cd25cdf43b77788d67330e1d51c18b92b4cf41d1d2f51b34e7135796a67
Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction Fuzzy Hash: 9321E541E1A2A84BEB01593ED890782BFC1C796729F2CD3F0D9588FBCED514A40AC3E0

Uniqueness

Uniqueness Score: -1.00%

Function 014524F8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction ID: 8dac1541bf2a7875f4719363429bba57194634512cb9f448f4388bb74604e113
Opcode Fuzzy Hash: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction Fuzzy Hash: 30E0B672911228EBCB26DB998954D9AB6ECEB45A54B1544ABEA02E3261C2B4DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01351D50, Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 01352129

Strings

8, xrefs: 01351FB0
6, xrefs: 01351F3B
1, xrefs: 01352001
7, xrefs: 01351F7F
1, xrefs: 01351DDC
20211125182615, xrefs: 01352135
2, xrefs: 01351E3E
0, xrefs: 01352094
?, xrefs: 01352021
9, xrefs: 01351FCD
0, xrefs: 01351FE7
3, xrefs: 01351E82
1, xrefs: 01351E21
4, xrefs: 01351EB3
5, xrefs: 01351EF7

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20211125182615$3$4$5$6$7$8$9$?
API String ID: 2140389272-3902516752
Opcode ID: 452f98457da061d5700839942b789e275c22cd75517ccb694478a2a730f43032
Instruction ID: d545248502f5a2e468b0a53c0e58b028595a0c9c965ffb4db87def25d1dbb042
Opcode Fuzzy Hash: 452f98457da061d5700839942b789e275c22cd75517ccb694478a2a730f43032
Instruction Fuzzy Hash: 02B1293090D0D669E70A4A7840A87FFEFB78B53748F1C81E9C4965FB93C17A4A96C391

Uniqueness

Uniqueness Score: -1.00%

Function 01351360, Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 01351739

Strings

6, xrefs: 0135154B
0, xrefs: 013515F7
9, xrefs: 013515DD
7, xrefs: 0135158F
5, xrefs: 01351507
1, xrefs: 013513EC
?, xrefs: 01351631
0, xrefs: 013516A4
1, xrefs: 01351611
2, xrefs: 0135144E
4, xrefs: 013514C3
20211125182607, xrefs: 01351745
8, xrefs: 013515C0
3, xrefs: 01351492
1, xrefs: 01351431

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20211125182607$3$4$5$6$7$8$9$?
API String ID: 2140389272-3556083766
Opcode ID: 1f645264f2408bacc347101242446963397a3676d3eaad79a17c8a1e61ddfbd2
Instruction ID: a49cfbc267112b8653e188e5e52767f75051eaa2a5253a4b0767f2e6fd4c0d9b
Opcode Fuzzy Hash: 1f645264f2408bacc347101242446963397a3676d3eaad79a17c8a1e61ddfbd2
Instruction Fuzzy Hash: 4EB1181090C0D569E70B8E7880A47FEAFB75B53758F1C85E9C8925FB93C1BA8E86C351

Uniqueness

Uniqueness Score: -1.00%

Function 013540C0, Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 403COMMON

Download Yara Rule

Strings

%02d, xrefs: 013542B8, 013543EB
%04d, xrefs: 01354572
%lld, xrefs: 013544E4
W, xrefs: 013543BE
string or blob too big, xrefs: 0135460B
%06.3f, xrefs: 0135430B
%.16g, xrefs: 01354481

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %.16g$%02d$%04d$%06.3f$%lld$W$string or blob too big
API String ID: 0-4289744004
Opcode ID: cb9548ab50f2990d16256fbd4a0f776db6ffaa69cde398333cdd7cd3a4b96acb
Instruction ID: 636de2e76397db69461b09a9d415ed1d1a9970ceaf037b8621692db4aca52385
Opcode Fuzzy Hash: cb9548ab50f2990d16256fbd4a0f776db6ffaa69cde398333cdd7cd3a4b96acb
Instruction Fuzzy Hash: 12E153719083919BD3698F2CC800F6EBBE5AF95B18F054A0CFCD967291E731D8858B92

Uniqueness

Uniqueness Score: -1.00%

Function 01454F12, Relevance: 19.6, APIs: 13, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01454F2F

Part of subcall function 0144D7D9: RtlFreeHeap.NTDLL(00000000,00000000,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?), ref: 0144D7EF
Part of subcall function 0144D7D9: GetLastError.KERNEL32(?,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?,?), ref: 0144D801

_free.LIBCMT ref: 01454F41
_free.LIBCMT ref: 01454F53
_free.LIBCMT ref: 01454F65
_free.LIBCMT ref: 01454F77
_free.LIBCMT ref: 01454F89
_free.LIBCMT ref: 01454F9B
_free.LIBCMT ref: 01454FAD
_free.LIBCMT ref: 01454FBF
_free.LIBCMT ref: 01454FD1
_free.LIBCMT ref: 01454FE3
_free.LIBCMT ref: 01454FF5
_free.LIBCMT ref: 01455007

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc819f4cfb3dbb4169fb982dbd4e0e4b987fb2a61b0c0ce923e796783cfcaee2
Instruction ID: 02005de0200f99d83723e1c38e9a0a4335255ba118503a5cb2c17ebff4a8800c
Opcode Fuzzy Hash: cc819f4cfb3dbb4169fb982dbd4e0e4b987fb2a61b0c0ce923e796783cfcaee2
Instruction Fuzzy Hash: B6212D73508241AF9770DAADF0D9C1777F9AB31310B65080BE546DBE66DB34F8808B64

Uniqueness

Uniqueness Score: -1.00%

Function 01455D69, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01455DA2

Part of subcall function 0144D7D9: RtlFreeHeap.NTDLL(00000000,00000000,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?), ref: 0144D7EF
Part of subcall function 0144D7D9: GetLastError.KERNEL32(?,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?,?), ref: 0144D801

Part of subcall function 01454F12: _free.LIBCMT ref: 01454F2F
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F41
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F53
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F65
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F77
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F89
Part of subcall function 01454F12: _free.LIBCMT ref: 01454F9B
Part of subcall function 01454F12: _free.LIBCMT ref: 01454FAD
Part of subcall function 01454F12: _free.LIBCMT ref: 01454FBF
Part of subcall function 01454F12: _free.LIBCMT ref: 01454FD1
Part of subcall function 01454F12: _free.LIBCMT ref: 01454FE3
Part of subcall function 01454F12: _free.LIBCMT ref: 01454FF5
Part of subcall function 01454F12: _free.LIBCMT ref: 01455007

_free.LIBCMT ref: 01455DC4
_free.LIBCMT ref: 01455DD9
_free.LIBCMT ref: 01455DE4
_free.LIBCMT ref: 01455E06
_free.LIBCMT ref: 01455E19
_free.LIBCMT ref: 01455E27
_free.LIBCMT ref: 01455E32
_free.LIBCMT ref: 01455E6A
_free.LIBCMT ref: 01455E71
_free.LIBCMT ref: 01455E8E
_free.LIBCMT ref: 01455EA6

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f9aa942bd28600b46013d10520c34957210b3401d130b6958d348970107fb3b3
Instruction ID: 33875543e1abb1e995bc51770e4fd7d7597ab7257e94d4a8fde7f04a3c438ec2
Opcode Fuzzy Hash: f9aa942bd28600b46013d10520c34957210b3401d130b6958d348970107fb3b3
Instruction Fuzzy Hash: 70314F329007419FFB61AB7DD884B6777E9AF31220F14841FE94ADB672DB30A885DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0144EB80, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 0144EBD7
ext-ms-, xrefs: 0144EBEB

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 81d2d48f9ada53d7bff40ee141072e2f7978375baf73f56d99fc812b9b95f5a5
Instruction ID: 566cb3aa80cea83eb59feb167996b1f572dec838185bd251368c590b2d05842c
Opcode Fuzzy Hash: 81d2d48f9ada53d7bff40ee141072e2f7978375baf73f56d99fc812b9b95f5a5
Instruction Fuzzy Hash: F021EB71E01610EBFB328A78DC85A5B7B54BF01660F250613ED56B73B1D634E801C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 014558F1, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0145563D: _free.LIBCMT ref: 01455662

_free.LIBCMT ref: 0145593F

Part of subcall function 0144D7D9: RtlFreeHeap.NTDLL(00000000,00000000,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?), ref: 0144D7EF
Part of subcall function 0144D7D9: GetLastError.KERNEL32(?,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?,?), ref: 0144D801

_free.LIBCMT ref: 0145594A
_free.LIBCMT ref: 01455955
_free.LIBCMT ref: 014559A9
_free.LIBCMT ref: 014559B4
_free.LIBCMT ref: 014559BF
_free.LIBCMT ref: 014559CA

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 972a98a7fd839b63507dc3b78452d3b7c6ee51e1fc223362a214e362c0fc8e57
Instruction ID: 972eed976df415bfbba0fcb8a986d05095153e2b6500aa3918ab03cb64f65e8f
Opcode Fuzzy Hash: 972a98a7fd839b63507dc3b78452d3b7c6ee51e1fc223362a214e362c0fc8e57
Instruction Fuzzy Hash: 60116D31940B85AAE660F7B2DC45FDB77AC5F31740F40081FA69E6B472EB74A5058660

Uniqueness

Uniqueness Score: -1.00%

Function 01447D08, Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 01447BDE: CloseHandle.KERNEL32(?,?,?,01447D15,?,?,013579A9,00000000), ref: 01447C0F
Part of subcall function 01447BDE: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,01447D15,?,?,013579A9,00000000), ref: 01447C25
Part of subcall function 01447BDE: ExitThread.KERNEL32 ref: 01447C2E

__allrem.LIBCMT ref: 01447E9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01447EBA
__allrem.LIBCMT ref: 01447ED1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01447EEF
__allrem.LIBCMT ref: 01447F06
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01447F24

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: e367ace3abe78447e7299370a9459d1cc3c9eb8354e912311c34a5635fed5eea
Instruction ID: 6da507cdd3b2085e27ea55d94bf205bac48b6e89ddf1875d1170e28eb659bd03
Opcode Fuzzy Hash: e367ace3abe78447e7299370a9459d1cc3c9eb8354e912311c34a5635fed5eea
Instruction Fuzzy Hash: 1681F8B2600B07AFF7209F79CC40B6BB3A9AF64325F24462FE551D63A1E770D9028750

Uniqueness

Uniqueness Score: -1.00%

Function 0140FB90, Relevance: 9.2, APIs: 6, Instructions: 244COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 0140FBEE
allocator.LIBCONCRTD ref: 0140FC44

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 52443afd2e94e572dbb62dd2572b7e863fc1425f57d111bcdbc7c46bcf44ec87
Instruction ID: 69af82f8483368ffab7766871004cafcaaf72ef3d20c3f0f8454e23cba325f30
Opcode Fuzzy Hash: 52443afd2e94e572dbb62dd2572b7e863fc1425f57d111bcdbc7c46bcf44ec87
Instruction Fuzzy Hash: 7EA10974A00209AFDB05DF59C490AAEBBB1BF98354F14C169EC4A9F392C735ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01448419, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0144840E,00000000,?,014483D6,00000000,?,00000000), ref: 0144842E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01448441
FreeLibrary.KERNEL32(00000000,?,?,0144840E,00000000,?,014483D6,00000000,?,00000000), ref: 01448464

Strings

CorExitProcess, xrefs: 01448439
mscoree.dll, xrefs: 01448427

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbc4ade5e0025bd047c3f64df8724c105ff12c734d1b0e8f7b562c82a069ba45
Instruction ID: f19713a1600d400ef2fc255bf107e79d7b77409bb6712aec724c1030ad8be568
Opcode Fuzzy Hash: bbc4ade5e0025bd047c3f64df8724c105ff12c734d1b0e8f7b562c82a069ba45
Instruction Fuzzy Hash: 59F08231500619FBEB219FA5DC09BDE7F74EB0075AF204065E601B21B0DB748E00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 014553C6, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 014553DE

Part of subcall function 0144D7D9: RtlFreeHeap.NTDLL(00000000,00000000,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?), ref: 0144D7EF
Part of subcall function 0144D7D9: GetLastError.KERNEL32(?,?,01455667,?,00000000,?,?,?,0145590A,?,00000007,?,?,01455F00,?,?), ref: 0144D801

_free.LIBCMT ref: 014553F0
_free.LIBCMT ref: 01455402
_free.LIBCMT ref: 01455414
_free.LIBCMT ref: 01455426

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9d272e39d4672cf53108fed3dc9ab4bed72feacacbd4971a1d1d6ed2ae01a165
Instruction ID: a0e1506e9864751070e9eb61b023e18a3a409c196eb2448fa30a8fd1877bef54
Opcode Fuzzy Hash: 9d272e39d4672cf53108fed3dc9ab4bed72feacacbd4971a1d1d6ed2ae01a165
Instruction Fuzzy Hash: D8F06832910250ABA770EB59F1D0C2B7BE9AB32711B55481BF50ADBE33C734F8808754

Uniqueness

Uniqueness Score: -1.00%

Function 0135A230, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0135A26B

Strings

winTruncate1, xrefs: 0135A2D7
winSeekFile, xrefs: 0135A2BA
winTruncate2, xrefs: 0135A305

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 2933888876-2471937615
Opcode ID: e318c46ad4312f693bf103dd133578f8152c3dd54051574a85fa8ea1a5ec3fc4
Instruction ID: 20398efd698972578cb9e5d8ae9f4f8c522bbd7e6e6641525db8b765aa62895c
Opcode Fuzzy Hash: e318c46ad4312f693bf103dd133578f8152c3dd54051574a85fa8ea1a5ec3fc4
Instruction Fuzzy Hash: 3531A0712043059FD760DF29D881E1BB7E5FB84B28B048A2EFD56C7690E770E8009B62

Uniqueness

Uniqueness Score: -1.00%

Function 013593B0, Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 013593DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013593FC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135944D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01359497

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv
String ID:
API String ID: 3650730422-0
Opcode ID: 3758f4f8d86c60f8b9e256b8a50f170e0918f8824a274ebfe6d6b9702ab5db16
Instruction ID: 7b082d673f2f3fb987c28470591d023532a452514d8477cefdba73f6efd145e0
Opcode Fuzzy Hash: 3758f4f8d86c60f8b9e256b8a50f170e0918f8824a274ebfe6d6b9702ab5db16
Instruction Fuzzy Hash: 203126F2600255E7EFA4C99EAC80F6E7F59DB90E2CF24417EEE18F7250E6258C404390

Uniqueness

Uniqueness Score: -1.00%

Function 0144D201, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,0144B690,?,?,01452D85,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080), ref: 0144D206
_free.LIBCMT ref: 0144D263
_free.LIBCMT ref: 0144D299
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01452D85,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080,00000000), ref: 0144D2A4

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8ecd79df3d30697aa9a8aaad696ccad044ecde9834701f0d3a71d09fed964232
Instruction ID: 3d6036f51a68663fd96d7749c381edd812722d1479408a19a1c8b0e141469c6c
Opcode Fuzzy Hash: 8ecd79df3d30697aa9a8aaad696ccad044ecde9834701f0d3a71d09fed964232
Instruction Fuzzy Hash: DB11CA76A046122BF6217BFA6C80D2B2959BBF16B4725063BF215A32F4DE75CC018310

Uniqueness

Uniqueness Score: -1.00%

Function 0144D358, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0143F02E,0144D4F0,?,?,0143518C,00000000,00000000,013F41D7,00000008), ref: 0144D35D
_free.LIBCMT ref: 0144D3BA
_free.LIBCMT ref: 0144D3F0
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,0143F02E,0144D4F0,?,?,0143518C,00000000,00000000,013F41D7,00000008), ref: 0144D3FB

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 672a9d3becc411d2710fda71aa737a3f7019e590e025cc04bd55bc4cfcf78613
Instruction ID: 5eb2c96079a44beb03ba239ff16899a6bc8d7ab72abd887b905bf06c1e9b639c
Opcode Fuzzy Hash: 672a9d3becc411d2710fda71aa737a3f7019e590e025cc04bd55bc4cfcf78613
Instruction Fuzzy Hash: EA11CC76B046122BF721A6FE6C90D2B2959EBF16B5B35023FF615A31F5DF758C018210

Uniqueness

Uniqueness Score: -1.00%

Function 0143582B, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,014357C8,00000064), ref: 0143584E
LeaveCriticalSection.KERNEL32(0149C460,?,?,014357C8,00000064,?,?,?,013FD838,0149B130,9BD2D611,?,0145FAD1,000000FF,?,01351068), ref: 01435858
WaitForSingleObjectEx.KERNEL32(?,00000000,?,014357C8,00000064,?,?,?,013FD838,0149B130,9BD2D611,?,0145FAD1,000000FF,?,01351068), ref: 01435869
EnterCriticalSection.KERNEL32(0149C460,?,014357C8,00000064,?,?,?,013FD838,0149B130,9BD2D611,?,0145FAD1,000000FF,?,01351068), ref: 01435870

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: e5ebe52f39022d8304582b868279ebdf9ff183bc3aa89d0e39021f63ee7506b6
Instruction ID: 39df70bee29bbd96d9723b46752349930eeed612bf290f1061931ac1dafc31d9
Opcode Fuzzy Hash: e5ebe52f39022d8304582b868279ebdf9ff183bc3aa89d0e39021f63ee7506b6
Instruction Fuzzy Hash: 46E09235781534A7CB211F51ED48AA93F14AB48B54B244036F60577238CB7128108BE6

Uniqueness

Uniqueness Score: -1.00%

Function 01360500, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0136060C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0136065A

Strings

recovered %d pages from %s, xrefs: 01360807

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: 2db4e613521f500ae721d5513f32b889ffe310005bf82ee0890e3258799c7d3c
Instruction ID: 5bdd3deb46b11e92291b92dc64fefac0f956d522d52ed3f4203e153f7e2cfefb
Opcode Fuzzy Hash: 2db4e613521f500ae721d5513f32b889ffe310005bf82ee0890e3258799c7d3c
Instruction Fuzzy Hash: DEB1BF71E002169FDF29CF68C881AAEB7B9FF48318F148128E955A7345E734AD41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01351190, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 013511F7

Strings

User-Agent, xrefs: 013511CB
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36, xrefs: 013511C6

Memory Dump Source

Source File: 00000001.00000002.265896087.0000000001351000.00000020.00020000.sdmp, Offset: 01350000, based on PE: true

Associated: 00000001.00000002.265891653.0000000001350000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266051982.0000000001496000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266057520.000000000149B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.266064702.000000000149F000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.266079436.00000000014BA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36$User-Agent
API String ID: 2140389272-3885995274
Opcode ID: f3e6b66bc1470f240972262537a68b624d349ede210493077665efc12a5c6e3a
Instruction ID: d98ef57e2717e25e53b530f9ff13c05e68440054359574048bbf61dbf07369e6
Opcode Fuzzy Hash: f3e6b66bc1470f240972262537a68b624d349ede210493077665efc12a5c6e3a
Instruction Fuzzy Hash: B211E3B1944249ABCB10DBD5DC41FDEB7B8FB64714F10822EF4056B2E4EBB45604CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socelars

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets