
Windows Analysis Report
olPUTAxpzu

Overview

General Information

Sample Name: olPUTAxpzu (renamed file extension from none to exe)
Analysis ID: 612097
MD5: 8a0e3e9d2d00b456539face1b95f5e49
SHA1: a3e08ca002b4046da36c1d05f079db9ccba567ff
SHA256: 1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d
Tags: 32 exe trojan

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
PE file contains section with special chars
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Checks if the current process is being debugged
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

  • System is w10x64
  • olPUTAxpzu.exe (PID: 4912 cmdline: "C:\Users\user\Desktop\olPUTAxpzu.exe" MD5: 8A0E3E9D2D00B456539FACE1B95F5E49)
    • WerFault.exe (PID: 6644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: olPUTAxpzu.exe Avira: detected
Source: olPUTAxpzu.exe ReversingLabs: Detection: 61%
Source: https://api.brutalhax.net/ Avira URL Cloud: Label: malware
Source: olPUTAxpzu.exe Joe Sandbox ML: detected
Source: Binary string: PresentationFramework.Aero2.pdbl source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationFramework.pdb source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, WER6D9B.tmp.dmp.4.dr
Source: Binary string: sBase.pdbX source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: WindowsBase.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: j8C:\Windows\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: WindowsBase.ni.pdbRSDS source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xml.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: WindowsBase.pdb"b source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb\?jk`rkH]o source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: symbols\dll\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: PresentationFramework.ni.pdbRSDS~J source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationCore.ni.pdbRSDS source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xaml.pdbjRjj source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xaml.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xaml.ni.pdbRSDS| source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationFramework.Aero2.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationCore.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Xaml.pdb source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationFramework.Aero2.ni.pdbRSDSl source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationFramework.Aero2.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: WindowsBase.pdbwsBase.pdbpdbase.pdbSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: olPUTAxpzu.exe, 00000000.00000002.413914180.000000000097A000.00000040.00000001.01000000.00000003.sdmp, olPUTAxpzu.exe, 00000000.00000000.371137448.000000000097A000.00000040.00000001.01000000.00000003.sdmp, olPUTAxpzu.exe, 00000000.00000000.378546350.000000000097A000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: .pdb source: olPUTAxpzu.exe, 00000000.00000002.417796226.0000000001568000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.374118192.0000000001568000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: PresentationFramework.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: C:\Users\WaterSmoke\source\repos\BHLoaderNew\BHLoaderNew\obj\Release\BHLoaderNew.pdb source: olPUTAxpzu.exe
Source: Binary string: PresentationCore.pdb source: WER6D9B.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WER6D9B.tmp.dmp.4.dr
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Login.xaml
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/bhicon.png
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Login.xaml
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/bhicon.png
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/login.baml
Source: olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bhicon.png
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: olPUTAxpzu.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: olPUTAxpzu.exe String found in binary or memory: http://s.symcd.com06
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Driver/Driver1.8_x64.sys
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Online/get_online_users.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Online/set_online_status.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/info/cheat_status.php?hack_id=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_authentification_new.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_cheat_info_ex.php?index=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_get_cheats.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_statut_new.php
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_version.php
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/notification.txt
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutalhax.net/
Source: olPUTAxpzu.exe String found in binary or memory: https://brutal-hax.net/
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: olPUTAxpzu.exe String found in binary or memory: https://discord.gg/brutal-hax
Source: olPUTAxpzu.exe String found in binary or memory: https://help.ea.com/en/help/faq/how-to-clean-boot-your-pc/

System Summary

Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe, 00000000.00000000.378336036.0000000000950000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: olPUTAxpzu.exe, 00000000.00000000.355628336.0000000000970000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: olPUTAxpzu.exe Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
Source: olPUTAxpzu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: olPUTAxpzu.exe Static PE information: Section: ZLIB complexity 0.997523986382
Source: olPUTAxpzu.exe Static PE information: Section: ZLIB complexity 1.53333333333
Source: olPUTAxpzu.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: olPUTAxpzu.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\olPUTAxpzu.exe "C:\Users\user\Desktop\olPUTAxpzu.exe"
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4912
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D9B.tmp
Source: classification engine Classification label: mal88.evad.winEXE@5/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\olPUTAxpzu.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: olPUTAxpzu.exe Static file information: File size 9184276 > 1048576
Source: olPUTAxpzu.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x58b200
Source: olPUTAxpzu.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x313400
Source: olPUTAxpzu.exe Static PE information: real checksum: 0x8c502e should be: 0x8c35cf
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name: .imports
Source: olPUTAxpzu.exe Static PE information: section name: .themida
Source: olPUTAxpzu.exe Static PE information: section name: .boot
Source: olPUTAxpzu.exe Static PE information: section name: .taggant
Source: olPUTAxpzu.exe Static PE information: 0xA8C7FB17 [Thu Sep 25 01:17:11 2059 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: initial sample Static PE information: section name: .taggant entropy: 6.83505846314
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\olPUTAxpzu.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\olPUTAxpzu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\olPUTAxpzu.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\olPUTAxpzu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

MITRE ATT&CK Matrix

Techniques are grouped by tactic; the number in brackets is the count of matched signatures for that technique.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
  • Execution: Command and Scripting Interpreter [2], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Privilege Escalation: Process Injection [11], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
  • Defense Evasion: Virtualization/Sandbox Evasion [32], Disable or Modify Tools [11], Software Packing [2], Process Injection [11], Timestomp [1], Obfuscated Files or Information [2]
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
  • Discovery: Query Registry [1], Security Software Discovery [42], Virtualization/Sandbox Evasion [32], System Information Discovery [3], Remote System Discovery [1], System Owner/User Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
  • Impact: Modify System Partition, Device Lockout, Delete Device Data
Source | Detection | Scanner | Label
olPUTAxpzu.exe | 62% | ReversingLabs | Win32.Trojan.Emotet
olPUTAxpzu.exe | 100% | Avira | HEUR/AGEN.1211770
olPUTAxpzu.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://api.brutal-hax.net/notification.txt | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/Online/get_online_users.php?username= | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/loader_authentification_new.php?username= | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/loader_statut_new.php | 0% | Avira URL Cloud | safe
http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe
https://api.brutal-hax.net/Driver/Driver1.8_x64.sys | 0% | Avira URL Cloud | safe
https://discord.gg/brutal-hax | 0% | Avira URL Cloud | safe
http://foo/bhicon.png | 0% | Avira URL Cloud | safe
http://defaultcontainer/Login.xaml | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/loader_cheat_info_ex.php?index= | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/loader_get_cheats.php?username= | 0% | Avira URL Cloud | safe
https://brutal-hax.net/ | 0% | Avira URL Cloud | safe
http://defaultcontainer/bhicon.png | 0% | Avira URL Cloud | safe
http://foo/bar/bhicon.png | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/loader_version.php | 0% | Avira URL Cloud | safe
http://foo/bar/login.baml | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/Online/set_online_status.php?username= | 0% | Avira URL Cloud | safe
https://api.brutal-hax.net/info/cheat_status.php?hack_id= | 0% | Avira URL Cloud | safe
http://foo/Login.xaml | 0% | Avira URL Cloud | safe
https://api.brutalhax.net/ | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.brutal-hax.net/notification.txt | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://api.brutal-hax.net/Online/get_online_users.php?username= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://api.brutal-hax.net/loader_authentification_new.php?username= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://api.brutal-hax.net/loader_statut_new.php | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://help.ea.com/en/help/faq/how-to-clean-boot-your-pc/ | olPUTAxpzu.exe | false | | high
http://pki-ocsp.symauth.com0 | olPUTAxpzu.exe | false | URL Reputation: safe | unknown
https://api.brutal-hax.net/Driver/Driver1.8_x64.sys | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://discord.gg/brutal-hax | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
http://foo/bhicon.png | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://defaultcontainer/Login.xaml | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://api.brutal-hax.net/loader_cheat_info_ex.php?index= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr | olPUTAxpzu.exe | false | | high
https://api.brutal-hax.net/loader_get_cheats.php?username= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://brutal-hax.net/ | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
http://defaultcontainer/bhicon.png | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://foo/bar/bhicon.png | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://api.brutal-hax.net/loader_version.php | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
http://foo/bar/login.baml | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://api.brutal-hax.net/Online/set_online_status.php?username= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
https://api.brutal-hax.net/info/cheat_status.php?hack_id= | olPUTAxpzu.exe | false | Avira URL Cloud: safe | unknown
http://foo/Login.xaml | olPUTAxpzu.exe, 00000000.00000002.419132716.0000000003B31000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.375588504.0000000003B31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07 | olPUTAxpzu.exe | false | | high
https://api.brutalhax.net/ | olPUTAxpzu.exe | true | Avira URL Cloud: malware | unknown
        No contacted IP infos
        Joe Sandbox Version:34.0.0 Boulder Opal
        Analysis ID:612097
Start date and time: 2022-04-20 15:07:51 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 6m 27s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:olPUTAxpzu (renamed file extension from none to exe)
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal88.evad.winEXE@5/4@0/0
        EGA Information:Failed
        HDC Information:Failed
        HCA Information:Failed
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 52.182.143.212
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, fp-afd.azureedge.net, ctldl.windowsupdate.com, b-ring.msedge.net, arc.msn.com, ris.api.iris.microsoft.com, fp-as-nocache.azureedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
        • Execution Graph export aborted for target olPUTAxpzu.exe, PID 4912 because it is empty
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtSetInformationFile calls found.
        • VT rate limit hit for: olPUTAxpzu.exe
Time | Type | Description
15:09:31 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.1863439765835455
        Encrypted:false
        SSDEEP:192:tbkwke3QjHBUZMXIjAJRIlYDNgH/u7slS274ItAzm:hZAjBUZMXIj/jH/u7slX4ItAa
        MD5:87CF111429976089097D3B92EC1E2C2B
        SHA1:73B040E8F1BB9B9DC766536B91A991C3E30A0BCB
        SHA-256:1517B1F72600E5C37D8D4F64F25763F11C5D2803C4C208F117C01BF23421B5DB
        SHA-512:1E4216F4967BA472A72888923D44A6F38F7DD70682D341B56D53336AF62DA85CADFB7D50631368AC3387922906120FF9BE37BAC4966436DFDBF4BCA342C2F4B2
        Malicious:true
        Reputation:low
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.4.9.6.6.1.6.6.0.6.3.4.8.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.4.9.6.6.1.7.0.5.1.6.5.6.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.6.a.b.f.a.9.-.8.b.d.6.-.4.3.1.0.-.8.4.f.5.-.e.4.e.4.f.3.0.9.2.3.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.2.c.c.c.8.8.-.b.e.e.0.-.4.c.2.8.-.a.1.2.3.-.3.1.4.1.a.8.c.4.8.e.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.l.P.U.T.A.x.p.z.u...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.H.L.o.a.d.e.r.N.e.w...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.3.0.-.0.0.0.1.-.0.0.1.8.-.1.3.b.b.-.9.b.3.f.0.3.5.5.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.1.4.0.f.e.a.1.4.1.b.9.7.2.5.4.d.0.d.b.2.e.f.8.2.d.5.6.2.7.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.3.e.0.8.c.a.0.0.2.b.4.0.4.6.d.a.3.6.c.1.d.0.5.f.0.7.9.d.b.9.c.c.
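WerFault.exe wrote this Report.wer because the .NET runtime raised an unhandled exception (EventType CLR20r3). The key=value fields visible in the preview carry the name the sample ran under (NsAppName), the OriginalFilename from its version resource (BHLoaderNew.exe, which is why the report flags the sample name as different from the original file name), the crash time as a Windows FILETIME, and in TargetAppId a hex string after "!0000" that is a prefix of the sample's SHA1 from the report header (a3e08ca002b4046da36c1d05f079db9cc...). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses those fields from a constructed copy of the preview text, re-encoded as the BOM-prefixed UTF-16 that WerFault writes, with TargetAppId cut off exactly where the preview cuts it, and correlates them with the sample. The FILETIME epoch offset is the documented 1601-to-1970 difference; every other value is taken from the report above.

```python
import re
import datetime

# Constructed input: the key=value lines from the Report.wer preview in the
# report, re-encoded as BOM-prefixed UTF-16. TargetAppId is truncated at the
# same point as the preview; nothing past it is filled in.
WER_REPORT_BYTES = (
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=132949661660634884\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=132949661705165640\r\n"
    "ReportStatus=524384\r\n"
    "ReportIdentifier=706abfa9-8bd6-4310-84f5-e4e4f309237d\r\n"
    "IntegratorReportIdentifier=722ccc88-bee0-4c28-a123-3141a8c48e95\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=olPUTAxpzu.exe\r\n"
    "OriginalFilename=BHLoaderNew.exe\r\n"
    "AppSessionGuid=00001330-0001-0018-13bb-9b3f0355d801\r\n"
    "TargetAppId=W:0006f140fea141b97254d0db2ef82d56273300000000!0000a3e08ca002b4046da36c1d05f079db9cc"
).encode("utf-16")

SAMPLE_SHA1 = "a3e08ca002b4046da36c1d05f079db9ccba567ff"  # from the report header

# 100 ns ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_EPOCH_DELTA = 116444736000000000


def parse_wer_report(data):
    """Parse a Report.wer file (UTF-16 text with BOM, one key=value per line)."""
    fields = {}
    for line in data.decode("utf-16").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    seconds = (int(filetime) - FILETIME_EPOCH_DELTA) // 10_000_000
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def summarize_crash(fields, sample_sha1):
    """Extract the triage facts from a parsed Report.wer and correlate with a known hash."""
    # The hex run after "!0000" in TargetAppId is compared as a prefix because the
    # value may be truncated, as it is in the report preview.
    match = re.search(r"!0000([0-9a-fA-F]+)", fields.get("TargetAppId", ""))
    embedded = match.group(1).lower() if match else ""
    ran_as = fields.get("NsAppName")
    original = fields.get("OriginalFilename")
    return {
        "crashed_as": ran_as,
        "original_filename": original,
        "renamed": ran_as != original,
        "event_type": fields.get("EventType"),
        "event_time_utc": filetime_to_utc(fields["EventTime"]).isoformat(),
        "embedded_hash_prefix": embedded,
        "hash_matches_sample": bool(embedded) and sample_sha1.lower().startswith(embedded),
    }


def summarize_reported_crash():
    """Run the parser over the constructed Report.wer from this report."""
    return summarize_crash(parse_wer_report(WER_REPORT_BYTES), SAMPLE_SHA1)


if __name__ == "__main__":
    for key, value in summarize_reported_crash().items():
        print(f"{key}: {value}")
```

The EventTime converts to 2022-04-20 22:09:26 UTC, which agrees with the minidump timestamp below (Wed Apr 20 22:09:27 2022) and with the Pacific time zone recorded in the minidump; the WER artifacts therefore date the crash independently of the sandbox clock, and the embedded hash ties the crash report to the submitted binary even though it ran under a renamed file name.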
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Wed Apr 20 22:09:27 2022, 0x1205a4 type
        Category:dropped
        Size (bytes):330359
        Entropy (8bit):4.897602717187476
        Encrypted:false
        SSDEEP:3072:EFxgTGD38x5q03DZqOuzBCbjd+p4Ovrgg41JorjlJ5VSo9gIOgF5h8EWSTzX0g93:yxHT03Dczp3r2wjlb9RpD6EW8PTjKNW
        MD5:9A131578021BBC95551EDC60AF9ECFFE
        SHA1:9B8FB4CA4AFF37931BC6A8520A1E7BD2A6DE5C04
        SHA-256:EFBDC378D28A9540A3720C8968E847DC486BEA2907783364BFE5C8CA9B159101
        SHA-512:28146F125C333816D827C59414FF26086A41B5B5A882B4A97ADE599877036B41475D90E481DAEBE16996D73136F6430906719AE5474289DD20EC8486707FC34D
        Malicious:false
        Reputation:low
        Preview:MDMP....... .........`b............T...............\.......tM...D..........T.......8...........T............2..............."...........$...................................................................U...........B......x%......GenuineIntelW...........T.......0.....`b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8436
        Entropy (8bit):3.699069204390515
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNizI6l6YpuSU3BXqgmfZAhSY+Cprg89bFNsfG3m:RrlsNic6l6YQSUx6gmf6hSOFGf3
        MD5:07E4FF0A524A2BE229C89AA525CB1DE9
        SHA1:1B5DFD9A21A7CCD9561F960C40E36E0B70339CED
        SHA-256:64313A9A787AA2E53E1E7F6B1268E44F70B24529DF8998E03442B65FDC06F402
        SHA-512:B2257F95B10ECBE96AB43E667F45F942984BA2C5D7771B4F4CEBC0D6114A6A9492B30807EAC2F5A865C4D02EF6931F7BE710927B45760AF4D5782D3716016B4C
        Malicious:false
        Reputation:low
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.1.2.<./.P.i.d.>.......
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4789
        Entropy (8bit):4.525491805157971
        Encrypted:false
        SSDEEP:48:cvIwSD8zsmJgtWI9RMkWgc8sqYja8fm8M4J5vFIu+q8vRkby+nXd:uITf8a8grsqYjJxK6bySXd
        MD5:6037B86AB69764B102EFA73C1385849F
        SHA1:37E028F5FFA53C8B6BD2296653A47A157B4DAC6E
        SHA-256:855DDE9BEECDC1B972A77149B652DC84372A103240756A081CD7BD984A0CCFB8
        SHA-512:850E47387B0FB30BB3B5176F95B8B611074D1D6498BE71F2E0F3A758CD466DA2D81044CD180152D1F13302492A03ED66E7EF2BE5FC13018BE5F5C97065C3BD90
        Malicious:false
        Reputation:low
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1480760" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.977228853039723
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:olPUTAxpzu.exe
        File size:9184276
        MD5:8a0e3e9d2d00b456539face1b95f5e49
        SHA1:a3e08ca002b4046da36c1d05f079db9ccba567ff
        SHA256:1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d
        SHA512:d35530bdfa27a2164221ee042a040184c61a05caf631b0545e414dbd12925031c682933e509220aa68f05243f06a70e74188b29a707d1cac5e5178db92f537b7
        SSDEEP:196608:k1E3uOIPaV+mW+8w7802hv0ZFoj7J0U53jSXINWe/jgz:XVma6+8Ku0bwJ0U5zIIFji
        TLSH:5696334A2631A528C3DA3F30AEA7C37326764C1FD5223D4A259AFDEF71674C4E825319
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...X..........@... ....X...@.. ...............................P....`................................
        Icon Hash:a6d2d4d294b6b200
        Entrypoint:0x1224000
        Entrypoint Section:.taggant
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, HIGH_ENTROPY_VA
        Time Stamp:0xA8C7FB17 [Thu Sep 25 01:17:11 2059 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:4328f7206db519cd4e82283211d98e83
        Instruction
        jmp 00007F1740A4A92Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5ac03a | 0x50 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5ae000 | 0x1ba68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unprintable name) | 0x2000 | 0x58c000 | 0x58b200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(unprintable name) | 0x58e000 | 0x1ba6c | 0x5859 | False | 0.997523986382 | data | 7.94073553338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unprintable name) | 0x5aa000 | 0xc | 0xf | False | 1.53333333333 | data | 3.90689059561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x5ac000 | 0x2000 | 0x200 | False | 0.16796875 | data | 1.14864242974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x5ae000 | 0x1bc00 | 0x1bc00 | False | 0.199394707207 | data | 3.11295029714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x5ca000 | 0x546000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot | 0xb10000 | 0x313400 | 0x313400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.taggant | 0xe24000 | 0x2200 | 0x2014 | False | 0.596931320019 | DOS executable (COM) | 6.83505846314 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x5ae1a0 | 0x21ee | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x5b03a0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x5c0bd8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x5c4e10 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x5c73c8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x5c8480 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x5c88f8 | 0x5a | data | |
RT_VERSION | 0x5c8964 | 0x32c | data | |
RT_MANIFEST | 0x5c8ca0 | 0xdc7 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | English | United States
DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2022
Assembly Version | 1.0.0.0
InternalName | BHLoaderNew.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | BHLoaderNew
ProductVersion | 1.0.0.0
FileDescription | BHLoaderNew
OriginalFilename | BHLoaderNew.exe
Language of compilation system | Country where language is spoken | Map
English | United States |
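The static fields above are what the report's PE-level signatures key on: the entry point (0x1224000 minus the 0x400000 image base, RVA 0xe24000) falls in .taggant rather than .text, three sections have names the report cannot print, .themida is writable and executable with a raw size of zero (it is filled in at run time), and the TimeDateStamp 0xA8C7FB17 decodes to September 2059, well after the analysis date. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds a minimal PE32 header from the section table listed above and runs those checks over it with a small hand-written parser. The section-flag constants are from winnt.h; the list of "standard" section names and the placeholder non-printable names given to the three unnamed sections are assumptions made for the example. That .themida, .boot and .taggant are section names left by the Themida/WinLicense protector is background knowledge, not something the report states.

```python
import struct
import datetime

# Section characteristic flags (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_RX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
DATA_R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Assumption: names a normal linker emits; anything else is treated as non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".sdata"}

# Section table as listed in the report: (name, VA, virtual size, raw size, flags).
# The three sections whose names the report could not print get placeholder
# non-printable names (assumption: only that they contain special chars is known).
REPORTED_SECTIONS = [
    (b"\x01",     0x002000, 0x58c000, 0x58b200, CODE_RX),
    (b"\x02",     0x58e000, 0x01ba6c, 0x005859, DATA_R),
    (b"\x03",     0x5aa000, 0x00000c, 0x00000f, DATA_R | IMAGE_SCN_MEM_DISCARDABLE),
    (b".imports", 0x5ac000, 0x002000, 0x000200, DATA_R | IMAGE_SCN_MEM_WRITE),
    (b".rsrc",    0x5ae000, 0x01bc00, 0x01bc00, DATA_R),
    (b".themida", 0x5ca000, 0x546000, 0x000000, CODE_RX | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE),
    (b".boot",    0xb10000, 0x313400, 0x313400, CODE_RX | IMAGE_SCN_CNT_INITIALIZED_DATA),
    (b".taggant", 0xe24000, 0x002200, 0x002014, CODE_RX | IMAGE_SCN_CNT_INITIALIZED_DATA),
]
REPORTED_ENTRY_RVA = 0x1224000 - 0x400000   # Entrypoint minus Imagebase
REPORTED_TIMESTAMP = 0xA8C7FB17              # TimeDateStamp from the report
ANALYSIS_DATE = datetime.datetime(2022, 4, 20, tzinfo=datetime.timezone.utc)


def build_pe(entry_rva, timestamp, sections):
    """Assemble a minimal PE32 header: DOS header, PE signature, COFF header,
    224-byte optional header and section table. Only fields triage() reads are set."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp, 0, 0, 224, 0x0122)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, raw, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(pe):
    """Return (TimeDateStamp, entry RVA, section list) from a PE header blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(nsect):
        name, vsize, va, raw, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize, "raw": raw, "flags": flags})
    return timestamp, entry_rva, sections


def printable_name(raw_name):
    """Decode a section name, or None if any byte is outside printable ASCII."""
    if not raw_name or any(b < 0x21 or b > 0x7E for b in raw_name):
        return None
    return raw_name.decode("ascii")


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None


def triage(pe, analysis_date):
    """Static checks mirroring the report's PE signatures."""
    timestamp, entry_rva, sections = parse_pe(pe)
    names = [printable_name(s["name"]) for s in sections]
    ep = section_for_rva(sections, entry_rva)
    ep_name = printable_name(ep["name"]) if ep else None
    build_time = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {
        "entry_point_section": ep_name,
        "entry_point_outside_standard_sections": ep is None or ep_name not in STANDARD_SECTIONS,
        "sections_with_special_chars": sum(1 for n in names if n is None),
        "non_standard_section_names": [n for n in names if n is not None and n not in STANDARD_SECTIONS],
        "writable_executable_sections": [printable_name(s["name"]) for s in sections
                                         if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        "virtual_only_sections": [printable_name(s["name"]) for s in sections if s["raw"] == 0 and s["vsize"] > 0],
        "build_time_utc": build_time.isoformat(),
        "timestamp_in_future": build_time > analysis_date,
    }


def triage_reported_sample():
    """Run the checks over the header rebuilt from the report's values."""
    return triage(build_pe(REPORTED_ENTRY_RVA, REPORTED_TIMESTAMP, REPORTED_SECTIONS), ANALYSIS_DATE)


if __name__ == "__main__":
    for key, value in triage_reported_sample().items():
        print(f"{key}: {value}")
```

Feed parse_pe() and triage() the bytes of a real file to apply the same checks to any PE image; only the header needs to be present, and AddressOfEntryPoint sits at the same optional-header offset in PE32+ so 64-bit images parse without changes. The combination this script surfaces (entry point in a non-standard, high-entropy section, a zero-raw-size W+X section, unprintable section names, a future timestamp) is the packer profile behind the "Software Packing" and "Obfuscated Files or Information" rows in the matrix above.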
        No network behavior found


        Target ID:0
        Start time:15:09:05
        Start date:20/04/2022
        Path:C:\Users\user\Desktop\olPUTAxpzu.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\olPUTAxpzu.exe"
        Imagebase:0x3b0000
        File size:9184276 bytes
        MD5 hash:8A0E3E9D2D00B456539FACE1B95F5E49
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        Target ID:4
        Start time:15:09:24
        Start date:20/04/2022
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
        Imagebase:0xa70000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:high

        Target ID:6
        Start time:15:09:26
        Start date:20/04/2022
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
        Imagebase:0xa70000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 147fbd78765ccc5531713515709580f238ca7fad55282205ce919d49b0cca75e
          • Instruction ID: 8d8bea2871a880e80b293f04eeab3fcd98f6dbda9bb3d296f567a1864f8bb96f
          • Opcode Fuzzy Hash: 147fbd78765ccc5531713515709580f238ca7fad55282205ce919d49b0cca75e
          • Instruction Fuzzy Hash: FBF024A6B0D3E51BE717233458B135D3F694B93251F1A089BC082CB2C7DA1D4A4187D3
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c4ea6c2f95376312d7ee1cc0df812b43a04c99e89e9cb53ccfd467bf2ebe1f0b
          • Instruction ID: be830fb0c657c109afe38315de49dca5b2913e9e5fcbb56c5b5f50c7f81967ef
          • Opcode Fuzzy Hash: c4ea6c2f95376312d7ee1cc0df812b43a04c99e89e9cb53ccfd467bf2ebe1f0b
          • Instruction Fuzzy Hash: 9821A171B002055FDB58DF69D881BAFB7EAFF88200F04816EE506DB341EB30E8058BA5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a3648df3270308fe34c4e880c3468c08948e03f7a5649b5d3c7cba48c25cfff3
          • Instruction ID: c8acb4faacc900c50de589c4d5a4ca03cfeb4587d6d38a3db40ba384e404e8de
          • Opcode Fuzzy Hash: a3648df3270308fe34c4e880c3468c08948e03f7a5649b5d3c7cba48c25cfff3
          • Instruction Fuzzy Hash: 71212B75504340EFCF15DF54D8C4B16BB65FB88324F24C569EA094F24AC336D816CB61
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d81d43db262b348844ef09b89f3971557701dc21e8a07aec7cc3d86594664404
          • Instruction ID: c6e66c361da94c340f1260a98c195376edbae7ab45e316cc8e16d1376b96f993
          • Opcode Fuzzy Hash: d81d43db262b348844ef09b89f3971557701dc21e8a07aec7cc3d86594664404
          • Instruction Fuzzy Hash: 942125B1504244EFDB05DF64D8C4B26BF66FB88328F248969E9094B24AC736D856CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c1d350c7deecc360c5ecbd03017b997409a06dc2531c9543834d74d94814d6cb
          • Instruction ID: 16d8a27d82b59f18598f4e20709411d845bbfa8a36df095349580db252367208
          • Opcode Fuzzy Hash: c1d350c7deecc360c5ecbd03017b997409a06dc2531c9543834d74d94814d6cb
          • Instruction Fuzzy Hash: 9E2107B5504280EFDB05DF54D9C8B27BF65FB88318F24896DE9094B24AC336D856CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 637d1a650ab2f1528a4440851710001a14051739d65873ff79e51adcee2b6a78
          • Instruction ID: e77414892477b360fda6a6fe4a31969fc207124d9a25112de3b234e5fa23fcd3
          • Opcode Fuzzy Hash: 637d1a650ab2f1528a4440851710001a14051739d65873ff79e51adcee2b6a78
          • Instruction Fuzzy Hash: 8821B071B002055FDB48DF68D980BAF77EABF98200F04816EE506DB740EB30E90587A5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418625176.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_33dd000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 26fcd7b5ec790e3fe2db7410b2264a579b014f7af3803337e325b958d0e02dca
          • Instruction ID: d4b0c6b74402102d3dfbdb10995229a68e8d1e24c908cfa9864baf9365b5e7b1
          • Opcode Fuzzy Hash: 26fcd7b5ec790e3fe2db7410b2264a579b014f7af3803337e325b958d0e02dca
          • Instruction Fuzzy Hash: 8221D3B6508240DFCB14DF24F8C0B16BB69FF84318F24C5A9E90A4B646C73AD846CA61
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418625176.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_33dd000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 397ea8b3397bc5a1dcfd1336b4bdf47d803d9470e47d20d891d489eeda58a2d9
          • Instruction ID: 952d97214ea16ec77da3620863f8a81b032e65679ef51ec2aee05543cadbf2c2
          • Opcode Fuzzy Hash: 397ea8b3397bc5a1dcfd1336b4bdf47d803d9470e47d20d891d489eeda58a2d9
          • Instruction Fuzzy Hash: 502184755093808FCB12CF24E9D4715BF71EF86214F28C5DAD8498B657C33AD44ACB62
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5d45503816e92e2fa8290720e2be2ddeb3b086092fcda944810b3628bec8652e
          • Instruction ID: 1e25e0fe1c7641a52d58bf8ff8d7dbca68ba1b718e4207f6ebd9d4f4429feec1
          • Opcode Fuzzy Hash: 5d45503816e92e2fa8290720e2be2ddeb3b086092fcda944810b3628bec8652e
          • Instruction Fuzzy Hash: 8621AF76404280DFCF16CF54D9C4B16BF72FB88314F2486A9D9480B21BC33AD466CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2227ead48887bb7cce9473fabd61b0e2a12cb043cc437ada36f796e4309a0fc6
          • Instruction ID: 8027b3b7b25508e89e42795db87061ac87a14beda6807a24b86abb65f32067fa
          • Opcode Fuzzy Hash: 2227ead48887bb7cce9473fabd61b0e2a12cb043cc437ada36f796e4309a0fc6
          • Instruction Fuzzy Hash: 5311B176404280CFCF02CF54D9C4B16BF62FB84324F24CAA9D8490B25BC33AD45ACBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418499222.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_1a1d000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2227ead48887bb7cce9473fabd61b0e2a12cb043cc437ada36f796e4309a0fc6
          • Instruction ID: d63edcaf9812a4f4d312c530b32cffeaa97b4f7fe276f930013fb351209e7f4e
          • Opcode Fuzzy Hash: 2227ead48887bb7cce9473fabd61b0e2a12cb043cc437ada36f796e4309a0fc6
          • Instruction Fuzzy Hash: 2111D376504280DFDB12CF54D5C8B16BF71FB84324F24C6A9D8450B21BC336D45ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: cf439c7afbc461d9d8943d7da1063ef4a1d219d776f47fe58d965854cfc9b83d
          • Instruction ID: ba01c827ccadad3a30d818b5a11db9b0824ec10ee201d78038b4c1d31f69fbcc
          • Opcode Fuzzy Hash: cf439c7afbc461d9d8943d7da1063ef4a1d219d776f47fe58d965854cfc9b83d
          • Instruction Fuzzy Hash: 54E02B767012501BD705E27872087EE6B5797C2628F0D406FD2498F741CAB51C4A83A5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f0a2294cb964ab7b014738960536072433714c1cb582da9ae53171444850a33c
          • Instruction ID: a8ea1a760f33f8e5f18117a4ca5a734dcbabd12ae7c6466febad99a516b6cfaf
          • Opcode Fuzzy Hash: f0a2294cb964ab7b014738960536072433714c1cb582da9ae53171444850a33c
          • Instruction Fuzzy Hash: AAF02B32B40200AFD7148B18D805BE577F5EFCA319F1800A9F9498B363DBB35C128B90
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 190b582319ddb3eb4a4e9a6ea23ba0b34bce7d4f114ce77f7c6058ce26563067
          • Instruction ID: f371dfb5ce1745046f2d1de4f92f84b1c64f61856b3ef5fd462137d2d6a66a27
          • Opcode Fuzzy Hash: 190b582319ddb3eb4a4e9a6ea23ba0b34bce7d4f114ce77f7c6058ce26563067
          • Instruction Fuzzy Hash: 4FF0ED3AA89200EFC301CBE8CD40F95BBF5AB29300F0940ABF500CF193E2728A50C785
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f35de68cef8c2f3a87bfb37fd60544e7183893d047fa81bb870028cc2f064395
          • Instruction ID: 8506795865ca9f0a4ddb83e1bc2dd5a83c2dcef31579ed86ec2e7d61cea7e25e
          • Opcode Fuzzy Hash: f35de68cef8c2f3a87bfb37fd60544e7183893d047fa81bb870028cc2f064395
          • Instruction Fuzzy Hash: 33E026317002046FD3105758D800F957BEAEFCA328F1500A5F6488B3A3CAA2AC018790
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fc6524557072766b3bfcd0b6e8fba7531adb5008038db9f9f2bc1cc1ba90c92a
          • Instruction ID: 57f4605faf3d59de3e07906e6f17787817febbb26173b88d4c00939eeb2914a0
          • Opcode Fuzzy Hash: fc6524557072766b3bfcd0b6e8fba7531adb5008038db9f9f2bc1cc1ba90c92a
          • Instruction Fuzzy Hash: 41D0A71974053C239A0C7678612432F358F8BC5564F40002CD20B87388CF2A8E0103D6
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.418840346.00000000034A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_34a0000_olPUTAxpzu.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 742e30e507af470dabb5ed1466d6442d3c7e67f5aec065f6e11830ae3cdefc29
          • Instruction ID: 9c62aa9fd472928c8027e724cb6a93d158860cda35d54a2617f0631623381d18
          • Opcode Fuzzy Hash: 742e30e507af470dabb5ed1466d6442d3c7e67f5aec065f6e11830ae3cdefc29
          • Instruction Fuzzy Hash: 2AD01276A4020CBFDB10CEE0DD05F9ABBADD705701F104065FE04D7141E6729A109795
          Uniqueness

          Uniqueness Score: -1.00%