Edit tour

Windows Analysis Report
OhWWbQcp7Q.exe

Overview

General Information

Sample name:	OhWWbQcp7Q.exe renamed because original name is a hash value
Original sample name:	2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
Analysis ID:	1547535
MD5:	00345de133a4d119eacc29fb87f648e9
SHA1:	63b3f141071e71d39866d7a4bd204b2b8615080d
SHA256:	2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
Tags:	cdt2023-ddns-netexeuser-JAMESWT_MHT
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to create new users

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OhWWbQcp7Q.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\OhWWbQcp7Q.exe" MD5: 00345DE133A4D119EACC29FB87F648E9)

images.exe (PID: 3760 cmdline: "C:\ProgramData\images.exe" MD5: 00345DE133A4D119EACC29FB87F648E9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware Configuration

Threatname: AveMaria

{"C2 url": "chromedata.accesscam.org", "port": 5221, "Proxy Port": 26368}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OhWWbQcp7Q.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
OhWWbQcp7Q.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
OhWWbQcp7Q.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
OhWWbQcp7Q.exe	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
OhWWbQcp7Q.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
OhWWbQcp7Q.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
OhWWbQcp7Q.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
OhWWbQcp7Q.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
OhWWbQcp7Q.exe	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 4 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\images.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
C:\ProgramData\images.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\images.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
C:\ProgramData\images.exe	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
C:\ProgramData\images.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\ProgramData\images.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
C:\ProgramData\images.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\ProgramData\images.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
C:\ProgramData\images.exe	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000000.1665942039.00000000002FF000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2b70:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x13b8:$a2: SMTP Password 0x5f8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x5138:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2a78:$a5: for /F "usebackq tokens=*" %%A in (" 0xde8:$a6: \Torch\User Data\Default\Login Data 0x5258:$a7: /n:%temp%\ellocnak.xml 0x1954:$a8: "os_crypt":{"encrypted_key":" 0x5288:$a9: Hey I'm Admin 0x1280:$a10: \logins.json 0x18cc:$a11: Accounts\Account.rec0 0x190:$a12: warzone160 0x2820:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1682866444.0000000000814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000000.1683394560.00000000007BF000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1682769402.0000000000814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x15b08:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14350:$a2: SMTP Password 0x13590:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x186c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15a10:$a5: for /F "usebackq tokens=*" %%A in (" 0x13d80:$a6: \Torch\User Data\Default\Login Data 0x187e8:$a7: /n:%temp%\ellocnak.xml 0x148ec:$a8: "os_crypt":{"encrypted_key":" 0x18818:$a9: Hey I'm Admin 0x14218:$a10: \logins.json 0x14864:$a11: Accounts\Account.rec0 0x13128:$a12: warzone160 0x157b8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2310:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xb58:$a2: SMTP Password 0x2218:$a5: for /F "usebackq tokens=*" %%A in (" 0x588:$a6: \Torch\User Data\Default\Login Data 0x10f4:$a8: "os_crypt":{"encrypted_key":" 0xa20:$a10: \logins.json 0x106c:$a11: Accounts\Account.rec0 0x1fc0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2908:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1150:$a2: SMTP Password 0x390:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4d98:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2810:$a5: for /F "usebackq tokens=*" %%A in (" 0xb80:$a6: \Torch\User Data\Default\Login Data 0x16ec:$a8: "os_crypt":{"encrypted_key":" 0x1018:$a10: \logins.json 0x1664:$a11: Accounts\Account.rec0 0x4930:$a12: warzone160 0x25b8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x22f0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xb38:$a2: SMTP Password 0x48b8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x21f8:$a5: for /F "usebackq tokens=*" %%A in (" 0x568:$a6: \Torch\User Data\Default\Login Data 0x49d8:$a7: /n:%temp%\ellocnak.xml 0x10d4:$a8: "os_crypt":{"encrypted_key":" 0x4a08:$a9: Hey I'm Admin 0xa00:$a10: \logins.json 0x104c:$a11: Accounts\Account.rec0 0x1fa0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2310:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xb58:$a2: SMTP Password 0xf6d0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x124d8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2218:$a5: for /F "usebackq tokens=*" %%A in (" 0x588:$a6: \Torch\User Data\Default\Login Data 0xf7f0:$a7: /n:%temp%\ellocnak.xml 0x125f8:$a7: /n:%temp%\ellocnak.xml 0x10f4:$a8: "os_crypt":{"encrypted_key":" 0xf820:$a9: Hey I'm Admin 0x12628:$a9: Hey I'm Admin 0xa20:$a10: \logins.json 0x106c:$a11: Accounts\Account.rec0 0x1fc0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16650:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e98:$a2: SMTP Password 0x140d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16558:$a5: for /F "usebackq tokens=*" %%A in (" 0x148c8:$a6: \Torch\User Data\Default\Login Data 0x19330:$a7: /n:%temp%\ellocnak.xml 0x15434:$a8: "os_crypt":{"encrypted_key":" 0x19360:$a9: Hey I'm Admin 0x14d60:$a10: \logins.json 0x153ac:$a11: Accounts\Account.rec0 0x13c70:$a12: warzone160 0x16300:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16b70:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x153b8:$a2: SMTP Password 0x145f8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19138:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16a78:$a5: for /F "usebackq tokens=*" %%A in (" 0x14de8:$a6: \Torch\User Data\Default\Login Data 0x19258:$a7: /n:%temp%\ellocnak.xml 0x15954:$a8: "os_crypt":{"encrypted_key":" 0x19288:$a9: Hey I'm Admin 0x15280:$a10: \logins.json 0x158cc:$a11: Accounts\Account.rec0 0x14190:$a12: warzone160 0x16820:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16650:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e98:$a2: SMTP Password 0x140d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16558:$a5: for /F "usebackq tokens=*" %%A in (" 0x148c8:$a6: \Torch\User Data\Default\Login Data 0x19330:$a7: /n:%temp%\ellocnak.xml 0x15434:$a8: "os_crypt":{"encrypted_key":" 0x19360:$a9: Hey I'm Admin 0x14d60:$a10: \logins.json 0x153ac:$a11: Accounts\Account.rec0 0x13c70:$a12: warzone160 0x16300:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x21b08:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x20350:$a2: SMTP Password 0x1f590:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x246c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x21a10:$a5: for /F "usebackq tokens=*" %%A in (" 0x1fd80:$a6: \Torch\User Data\Default\Login Data 0x247e8:$a7: /n:%temp%\ellocnak.xml 0x208ec:$a8: "os_crypt":{"encrypted_key":" 0x24818:$a9: Hey I'm Admin 0x20218:$a10: \logins.json 0x20864:$a11: Accounts\Account.rec0 0x1f128:$a12: warzone160 0x217b8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16b70:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x153b8:$a2: SMTP Password 0x145f8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19138:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16a78:$a5: for /F "usebackq tokens=*" %%A in (" 0x14de8:$a6: \Torch\User Data\Default\Login Data 0x19258:$a7: /n:%temp%\ellocnak.xml 0x15954:$a8: "os_crypt":{"encrypted_key":" 0x19288:$a9: Hey I'm Admin 0x15280:$a10: \logins.json 0x158cc:$a11: Accounts\Account.rec0 0x14190:$a12: warzone160 0x16820:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x21b08:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x20350:$a2: SMTP Password 0x1f590:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x246c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x21a10:$a5: for /F "usebackq tokens=*" %%A in (" 0x1fd80:$a6: \Torch\User Data\Default\Login Data 0x247e8:$a7: /n:%temp%\ellocnak.xml 0x208ec:$a8: "os_crypt":{"encrypted_key":" 0x24818:$a9: Hey I'm Admin 0x20218:$a10: \logins.json 0x20864:$a11: Accounts\Account.rec0 0x1f128:$a12: warzone160 0x217b8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: OhWWbQcp7Q.exe PID: 6892	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: OhWWbQcp7Q.exe PID: 6892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: images.exe PID: 3760	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: images.exe PID: 3760	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 64 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.images.exe.123c3b8.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.3.images.exe.123c3b8.7.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.8151c0.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.8151c0.7.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.3.images.exe.123c3b8.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.3.images.exe.123c3b8.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.2.images.exe.3417490.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.2.images.exe.3417490.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.3.images.exe.1203b38.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.3.images.exe.1203b38.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.816758.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.816758.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.8134d8.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.8134d8.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x11f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4000:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.3.images.exe.123c3b8.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.3.images.exe.123c3b8.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.813950.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.813950.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.OhWWbQcp7Q.exe.2962490.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.OhWWbQcp7Q.exe.2962490.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.816758.6.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.816758.6.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.82b948.12.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.82b948.12.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.82b948.16.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.82b948.16.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.3.images.exe.12009a0.9.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
1.3.images.exe.12009a0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x19fd:$r1: Classes\Folder\shell\open\command 0x1a20:$k1: DelegateExecute
0.3.OhWWbQcp7Q.exe.8151c0.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.8151c0.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.82b948.14.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.82b948.14.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.OhWWbQcp7Q.exe.8151c0.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.OhWWbQcp7Q.exe.8151c0.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
0.2.OhWWbQcp7Q.exe.1b0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
0.0.OhWWbQcp7Q.exe.1b0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
1.0.images.exe.670000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.0.images.exe.670000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.images.exe.670000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
1.0.images.exe.670000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
1.0.images.exe.670000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
1.0.images.exe.670000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
1.0.images.exe.670000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.0.images.exe.670000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
1.0.images.exe.670000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
1.2.images.exe.670000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
1.2.images.exe.670000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.images.exe.670000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
1.2.images.exe.670000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
1.2.images.exe.670000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
1.2.images.exe.670000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
1.2.images.exe.670000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.2.images.exe.670000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
1.2.images.exe.670000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 10, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OhWWbQcp7Q.exe, ProcessId: 6892, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T16:56:32.628540+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49733	TCP
2024-11-02T16:57:12.782068+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	64519	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OhWWbQcp7Q.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\images.exe

Avira: detection malicious, Label: TR/Redcap.ghjpt

Found malware configuration

Source: OhWWbQcp7Q.exe

Malware Configuration Extractor: AveMaria {"C2 url": "chromedata.accesscam.org", "port": 5221, "Proxy Port": 26368}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\images.exe

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: OhWWbQcp7Q.exe

ReversingLabs: Detection: 89%

Yara detected AveMaria stealer

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\images.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OhWWbQcp7Q.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BB15E lstrlenA,CryptStringToBinaryA,lstrcpyA,	0_2_001BB15E
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BCAFC CryptUnprotectData,LocalAlloc,LocalFree,	0_2_001BCAFC
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BCC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	0_2_001BCC54
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BCCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	0_2_001BCCB4
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BA632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	0_2_001BA632
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BCF58 LocalAlloc,BCryptDecrypt,LocalFree,	0_2_001BCF58
Source: C:\ProgramData\images.exe	Code function: 1_2_0067B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,	1_2_0067B15E
Source: C:\ProgramData\images.exe	Code function: 1_2_0067CAFC CryptUnprotectData,LocalAlloc,LocalFree,	1_2_0067CAFC
Source: C:\ProgramData\images.exe	Code function: 1_2_0067CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	1_2_0067CC54
Source: C:\ProgramData\images.exe	Code function: 1_2_0067CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	1_2_0067CCB4
Source: C:\ProgramData\images.exe	Code function: 1_2_0067A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	1_2_0067A632
Source: C:\ProgramData\images.exe	Code function: 1_2_0067CF58 LocalAlloc,BCryptDecrypt,LocalFree,	1_2_0067CF58

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 1.3.images.exe.123c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.8151c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.images.exe.123c3b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.3417490.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.images.exe.1203b38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.816758.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.8134d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.images.exe.123c3b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.813950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.2962490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.816758.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.82b948.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.82b948.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.8151c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.82b948.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OhWWbQcp7Q.exe.8151c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1665942039.00000000002FF000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682866444.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683394560.00000000007BF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682769402.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OhWWbQcp7Q.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 3760, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

Source: OhWWbQcp7Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: OhWWbQcp7Q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001B9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	0_2_001B9DF6
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BFF27 FindFirstFileW,FindNextFileW,	0_2_001BFF27
Source: C:\ProgramData\images.exe	Code function: 1_2_00679DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	1_2_00679DF6
Source: C:\ProgramData\images.exe	Code function: 1_2_0067FF27 FindFirstFileW,FindNextFileW,	1_2_0067FF27

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

0_2_001C002B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: chromedata.accesscam.org

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B27D3 URLDownloadToFileW,ShellExecuteW,

0_2_001B27D3

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 128.90.129.125:5221

Source: Joe Sandbox View

IP Address: 128.90.129.125 128.90.129.125

Source: Joe Sandbox View

ASN Name: PHMGMT-AS1US PHMGMT-AS1US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:64519
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49733

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BD0A3 recv,

0_2_001BD0A3

Source: global traffic

DNS traffic detected: DNS query: chromedata.accesscam.org

Source: OhWWbQcp7Q.exe, images.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: OhWWbQcp7Q.exe, images.exe.0.dr	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B89D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

0_2_001B89D5

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

0_2_001B902E

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Author: unknown
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.3.images.exe.123c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.8151c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.images.exe.123c3b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.images.exe.3417490.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.images.exe.1203b38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.816758.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.8134d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.images.exe.123c3b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.813950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.OhWWbQcp7Q.exe.2962490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.816758.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.82b948.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.82b948.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.OhWWbQcp7Q.exe.8151c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.82b948.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.OhWWbQcp7Q.exe.8151c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: AveMaria_WarZone Author: unknown
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001C1BF8		0_2_001C1BF8
Source: C:\ProgramData\images.exe	Code function: 1_2_00681BF8		1_2_00681BF8

Source: C:\ProgramData\images.exe	Code function: String function: 006735E5 appears 40 times
Source: C:\ProgramData\images.exe	Code function: String function: 00680969 appears 38 times
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: String function: 001B35E5 appears 40 times
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: String function: 001C0969 appears 38 times

Source: OhWWbQcp7Q.exe	Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: images.exe.0.dr	Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: OhWWbQcp7Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: OhWWbQcp7Q.exe, type: SAMPLE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.3.images.exe.123c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.8151c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.images.exe.123c3b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.images.exe.3417490.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.images.exe.1203b38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.816758.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.8134d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.images.exe.123c3b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.813950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.OhWWbQcp7Q.exe.2962490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.816758.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.82b948.12.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.82b948.16.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.OhWWbQcp7Q.exe.8151c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.82b948.14.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.OhWWbQcp7Q.exe.8151c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: C:\ProgramData\images.exe, type: DROPPED	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BF619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		0_2_001BF619
Source: C:\ProgramData\images.exe	Code function: 1_2_0067F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		1_2_0067F619

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C20B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_001C20B8

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,

0_2_001C290F

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C30B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

0_2_001C30B3

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BD49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_001BD49C

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File created: C:\Users\user\AppData\Local\Microsoft Vision\

Jump to behavior

Source: C:\ProgramData\images.exe

Mutant created: NULL

Source: OhWWbQcp7Q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OhWWbQcp7Q.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File read: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OhWWbQcp7Q.exe "C:\Users\user\Desktop\OhWWbQcp7Q.exe"
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Process created: C:\ProgramData\images.exe "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Process created: C:\ProgramData\images.exe "C:\ProgramData\images.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: OhWWbQcp7Q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: OhWWbQcp7Q.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BFA42 LoadLibraryA,GetProcAddress,

0_2_001BFA42

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001B1190 push eax; ret	0_2_001B11A4
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001B1190 push eax; ret	0_2_001B11CC
Source: C:\ProgramData\images.exe	Code function: 1_2_006739DF push C3C18B00h; retn 0004h	1_2_006739EF
Source: C:\ProgramData\images.exe	Code function: 1_2_00671190 push eax; ret	1_2_006711A4
Source: C:\ProgramData\images.exe	Code function: 1_2_00671190 push eax; ret	1_2_006711CC
Source: C:\ProgramData\images.exe	Code function: 1_2_00673D40 push C3C18B00h; retn 0004h	1_2_00673D46

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BD418 NetUserAdd,NetLocalGroupAddMembers,

0_2_001BD418

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B27D3 URLDownloadToFileW,ShellExecuteW,

0_2_001B27D3

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BAC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	0_2_001BAC0A
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BA6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	0_2_001BA6C8
Source: C:\ProgramData\images.exe	Code function: 1_2_0067AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	1_2_0067AC0A
Source: C:\ProgramData\images.exe	Code function: 1_2_0067A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	1_2_0067A6C8

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BD508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_001BD508

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: OhWWbQcp7Q.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe, 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: OhWWbQcp7Q.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: OhWWbQcp7Q.exe	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe.0.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe.0.dr	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,		0_2_001BDA5B
Source: C:\ProgramData\images.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,		1_2_0067DA5B

Source: C:\ProgramData\images.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_1-11921
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_0-11615

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe TID: 3668	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\ProgramData\images.exe TID: 3684	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\ProgramData\images.exe TID: 3684	Thread sleep time: -95000s >= -30000s	Jump to behavior

Source: C:\ProgramData\images.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001B9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	0_2_001B9DF6
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001BFF27 FindFirstFileW,FindNextFileW,	0_2_001BFF27
Source: C:\ProgramData\images.exe	Code function: 1_2_00679DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	1_2_00679DF6
Source: C:\ProgramData\images.exe	Code function: 1_2_0067FF27 FindFirstFileW,FindNextFileW,	1_2_0067FF27

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

0_2_001C002B

Source: OhWWbQcp7Q.exe, 00000000.00000003.1684918601.0000000000808000.00000004.00000020.00020000.00000000.sdmp, OhWWbQcp7Q.exe, 00000000.00000003.1685008470.000000000080F000.00000004.00000020.00020000.00000000.sdmp, OhWWbQcp7Q.exe, 00000000.00000003.1682968555.0000000000808000.00000004.00000020.00020000.00000000.sdmp, OhWWbQcp7Q.exe, 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, OhWWbQcp7Q.exe, 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, OhWWbQcp7Q.exe, 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, images.exe, 00000001.00000003.1702302574.000000000120B000.00000004.00000020.00020000.00000000.sdmp, images.exe, 00000001.00000003.1702165776.000000000120B000.00000004.00000020.00020000.00000000.sdmp, images.exe, 00000001.00000003.1702087810.000000000120B000.00000004.00000020.00020000.00000000.sdmp, images.exe, 00000001.00000002.2923231738.000000000120B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	API call chain: ExitProcess graph end node	graph_0-8560
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	API call chain: ExitProcess graph end node	graph_0-10463
Source: C:\ProgramData\images.exe	API call chain: ExitProcess graph end node	graph_1-8935
Source: C:\ProgramData\images.exe	API call chain: ExitProcess graph end node	graph_1-10834

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BFA42 LoadLibraryA,GetProcAddress,

0_2_001BFA42

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001C094E mov eax, dword ptr fs:[00000030h]	0_2_001C094E
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001C0619 mov eax, dword ptr fs:[00000030h]	0_2_001C0619
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001C0620 mov eax, dword ptr fs:[00000030h]	0_2_001C0620
Source: C:\ProgramData\images.exe	Code function: 1_2_0068094E mov eax, dword ptr fs:[00000030h]	1_2_0068094E
Source: C:\ProgramData\images.exe	Code function: 1_2_00680620 mov eax, dword ptr fs:[00000030h]	1_2_00680620
Source: C:\ProgramData\images.exe	Code function: 1_2_00680619 mov eax, dword ptr fs:[00000030h]	1_2_00680619

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B1085 GetProcessHeap,RtlAllocateHeap,

0_2_001B1085

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001B79E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	0_2_001B79E8
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: 0_2_001C1FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	0_2_001C1FD8
Source: C:\ProgramData\images.exe	Code function: 1_2_006779E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	1_2_006779E8
Source: C:\ProgramData\images.exe	Code function: 1_2_00681FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	1_2_00681FD8

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe		0_2_001C20B8
Source: C:\ProgramData\images.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe		1_2_006820B8

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001C18BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

0_2_001C18BA

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BF56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

0_2_001BF56D

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001BF93F cpuid

0_2_001BF93F

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Code function: 0_2_001B882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

0_2_001B882F

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: \Google\Chrome\User Data\Default\Login Data	0_2_001BC1B2
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: \Chromium\User Data\Default\Login Data	0_2_001BC1B2
Source: C:\ProgramData\images.exe	Code function: \Google\Chrome\User Data\Default\Login Data	1_2_0067C1B2
Source: C:\ProgramData\images.exe	Code function: \Chromium\User Data\Default\Login Data	1_2_0067C1B2

Contains functionality to steal e-mail passwords

Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: POP3 Password	0_2_001BA29A
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: SMTP Password	0_2_001BA29A
Source: C:\Users\user\Desktop\OhWWbQcp7Q.exe	Code function: IMAP Password	0_2_001BA29A
Source: C:\ProgramData\images.exe	Code function: POP3 Password	1_2_0067A29A
Source: C:\ProgramData\images.exe	Code function: SMTP Password	1_2_0067A29A
Source: C:\ProgramData\images.exe	Code function: IMAP Password	1_2_0067A29A

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OhWWbQcp7Q.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 3760, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: OhWWbQcp7Q.exe, type: SAMPLE
Source: Yara match	File source: 1.3.images.exe.12009a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.OhWWbQcp7Q.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.images.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\images.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Endpoint Denial of Service
Credentials	Domains	Default Accounts	2 Service Execution	1 Create Account	1 Access Token Manipulation	2 Obfuscated Files or Information	21 Input Capture	1 System Service Discovery	Remote Desktop Protocol	21 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	1 DLL Side-Loading	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	111 Process Injection	3 Masquerading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Virtualization/Sandbox Evasion	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Users	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OhWWbQcp7Q.exe	89%	ReversingLabs	Win32.Backdoor.Remcos
OhWWbQcp7Q.exe	100%	Avira	TR/Redcap.ghjpt
OhWWbQcp7Q.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\images.exe	100%	Avira	TR/Redcap.ghjpt
C:\ProgramData\images.exe	100%	Joe Sandbox ML
C:\ProgramData\images.exe	89%	ReversingLabs	Win32.Backdoor.Remcos

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chromedata.accesscam.org	128.90.129.125	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
chromedata.accesscam.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/syohex/java-simple-mine-sweeperC:	OhWWbQcp7Q.exe, images.exe.0.dr	false		unknown
https://github.com/syohex/java-simple-mine-sweeper	OhWWbQcp7Q.exe, images.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
128.90.129.125	chromedata.accesscam.org	United States		22363	PHMGMT-AS1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547535
Start date and time:	2024-11-02 16:55:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OhWWbQcp7Q.exe renamed because original name is a hash value
Original Sample Name:	2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 175
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: OhWWbQcp7Q.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
128.90.129.125	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chromedata.accesscam.org	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse	128.90.129.125
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse	128.90.129.125
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PHMGMT-AS1US	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse	128.90.129.125
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse	128.90.129.125
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125

Process:	C:\Users\user\Desktop\OhWWbQcp7Q.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.376207291854624
Encrypted:	false
SSDEEP:	1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
MD5:	00345DE133A4D119EACC29FB87F648E9
SHA1:	63B3F141071E71D39866D7A4BD204B2B8615080D
SHA-256:	2B4E54AF556BADC27F08C9A966DD55F090F4A5EF8978793E0BA296B05DDFB242
SHA-512:	F44554716CA9B88EF9823508947B9756774C93888308FC4AAD892DB99CC3373E45013F7AD6D188FEF608404A9D94E22C79C6DAD6021AE3C7C3C6BCB21DB3824A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\ProgramData\images.exe, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: C:\ProgramData\images.exe, Author: ditekSHen Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: C:\ProgramData\images.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3.?<..7D..?<...3.<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><..........PE..L.....I_.................0...........\.......@....@..........................@............@..................................w..........p,................... .......u...............................................@..p............................text............0.................. ..`.rdata...I...@...J...4..............@..@.data....P...........~..............@....rsrc...p,..........................@..@.reloc....... ......................@..B.bss.........0......................@..@................................................................................................................................................................................................................................................................

C:\ProgramData\images.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OhWWbQcp7Q.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.376207291854624
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OhWWbQcp7Q.exe
File size:	115'712 bytes
MD5:	00345de133a4d119eacc29fb87f648e9
SHA1:	63b3f141071e71d39866d7a4bd204b2b8615080d
SHA256:	2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
SHA512:	f44554716ca9b88ef9823508947b9756774c93888308fc4aad892db99cc3373e45013f7ad6d188fef608404a9d94e22c79c6dad6021ae3c7c3c6bcb21db3824a
SSDEEP:	1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
TLSH:	CDB39E13F7E54835F3B201B01ABD7E7ACBEDF9700528849FA394858A2D31946E925357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3..?<..7D..?<...3..<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><.........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x405ce2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F49FB9C [Sat Aug 29 06:54:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	51a1d638436da72d7fa5fb524e02d427

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [004141E8h]
mov ecx, eax
mov al, byte ptr [ecx]
cmp al, 22h
jne 00007F6EC47B595Ah
inc ecx
mov dl, byte ptr [ecx]
test dl, dl
je 00007F6EC47B5943h
mov al, dl
mov dl, al
cmp al, 22h
je 00007F6EC47B593Bh
inc ecx
mov dl, byte ptr [ecx]
mov al, dl
test dl, dl
jne 00007F6EC47B5923h
lea eax, dword ptr [ecx+01h]
cmp dl, 00000022h
cmovne eax, ecx
mov ecx, eax
jmp 00007F6EC47B5940h
inc ecx
mov al, byte ptr [ecx]
cmp al, 20h
jnle 00007F6EC47B592Bh
jmp 00007F6EC47B5939h
cmp al, 20h
jnle 00007F6EC47B5939h
inc ecx
mov al, byte ptr [ecx]
test al, al
jne 00007F6EC47B5927h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00414140h]
call 00007F6EC47B5962h
mov edx, 0041902Ch
mov ecx, 00419000h
call 00007F6EC47B5980h
push 00000000h
call dword ptr [004141ECh]
push ecx
push ecx
call 00007F6EC47C3009h
mov esi, eax
call 00007F6EC47B5952h
push esi
call dword ptr [004141F0h]
int3
mov dword ptr [0054DB64h], 00000020h
call 00007F6EC47B5844h
mov dword ptr [0054D0E4h], eax
ret
mov eax, dword ptr [0054E01Ch]
test eax, eax
je 00007F6EC47B5940h
mov ecx, dword ptr [0054D0E4h]
lea edx, dword ptr [ecx+eax*4]
jmp 00007F6EC47B5936h
ret
push ebx
push esi
push edi
mov edi, ecx
mov esi, edx
sub esi, edi
xor eax, eax
add esi, 00000000h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2003 (.NET) build 3077
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1771c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x2c70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xfa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x175a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12eab	0x13000	6dbe7c9f7981297db465fd69821e1c4b	False	0.5748226768092105	data	6.494947391542317	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x49ce	0x4a00	1271925bf242f5dd778122d822dac6d9	False	0.40466638513513514	data	5.281541653463336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x1350d8	0x600	0e383bc5047fd3f1a7a5e78591f96b14	False	0.5709635416666666	data	4.992963293914077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14f000	0x2c70	0x2e00	cdd112e1df434d31179f9eee936b7ff7	False	0.32778532608695654	data	3.9587156670856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xfa8	0x1000	d7f0f9f1a21533bcdc70c4c071cede21	False	0.83251953125	data	6.690653232264333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x153000	0x1000	0x200	15d865d72d9e55ae7ffc4c8fda8f54a6	False	0.38671875	data	3.250905567420535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
WM_DSP	0x14f070	0x2c00	PE32 executable (GUI) Intel 80386, for MS Windows	English	India	0.3400213068181818

Imports

DLL	Import
bcrypt.dll	BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDecrypt
KERNEL32.dll	HeapFree, VirtualAlloc, HeapReAlloc, VirtualQuery, TerminateThread, CreateThread, WriteProcessMemory, GetCurrentProcess, OpenProcess, GetWindowsDirectoryA, VirtualProtectEx, VirtualAllocEx, CreateRemoteThread, CreateProcessA, GetModuleHandleW, IsWow64Process, WriteFile, CreateFileW, LoadLibraryW, GetLocalTime, GetCurrentThreadId, GetCurrentProcessId, ReadFile, FindFirstFileA, GetBinaryTypeW, FindNextFileA, GetFullPathNameA, GetTempPathW, GetPrivateProfileStringW, CreateFileA, GlobalAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileSize, FreeLibrary, SetDllDirectoryW, GetFileSizeEx, LoadLibraryA, LocalFree, WaitForSingleObject, WaitForMultipleObjects, CreatePipe, PeekNamedPipe, DuplicateHandle, SetEvent, GetStartupInfoA, CreateEventA, GetModuleFileNameW, LoadResource, FindResourceW, GetComputerNameW, GlobalMemoryStatusEx, LoadLibraryExW, FindFirstFileW, FindNextFileW, SetFilePointer, GetLogicalDriveStringsW, DeleteFileW, CopyFileW, GetDriveTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetProcessHeap, ReleaseMutex, TerminateProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, SizeofResource, VirtualProtect, GetSystemDirectoryW, LockResource, GetWindowsDirectoryW, Process32First, Process32Next, WinExec, GetTempPathA, HeapAlloc, lstrcmpW, GetTickCount, lstrcpyW, WideCharToMultiByte, lstrcpyA, Sleep, MultiByteToWideChar, GetCommandLineA, GetModuleHandleA, ExitProcess, CreateProcessW, lstrcatA, lstrcmpA, lstrlenA, ExpandEnvironmentStringsW, lstrlenW, CloseHandle, lstrcatW, GetLastError, VirtualFree, GetProcAddress, SetLastError, GetModuleFileNameA, CreateDirectoryW, LocalAlloc, CreateMutexA
USER32.dll	GetKeyState, GetMessageA, DispatchMessageA, CreateWindowExW, CallNextHookEx, GetAsyncKeyState, RegisterClassW, GetRawInputData, MapVirtualKeyA, DefWindowProcA, RegisterRawInputDevices, TranslateMessage, GetForegroundWindow, GetKeyNameTextW, PostQuitMessage, MessageBoxA, GetLastInputInfo, wsprintfW, GetWindowTextW, wsprintfA, ToUnicode
ADVAPI32.dll	RegDeleteKeyW, RegCreateKeyExW, RegSetValueExA, RegDeleteValueW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, OpenProcessToken, InitializeSecurityDescriptor, RegDeleteKeyA, SetSecurityDescriptorDacl, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyExW, RegQueryValueExA, RegQueryInfoKeyW, RegCloseKey, OpenServiceW, ChangeServiceConfigW, QueryServiceConfigW, EnumServicesStatusExW, StartServiceW, RegSetValueExW, RegCreateKeyExA, OpenSCManagerW, CloseServiceHandle, GetTokenInformation, LookupAccountSidW, FreeSid, RegQueryValueExW
SHELL32.dll	ShellExecuteExA, ShellExecuteExW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, ShellExecuteW, SHGetFolderPathW, SHGetKnownFolderPath
urlmon.dll	URLDownloadToFileW
WS2_32.dll	htons, recv, connect, socket, send, WSAStartup, shutdown, closesocket, WSACleanup, InetNtopW, gethostbyname, inet_addr, getaddrinfo, setsockopt, freeaddrinfo
ole32.dll	CoInitializeSecurity, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree
SHLWAPI.dll	StrStrW, PathRemoveFileSpecA, StrStrA, PathCombineA, PathFindFileNameW, PathFileExistsW, PathFindExtensionW
NETAPI32.dll	NetLocalGroupAddMembers, NetUserAdd
OLEAUT32.dll	VariantInit
CRYPT32.dll	CryptUnprotectData, CryptStringToBinaryA, CryptStringToBinaryW
PSAPI.DLL	GetModuleFileNameExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	India

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-02T16:56:32.628540+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49733	TCP
2024-11-02T16:57:12.782068+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	64519	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 16:56:14.725898981 CET	49730	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:14.730739117 CET	5221	49730	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:14.730868101 CET	49730	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:15.603915930 CET	5221	49730	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:15.604090929 CET	49730	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:20.614994049 CET	49731	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:20.620167017 CET	5221	49731	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:20.620254040 CET	49731	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:21.464850903 CET	5221	49731	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:21.464979887 CET	49731	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:26.474457979 CET	49732	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:26.479688883 CET	5221	49732	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:26.479787111 CET	49732	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:27.360249043 CET	5221	49732	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:27.360374928 CET	49732	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:32.364857912 CET	49735	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:32.370065928 CET	5221	49735	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:32.370140076 CET	49735	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:33.236500025 CET	5221	49735	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:33.236742020 CET	49735	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:38.239952087 CET	64512	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:38.244991064 CET	5221	64512	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:38.245121002 CET	64512	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:39.081250906 CET	5221	64512	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:39.081408024 CET	64512	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:44.083827972 CET	64513	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:44.088784933 CET	5221	64513	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:44.088908911 CET	64513	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:44.955877066 CET	5221	64513	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:44.955988884 CET	64513	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:49.961847067 CET	64514	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:49.967922926 CET	5221	64514	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:49.968106031 CET	64514	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:50.830710888 CET	5221	64514	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:50.830843925 CET	64514	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:55.833651066 CET	64515	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:55.838592052 CET	5221	64515	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:55.838670015 CET	64515	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:56:56.680929899 CET	5221	64515	128.90.129.125	192.168.2.4
Nov 2, 2024 16:56:56.681075096 CET	64515	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:01.693044901 CET	64516	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:01.697901011 CET	5221	64516	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:01.697994947 CET	64516	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:02.541167021 CET	5221	64516	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:02.541250944 CET	64516	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:07.553530931 CET	64517	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:07.788666010 CET	5221	64517	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:07.788752079 CET	64517	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:08.638259888 CET	5221	64517	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:08.638359070 CET	64517	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:13.646056890 CET	64530	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:13.651287079 CET	5221	64530	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:13.651500940 CET	64530	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:14.486818075 CET	5221	64530	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:14.489553928 CET	64530	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:19.505599022 CET	64564	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:19.510457039 CET	5221	64564	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:19.510565042 CET	64564	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:20.369215012 CET	5221	64564	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:20.369293928 CET	64564	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:25.380609989 CET	64594	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:25.385551929 CET	5221	64594	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:25.385639906 CET	64594	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:26.228087902 CET	5221	64594	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:26.228230000 CET	64594	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:31.241110086 CET	64627	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:31.246128082 CET	5221	64627	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:31.246284962 CET	64627	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:32.118328094 CET	5221	64627	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:32.118443966 CET	64627	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:37.130604982 CET	64660	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:37.135495901 CET	5221	64660	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:37.135601044 CET	64660	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:37.973843098 CET	5221	64660	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:37.973918915 CET	64660	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:42.990102053 CET	64691	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:43.180336952 CET	5221	64691	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:43.180442095 CET	64691	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:44.041574955 CET	5221	64691	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:44.041641951 CET	64691	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:49.052228928 CET	64717	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:49.057080030 CET	5221	64717	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:49.057153940 CET	64717	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:49.889766932 CET	5221	64717	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:49.889982939 CET	64717	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:54.896023035 CET	64749	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:54.900887012 CET	5221	64749	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:54.900947094 CET	64749	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:57:55.773487091 CET	5221	64749	128.90.129.125	192.168.2.4
Nov 2, 2024 16:57:55.773591995 CET	64749	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:00.786699057 CET	64784	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:00.791647911 CET	5221	64784	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:00.791728973 CET	64784	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:01.639043093 CET	5221	64784	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:01.639132977 CET	64784	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:06.646157026 CET	64793	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:06.652089119 CET	5221	64793	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:06.652196884 CET	64793	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:07.520040989 CET	5221	64793	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:07.520137072 CET	64793	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:12.536711931 CET	64794	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:12.541678905 CET	5221	64794	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:12.541755915 CET	64794	5221	192.168.2.4	128.90.129.125
Nov 2, 2024 16:58:13.387090921 CET	5221	64794	128.90.129.125	192.168.2.4
Nov 2, 2024 16:58:13.387236118 CET	64794	5221	192.168.2.4	128.90.129.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 16:56:14.621650934 CET	55159	53	192.168.2.4	1.1.1.1
Nov 2, 2024 16:56:14.722695112 CET	53	55159	1.1.1.1	192.168.2.4
Nov 2, 2024 16:56:34.699172974 CET	53	64563	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2024 16:56:14.621650934 CET	192.168.2.4	1.1.1.1	0xc391	Standard query (0)	chromedata.accesscam.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 2, 2024 16:56:14.722695112 CET	1.1.1.1	192.168.2.4	0xc391	No error (0)	chromedata.accesscam.org		128.90.129.125	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:56:09
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\OhWWbQcp7Q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OhWWbQcp7Q.exe"
Imagebase:	0x1b0000
File size:	115'712 bytes
MD5 hash:	00345DE133A4D119EACC29FB87F648E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000000.1665942039.00000000002FF000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000000.1665841407.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1682866444.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1682769402.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1684884030.0000000000814000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1682902231.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1682968555.0000000000800000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1682751830.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.1686330176.000000000294A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1683534167.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.1684809257.0000000000808000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:56:11
Start date:	02/11/2024
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\images.exe"
Imagebase:	0x670000
File size:	115'712 bytes
MD5 hash:	00345DE133A4D119EACC29FB87F648E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.1702151085.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: unknown Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.1702165776.0000000001200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000000.1683394560.00000000007BF000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.1702087810.0000000001200000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000000.1683260743.0000000000684000.00000002.00000001.01000000.00000005.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000002.2923447659.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.1702057537.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.1702130332.0000000001224000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\ProgramData\images.exe, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\ProgramData\images.exe, Author: Florian Roth Rule: AveMaria_WarZone, Description: unknown, Source: C:\ProgramData\images.exe, Author: unknown Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\ProgramData\images.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: C:\ProgramData\images.exe, Author: ditekSHen Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: C:\ProgramData\images.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	76

Executed Functions

Function 001C290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 001C291E
CoCreateInstance.OLE32(001C45E0,00000000,00000001,001C73F0,?,?,?,?,001C2F37,?,?,?,001C227B), ref: 001C293E
VariantInit.OLEAUT32(?), ref: 001C299A
CoUninitialize.OLE32(?,?,?,001C2F37,?,?,?,001C227B), ref: 001C2A60

Strings

Description, xrefs: 001C29A8
FriendlyName, xrefs: 001C29BF

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: 7cbe2d35c5e9d93a7088ae360ad1567ad7067b6e45152e2ba65cbddd648c13bf
Instruction ID: 16222b4909e5372fbd612a10cb8a346270de60a66f348c9118774daa3fef02ce
Opcode Fuzzy Hash: 7cbe2d35c5e9d93a7088ae360ad1567ad7067b6e45152e2ba65cbddd648c13bf
Instruction Fuzzy Hash: FB415174A00245AFCB24DFA6C894EBEBBB9FFD5B04B14445DE446EB250DB70DA41CB60

Function 001B1085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: cd0c0f28cd1e98b3453252b28a6400594443af6bac039b13f7ca1701760a7791
Instruction ID: 84364700da9214ece2417b78d626ad5c02ec3a829ea8dbfd65ff5c782d620c9c
Opcode Fuzzy Hash: cd0c0f28cd1e98b3453252b28a6400594443af6bac039b13f7ca1701760a7791
Instruction Fuzzy Hash: F8B0123140C200FBDF001BE09D1CF093F28AB54703F054400F285C1460C631D0C0DB11

Function 001C3435 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 001C3467
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 001C3483

Part of subcall function 001C1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E4E
Part of subcall function 001C1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E61
Part of subcall function 001C1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E72
Part of subcall function 001C1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,001C349D), ref: 001C1E7F

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C34EA
GetLastError.KERNEL32 ref: 001C34F5
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 001C352F
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 001C354E
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 001C3563
RegCloseKey.ADVAPI32(?), ref: 001C3569
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 001C35C5
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 001C35D8
CreateDirectoryW.KERNEL32(?,00000000), ref: 001C35E7

Part of subcall function 001C1A3C: GetModuleFileNameW.KERNEL32(00000000,002FCBF0,00000208,00000000,00000000,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A58
Part of subcall function 001C1A3C: IsUserAnAdmin.SHELL32 ref: 001C1A5E
Part of subcall function 001C1A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A87
Part of subcall function 001C1A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 001C1A91
Part of subcall function 001C1A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 001C1A9B
Part of subcall function 001C1A3C: LockResource.KERNEL32(00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 001C1AA2

Part of subcall function 001C1136: CopyFileW.KERNEL32(?,?,00000000,?,001C4684,?,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 001C11D7

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001C0BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 001C0C14

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

MaxConnectionsPerServer, xrefs: 001C355A
MaxConnectionsPer1_0Server, xrefs: 001C3545
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 001C3525
\Microsoft Vision\, xrefs: 001C35CB

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: File$Create$Resource$CloseHeapModuleNameProcessValue$AdminAllocateCopyCountDirectoryErrorEventFindFolderFreeHandleLastLoadLockPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3138263686-2552559493
Opcode ID: 6193438ffc20757c8ab6494c10fcc42c0e5c1faf3ff31611a31b35a61bee8a19
Instruction ID: 042d8f99678c5ceb27eb49c6cdbd2300e597583ca443cc16c85bd18255c44c49
Opcode Fuzzy Hash: 6193438ffc20757c8ab6494c10fcc42c0e5c1faf3ff31611a31b35a61bee8a19
Instruction Fuzzy Hash: 1D615EB1448344AFD720EB60DC96FEBB7ACEBA4704F40492EF69592151DB70DA48CB62

Function 001BE703 Relevance: 25.6, APIs: 1, Strings: 16, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(002FE020), ref: 001BE710

Part of subcall function 001B5F53: GetProcessHeap.KERNEL32(00000000,000000F4,001C0477,?,75A901C0,00000000,001B5A34), ref: 001B5F56
Part of subcall function 001B5F53: HeapAlloc.KERNEL32(00000000), ref: 001B5F5D

Part of subcall function 001B31D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 001B3207

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

\/, xrefs: 001BE859
TermService, xrefs: 001BE773
\sqlmap.dll, xrefs: 001BE872, 001BE879, 001BE87F
X/, xrefs: 001BE7F0
\rdpwrap.ini, xrefs: 001BE866
%windir%\System32, xrefs: 001BE79B
X/, xrefs: 001BE819
\Microsoft DN1, xrefs: 001BE82E, 001BE835, 001BE83B
\rfxvmt.dll, xrefs: 001BE843
T/, xrefs: 001BE78E
`/, xrefs: 001BE848
%ProgramW6432%, xrefs: 001BE7DA
%ProgramFiles%, xrefs: 001BE789, 001BE793, 001BE805
H/, xrefs: 001BE76E
/, xrefs: 001BE889
`/, xrefs: 001BE7B3

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: /$%ProgramFiles%$%ProgramW6432%$%windir%\System32$H/$TermService$T/$X/$X/$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll$\/$`/$`/
API String ID: 2811233055-1830286314
Opcode ID: 3f0d1d1e762ccb411daa8677a802208fa8eb7d2987d8484b16bcd74aa641ec8f
Instruction ID: 2926653a4c439c77075ca5ae2002af1f9a82badb987307d535c26c48fd8a4cb8
Opcode Fuzzy Hash: 3f0d1d1e762ccb411daa8677a802208fa8eb7d2987d8484b16bcd74aa641ec8f
Instruction Fuzzy Hash: 4831E470B00654A7DF16BF689C56EFDB66A9BF4750702047EF102772A2CFA08E55CB50

Function 001C1136 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 278
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001BF481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,001C3589,?,001C1618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 001BF4A2

Part of subcall function 001C0F6E: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,75A901C0,?,?,001C1165,?,?), ref: 001C0F8E

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

CopyFileW.KERNEL32(?,?,00000000,?,001C4684,?,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 001C11D7

Part of subcall function 001C106C: RegCreateKeyExW.ADVAPI32(75A901C0,00000000,00000000,00000000,00000000,001C3589,00000000,?,?,?,?,001C3589,?,001C158B,80000001,?), ref: 001C10A0
Part of subcall function 001C106C: RegOpenKeyExW.KERNEL32(75A901C0,00000000,00000000,001C3589,?,?,?,001C3589,?,001C158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 001C10BB

Part of subcall function 001C1039: RegSetValueExW.KERNEL32(?,75A901C0,00000000,?,?,?,?,?,001C1432,00000000,00000000,?,00000001,?,?,?), ref: 001C1058

SHGetKnownFolderPath.SHELL32(001C4550,00000000,00000000,?,?,?,?,?,00000000,75A901C0,00000000), ref: 001C1264
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,001C7204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 001C1382

Part of subcall function 001BF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 001BF79C

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001BF71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,001C11A6,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 001BF725

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001B3335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,001C3589,?,001C1515,001C3589,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3365

DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,75A901C0,00000000), ref: 001C147C

Strings

") do %%A, xrefs: 001C128F
:Zone.Identifier, xrefs: 001C145B
for /F "usebackq tokens=*" %%A in (", xrefs: 001C1282
\programs.bat, xrefs: 001C1275
:start, xrefs: 001C1294, 001C132F
wmic process call create '", xrefs: 001C130A

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 2154703971-2016382161
Opcode ID: d95dc77745188df7269cb91fb6080d7c3ab3153201fa49a525434e03c79391bc
Instruction ID: 49f9ccc86be41bdb0cb66f6ca4603744d43184a89172c9a378db66fcf1c979fc
Opcode Fuzzy Hash: d95dc77745188df7269cb91fb6080d7c3ab3153201fa49a525434e03c79391bc
Instruction Fuzzy Hash: 42A10D71A00109ABDF19EFA0CC92EEEB779AFA5700B50456DF81267192DF30EB59CB50

Function 001B99A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(002FDB10,?,001B1221), ref: 001B99D3
LoadLibraryW.KERNEL32(User32.dll,?,001B1221), ref: 001B99FE

Part of subcall function 001C0969: lstrcmpA.KERNEL32(?,001C1BD0,?,open,001C1BD0), ref: 001C09A2

Strings

ToUnicode, xrefs: 001B9A13
MapVirtualKeyA, xrefs: 001B9A24
GetRawInputData, xrefs: 001B9A06
User32.dll, xrefs: 001B99EC

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: d9a3a1a32899577390098562b6c212bc7c5cc8e13d047f4fb55eb9abf4ba4fd8
Instruction ID: 34947b3f22c5504f8e7c6c2822717208a66bd1a91133dc791340e873061b3cd3
Opcode Fuzzy Hash: d9a3a1a32899577390098562b6c212bc7c5cc8e13d047f4fb55eb9abf4ba4fd8
Instruction Fuzzy Hash: BE016271A642109F8345AF64FD2CB393A97E7A8BA8713413EF109D7351DB308891CB49

Function 001B5CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 001B5CE9
GetStartupInfoA.KERNEL32(?), ref: 001B5D38
GetModuleHandleA.KERNEL32(00000000), ref: 001B5D54
ExitProcess.KERNEL32 ref: 001B5D69

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 6c04b7a065000ccabc8cc6ef24bb0a9d79cd3fe2e51ce34d6dddd01bdc59353f
Instruction ID: 0a49b68c901831db4fd8533fac73b36f3ac94536ccaa19e6cad2c5cf2176b1ad
Opcode Fuzzy Hash: 6c04b7a065000ccabc8cc6ef24bb0a9d79cd3fe2e51ce34d6dddd01bdc59353f
Instruction Fuzzy Hash: 490121240089445FD7251FF4D45DBE93F675F27344BA81148E4C2C7113D7134C87C665

Function 001C1E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E4E
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E61
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,001C349D), ref: 001C1E7F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 78490cdeb3eff6828d30c4eb08f6fee3590f151e1687fb3b01e1c37a7ec7f216
Instruction ID: 58db98496724cc0cb49e08f0e81a5a2b7043cc7c20a31fc504b509c444875968
Opcode Fuzzy Hash: 78490cdeb3eff6828d30c4eb08f6fee3590f151e1687fb3b01e1c37a7ec7f216
Instruction Fuzzy Hash: 1EF062B2B55210BFF3205B65AC19FBB7BACEB65725F200129FD51E21C0E7B09D4086A4

Function 001BFBFC Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,001C3589,?), ref: 001BFC0E
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,001C3589,?), ref: 001BFC15
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,001C3589,?), ref: 001BFC33
CloseHandle.KERNEL32(00000000), ref: 001BFC48

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: d76f07ee47b939562dcd343f8181f5c9c1db258547e0f92d26fa891c33a9225e
Instruction ID: 8133299fcbd39a710982f1dc6437fd09e8cf1196fa6fab2550054724c5635b82
Opcode Fuzzy Hash: d76f07ee47b939562dcd343f8181f5c9c1db258547e0f92d26fa891c33a9225e
Instruction Fuzzy Hash: 24F0E772904218FBDB159BA09D0AEDEBFB8EF04741F114165FA01A6190D770DF95DA90

Function 001C0BD9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 001C0C14

Strings

D, xrefs: 001C0BFA

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: de683ab72fd79fc7af927afe912b736c183ace1e6109a8add61f01574eab16ee
Instruction ID: 8361d2cda310bb839ab3a8944fd10f19fb85849454cd668e264620280db695d5
Opcode Fuzzy Hash: de683ab72fd79fc7af927afe912b736c183ace1e6109a8add61f01574eab16ee
Instruction Fuzzy Hash: E5F030B2600209AFDB00DFE4CC85EAF77BCEB54348B008929F64A9B240E774DD088764

Function 001B5A10 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4,00000000,75A901C0,00000000), ref: 001B5A26

Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,75A901C0,?,001B5A4F,.bss,00000000), ref: 001B33C8
Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,?,001B5A4F,.bss,00000000), ref: 001B33D5
Part of subcall function 001B33BF: lstrcpyA.KERNEL32(00000000,?,?,001B5A4F,.bss,00000000), ref: 001B33E8

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Strings

.bss, xrefs: 001B5A42

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeSleepVirtual
String ID: .bss
API String ID: 277671435-3890483948
Opcode ID: b0f6b243dd20f83c82831ba3a20b119bd2d5afb59a371456e083e83b38ee8af2
Instruction ID: e07424fc6f3b651266a99fe7cff2a5e289933f1fb5f49627b1428f57634f9c24
Opcode Fuzzy Hash: b0f6b243dd20f83c82831ba3a20b119bd2d5afb59a371456e083e83b38ee8af2
Instruction Fuzzy Hash: 28514F75904549AFCB15EFA0C9D19EEBBB5BF64304B1001AAE416AB256EF30EB05CB90

Function 001C106C Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(75A901C0,00000000,00000000,001C3589,?,?,?,001C3589,?,001C158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 001C10BB

Part of subcall function 001BF731: RegOpenKeyExW.ADVAPI32(75A901C0,00000000,00000000,00020019,00000000,75A901C0,?,001C1088,?,?,001C3589,?,001C158B,80000001,?,000F003F), ref: 001BF747

RegCreateKeyExW.ADVAPI32(75A901C0,00000000,00000000,00000000,00000000,001C3589,00000000,?,?,?,?,001C3589,?,001C158B,80000001,?), ref: 001C10A0

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: 9dc86dc55d4aeb18f01f823f6b0b097fb2b6d6699d8293ad15b55df0ff7c8a3c
Instruction ID: 70bda330ec3b633a63765834432775c637e691ffe252dc77ca856c29d58680df
Opcode Fuzzy Hash: 9dc86dc55d4aeb18f01f823f6b0b097fb2b6d6699d8293ad15b55df0ff7c8a3c
Instruction Fuzzy Hash: D7013C7124424DBFAB119E91EC90EBF7BAEFF66394710402EFD0582211E731DDB19AA1

Function 001C1D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 001C1D11
GetTickCount.KERNEL32 ref: 001C1D17

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: de93daad4bf4f8d21f4a4d69800c584ec426efa9d95f44d071439205c3e20829
Instruction ID: a1c40a67451c588962b4a2068d7acc23af37abe1e3800e6c630d8faa5a58e85a
Opcode Fuzzy Hash: de93daad4bf4f8d21f4a4d69800c584ec426efa9d95f44d071439205c3e20829
Instruction Fuzzy Hash: 15D0223034C1044FE30CAB09FC6EA213E6EE7E0305F08C02BF54EC90E0C9B0A5E08440

Function 001C0283 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32(?,?,001BFEFD,001C3578,001B5BEC,001C3578,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 001C0288
CloseHandle.KERNEL32(?), ref: 001C0290

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 080825963bba6b49dcba94f05af04aa0ab0a0e149b65ac1e926bb5fb15b8cd12
Instruction ID: 711b5179ae17cbb9e814620d0fefdb0f5a0a9c41b2586e32d23cb3f730623b59
Opcode Fuzzy Hash: 080825963bba6b49dcba94f05af04aa0ab0a0e149b65ac1e926bb5fb15b8cd12
Instruction Fuzzy Hash: 79B0923A009020DFEB252F54FC1DC94BFB6FF18251319046AF1C1814388BB35CA09B80

Function 001B5EFF Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,001B2FA7,001B5A42,?,?,001C03FD,001B5A42,?,?,75A901C0,00000000,?,001B5A42,00000000), ref: 001B5F02
RtlAllocateHeap.NTDLL(00000000,?,001C03FD,001B5A42,?,?,75A901C0,00000000,?,001B5A42,00000000), ref: 001B5F09

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a84567f6b363b3848eecec499e51b84c40b43ce9e953a73ef2ae881260c2cae6
Instruction ID: c569d936b4e6df76acbe14c46ff0ad263d0fe421c6a2aba556cdb8c076a168a1
Opcode Fuzzy Hash: a84567f6b363b3848eecec499e51b84c40b43ce9e953a73ef2ae881260c2cae6
Instruction Fuzzy Hash: B1A00271554100ABEE4457E49D5DF153E1CA755702F054544B185C54509965A4C48725

Function 001B5EEE Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,001B3044,?,001B5C22,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EF1
RtlFreeHeap.NTDLL(00000000,?,?,001C36B9), ref: 001B5EF8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 98294e5244258497a35fea2eaec2e68e52398aed0d5efb833ae82afa8737176d
Instruction ID: 80984def5cae23750cc0e5f6b3e2d8746d45bedd964db99df8c046a65349ab98
Opcode Fuzzy Hash: 98294e5244258497a35fea2eaec2e68e52398aed0d5efb833ae82afa8737176d
Instruction Fuzzy Hash: 68A0027155C100ABFD4457E09D1DF553D2C9755702F054544B246C6550966494908631

Function 001B309D Relevance: 2.6, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 001B308C: lstrlenA.KERNEL32(00000000,001B30B4,75A901C0,00000000,00000000,?,001B32DC,001B350E,00000000,-00000001,75A901C0,?,001B350E,00000000,?,00000000), ref: 001B3093

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,75A901C0,00000000,00000000,?,001B32DC,001B350E,00000000,-00000001,75A901C0), ref: 001B30CA

Part of subcall function 001B5E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,001B33E2,?,001B5A4F,.bss,00000000), ref: 001B5E30

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,001B32DC,001B350E,00000000,-00000001,75A901C0,?,001B350E,00000000), ref: 001B30F5

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
String ID:
API String ID: 4006399363-0
Opcode ID: bee3d34915352654e46d325e50896ad618aa972894fec64e0a20b4c4a0143b19
Instruction ID: e8434b0d36d031a206f3055842df464baf54e7faad369242411ad83c3f6d89cf
Opcode Fuzzy Hash: bee3d34915352654e46d325e50896ad618aa972894fec64e0a20b4c4a0143b19
Instruction Fuzzy Hash: 27015E75600124BBDB25FFA9CC96EDEBBAD9F59350B00012AF511DB292CB74DF0087A0

Function 001BF481 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,001C3589,?,001C1618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 001BF4A2

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B1099: GetProcessHeap.KERNEL32(00000000,00000000,001C1E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 001B109F
Part of subcall function 001B1099: HeapFree.KERNEL32(00000000), ref: 001B10A6

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesslstrcpylstrlen$AllocateFileModuleNameVirtual
String ID:
API String ID: 258861418-0
Opcode ID: 841bdd32e1018db94bdb19a0bb3bbd61ac3d6b081fe6b2e62c0cf057f86713e3
Instruction ID: 7a5fcfe2e66f56575ad0f5c88e7c99d2c126c68bf80dc3b3cd118677b5c6ff0c
Opcode Fuzzy Hash: 841bdd32e1018db94bdb19a0bb3bbd61ac3d6b081fe6b2e62c0cf057f86713e3
Instruction Fuzzy Hash: 78E06D726042507BD714B765DC26FEF7BADCFA1362F010029F10596181EFA49A4086A0

Function 001BF76B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 001BF79C

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$FolderPathSpeciallstrcpy
String ID:
API String ID: 1680175942-0
Opcode ID: ccaaf21ca542145697186bd7ccd1b41fcb6543fd148cc0fc5b3738911ff21d63
Instruction ID: 672ea0b5bf7eedf9649b74c247c28d38098fb7fdbb1c6a5728c35a7dd868bb18
Opcode Fuzzy Hash: ccaaf21ca542145697186bd7ccd1b41fcb6543fd148cc0fc5b3738911ff21d63
Instruction Fuzzy Hash: 2CE0487574031877DB70A655AC0EFC77A6CDBD4711F040171B658D71D1EE60DA45C6E0

Function 001C0F6E Relevance: 1.5, APIs: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,75A901C0,?,?,001C1165,?,?), ref: 001C0F8E

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5fad129797fce0ef2175cfd9249893c4eb35f35ec2459f3118b8181b6632e134
Instruction ID: b20db31fda9fa702bbd6646d0ac518d9740dd56ab3075875a68424684951093b
Opcode Fuzzy Hash: 5fad129797fce0ef2175cfd9249893c4eb35f35ec2459f3118b8181b6632e134
Instruction Fuzzy Hash: E9E0DF32519229FFDB348B528D09FCB3E6CDF49BE4F008018F60AA2040C2B18A80D6F0

Function 001B31D4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 001B3207

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: f320012cf9bb6197bbc6bd199f5e002390f2086f57ef6d5f4277e3e8b176bc32
Instruction ID: 6eb280d5d8ed9d92207a5ab41cf65b4a264190445d889e561400c602d819f7fb
Opcode Fuzzy Hash: f320012cf9bb6197bbc6bd199f5e002390f2086f57ef6d5f4277e3e8b176bc32
Instruction Fuzzy Hash: EDE048B670011967DB30A6159C06FD677ADDBC4718F040075F708F21C4EA75DA46C6A4

Function 001C1039 Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,75A901C0,00000000,?,?,?,?,?,001C1432,00000000,00000000,?,00000001,?,?,?), ref: 001C1058

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c34e4d18c89a8482b74061e8658b0189bf6c1240d37f9c3dca74142aa307c19b
Instruction ID: 6362343ac61bd29936a711127b4135d6b1e28fc4e86210b1091ee922805dbc25
Opcode Fuzzy Hash: c34e4d18c89a8482b74061e8658b0189bf6c1240d37f9c3dca74142aa307c19b
Instruction Fuzzy Hash: 6FE01232241254BFDB008F94CC44FAB7BA8EB5AB90B258459FE058B221D731EC609BA4

Function 001B3335 Relevance: 1.5, APIs: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3261: lstrlenW.KERNEL32(75A901C0,001B3646,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3268

lstrcatW.KERNEL32(00000000,75A901C0,?,?,001C3589,?,001C1515,001C3589,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3365

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: ed8331381f38108276b71f6ad50573b66ca84744ac8b528a95eca1c7be6b1e0b
Instruction ID: 56c75237719f19fdeec85f0195fa58ffd1ed239ec5846f24a7b8ada2727d2166
Opcode Fuzzy Hash: ed8331381f38108276b71f6ad50573b66ca84744ac8b528a95eca1c7be6b1e0b
Instruction Fuzzy Hash: FCE086722042149BCB016BA9ECC59AEBBAEEFA5360B040576FA05D7211EB31BD1096E0

Function 001B58D3 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C0298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,001BFEDE,?,?,001C0459,?,75A901C0,00000000,001B5A34), ref: 001C02A0

WSAStartup.WS2_32(00000002,?), ref: 001B58FC

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: 429cea290db2873c0b4ea79ad2f4bd5d1a3221534499d10d5d158c9dcb728ab0
Instruction ID: 118d62e78c912b98e04739903b7bb971a82c3e503fb2b2662fda1a5f8bad3afe
Opcode Fuzzy Hash: 429cea290db2873c0b4ea79ad2f4bd5d1a3221534499d10d5d158c9dcb728ab0
Instruction Fuzzy Hash: 17E0C971501B508BC270AF2A9945997FBE8FFE47207401B1FA4A782A61C7B0A5458B90

Function 001BFDA5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 001B3125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,001B35C4,00000000,00000000,?,001B4E98,?,?,?,?,?,00000000), ref: 001B3151

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 001BFDC0

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: f1d273521fde6e14c703aaee3bb5eca47dbd286e9d4c6e86d49af8936548ab36
Instruction ID: d3dafd19ab8adfb8edd471b2ab5bf1d30cd2a1f3549ab6e57cc93c5535f13a11
Opcode Fuzzy Hash: f1d273521fde6e14c703aaee3bb5eca47dbd286e9d4c6e86d49af8936548ab36
Instruction Fuzzy Hash: C4D05E722482057BD710AB95DC06F86FF69EB65760F004026F65986590DBB1A070C790

Function 001C0298 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,001BFEDE,?,?,001C0459,?,75A901C0,00000000,001B5A34), ref: 001C02A0

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 23787c31eaf96b06f802328f980b3c8595c6a8bb9bbedd669c97df61d7556a49
Instruction ID: f0700d22fa0540937fca037a48e559fb304a8f5a02d263060c3ba77d3989ff7b
Opcode Fuzzy Hash: 23787c31eaf96b06f802328f980b3c8595c6a8bb9bbedd669c97df61d7556a49
Instruction Fuzzy Hash: 9CD012B15045205FA3249F396C48C67B5EDEF98720315CE29B4A5C71D4E6308C808770

Function 001B5558 Relevance: 1.5, APIs: 1, Instructions: 12networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 001B555B

Part of subcall function 001C0283: ReleaseMutex.KERNEL32(?,?,001BFEFD,001C3578,001B5BEC,001C3578,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 001C0288
Part of subcall function 001C0283: CloseHandle.KERNEL32(?), ref: 001C0290

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CleanupCloseHandleMutexRelease
String ID:
API String ID: 708017517-0
Opcode ID: 1cb9f5f3eb18c7c2007e7a9c451082e3c0bd270666b70724fd67fbc68c551f79
Instruction ID: 48a06e8059e29658c6fb16cfdac1e54dc7ad6425e7d36b8bea05b13ee1c103f3
Opcode Fuzzy Hash: 1cb9f5f3eb18c7c2007e7a9c451082e3c0bd270666b70724fd67fbc68c551f79
Instruction Fuzzy Hash: 52D092310186558BC378FB30D8A59EAB3B1BF28340340092EE0A303891AF60AA45CB40

Function 001C0FAE Relevance: 1.5, APIs: 1, Instructions: 9registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: de61b8ed74125ce9ad21b7e32f041b0c7aee42cdb37cf029b771dfad268d911e
Instruction ID: 6916a888a897cfdca4a424ec12dbd2532bf01a70cebf922c4e9bc375b35b6a55
Opcode Fuzzy Hash: de61b8ed74125ce9ad21b7e32f041b0c7aee42cdb37cf029b771dfad268d911e
Instruction Fuzzy Hash: 81C04C31014221CBD7361F14F404B90B6F5AB04312F25045DE4C055464D7B54CD0CA44

Function 001BF71F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,001C11A6,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 001BF725

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1c7449cccdff30157b198825fe116de62a1356ad7776167bbdd71ae70327588a
Instruction ID: 8fb7fe9861ca204bce016bd29a5eba515a8d7a199b0aac810634130f910fd80a
Opcode Fuzzy Hash: 1c7449cccdff30157b198825fe116de62a1356ad7776167bbdd71ae70327588a
Instruction Fuzzy Hash: 50B012303EC30157DA001B709C07F1039119742F07F200160B156C80E0C65140005504

Function 001C0969 Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,001C1BD0,?,open,001C1BD0), ref: 001C09A2

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: ee3ce7899af6503a448cc8f6be4fd7670433912cff741008c76c63644c4c162c
Instruction ID: fc420ac34d9c5bfbcc3b54b9433291ad5624c1203134cdd3b1a7643d321e0a6d
Opcode Fuzzy Hash: ee3ce7899af6503a448cc8f6be4fd7670433912cff741008c76c63644c4c162c
Instruction Fuzzy Hash: AD015E71A00515EFD725DF99C881F6AB7B8FF59358705016DA445C3B02EB30ED55CAD0

Function 001C2C91 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE(?,?,001C238A,007EE108,001B4D2D), ref: 001C2CFF

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 703c6efb7efcc3176c926f94e7c64ccc98cd657c5d0b9a052a79e1a90409ac60
Instruction ID: 0b359a8439c66c265bd20906f516cc17283cd8c62cf6453e0e9165ae4e24fedf
Opcode Fuzzy Hash: 703c6efb7efcc3176c926f94e7c64ccc98cd657c5d0b9a052a79e1a90409ac60
Instruction Fuzzy Hash: 6401B3752127008BD73CEF25D994DAAB7F4FFA87053441A6DE49787A61CB35F804CA50

Function 001B5E22 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,001B33E2,?,001B5A4F,.bss,00000000), ref: 001B5E30

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1735ed26d5f14d02b6bf7389149d3ec947c71c615ed754ca9a7f5919a4af1f25
Instruction ID: ed28a9717188d623de31691cb8bf9fe15536714d97d50ffe7dbe9195b3f28987
Opcode Fuzzy Hash: 1735ed26d5f14d02b6bf7389149d3ec947c71c615ed754ca9a7f5919a4af1f25
Instruction Fuzzy Hash: 9FC0122234826027F124121A7C1AFAB8D6DCBD1F71F01001EF7048A2D0D9D14C4241A4

Function 001B9FCE Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ff16521be1f04897e23df9b168fd362b1021d85adb5f53e9f1cd08607c2e7095
Instruction ID: 9fa34c70fa1ffad9032d98b04555e8c30c0c1c96e5940547b021d53deeae2802
Opcode Fuzzy Hash: ff16521be1f04897e23df9b168fd362b1021d85adb5f53e9f1cd08607c2e7095
Instruction Fuzzy Hash: 94B0923438070057EF2CCB309CA6FA96712BB80B06FA1458CB142DA4D08BA5E8418A04

Function 001B5EB4 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,001B3652,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B5EBE

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b425d1f8f6c165de9278a86d71efe1263e3538e5ec12e5f0e043ddaa8026fd92
Instruction ID: 1c82cceb30ae86b1efae05c27d6f5cb66595291741328b2439595fa49ce71650
Opcode Fuzzy Hash: b425d1f8f6c165de9278a86d71efe1263e3538e5ec12e5f0e043ddaa8026fd92
Instruction Fuzzy Hash: BFA002B47D93407BFD695760AD2FF553D28A750F16F200144B30D6D4D055E165508529

Function 001B5EA5 Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0f7fb7f87a16058f5252e591bf178d259793710f36b8bf7f69855d68080da45a
Instruction ID: 80a9cfcfcbc559eb377bcc02c5c0841bbd7f671bf4fe3c55681cf181bc76b9b0
Opcode Fuzzy Hash: 0f7fb7f87a16058f5252e591bf178d259793710f36b8bf7f69855d68080da45a
Instruction Fuzzy Hash: B9A002746D470067ED7457606D5BF452A14A740B01F2146447241A84E049A5E4848A58

Non-executed Functions

Function 001B89D5 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000010), ref: 001B8A11
CallNextHookEx.USER32(00000000,?,?,?), ref: 001B8E12

Part of subcall function 001B8E66: GetForegroundWindow.USER32(?,?,?), ref: 001B8E8F
Part of subcall function 001B8E66: GetWindowTextW.USER32(00000000,?,00000104), ref: 001B8EA2
Part of subcall function 001B8E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 001B8F0B
Part of subcall function 001B8E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 001B8F79
Part of subcall function 001B8E66: lstrlenW.KERNEL32(001C4AD0,00000008,00000000,?,?), ref: 001B8FA2
Part of subcall function 001B8E66: WriteFile.KERNEL32(?,001C4AD0,00000000,?,?), ref: 001B8FAE

Strings

[INSERT], xrefs: 001B8BCE
[CAPS], xrefs: 001B8B7D
[CTRL], xrefs: 001B8C81
[DEL], xrefs: 001B8BC4
[ENTER], xrefs: 001B8B3D
[BKSP], xrefs: 001B8B51
[ALT], xrefs: 001B8CD8
[TAB], xrefs: 001B8B47
[ESC], xrefs: 001B8B73

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: 10c132421e30e1d0c51a3bba5692844e5b2fa8d404ba6efb9a39db9155794cf6
Instruction ID: b8cb51135f88e6952e9f6cc8bbcf42372bdb1f30417dc56a034ce492ce5c27b7
Opcode Fuzzy Hash: 10c132421e30e1d0c51a3bba5692844e5b2fa8d404ba6efb9a39db9155794cf6
Instruction Fuzzy Hash: 9E91E372A0D214C7D72C16A8977ABF8692DE7A5F00F16453EEA4377AE0DF20CD41D292

Function 001B902E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277registrystringwindowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 001B9084
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 001B90A1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 001B90D7
GetForegroundWindow.USER32 ref: 001B90F4
GetWindowTextW.USER32(00000000,?,00000104), ref: 001B9105
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 001B91EE
PostQuitMessage.USER32(00000000), ref: 001B9381
RegisterRawInputDevices.USER32 ref: 001B93B0

Strings

Unknow, xrefs: 001B9132

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: a01ed94d3c3a6b0bfabdc074dfec181462f0aa7afb8709a8ed140437d8b566e9
Instruction ID: 7b411a936094e389bc94a4a0b12e0c443e60cc13818859e4327b9da89b47bca8
Opcode Fuzzy Hash: a01ed94d3c3a6b0bfabdc074dfec181462f0aa7afb8709a8ed140437d8b566e9
Instruction Fuzzy Hash: C5A17971104200EFC710EF69EC9AEAABBF8FF99300F444518F695936A2DB35E945CB61

Function 001BC1B2 Relevance: 35.2, Strings: 28, Instructions: 218COMMON

Download Yara Rule

Strings

\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 001BC310
\Slimjet\User Data\Default\Login Data, xrefs: 001BC381
\Opera Software\Opera Stable\Local State, xrefs: 001BC2BF
\Blisk\User Data\Local State, xrefs: 001BC2DA
\Comodo\Dragon\User Data\Local State, xrefs: 001BC346
\Opera Software\Opera Stable\Login Data, xrefs: 001BC2C4
\Torch\User Data\Local State, xrefs: 001BC361
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 001BC28D
\Tencent\QQBrowser\User Data\Local State, xrefs: 001BC2A3
\Microsoft\Edge\User Data\Local State, xrefs: 001BC26C
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 001BC2A8
\CentBrowser\User Data\Local State, xrefs: 001BC397
\Vivaldi\User Data\Local State, xrefs: 001BC329
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 001BC315
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 001BC256
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 001BC271
\UCBrowser\User Data_i18n\Local State, xrefs: 001BC288
\Vivaldi\User Data\Default\Login Data, xrefs: 001BC330
\Chromium\User Data\Local State, xrefs: 001BC2F5
\Slimjet\User Data\Local State, xrefs: 001BC37C
\Epic Privacy Browser\User Data\Local State, xrefs: 001BC251
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 001BC34B
\Blisk\User Data\Default\Login Data, xrefs: 001BC2DF
\Google\Chrome\User Data\Local State, xrefs: 001BC236
\Torch\User Data\Default\Login Data, xrefs: 001BC366
\Chromium\User Data\Default\Login Data, xrefs: 001BC2FA
\CentBrowser\User Data\Default\Login Data, xrefs: 001BC39C
\Google\Chrome\User Data\Default\Login Data, xrefs: 001BC23B

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 2377953819-4166025770
Opcode ID: b38391519cf065d767dcb17c63f8c8f1edfcf99c25073d2bffe61677fb1aea0a
Instruction ID: 89c92cb3b3b07c2da886449f7458e726004f67b6bcb65d708dd7d527223ae177
Opcode Fuzzy Hash: b38391519cf065d767dcb17c63f8c8f1edfcf99c25073d2bffe61677fb1aea0a
Instruction Fuzzy Hash: 54713330355210AFC718EB65DD67EAA3BAAEFBA710F40001CF1165B6E1CFA1E944CB61

Function 001BA29A Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,75A8E9B0,74E2F860,00000000,?,001BA25E), ref: 001BA31C
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,75A8E9B0,74E2F860), ref: 001BA363
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 001BA3A7
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 001BA3EB
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 001BA42F
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 001BA473
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 001BA4E0
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 001BA54D
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 001BA5BA

Part of subcall function 001BA632: GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,001BA5E6,00001000,?,00000000,00001000), ref: 001BA650
Part of subcall function 001BA632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,001BA5E6), ref: 001BA686
Part of subcall function 001BA632: lstrcpyW.KERNEL32(?,Could not decrypt,?,?,001BA5E6,00001000,?,00000000,00001000), ref: 001BA6BD

Part of subcall function 001B3261: lstrlenW.KERNEL32(75A901C0,001B3646,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3268

Strings

POP3 Server, xrefs: 001BA3A1
Account Name, xrefs: 001BA316
POP3 Password, xrefs: 001BA46D
HTTP Password, xrefs: 001BA547
Email, xrefs: 001BA35D
IMAP Password, xrefs: 001BA5B4
SMTP Server, xrefs: 001BA429
POP3 User, xrefs: 001BA3E5
SMTP Password, xrefs: 001BA4DA

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 234f9719e427d14ecf9c2b2cdaa8cfae41416ec55d37efba632729e124285a41
Instruction ID: ddf94332bf1f5441dae8ed2e2a87b6dd8ef507e69d05e810a0faea9d7d30fd1e
Opcode Fuzzy Hash: 234f9719e427d14ecf9c2b2cdaa8cfae41416ec55d37efba632729e124285a41
Instruction Fuzzy Hash: 18A120B291025DBADB25FAA4CD96FEE737CAF24740F5401A5F605F2080E774AB448BA4

Function 001C30B3 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 001C30EE
SizeofResource.KERNEL32(00000000,?), ref: 001C30FA
LockResource.KERNEL32(00000000), ref: 001C3104
GetTempPathA.KERNEL32(00000400,?), ref: 001C313E
lstrcatA.KERNEL32(?,find.exe), ref: 001C3152
GetTempPathA.KERNEL32(00000400,?), ref: 001C3160
lstrcatA.KERNEL32(?,find.db), ref: 001C316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 001C3189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001C319B
CloseHandle.KERNEL32(00000000), ref: 001C31A2
wsprintfA.USER32 ref: 001C31D2
ShellExecuteExA.SHELL32(0000003C), ref: 001C3220

Strings

find.exe, xrefs: 001C314C
@, xrefs: 001C31F1
find.db, xrefs: 001C3162
-w %ws -d C -f %s, xrefs: 001C31CC
<, xrefs: 001C31DE

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: faa6e63ae8b78df8c3c0f3e65cd18cb178bbd03cad3a2e203f38487e469bed11
Instruction ID: 09e848d1752dda6af6d09c23847441b2811a9bd111bb657a1c4da1f23347874e
Opcode Fuzzy Hash: faa6e63ae8b78df8c3c0f3e65cd18cb178bbd03cad3a2e203f38487e469bed11
Instruction Fuzzy Hash: D84127B2900219ABDB10DFA5DD85FDEBBBCEF99304F004156F609A2150DB74AA858FA4

Function 001BAC0A Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001BC118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 001BC154
Part of subcall function 001BC118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 001BC162
Part of subcall function 001BC118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,001BA729,?,00000104,00000000), ref: 001BC17B
Part of subcall function 001BC118: RegQueryValueExW.ADVAPI32(001BA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 001BC198
Part of subcall function 001BC118: RegCloseKey.ADVAPI32(001BA729,?,00000104,00000000), ref: 001BC1A1

lstrcatW.KERNEL32(?,\firefox.exe,?), ref: 001BAC8C
GetBinaryTypeW.KERNEL32(?,?), ref: 001BAC9D
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 001BB11D

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B3272: wsprintfW.USER32 ref: 001B328D

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001B3554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,001B4E98,?), ref: 001B3581
Part of subcall function 001B3554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,001B4E98,?,?,?,?,?,00000000), ref: 001B35AC

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,001C4684,\logins.json,?), ref: 001BAE14

Strings

.tmp, xrefs: 001BADFB
encryptedUsername, xrefs: 001BAE7C, 001BAF0C
\logins.json, xrefs: 001BADBA
profiles.ini, xrefs: 001BACDF
firefox.exe, xrefs: 001BAC5E
Path, xrefs: 001BB115
\firefox.exe, xrefs: 001BAC80
\Mozilla\Firefox\, xrefs: 001BACC6
Profile, xrefs: 001BAC1B, 001BACEC, 001BAD1F
hostname, xrefs: 001BAECC
encryptedPassword, xrefs: 001BAF49

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 288196626-815594582
Opcode ID: 2669500f03718b922d63863299a367437ab65cee235c582919500c48023816c1
Instruction ID: d2608242becdff3b36b9310f8e150ee2b36096810ecf89dd352c55655157b702
Opcode Fuzzy Hash: 2669500f03718b922d63863299a367437ab65cee235c582919500c48023816c1
Instruction Fuzzy Hash: B3E1D671900519ABDF15EFA0DC92EEEB77AAF64300F50406AF516A7192EF30AF49CB50

Function 001B882F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135windowstringfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 001B8840
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 001B8894
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 001B88AE
GetLocalTime.KERNEL32(?), ref: 001B88B5
wsprintfW.USER32 ref: 001B88E9
lstrcatW.KERNEL32(-00000010,?), ref: 001B8900
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 001B892C
CloseHandle.KERNEL32(00000000), ref: 001B893C

Part of subcall function 001C1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E4E
Part of subcall function 001C1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E61
Part of subcall function 001C1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E72
Part of subcall function 001C1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,001C349D), ref: 001C1E7F

Part of subcall function 001C09D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74E2F770,00000000,?,?,?,?,001B895D), ref: 001C09FE

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001B89AF

Part of subcall function 001C0969: lstrcmpA.KERNEL32(?,001C1BD0,?,open,001C1BD0), ref: 001C09A2

TranslateMessage.USER32(?), ref: 001B8996
DispatchMessageA.USER32(?), ref: 001B89A1

Strings

SetWindowsHookExA, xrefs: 001B8962
c:\windows\system32\user32.dll, xrefs: 001B894A
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 001B88E3
\Microsoft Vision\, xrefs: 001B88A8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1431388325-3884914687
Opcode ID: 04f98780f4bd38fa971ca2904fa8f59ab758c17e284fa740b3718f414c0df0d0
Instruction ID: b1e6eff8994c3867f0a64642b83cc483abfa06b25776a8deabe6dd6ee936e4c6
Opcode Fuzzy Hash: 04f98780f4bd38fa971ca2904fa8f59ab758c17e284fa740b3718f414c0df0d0
Instruction Fuzzy Hash: 8941AFB1504240ABD710EBAAEC4AF6B7BECFBC9B04F000919F685D3591DB39E954C722

Function 001BA6C8 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404COMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001BC118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 001BC154
Part of subcall function 001BC118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 001BC162
Part of subcall function 001BC118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,001BA729,?,00000104,00000000), ref: 001BC17B
Part of subcall function 001BC118: RegQueryValueExW.ADVAPI32(001BA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 001BC198
Part of subcall function 001BC118: RegCloseKey.ADVAPI32(001BA729,?,00000104,00000000), ref: 001BC1A1

GetBinaryTypeW.KERNEL32(?,?), ref: 001BA747

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001BB67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 001BB6AC
Part of subcall function 001BB67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 001BB6B5
Part of subcall function 001BB67E: PathFileExistsW.SHLWAPI(001BA760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 001BB7A3

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 001BABCA

Part of subcall function 001BB67E: PathFileExistsW.SHLWAPI(001BA760,.dll,?,001BA760,?,00000104,00000000), ref: 001BB7FF
Part of subcall function 001BB67E: LoadLibraryW.KERNEL32(?,001BA760,?,00000104,00000000), ref: 001BB83E
Part of subcall function 001BB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB849
Part of subcall function 001BB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB854
Part of subcall function 001BB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB85F
Part of subcall function 001BB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB86A
Part of subcall function 001BB67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 001BB957

Strings

.tmp, xrefs: 001BA8BC
encryptedUsername, xrefs: 001BA93D, 001BA9CD
\logins.json, xrefs: 001BA87B
profiles.ini, xrefs: 001BA79C
thunderbird.exe, xrefs: 001BA71F
\Thunderbird\, xrefs: 001BA783
Path, xrefs: 001BABC4
Profile, xrefs: 001BA6D9, 001BA7A9, 001BA7E0
hostname, xrefs: 001BA98D
encryptedPassword, xrefs: 001BAA04

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 1065485167-1863067114
Opcode ID: cad3f54977d3188bac4efff221dcdbfd64a7ae48d4ad3f2c3701b748e4b1d601
Instruction ID: 597120a8b02aace8b07bfb80a74719ba4fffc7c68d8a634cd922366f3eb7b229
Opcode Fuzzy Hash: cad3f54977d3188bac4efff221dcdbfd64a7ae48d4ad3f2c3701b748e4b1d601
Instruction Fuzzy Hash: 4EE1C771900119ABDF15EBA0DC96EEEB77AAF64300F50406AF516A7192EF30AF49CB50

Function 001BD508 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 001BD517
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 001BD52C
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD539
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 001BD546
GetLastError.KERNEL32 ref: 001BD550
Sleep.KERNEL32(000007D0), ref: 001BD562
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 001BD56B
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD57F
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD582

Strings

ServicesActive, xrefs: 001BD50F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: 246d07887aa61f44babe09f797f0ae761534f48ab50240dbee7ea2f8f0af8048
Instruction ID: 926234172c6dfdf50d37870b9828485b5484c65ff16c27842aa89bdecca46ac6
Opcode Fuzzy Hash: 246d07887aa61f44babe09f797f0ae761534f48ab50240dbee7ea2f8f0af8048
Instruction Fuzzy Hash: BB018B727842657BD2301B62BC5DFEB3E7CDBD6B55B110025FB06D2450EB64C990CAB4

Function 001BDA5B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 001BDA82
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 001BDAB9

Part of subcall function 001B5EFF: GetProcessHeap.KERNEL32(00000008,?,001B2FA7,001B5A42,?,?,001C03FD,001B5A42,?,?,75A901C0,00000000,?,001B5A42,00000000), ref: 001B5F02
Part of subcall function 001B5EFF: RtlAllocateHeap.NTDLL(00000000,?,001C03FD,001B5A42,?,?,75A901C0,00000000,?,001B5A42,00000000), ref: 001B5F09

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 001BDAE2
GetLastError.KERNEL32 ref: 001BDAEC
CloseServiceHandle.ADVAPI32(00000000), ref: 001BDAFA
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 001BDBBB
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 001BDBFE

Strings

ServicesActive, xrefs: 001BDA6A, 001BDBB4

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: cdebb3328bb86d41ed2892a26a8445680f2952bb39d0c1d8aa7bba6e255976d1
Instruction ID: 7f16d533228ed7b193de353e922f4be9b38c39bf4e844914e3599f525171ad17
Opcode Fuzzy Hash: cdebb3328bb86d41ed2892a26a8445680f2952bb39d0c1d8aa7bba6e255976d1
Instruction Fuzzy Hash: EC514C71900219AFDF19EFA0DD95BEEBBB9EF28311F110169E502B6181EB74AE40CF50

Function 001B79E8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 001B7A16

Part of subcall function 001B8617: GetCurrentProcess.KERNEL32(001C9698,001B7A03,?,?,?,?), ref: 001B861C
Part of subcall function 001B8617: IsWow64Process.KERNEL32(00000000), ref: 001B8623
Part of subcall function 001B8617: GetProcessHeap.KERNEL32 ref: 001B8629

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 001B7A3A
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 001B7A5B
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 001B7A73
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 001B7A9D
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 001B7AC5
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001B7ADD

Strings

XXXXXX, xrefs: 001B7A88, 001B7A94, 001B7AA7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: 82875f8cc77a0f0f6927d3a7a39ec6665f91844cf92214574c4cbbd745ba3820
Instruction ID: afa6d3c40fcc8eca31030e214432e27f11d96d638532fab910f9fe46b716b74c
Opcode Fuzzy Hash: 82875f8cc77a0f0f6927d3a7a39ec6665f91844cf92214574c4cbbd745ba3820
Instruction Fuzzy Hash: C3219E72649215BBEB219BB49C19FFF7A6CAB85B14F240119F610E20D0DBB4CA40866A

Function 001B9DF6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(001C96A8,00000104,?,00000000), ref: 001B9E17
PathCombineA.SHLWAPI(?,?,001C5F88), ref: 001B9E36
FindFirstFileA.KERNEL32(?,?), ref: 001B9E46
PathCombineA.SHLWAPI(?,001C96A8,0000002E), ref: 001B9E7D
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 001B9E8C

Part of subcall function 001B9ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 001B9AFC
Part of subcall function 001B9ADF: GetLastError.KERNEL32 ref: 001B9B09
Part of subcall function 001B9ADF: CloseHandle.KERNEL32(00000000), ref: 001B9B10

FindNextFileA.KERNEL32(00000000,?), ref: 001B9EA4

Strings

Accounts\Account.rec0, xrefs: 001B9E7F
., xrefs: 001B9E61

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 7d066d0fe4301ea9e31684ce7da6b1326de64f3c93e42b3eda097c327b4d522e
Instruction ID: f446812e618a9f9290502b1fe9530ca6e726b05010e7d87858fe79b887fae58c
Opcode Fuzzy Hash: 7d066d0fe4301ea9e31684ce7da6b1326de64f3c93e42b3eda097c327b4d522e
Instruction Fuzzy Hash: 991100B294022C6BEB24D6A4DC89FEE776CEB55714F0045AAE609D3180E774DE898F50

Function 001C1FD8 Relevance: 13.6, APIs: 9, Instructions: 81injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,75A901C0,00000000), ref: 001C1FEC
GetCurrentProcessId.KERNEL32 ref: 001C1FF7

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 001C2015
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 001C203F
WriteProcessMemory.KERNEL32(00000000,00000000,001C9158,00000800,00000000), ref: 001C2057
VirtualProtectEx.KERNEL32(001C1FD3,00000000,00000800,00000040,?), ref: 001C2068
VirtualAllocEx.KERNEL32(001C1FD3,00000000,00000103,00003000,00000004), ref: 001C207F
WriteProcessMemory.KERNEL32(001C1FD3,00000000,?,00000103,00000000), ref: 001C2095
CreateRemoteThread.KERNEL32(001C1FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 001C20A8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 60e63a56e845b66fb8b4c8556a0cf978f3eb5be325ba2beff9bb53d879070537
Instruction ID: 9eb48a4838520aabde21dad565da0ce9c9430d2c2ff245a241db0b1e7036c4ab
Opcode Fuzzy Hash: 60e63a56e845b66fb8b4c8556a0cf978f3eb5be325ba2beff9bb53d879070537
Instruction Fuzzy Hash: 79212471684218BFF7205B51DC5BFEA7E6CEB45B60F200165F745A61D0D6F06E808BA4

Function 001BD49C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 001BD4AB
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 001BD4C0
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD4CD
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001BD4E6
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD4FA
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD4FD

Strings

ServicesActive, xrefs: 001BD4A3

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 9a6161a4ebba08a7019cf1f02a13bdc873dcfb5dc6422984d834c2032f2b00f0
Instruction ID: 6cc1a9876b1a1f4923d99cdc253efaf8b4da3bd679365b6e561a0582c652ea03
Opcode Fuzzy Hash: 9a6161a4ebba08a7019cf1f02a13bdc873dcfb5dc6422984d834c2032f2b00f0
Instruction Fuzzy Hash: 40F096322482257BD6211B66AC49EDB3E6CEBCA7707110221FB16D6590DB70DC5087A0

Function 001C18BA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,001C1B06), ref: 001C18C7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,001C1B06), ref: 001C18DB
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,001C1B06,?), ref: 001C1913
RegCloseKey.ADVAPI32(001C1B06), ref: 001C1920
SetLastError.KERNEL32(00000000), ref: 001C192B

Strings

Software\Classes\Folder\shell\open\command, xrefs: 001C1909

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: a1a1b856f80255bedafa978f9caa6a34ffa8055351951a6ef39d61b73abacdfe
Instruction ID: 36780057ef3fb8590e724df49464b9fd31deada95676ab51011a2bde93bae0af
Opcode Fuzzy Hash: a1a1b856f80255bedafa978f9caa6a34ffa8055351951a6ef39d61b73abacdfe
Instruction Fuzzy Hash: 6F011A71944218BBDB209BA1AC59FDF7FBCEF1A755F001125F605F2150E770C684CAA0

Function 001BCCB4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,001BCA5F,?), ref: 001BCCD1
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,001BCA5F,?), ref: 001BCCEA
BCryptGenerateSymmetricKey.BCRYPT(00000020,001BCA5F,00000000,00000000,?,00000020,00000000,?,001BCA5F,?), ref: 001BCCFF

Strings

ChainingMode, xrefs: 001BCCE3
ChainingModeGCM, xrefs: 001BCCDE
AES, xrefs: 001BCCC7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: fb9d3821d3e169422268eae03f36e87279e6f59828f488f48f7b90dee3185c42
Instruction ID: 611b9c3b8094a31c632ba2999fa5b16f624d5c7d56d7f95ca5f0eca561521d7b
Opcode Fuzzy Hash: fb9d3821d3e169422268eae03f36e87279e6f59828f488f48f7b90dee3185c42
Instruction Fuzzy Hash: CBF062312453257BDB240F5ADC49F9BBFACEF5ABA1B10002AF505D2150D7A1D84087E0

Function 001BCF58 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 001BCFE0
BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 001BD00E

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

LocalFree.KERNEL32(?), ref: 001BD096

Strings

0, xrefs: 001BCF69
v1, xrefs: 001BCF63

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
String ID: 0$v1
API String ID: 4131498132-3331332043
Opcode ID: 13c8c86c7ca6840b72fdf0b17b756b67fa96770636a34c64ada097bf6917b6ba
Instruction ID: b7e0d8512e70bf9f645b87a1eb97e7689ae6fcdeaf466248a04a663faa3db361
Opcode Fuzzy Hash: 13c8c86c7ca6840b72fdf0b17b756b67fa96770636a34c64ada097bf6917b6ba
Instruction Fuzzy Hash: 8F416DB2D00108BBDB15ABE5DC85EEEBBBCEF54344F044026F915E2240F7759E468BA1

Function 001C20B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,75A901C0), ref: 001C20C7
Process32First.KERNEL32(00000000,?), ref: 001C20F4
Process32Next.KERNEL32(00000000,?), ref: 001C211B
CloseHandle.KERNEL32(00000000), ref: 001C2126

Strings

explorer.exe, xrefs: 001C2102

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: d9431ba751a313f3ccee45f4ee8da57085c17acf24e692d719096543bacf17e2
Instruction ID: baaa2c104b4add50440089be010bfae4187659dc78bd0d1dd01d003a67e3305b
Opcode Fuzzy Hash: d9431ba751a313f3ccee45f4ee8da57085c17acf24e692d719096543bacf17e2
Instruction Fuzzy Hash: FB01A9B5505114ABD720A764AC15FDA77FCDF65710F0500A5FA45E1480EB34EAD08A54

Function 001BFA42 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001BFA5A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001BFA6A

Strings

RtlGetVersion, xrefs: 001BFA64
ntdll.dll, xrefs: 001BFA4B

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 3ed6e6127061c005affc6b22ef33a2df125784f5ef4eca07d7658c778d80f10d
Instruction ID: 68fcd092210fee7286b60917257a632844e6a6e0ffbddcc188c1a3a2071c6222
Opcode Fuzzy Hash: 3ed6e6127061c005affc6b22ef33a2df125784f5ef4eca07d7658c778d80f10d
Instruction Fuzzy Hash: 8F416830A0012CAADF248B55DD6A3FCB6B4AB1174EF1448F9E645E01C1E378CEC6CA54

Function 001BA632 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,001BA5E6,00001000,?,00000000,00001000), ref: 001BA650
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,001BA5E6), ref: 001BA686
lstrcpyW.KERNEL32(?,Could not decrypt,?,?,001BA5E6,00001000,?,00000000,00001000), ref: 001BA6BD

Strings

Could not decrypt, xrefs: 001BA6B7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: 0d6ca7ddf9e8d7315df9fa4840c49920cbc7501d5097bd563d5a7cb9b235990c
Instruction ID: 38734d9413566b33b11960c4ad0659855bca5aa318c1d7f7705dafcf5454ab1a
Opcode Fuzzy Hash: 0d6ca7ddf9e8d7315df9fa4840c49920cbc7501d5097bd563d5a7cb9b235990c
Instruction Fuzzy Hash: 251129B29002199BC711CBA9C880DEEFBBCEF58700B55406AE955E3201E731EE41CBB1

Function 001BF56D Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,001BD471,?,?,00000001), ref: 001BF5C2
LookupAccountSidW.ADVAPI32(00000000,001BD471,?,00000104,?,00000010,?), ref: 001BF5E7
GetLastError.KERNEL32(?,?,00000001), ref: 001BF5F1
FreeSid.ADVAPI32(001BD471,?,?,00000001), ref: 001BF5FF

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: d6174c21828b4802c2d93bb841e6e215ecf5c1ba275f2137f422608c7dbb8b1e
Instruction ID: a941baafebbc5e22551d0db8d24c879c015131247d671f57d176d65fdbfcee20
Opcode Fuzzy Hash: d6174c21828b4802c2d93bb841e6e215ecf5c1ba275f2137f422608c7dbb8b1e
Instruction Fuzzy Hash: 2C11CBB190421DABDB10DFD5DC89EEEBBBCEB04344F10046AF605E2150E7709A859BA1

Function 001BCC54 Relevance: 6.0, APIs: 4, Instructions: 49encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC73
LocalAlloc.KERNEL32(00000040,?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCC81
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC97
LocalFree.KERNEL32(?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCCA5

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 4e233e1a81ff1ad5e2b11f47c38f4aec10facb6a358cf4a83039faafbe8fcfc3
Instruction ID: 8cda67d28ad385be002a8a046f0bc6b975fa1101d0a77e6b9fbdaacb4c77c8d5
Opcode Fuzzy Hash: 4e233e1a81ff1ad5e2b11f47c38f4aec10facb6a358cf4a83039faafbe8fcfc3
Instruction Fuzzy Hash: 2701C9B1601226BFEB214B5BDD4DE97BFACEF197A1B100021FA48D6250E771DC50CAE0

Function 001B27D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 001BF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 001BF79C

Part of subcall function 001B3335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,001C3589,?,001C1515,001C3589,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3365

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001B351D: PathFindExtensionW.SHLWAPI(?,?,001B282E,?,?,00000000,001C4684), ref: 001B3527

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 001B2860
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 001B288A

Strings

open, xrefs: 001B2884

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: 5cf5e434dd7c3fa244e0f113b0cceb3f0365377563e9a32109b79ff0eb56b526
Instruction ID: 7e22428367b4c5721257b37cd42b9a1a32fec5117c9ee675760d8f11bf7a4fac
Opcode Fuzzy Hash: 5cf5e434dd7c3fa244e0f113b0cceb3f0365377563e9a32109b79ff0eb56b526
Instruction Fuzzy Hash: 98219072A00208BBDF14AFA0CC95EEEBB79AFE1750F018059F42667291DF709B49CB50

Function 001C002B Relevance: 4.6, APIs: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 001B5F53: GetProcessHeap.KERNEL32(00000000,000000F4,001C0477,?,75A901C0,00000000,001B5A34), ref: 001B5F56
Part of subcall function 001B5F53: HeapAlloc.KERNEL32(00000000), ref: 001B5F5D

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 001C0060
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 001C0087
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 001C00B7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID:
API String ID: 2408535517-0
Opcode ID: 2dd33cf7feb880480965520895d0a94970445cb5d35ec868103a5e4740bae6ac
Instruction ID: c5e78d8aa27e22e6ff469fda74ff2db3af616c2e5656c612da6c0a443de18a42
Opcode Fuzzy Hash: 2dd33cf7feb880480965520895d0a94970445cb5d35ec868103a5e4740bae6ac
Instruction Fuzzy Hash: 19314F71E002199BCF15EBA4C596AEFB7F8AF58344F11406AE501B7291EB709F44CBA1

Function 001BB15E Relevance: 4.6, APIs: 3, Instructions: 61stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,001BAA4B,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 001BB17B
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 001BB1A9

Part of subcall function 001B5EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,001B3652,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B5EBE

lstrcpyA.KERNEL32(00000000,?), ref: 001BB1F6

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 445dd67a5f4711c68e06d0bcef8d0324ba2afecfea560446a384612f49c51bf0
Instruction ID: 80a6a05ec3b120e1a6beccc46c29f048b1081818b8663ac1dbfeb7fbf90cd9ef
Opcode Fuzzy Hash: 445dd67a5f4711c68e06d0bcef8d0324ba2afecfea560446a384612f49c51bf0
Instruction Fuzzy Hash: 5A11D3B6D00209AFDB01DFA4D884CEEBBBDEB08344F1040AAF909A3201D7359A45CBA0

Function 001BF619 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,001BE18E), ref: 001BF644
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 001BF655
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 001BF68A

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: 2383f73253eaedbbe3a39cf1283dc7c84401965a3dc6bdca84332390919fd345
Instruction ID: c60c210c64f00fbb615c894c5a54d3483563d7126fc5fa1d9a6097d7fd91c1b9
Opcode Fuzzy Hash: 2383f73253eaedbbe3a39cf1283dc7c84401965a3dc6bdca84332390919fd345
Instruction Fuzzy Hash: 5B11D675A10219AFEB11CFE5DC84AEFFBBCFB48740F10452AEA01F2150E7709A459BA0

Function 001BCAFC Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 001BCB24
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,001BCAD5,?,00000000,?,?,?,?,001BCA44), ref: 001BCB3B
LocalFree.KERNEL32(001BCAD5,?,?,?,?,?,001BCAD5,?,00000000,?,?,?,?,001BCA44), ref: 001BCB5B

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 96160914b013eeb83024a184bd468f145c034b6903587a0b86df4d40deeabf5c
Instruction ID: 3cae7db904bbc1260047e97b9f88a54be772c71ba81d855171b28746b3fc445f
Opcode Fuzzy Hash: 96160914b013eeb83024a184bd468f145c034b6903587a0b86df4d40deeabf5c
Instruction Fuzzy Hash: 2A010CB5900209AFDB159FA4DC1ACEEBBB9EB48311B10016AFD41A2350E771DA548AA0

Function 001BFF27 Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 001BFF54
FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 001BFFF6

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 2c53f5e58db944ddda1add49e6b730c0a8789981b97e7221ab727cbac09d9fd7
Instruction ID: 8e8cc3a268f4f512c260646a4631fd4fb2d929cce09b2565e5dd14f6c16b178f
Opcode Fuzzy Hash: 2c53f5e58db944ddda1add49e6b730c0a8789981b97e7221ab727cbac09d9fd7
Instruction Fuzzy Hash: C3313A71D01209ABDB14EFB5C999BEEBBB9AF58310F104569E415A3281EB34AE84CF50

Function 001BD418 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,002FE080,?,?,?,001BE634,002FE07C,002FE080), ref: 001BD45A

Part of subcall function 001BF56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,001BD471,?,?,00000001), ref: 001BF5C2
Part of subcall function 001BF56D: LookupAccountSidW.ADVAPI32(00000000,001BD471,?,00000104,?,00000010,?), ref: 001BF5E7
Part of subcall function 001BF56D: GetLastError.KERNEL32(?,?,00000001), ref: 001BF5F1
Part of subcall function 001BF56D: FreeSid.ADVAPI32(001BD471,?,?,00000001), ref: 001BF5FF

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,001BE634,002FE07C,002FE080), ref: 001BD47B

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: abba8b6691e34aaf75dc929de0a67998e01f450ef078c533e3878cbffec64b24
Instruction ID: d51e529cc4292ba27743ed7ba650ce03821e2aa7364d82f4557db3358e34b381
Opcode Fuzzy Hash: abba8b6691e34aaf75dc929de0a67998e01f450ef078c533e3878cbffec64b24
Instruction Fuzzy Hash: AC113372900208AFDB11DFAAD8849EEFBFCFF59714B10442AF911EB210D7B4AA448B50

Function 001BD0A3 Relevance: 1.5, APIs: 1, Instructions: 40networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00001000,00000000), ref: 001BD0FD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 30b044bb3a87d86c89c73dc16b2b970076def72af6dad09254b5f131aaae4dbb
Instruction ID: bbad56d5a1c4bf1d3201d583a75d34a1bb723d00be60508ed192a0d255e92f60
Opcode Fuzzy Hash: 30b044bb3a87d86c89c73dc16b2b970076def72af6dad09254b5f131aaae4dbb
Instruction Fuzzy Hash: 69F09671900258ABDB25FA64EC81FEA736CAB283D5F540455F554E70C5E7B0EDC08B60

Function 001BF93F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92eed5e057af5c338e84efe1873390fd3db005f0a50fb21675b463ae26445d8a
Instruction ID: 199f18ddae5865029415e1a6093a2c7be0060046a120174549e6e5f68bbbbe7f
Opcode Fuzzy Hash: 92eed5e057af5c338e84efe1873390fd3db005f0a50fb21675b463ae26445d8a
Instruction Fuzzy Hash: 7321AB72D00108ABDF15DFA8CC82BEEBBB9AF54314F14417AF505EB241E73199C587A4

Function 001C1BF8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction ID: 97c259b69bffc24c0e06325ec512de73dffac6224d4b46fd0c79348c6b777603
Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction Fuzzy Hash: 151148323905214A872C883E4D57067FBCBD3DA110788853EE59BCB252E531E7068680

Function 001C0620 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: 1f25556e271a8252a503c0a0a36ce8909eaee7ae6bea94fe4761edde61e24f60
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: B4E08C32200530CBC622DF5AD440F12B3B6EBE8770B2B046CE48AA3501C320FC61CA90

Function 001C094E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: a7166f06473ab02afc2080fda5cb57e0a8fd0ff9123a3cf00940b80e05d6fe1d
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: C8D0EA38361940CFDB51CF18C684F01B3E4EB59B60B098495E909CB736D734ED00EA00

Function 001C0619 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 001BB67E Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 001BB6AC
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 001BB6B5

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001B3272: wsprintfW.USER32 ref: 001B328D

PathFileExistsW.SHLWAPI(001BA760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 001BB7A3
PathFileExistsW.SHLWAPI(001BA760,.dll,?,001BA760,?,00000104,00000000), ref: 001BB7FF
LoadLibraryW.KERNEL32(?,001BA760,?,00000104,00000000), ref: 001BB83E
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB849
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB854
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB85F
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 001BB86A
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 001BB957

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

NSSBase64_DecodeBuffer, xrefs: 001BB8ED
PK11_GetInternalKeySlot, xrefs: 001BB8B1
NSS_Shutdown, xrefs: 001BB913
.dll, xrefs: 001BB789, 001BB7E7
PK11_Authenticate, xrefs: 001BB8C4
softokn3.dll, xrefs: 001BB738
msvcp, xrefs: 001BB751
PK11_CheckUserPassword, xrefs: 001BB900
msvcp120.dll, xrefs: 001BB706
PR_GetError, xrefs: 001BB939
msvcr, xrefs: 001BB76A
mozglue.dll, xrefs: 001BB71F
msvcr120.dll, xrefs: 001BB6ED
PK11SDR_Decrypt, xrefs: 001BB8DA
nss3.dll, xrefs: 001BB6D4
NSS_Init, xrefs: 001BB8A1
PK11_FreeSlot, xrefs: 001BB926

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: 4bff2842527ca05507e623463993fed26dcf948d5b9a26c659ff5ccc79edfcc4
Instruction ID: 43d17c704d1f2c3bff7dfc650a3b14f9b8f2ffdfc6e79077f19bdea575cbe62a
Opcode Fuzzy Hash: 4bff2842527ca05507e623463993fed26dcf948d5b9a26c659ff5ccc79edfcc4
Instruction Fuzzy Hash: 5E912C71A00609EBDB05EFB0C992EDEB77ABF64300F50416AE51567291DF30AF58CB90

Function 001BE3FA Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 237registryCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 001BE407
DeleteCriticalSection.KERNEL32(?,?,?), ref: 001BE41E
EnterCriticalSection.KERNEL32(002FE020,?,?), ref: 001BE42A

Part of subcall function 001BDE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,002FE020,?,?,001BE451,?,?), ref: 001BDE51

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 001BE5FF
RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 001BE61A
RegCloseKey.ADVAPI32(?,?,?), ref: 001BE623
LeaveCriticalSection.KERNEL32(002FE020,00000000,002FE07C,002FE080,?,?), ref: 001BE65E

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B3261: lstrlenW.KERNEL32(75A901C0,001B3646,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3268

LeaveCriticalSection.KERNEL32(002FE020,00000000,rpdp,002FE080,00000000,rudp,002FE07C,002FE07C,002FE080,?,?), ref: 001BE6C4
LeaveCriticalSection.KERNEL32(002FE020,00000000,?,?), ref: 001BE6F4

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 001BE5F5
|/, xrefs: 001BE473
/, xrefs: 001BE658
rpdp, xrefs: 001BE492, 001BE691
|/, xrefs: 001BE5B0
/, xrefs: 001BE424
8/, xrefs: 001BE6B3
|/, xrefs: 001BE4CB
/, xrefs: 001BE6AE
/, xrefs: 001BE413
rudp, xrefs: 001BE459, 001BE670

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
String ID: /$ /$ /$ /$8/$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp$|/$|/$|/
API String ID: 2046459734-2535273432
Opcode ID: 9ee75f38eddcb0f30bcecd8ffe4bf6979825d3774544f023d05388595dd63a4d
Instruction ID: 7f87b0cba852399a15374a34747035dd60efea448a21b26aa88f402ddac9b657
Opcode Fuzzy Hash: 9ee75f38eddcb0f30bcecd8ffe4bf6979825d3774544f023d05388595dd63a4d
Instruction Fuzzy Hash: 0F719470610118BBDF15FB60CC96EFE7B69AF68350F014029F906A6192DF70EA11CB61

Function 001B95AA Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214windowstringregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 001B95BC
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 001B962B
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 001B9645
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 001B9651
lstrcpyW.KERNEL32(?,-00000010), ref: 001B968B
lstrcatW.KERNEL32(?,001C4A58), ref: 001B969E

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001BFF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 001BFF54

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 001B9721
wsprintfW.USER32 ref: 001B9758
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 001B979A
CloseHandle.KERNEL32(00000000), ref: 001B97AA
RegisterClassW.USER32 ref: 001B97C9
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 001B97E1
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001B9802
TranslateMessage.USER32(?), ref: 001B9814
DispatchMessageA.USER32(?), ref: 001B981F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001B982F

Strings

ExplorerIdentifier, xrefs: 001B96E6
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 001B9752
\Microsoft Vision\, xrefs: 001B963F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 2678186124-2372768292
Opcode ID: 69297673acbbfb1e4d61f2d99302d80b05fc64a294aa8affbbfeb63d47e0438b
Instruction ID: 39429542c6674c40db49e8e08f01665814fb83f1c3be155bee2eb0cd91eb0869
Opcode Fuzzy Hash: 69297673acbbfb1e4d61f2d99302d80b05fc64a294aa8affbbfeb63d47e0438b
Instruction Fuzzy Hash: 21717AB2508304ABC710DBA5DC5AEABBBECFB99700F000919F695D3191DB35E985CB62

Function 001BA0D8 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 001BA12F
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 001BA14C
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 001BA19F
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001BA1B5
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 001BA1E8
RegCloseKey.ADVAPI32(?), ref: 001BA1F9
lstrcpyW.KERNEL32(?,?), ref: 001BA20D
lstrcatW.KERNEL32(?,001C4684), ref: 001BA21B
lstrcatW.KERNEL32(?,?), ref: 001BA22F
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 001BA24C
RegCloseKey.ADVAPI32(?,?), ref: 001BA261
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 001BA27E

Strings

Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 001BA125
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 001BA15F, 001BA16F
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 001BA17C, 001BA181, 001BA191
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 001BA142, 001BA152
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 001BA135

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 9bf30ba293afda08c46002deaa2f25a9341aba9fda41d69ca34a8d5d26b712f3
Instruction ID: 8a2f97ad308373fc267d8ddca827eb87a217bd392ba89f4cd8184886859ae481
Opcode Fuzzy Hash: 9bf30ba293afda08c46002deaa2f25a9341aba9fda41d69ca34a8d5d26b712f3
Instruction Fuzzy Hash: AC411AB290021DBEEB21DAA5CC85EFB7B7DEF14784F5004A5F605E2001E771AE849BA1

Function 001C1AB9 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90sleepregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,001C3589,?), ref: 001BFC0E
Part of subcall function 001BFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,001C3589,?), ref: 001BFC15
Part of subcall function 001BFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,001C3589,?), ref: 001BFC33
Part of subcall function 001BFBFC: CloseHandle.KERNEL32(00000000), ref: 001BFC48

CloseHandle.KERNEL32(?,00000000), ref: 001C1AD8
GetCurrentProcess.KERNEL32(?), ref: 001C1AE7
IsWow64Process.KERNEL32(00000000), ref: 001C1AEE
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 001C1B25
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 001C1B57
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 001C1B69
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 001C1B81
ShellExecuteExW.SHELL32(?), ref: 001C1BB3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001C1BBD
Sleep.KERNEL32(000007D0), ref: 001C1BD5
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 001C1BE5
ExitProcess.KERNEL32 ref: 001C1BEC

Strings

\sdclt.exe, xrefs: 001C1B5D
@, xrefs: 001C1BA2
DelegateExecute, xrefs: 001C1B3E
<, xrefs: 001C1B9B
open, xrefs: 001C1B79, 001C1B7F
Software\Classes\Folder\shell\open\command, xrefs: 001C1BDB

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
API String ID: 3164795406-2081737068
Opcode ID: 2b46d0f137d5273acc1350d4e45f56a1345ae4b5e5402ea5c6307437d7ab4407
Instruction ID: d97b9df63f372721a8c0b67e0b5b5bc00f1564ccadc48378a4936947e340c6ab
Opcode Fuzzy Hash: 2b46d0f137d5273acc1350d4e45f56a1345ae4b5e5402ea5c6307437d7ab4407
Instruction Fuzzy Hash: 98318EB1C05118FBDB10ABA0EC59EDEBFBCEF65311F0000A9F608A2550D7749A81CF60

Function 001C30A7 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 122filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 001C30EE
SizeofResource.KERNEL32(00000000,?), ref: 001C30FA
LockResource.KERNEL32(00000000), ref: 001C3104
GetTempPathA.KERNEL32(00000400,?), ref: 001C313E
lstrcatA.KERNEL32(?,find.exe), ref: 001C3152
GetTempPathA.KERNEL32(00000400,?), ref: 001C3160
lstrcatA.KERNEL32(?,find.db), ref: 001C316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 001C3189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 001C319B
CloseHandle.KERNEL32(00000000), ref: 001C31A2
wsprintfA.USER32 ref: 001C31D2
ShellExecuteExA.SHELL32(0000003C), ref: 001C3220

Strings

find.exe, xrefs: 001C314C
@, xrefs: 001C31F1
find.db, xrefs: 001C3162
-w %ws -d C -f %s, xrefs: 001C31CC
<, xrefs: 001C31DE

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 73715a9224549466f2e8da89d1cb2feef25099324b480dd77b8d73de494dca3d
Instruction ID: 6ecb44bd0cdc56326f07ae5104d4a968503ae24e414c533aa530b56fb9abf020
Opcode Fuzzy Hash: 73715a9224549466f2e8da89d1cb2feef25099324b480dd77b8d73de494dca3d
Instruction Fuzzy Hash: 364149B2800219ABDB10DFA1DD85FDEBBBCFF99304F04415AF609A2151D774AA85CFA4

Function 001B8E66 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147filestringCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 001B8E8F
GetWindowTextW.USER32(00000000,?,00000104), ref: 001B8EA2
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 001B8F0B
lstrcpyW.KERNEL32(-00000210,?,?,?), ref: 001B8F58
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 001B8F79
lstrlenW.KERNEL32(001C4AD0,00000008,00000000,?,?), ref: 001B8FA2
WriteFile.KERNEL32(?,001C4AD0,00000000,?,?), ref: 001B8FAE
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 001B8FD2
lstrlenW.KERNEL32(001C4AD0,-00000008,00000000,?,?), ref: 001B8FE5
WriteFile.KERNEL32(?,001C4AD0,00000000,?,?), ref: 001B8FF1
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 001B9003
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 001B9011
CloseHandle.KERNEL32(?,?,?), ref: 001B901B

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,001C3589,?,001C1515,001C3589,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3365

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

{Unknown}, xrefs: 001B8EED

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
String ID: {Unknown}
API String ID: 2314120260-4054869793
Opcode ID: 75b07f7abdfbe73af39718a460f3080bc40089afe980e02d7fa104b4c37172fa
Instruction ID: b83b366edc5b11ca783ac9995a1f50e2cfaf44444ace91eec33a345d63a7d277
Opcode Fuzzy Hash: 75b07f7abdfbe73af39718a460f3080bc40089afe980e02d7fa104b4c37172fa
Instruction Fuzzy Hash: 8F517B71A00218EFDB00EF65DC9AFEA7BB9EB14300F4540A8F505A72A1DB35EE50CB54

Function 001BEAFB Relevance: 19.6, APIs: 13, Instructions: 135pipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 001BEA89: GetCurrentThreadId.KERNEL32 ref: 001BEA95
Part of subcall function 001BEA89: SetEvent.KERNEL32(00000000), ref: 001BEAA9
Part of subcall function 001BEA89: WaitForSingleObject.KERNEL32(001C956C,00001388), ref: 001BEAB6
Part of subcall function 001BEA89: TerminateThread.KERNEL32(001C956C,000000FE), ref: 001BEAC7

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 001BEB41
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 001BEB5E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 001BEB64
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 001BEB6D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 001BEB85
GetCurrentProcess.KERNEL32(001C9560,00000000,00000000,00000002,?,00000000), ref: 001BEB9E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 001BEBA4
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 001BEBA7
GetCurrentProcess.KERNEL32(001C9564,00000000,00000000,00000002,?,00000000), ref: 001BEBBC
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 001BEBC2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001BEC18
CreateThread.KERNEL32(00000000,00000000,001BE92A,001C9558,00000000,001C9570), ref: 001BEC38
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 001BEBC5

Part of subcall function 001BEC8C: CloseHandle.KERNEL32(001C9568,001C9558,001BEADC,?,00000000,001B2A8C,00000000,exit,00000000,start), ref: 001BEC96

Part of subcall function 001B362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,001C150A,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3657

Part of subcall function 001BE891: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000,?,?,00000001), ref: 001BE8E3

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID:
API String ID: 337272696-0
Opcode ID: 26ddb3d463a29ad1a8cb4758274a54872388fc600f254006052aefe5fd881fcc
Instruction ID: e8c45b0add540d1984eea00fa8cee15a081f6eb31a184436c17f57a4fa4800ad
Opcode Fuzzy Hash: 26ddb3d463a29ad1a8cb4758274a54872388fc600f254006052aefe5fd881fcc
Instruction Fuzzy Hash: A6412C71A40209BBDB15EBA1DD5AFEEBFB8AF64751F100015F201B60D1DBB4AA44CAA1

Function 001BD58D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 001BD5A0
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 001BD5B9
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD5C6
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 001BD5D5
GetLastError.KERNEL32 ref: 001BD5DF
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 001BD600
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD611
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD614
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD624
CloseServiceHandle.ADVAPI32(00000000), ref: 001BD627

Part of subcall function 001B1099: GetProcessHeap.KERNEL32(00000000,00000000,001C1E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 001B109F
Part of subcall function 001B1099: HeapFree.KERNEL32(00000000), ref: 001B10A6

Strings

ServicesActive, xrefs: 001BD597

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: 33ebd1cfbcc387e9a38fb6cd9fb2949ceba127a1ae6554ba77e6dc3d91a2c678
Instruction ID: 655e9950407af95636d0abfe42f97d4345ed4391a03a116268275dd94ee53df5
Opcode Fuzzy Hash: 33ebd1cfbcc387e9a38fb6cd9fb2949ceba127a1ae6554ba77e6dc3d91a2c678
Instruction Fuzzy Hash: 97118872604218BBCB24AB66ED98DDB7FBDEF953507110025FA06D3110EB30DE40CBA0

Function 001BDED2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 324COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 001BDEEF

Part of subcall function 001BFC58: GetCurrentProcess.KERNEL32(?,?,001B2D84,?,001C4648,?,?,00000000,?,?,?), ref: 001BFC5C

PathFileExistsW.SHLWAPI(?), ref: 001BE099
PathFileExistsW.SHLWAPI(?), ref: 001BDF0D

Part of subcall function 001BFDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,001B9A69,?,?,?), ref: 001BFE07
Part of subcall function 001BFDF0: GetLastError.KERNEL32(?,?,?,001B9A69,?,?,?), ref: 001BFE15

LeaveCriticalSection.KERNEL32(?,00000000), ref: 001BE28C

Part of subcall function 001BD9B6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 001BD9EA

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 001BE17F
LeaveCriticalSection.KERNEL32(?,00000000), ref: 001BE2CC

Strings

SeDebugPrivilege, xrefs: 001BE16F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: 3be31adf14b0015325446858deca6028206e924e63291120c3df6d0e2a906f57
Instruction ID: 19a38750400aedeb58b95d6c2f7b1e3d77a07bc4b735be2eb9bf5494084a66ed
Opcode Fuzzy Hash: 3be31adf14b0015325446858deca6028206e924e63291120c3df6d0e2a906f57
Instruction Fuzzy Hash: CBB11A71508245ABC718FF60DC92DEEB7A9BFA4344F40092DF59293192EF70EA19CB52

Function 001BDCB2 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 001BDCF3

Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,001C3589,?,?,?,001C15B2,?,?,80000001), ref: 001C0FE6
Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,001C15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 001C100A

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 001BDD57
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 001BDD65
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 001BDD82

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 001BDCCE
ImagePath, xrefs: 001BDD05
svchost.exe -k, xrefs: 001BDD5D
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 001BDCBE
ServiceDll, xrefs: 001BDD90
svchost.exe, xrefs: 001BDD4F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2246401353-3333427388
Opcode ID: 46690e83673c25f2328b6eb70c5de6b4d37c6a1d85d90d68d59fa68de575dbac
Instruction ID: 4533ee1ef1c80451484f6db8039e582cb55d2aa2a6fc607da60b377bf11ae97d
Opcode Fuzzy Hash: 46690e83673c25f2328b6eb70c5de6b4d37c6a1d85d90d68d59fa68de575dbac
Instruction Fuzzy Hash: C041F631D00228ABDF15EBE0DC92EEEB779AF28740F504169E511B2195EF70AF54CBA0

Function 001B9ADF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 229fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 001B9AFC
GetLastError.KERNEL32 ref: 001B9B09
CloseHandle.KERNEL32(00000000), ref: 001B9B10
GetFileSize.KERNEL32(00000000,00000000), ref: 001B9B1D
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B9B4C
CloseHandle.KERNEL32(00000000), ref: 001B9B53

Strings

Password, xrefs: 001B9CC3, 001B9CAB, 001B9CD7
Password, xrefs: 001B9CDD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: Password$Password
API String ID: 1366138817-7788977
Opcode ID: 81142ab71cb82b1d8d87145fc17fd0c90efa5f2aeddb15f30408e41f05d58788
Instruction ID: f0562fead0fac617ad420619c4678e025708edf146add4a6cf28ee3bc61e40aa
Opcode Fuzzy Hash: 81142ab71cb82b1d8d87145fc17fd0c90efa5f2aeddb15f30408e41f05d58788
Instruction Fuzzy Hash: 58812370C042846FEF25EBA8D891BFEBFB5AF61314F50406AE1516B282CB754E83C751

Function 001BF80E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 001BF825
CoInitialize.OLE32(00000000), ref: 001BF82C
CoCreateInstance.OLE32(001C4490,00000000,00000017,001C6E60,?,?,?,?,?,?,?,?,?,001B2D0C), ref: 001BF84A
VariantInit.OLEAUT32(?), ref: 001BF8CE

Strings

Name, xrefs: 001BF8E0
root\CIMV2, xrefs: 001BF86A
SELECT Name FROM Win32_VideoController, xrefs: 001BF89C
WQL, xrefs: 001BF8A6

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: 85337e24564a4d32bbd81e234e4e69ca0f0f05c618888d1f4fd2e37755e8fa2e
Instruction ID: f9d739ba69a398a84b949e505a43c02682c82c3e99b63c57d6860ea79cd6303b
Opcode Fuzzy Hash: 85337e24564a4d32bbd81e234e4e69ca0f0f05c618888d1f4fd2e37755e8fa2e
Instruction Fuzzy Hash: FA41F975A00259ABCB14DB95CC48EAFBBBDEFC9B14B10446CF515EB290D771E942CB20

Function 001C1F13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75sleepprocessmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,75A901C0,00000000), ref: 001C1F25
IsWow64Process.KERNEL32(00000000), ref: 001C1F2C
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 001C1F50
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 001C1F5E
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 001C1F6C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 001C1FA9
Sleep.KERNEL32(000003E8), ref: 001C1FB8

Strings

\System32\cmd.exe, xrefs: 001C1F66

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: b656fd3eaad2e976a926eb47b217cfa04e7f810479c8d5826aa30ecb349e91fd
Instruction ID: 6f2a9374cbaeab22bac15263f53dc012239ab47124598369ea9f3fa89d17b94b
Opcode Fuzzy Hash: b656fd3eaad2e976a926eb47b217cfa04e7f810479c8d5826aa30ecb349e91fd
Instruction Fuzzy Hash: 6E1184B1A84308BFE7106BB5AC8AFEF7A7CEB14745F000029F705E6091D770DE448666

Function 001BC118 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 001BC154
lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 001BC162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,001BA729,?,00000104,00000000), ref: 001BC17B
RegQueryValueExW.ADVAPI32(001BA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 001BC198
RegCloseKey.ADVAPI32(001BA729,?,00000104,00000000), ref: 001BC1A1

Strings

thunderbird.exe, xrefs: 001BC15A
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 001BC14E
Path, xrefs: 001BC190

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 0fede333e552f3b39611dbc02ef25a60d0b2fb4821cf8a31dab5ea40f486d2cd
Instruction ID: 10ca6961fe9acb0dba7ec550d6ad5d01c56f86c6e15faaee436c3b40cf388210
Opcode Fuzzy Hash: 0fede333e552f3b39611dbc02ef25a60d0b2fb4821cf8a31dab5ea40f486d2cd
Instruction Fuzzy Hash: 5B111EB694011CBFEB10ABA4ED89FDABBBCEB14344F100065F605E2150E770DE548B61

Function 001BC117 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 55registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 001BC154
lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 001BC162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,001BA729,?,00000104,00000000), ref: 001BC17B
RegQueryValueExW.ADVAPI32(001BA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 001BC198
RegCloseKey.ADVAPI32(001BA729,?,00000104,00000000), ref: 001BC1A1

Strings

thunderbird.exe, xrefs: 001BC15A
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 001BC14E
Path, xrefs: 001BC190

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: a64bc69318f071d3434c113708af10a28d04d45eb2c47e4fa532c9a67d3c474c
Instruction ID: 73d5a3a30748cd8af28c4c4ee70ad67f76e748a8dd3a9464ad11049841679e4b
Opcode Fuzzy Hash: a64bc69318f071d3434c113708af10a28d04d45eb2c47e4fa532c9a67d3c474c
Instruction Fuzzy Hash: F01121B694411CBFEB10EBA4ED89FDEBBBCEB14344F1000A9F605E2150E7709E448B61

Function 001BC4A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001BF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 001BF79C

Part of subcall function 001B3335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,001C3589,?,001C1515,001C3589,001C35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,001C3589,00000000,75A901C0,00000000), ref: 001B3365

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,001C4684,.tmp,00000000,001C4684,?,00000000), ref: 001BC5A5
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,001BC245), ref: 001BC5AF
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001BC5C3
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001BC5CF

Part of subcall function 001BCED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,001BC66B,?,?,00000000,?), ref: 001BCF43
Part of subcall function 001BCED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,001BC66B,?,?,00000000,?), ref: 001BCF4C

Part of subcall function 001BCF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 001BCFE0
Part of subcall function 001BCF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 001BD00E
Part of subcall function 001BCF58: LocalFree.KERNEL32(?), ref: 001BD096

Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,75A901C0,?,001B5A4F,.bss,00000000), ref: 001B33C8
Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,?,001B5A4F,.bss,00000000), ref: 001B33D5
Part of subcall function 001B33BF: lstrcpyA.KERNEL32(00000000,?,?,001B5A4F,.bss,00000000), ref: 001B33E8

Part of subcall function 001B3125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,001B35C4,00000000,00000000,?,001B4E98,?,?,?,?,?,00000000), ref: 001B3151

Part of subcall function 001B308C: lstrlenA.KERNEL32(00000000,001B30B4,75A901C0,00000000,00000000,?,001B32DC,001B350E,00000000,-00000001,75A901C0,?,001B350E,00000000,?,00000000), ref: 001B3093

Strings

.tmp, xrefs: 001BC4F3, 001BC4FB, 001BC531
select signon_realm, origin_url, username_value, password_value from logins, xrefs: 001BC688, 001BC692
select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 001BC683

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 881303001-3832748974
Opcode ID: d61327b4733d211bf00cf8598181329d8a2eec99b2dd7610d28da470d26da252
Instruction ID: 9e185dd2b98a698af1aee52ff1541dcd06c9d1347c0cb34c6cd9e471595392b3
Opcode Fuzzy Hash: d61327b4733d211bf00cf8598181329d8a2eec99b2dd7610d28da470d26da252
Instruction Fuzzy Hash: 0AD10E72A00109ABDF15FFA4DD96EEEB779AF64300F14442AF512A6191EF30AF15CB60

Function 001C273A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C274C
CoCreateInstance.OLE32(001C45A0,00000000,00000001,001C7410,001C227B), ref: 001C2779
CoUninitialize.OLE32 ref: 001C2902

Part of subcall function 001C2A6B: CoCreateInstance.OLE32(001C45E0,00000000,00000001,001C73F0,?,756FE550,00000000,00000000,?,?,001C27B0), ref: 001C2A99

CoCreateInstance.OLE32(001C45F0,00000000,00000001,001C7400,?), ref: 001C27CA

Part of subcall function 001C24EB: CoTaskMemFree.OLE32(?,?,00000000,001C2896), ref: 001C24F9

Strings

Source, xrefs: 001C27D9
vids, xrefs: 001C2805
Grabber, xrefs: 001C27E8

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 64e9324a4aa9fdf6de7f2b458344be30c580c78f2562eaf9cbc4bc24abdcf04d
Instruction ID: 33934229dd4a3fea7d46330477da65e153f4d9672e04ef4a7f29c43420038c9a
Opcode Fuzzy Hash: 64e9324a4aa9fdf6de7f2b458344be30c580c78f2562eaf9cbc4bc24abdcf04d
Instruction Fuzzy Hash: 2B512871A00219AFDB14DFA4C899FAEBBB9BF94705F04845CE905AB260CBB1DD45CB60

Function 001B2961 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 001C0F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 001C0F38

TerminateThread.KERNEL32(00000000,?,?), ref: 001C1740
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 001C17AD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 001C1837
CloseHandle.KERNEL32(?), ref: 001C1846
CloseHandle.KERNEL32(?), ref: 001C184B
ExitProcess.KERNEL32 ref: 001C184E

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 001C17BB

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: 07718605c3ff1679f3cd31d68f7eda7019322b2a3c0d79aa6698d6c6eac30a30
Instruction ID: 856f247bc7b44d885ac8f6fdc4d0fc2df702022ae73499a55e120c28be7e0fd4
Opcode Fuzzy Hash: 07718605c3ff1679f3cd31d68f7eda7019322b2a3c0d79aa6698d6c6eac30a30
Instruction Fuzzy Hash: 54313EB2900619FFDB11EBE0DD96EEEB77DEB24300F400465B605A2151DB74EE94CBA1

Function 001BB559 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,001BB229), ref: 001BB561

Part of subcall function 001C0969: lstrcmpA.KERNEL32(?,001C1BD0,?,open,001C1BD0), ref: 001C09A2

Strings

vaultcli.dll, xrefs: 001BB55A
VaultCloseVault, xrefs: 001BB589
VaultGetItem, xrefs: 001BB5B5
VaultFree, xrefs: 001BB5E0
VaultOpenVault, xrefs: 001BB577
VaultEnumerateItems, xrefs: 001BB59F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: e8d5994a39cf65011c9b3f4f96fb0af0d73bcd3dc77752f38b9a5ccd2ed611e1
Instruction ID: 4842c8d188b41cb5b3502c71d9f27f4e0d38964ec7271e23117b50192c5af8ef
Opcode Fuzzy Hash: e8d5994a39cf65011c9b3f4f96fb0af0d73bcd3dc77752f38b9a5ccd2ed611e1
Instruction Fuzzy Hash: B511F830A05B00CFEB649B72A851FA7B7E6EBA4301F54492ED49E97742DB70E842CB10

Function 001C19C9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,002FCBF0,?,?,?,?,001C1A78), ref: 001C19E9
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,001C1A78), ref: 001C1A06
lstrlenW.KERNEL32(002FCBF0,?,?,?,?,001C1A78,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A12
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,002FCBF0,00000000,?,?,?,?,001C1A78,?,?,?,?,001B57B9), ref: 001C1A28
RegCloseKey.ADVAPI32(?,?,?,?,?,001C1A78,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A31

Strings

Install, xrefs: 001C1A20
SOFTWARE\_rptls, xrefs: 001C19DD, 001C19E3, 001C1A00

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: 6200b065bac48bfa4ff71bdf4d37514ed56741bd9204ab13d6ce9ecd51e41529
Instruction ID: 8278ec8fc14579042e2aabc9e10942db031cd8955cc98de9db6a1f7b42dad1d7
Opcode Fuzzy Hash: 6200b065bac48bfa4ff71bdf4d37514ed56741bd9204ab13d6ce9ecd51e41529
Instruction Fuzzy Hash: F0F0A972504058BFE7205B92EC4DEEB7E7CEB82791B000069FA05E2161CBA0DE90CAB0

Function 001C1A3C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,002FCBF0,00000208,00000000,00000000,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A58
IsUserAnAdmin.SHELL32 ref: 001C1A5E

Part of subcall function 001BFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,001C3589,?), ref: 001BFC0E
Part of subcall function 001BFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,001C3589,?), ref: 001BFC15
Part of subcall function 001BFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,001C3589,?), ref: 001BFC33
Part of subcall function 001BFBFC: CloseHandle.KERNEL32(00000000), ref: 001BFC48

Part of subcall function 001C19C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,002FCBF0,?,?,?,?,001C1A78), ref: 001C19E9
Part of subcall function 001C19C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,001C1A78), ref: 001C1A06
Part of subcall function 001C19C9: lstrlenW.KERNEL32(002FCBF0,?,?,?,?,001C1A78,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A12
Part of subcall function 001C19C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,002FCBF0,00000000,?,?,?,?,001C1A78,?,?,?,?,001B57B9), ref: 001C1A28
Part of subcall function 001C19C9: RegCloseKey.ADVAPI32(?,?,?,?,?,001C1A78,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A31

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1A87
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 001C1A91
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 001C1A9B
LockResource.KERNEL32(00000000,?,?,?,?,001B57B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 001C1AA2

Part of subcall function 001C1936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000), ref: 001C1974
Part of subcall function 001C1936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1988
Part of subcall function 001C1936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1996
Part of subcall function 001C1936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C19A4

Strings

WM_DSP, xrefs: 001C1A7D

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockModuleNameProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 1403607128-506093727
Opcode ID: 2a56508bdf392659ae9cc317cfb1f8429b1388743f0e7678b019de0635f74160
Instruction ID: 02c915b2b418c21db609c40e4fcba74339defd7b0803ea7e804e66600af59e61
Opcode Fuzzy Hash: 2a56508bdf392659ae9cc317cfb1f8429b1388743f0e7678b019de0635f74160
Instruction Fuzzy Hash: E6F062316852907BD72037B2AC6EF9F2D6CAFB2750F090828F442D6692DB24C8818260

Function 001B5CA3 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,001C02E1,?,75A901C0,00000000), ref: 001B5CAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 001B5CB7
ExitProcess.KERNEL32 ref: 001B5CDB

Strings

An assertion condition failed, xrefs: 001B5CD0
USER32.DLL, xrefs: 001B5CA4
MessageBoxA, xrefs: 001B5CB1
Assert, xrefs: 001B5CCB

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: e54403c1fa0627e36c7c689e2ca334abca54a43b4fa16c62e23386267559aeef
Instruction ID: 6ec45698462d903dae75d375341462bf0aad9611c2c466d30f26b902207966b8
Opcode Fuzzy Hash: e54403c1fa0627e36c7c689e2ca334abca54a43b4fa16c62e23386267559aeef
Instruction Fuzzy Hash: 6CD017747C93416BEA1067F13C3AFA92E296B35F05F180018B681A64C1D792D8908520

Function 001B5F6A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 001B5F6F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 001B5F7B
ExitProcess.KERNEL32 ref: 001B5F9A

Strings

A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 001B5F8F
USER32.DLL, xrefs: 001B5F6A
MessageBoxA, xrefs: 001B5F75
PureCall, xrefs: 001B5F8A

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: dfb4d78681c3921e1fd81743244fbfbe9128e55f1e44ae689a8c9f28512b728f
Instruction ID: bdb96d236bcc6af3320b02585dca88b3166a4c0939f3082498acce88f176ae93
Opcode Fuzzy Hash: dfb4d78681c3921e1fd81743244fbfbe9128e55f1e44ae689a8c9f28512b728f
Instruction Fuzzy Hash: EDD092303CC3416FE65027F16C2BF6829246B24F02F040018B645A44D1CBD0E4908629

Function 001C0D24 Relevance: 12.2, APIs: 8, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C0D6A
Process32FirstW.KERNEL32(00000000,0000022C), ref: 001C0D83
CloseHandle.KERNEL32(00000000), ref: 001C0D8E

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 001C0DF8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 001C0E2E
CloseHandle.KERNEL32(00000000,00000000,001C4C14), ref: 001C0E81
Process32NextW.KERNEL32(00000000,0000022C), ref: 001C0EE5
CloseHandle.KERNEL32(00000000), ref: 001C0EF7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
String ID:
API String ID: 3514491001-0
Opcode ID: 02ddfb8910d32b3099eb583867a116379e44125a389d1e457e80c43e575083c2
Instruction ID: dc51dd63524620534067a83218ffb75684fbf4785ca8d7923a4d73fde583d611
Opcode Fuzzy Hash: 02ddfb8910d32b3099eb583867a116379e44125a389d1e457e80c43e575083c2
Instruction Fuzzy Hash: 34518072D00119ABDB11EBA4CC9AFEEBBB8AF64710F010169F415A7190EB30DF85CB50

Function 001C2D0A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C2D1A
CoCreateInstance.OLE32(001C45A0,00000000,00000001,001C7410,007EE120,?,?), ref: 001C2D32
CoCreateInstance.OLE32(001C45F0,00000000,00000001,001C7400,007EE12C,?,?,001C4580,007EE124,?,?), ref: 001C2D8C

Part of subcall function 001C2A6B: CoCreateInstance.OLE32(001C45E0,00000000,00000001,001C73F0,?,756FE550,00000000,00000000,?,?,001C27B0), ref: 001C2A99

Strings

Source, xrefs: 001C2D9E
vids, xrefs: 001C2DC6
Grabber, xrefs: 001C2DAC

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: 15870a13b4bb796935514558ef60ce2e6c5096d8691c017e876c9f130ef89222
Instruction ID: 664d03f59c57522462e25847a14534c4bc9fe1302e7e864b0134d1b22f784ce9
Opcode Fuzzy Hash: 15870a13b4bb796935514558ef60ce2e6c5096d8691c017e876c9f130ef89222
Instruction Fuzzy Hash: 86518D75600211AFDB28DFA4C895FAA3B75BF99700B11459CFD05AF295CB71EC41CBA0

Function 001B7948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64sleepprocessmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 001B796B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 001B7979
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 001B7987
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 001B79C1
Sleep.KERNEL32(000003E8), ref: 001B79D0

Strings

\System32\cmd.exe, xrefs: 001B7981

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: 883839ff6b0d54d84ca73334d959d9923fcd1cf1cdf540606124ee5d1d0422d2
Instruction ID: a3deb05f7bd1e671587d8c979b87c975e9af4167f1f279fb0fe4c2fc939f390d
Opcode Fuzzy Hash: 883839ff6b0d54d84ca73334d959d9923fcd1cf1cdf540606124ee5d1d0422d2
Instruction Fuzzy Hash: A4115EB2644218BFE710ABA8DC96FEF767CEB54748F000425F701E6191DB709E4486A5

Function 001C1855 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(001C1B3D,001C6056,?,?,001C1B3D,001C6056,?), ref: 001C185D
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,001C1B3D,001C6056,?), ref: 001C187A
SetLastError.KERNEL32(00000000,?,?,001C1B3D,001C6056,?), ref: 001C1885
RegSetValueExA.ADVAPI32(?,001C6056,00000000,00000001,001C1B3D,00000000,?,?,001C1B3D,001C6056,?), ref: 001C189D
RegCloseKey.ADVAPI32(?,?,?,001C1B3D,001C6056,?), ref: 001C18A8

Strings

Software\Classes\Folder\shell\open\command, xrefs: 001C1870

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1613093083-2536721355
Opcode ID: 575ce5889110028655c6af9d528cb91b7e5db33182c9631c874175722175777c
Instruction ID: 9040e80813e4f5f91a6c2b34f49d4e35d64baacbe8911630047502f78df318c6
Opcode Fuzzy Hash: 575ce5889110028655c6af9d528cb91b7e5db33182c9631c874175722175777c
Instruction Fuzzy Hash: C3F06D35588214FBEF210FA0BC0AFDA7F79BB15750F110154BE01A64A1D7B1C950AA90

Function 001B7CB7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,001B86D6,00000000), ref: 001B7CD3
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 001B7CE1
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 001B7CF2

Strings

RtlNtStatusToDosError, xrefs: 001B7CDB
ntdll.dll, xrefs: 001B7CCE
RtlSetLastWin32Error, xrefs: 001B7CE7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 933cfd52c5a80496b5beeda12b78a22acab1907de3c1267be154a6083a13ea48
Instruction ID: 725aa2f2623f4a130e95c5d83d2066c478b9063044d568cc90d3f3f9c5943065
Opcode Fuzzy Hash: 933cfd52c5a80496b5beeda12b78a22acab1907de3c1267be154a6083a13ea48
Instruction Fuzzy Hash: F0F0D0342483019BDF155FA5BC69E7A3BA9ABA8795301042DF80AE37B0DB70D845C624

Function 001B57FB Relevance: 9.1, APIs: 6, Instructions: 75networksynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,001B35C4,00000000,00000000,?,001B4E98,?,?,?,?,?,00000000), ref: 001B3151

Part of subcall function 001C026F: WaitForSingleObject.KERNEL32(?,000000FF,001B5824,75A901C0,?,?,00000000,001B4EA0,?,?,?,?,?,00000000,75A901C0), ref: 001C0273

getaddrinfo.WS2_32(75A901C0,00000000,001B4EA0,00000000), ref: 001B5848
socket.WS2_32(00000002,00000001,00000000), ref: 001B585F
htons.WS2_32(00000000), ref: 001B5885
freeaddrinfo.WS2_32(00000000), ref: 001B5895
connect.WS2_32(?,?,00000010), ref: 001B58A1
ReleaseMutex.KERNEL32(?), ref: 001B58CB

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: 37ea94deb31224b8bae52cff6306ef565194e6c5fa0138501ab296e10f37fa9d
Instruction ID: 7b3953586083beb4ab72641b00ae73b02a28dc72f0e4f33cbc292606a68cf884
Opcode Fuzzy Hash: 37ea94deb31224b8bae52cff6306ef565194e6c5fa0138501ab296e10f37fa9d
Instruction Fuzzy Hash: 0D215A71A00204ABDF109F65D889FDABBB9FF54320F148066F919DB1A1D771DA84CB60

Function 001BCBA8 Relevance: 9.1, APIs: 6, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 001BCBDC
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 001BCBF2
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 001BCC0D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 001BCC25
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 001BCC48

Part of subcall function 001BCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC73
Part of subcall function 001BCC54: LocalAlloc.KERNEL32(00000040,?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCC81
Part of subcall function 001BCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC97
Part of subcall function 001BCC54: LocalFree.KERNEL32(?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCCA5

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: a615791aaa3c475e198aeda90b018c9ded9ba1a4798671a2ac96b1e726a634aa
Instruction ID: 9bf54883ffa28470c645183f4784cab73fae24ca74185bf625cc0ba1f9f9fcaf
Opcode Fuzzy Hash: a615791aaa3c475e198aeda90b018c9ded9ba1a4798671a2ac96b1e726a634aa
Instruction Fuzzy Hash: 6311AFB1600114ABCB259BA9EC99EEEBFBCEF55750B144118F909E6150D730DE41CBA0

Function 001B562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 001B5666

Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,75A901C0,?,001B5A4F,.bss,00000000), ref: 001B33C8
Part of subcall function 001B33BF: lstrlenA.KERNEL32(?,?,001B5A4F,.bss,00000000), ref: 001B33D5
Part of subcall function 001B33BF: lstrcpyA.KERNEL32(00000000,?,?,001B5A4F,.bss,00000000), ref: 001B33E8

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 001B56B6
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 001B5726

Strings

`, xrefs: 001B5650
warzone160, xrefs: 001B5688

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzone160
API String ID: 3973575906-811885577
Opcode ID: 132851181918c62d72acae7957a527ef8f76629b169ecdd9a8bad031ac01318a
Instruction ID: 0c0a343de3e21a247b3e942db5e0be44b09b1af60261ace5149856b31fc716ee
Opcode Fuzzy Hash: 132851181918c62d72acae7957a527ef8f76629b169ecdd9a8bad031ac01318a
Instruction Fuzzy Hash: 64516071900118ABCB15FB64DC96DEEBB79EF64350F500229F415A7191EF309B58CBA1

Function 001B2CEC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BF80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 001BF825
Part of subcall function 001BF80E: CoInitialize.OLE32(00000000), ref: 001BF82C
Part of subcall function 001BF80E: CoCreateInstance.OLE32(001C4490,00000000,00000017,001C6E60,?,?,?,?,?,?,?,?,?,001B2D0C), ref: 001BF84A

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001B2D1B

Part of subcall function 001C1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E4E
Part of subcall function 001C1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E61
Part of subcall function 001C1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,001C349D), ref: 001C1E72
Part of subcall function 001C1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,001C349D), ref: 001C1E7F

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001BFA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 001BFA30

Part of subcall function 001BFC7E: GetComputerNameW.KERNEL32(001B2D7F,00000010), ref: 001BFCA1

Part of subcall function 001BFC58: GetCurrentProcess.KERNEL32(?,?,001B2D84,?,001C4648,?,?,00000000,?,?,?), ref: 001BFC5C

Part of subcall function 001BFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,001C3589,?), ref: 001BFC0E
Part of subcall function 001BFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,001C3589,?), ref: 001BFC15
Part of subcall function 001BFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,001C3589,?), ref: 001BFC33
Part of subcall function 001BFBFC: CloseHandle.KERNEL32(00000000), ref: 001BFC48

Part of subcall function 001BFA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 001BFA5A
Part of subcall function 001BFA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001BFA6A

Part of subcall function 001BFCB8: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 001BFCFC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 001B2DDF
lstrcatW.KERNEL32(?,\Microsoft Vision\,?,?), ref: 001B2DF1
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 001B2DFF

Part of subcall function 001B990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9916
Part of subcall function 001B990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B992D
Part of subcall function 001B990A: EnterCriticalSection.KERNEL32(002FDB10,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9939
Part of subcall function 001B990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9949
Part of subcall function 001B990A: LeaveCriticalSection.KERNEL32(002FDB10,?,00000000), ref: 001B999C

Strings

\Microsoft Vision\, xrefs: 001B2DE5

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: \Microsoft Vision\
API String ID: 1987359387-1618823865
Opcode ID: 3a0fe76a63bf86a9788744a07528ca2d3c8241d00729147841dafa9fd78bf274
Instruction ID: 1250311fafd3e1d2b477282073d75151dbc71e5473e2aab54c27c68b38fb9a52
Opcode Fuzzy Hash: 3a0fe76a63bf86a9788744a07528ca2d3c8241d00729147841dafa9fd78bf274
Instruction Fuzzy Hash: 10317EB1A002187BCB14FBA4DC5AEEEBB7DAF65300F004468F505A3182DB709B858BA1

Function 001C0B2A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C0969: lstrcmpA.KERNEL32(?,001C1BD0,?,open,001C1BD0), ref: 001C09A2

MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 001C0B70

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001C0BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 001C0C14

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

Bla2, xrefs: 001C0B67, 001C0B6D, 001C0B6E
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 001C0B7E
C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 001C0BAE
VirtualQuery, xrefs: 001C0B37

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 1196126833-2308542105
Opcode ID: b691b3a7563da29e2efb8e9cfd20d3028a5071a7290e56b5b40445f611256fb0
Instruction ID: 6fe6d69b1bf399199ba8ff2cef8b876c904eccc126bab82ed53a3d6aef7361c6
Opcode Fuzzy Hash: b691b3a7563da29e2efb8e9cfd20d3028a5071a7290e56b5b40445f611256fb0
Instruction Fuzzy Hash: 7D110A75A00218EADB09EBA4DD56EEFBB6D9E68714B10005EF406B2185DB30DF04CA62

Function 001C1936 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000), ref: 001C1974
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1988
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C1996
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,001C1AB4,?,?,?,001B57B9,?,00000000,00000000), ref: 001C19A4

Strings

\System32\cmd.exe, xrefs: 001C199E

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: 12330899815f3f3b06d1b036b3f2d5e8b3e13a430d2a62ba69d2c7813ea06a73
Instruction ID: 4e8f1ebb561ef655f27f9623f0691fd82f81e6b89c078ce17bae9c4e24bd08b9
Opcode Fuzzy Hash: 12330899815f3f3b06d1b036b3f2d5e8b3e13a430d2a62ba69d2c7813ea06a73
Instruction Fuzzy Hash: EE0147713843507BE22057749C06FAB3BACCB96B41F000024F745FA1C0CAE5EC8087D8

Function 001BCE83 Relevance: 8.8, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCE9A
LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCEA5
LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCEB0
LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCEBB
LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCEC6
LocalFree.KERNEL32(?,00000000,00000000,001BCAF5), ref: 001BCED1
LocalFree.KERNEL32(00000000,00000000,00000000,001BCAF5), ref: 001BCED4

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: f994c237020b9231fdf1afd46e125bb3c126d376793ca72610aa8a4ffb45fba7
Instruction ID: 8675af457f183b84c00c41515d798739088c23878ef02145517aafa350ab80b5
Opcode Fuzzy Hash: f994c237020b9231fdf1afd46e125bb3c126d376793ca72610aa8a4ffb45fba7
Instruction Fuzzy Hash: 5DF09231010B14DBD7366B2ADC48BA7BAE1BF80306F060839D582619B087B5E8D6EB90

Function 001B9D9A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 001B9DB5
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,001C97B0,?), ref: 001B9DDC
PathRemoveFileSpecA.SHLWAPI(001C97B0), ref: 001B9DE7

Strings

software\Aerofox\FoxmailPreview, xrefs: 001B9DAB
Executable, xrefs: 001B9DD4

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: ea23586c42bc9466626abf32d2d4528bde51a32ee182670d774fccded8a8660f
Instruction ID: b3e8c08402447e377c8277cc9978ab2ab2e661328799041bc89a625a294baef6
Opcode Fuzzy Hash: ea23586c42bc9466626abf32d2d4528bde51a32ee182670d774fccded8a8660f
Instruction Fuzzy Hash: 2EF03075684304BFEB209B96DD8BFDA7FBCEB55B44F110058FA01F6180E3B0E9829524

Function 001BEF4F Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 3a94f423a485f7c71fce4ce3d1aefdc3873cd775f017892f2d4632ba4e9fca44
Instruction ID: 598855a38f86fc23828918ff6c29b090eaa97c0821b157d2d36533f97b509de4
Opcode Fuzzy Hash: 3a94f423a485f7c71fce4ce3d1aefdc3873cd775f017892f2d4632ba4e9fca44
Instruction Fuzzy Hash: 3A61D471904218EFDB10DFA4CC45BEEBBF9BF19300F058069F504AB282D7B5A946CBA1

Function 001BEE9A Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 001BEEB4
gethostbyname.WS2_32(?), ref: 001BEEBD
htons.WS2_32(?), ref: 001BEEE1
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 001BEF12
connect.WS2_32(00000000,?,00000010), ref: 001BEF2B

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: fae27d4ef009ee90f3ddcf932993ae009569478f85777fcd6aeaa124431017b8
Instruction ID: 4c57cd9ef79b7cca68c2da06c258326286e10ec4aa77ebe01dbad9d89329788e
Opcode Fuzzy Hash: fae27d4ef009ee90f3ddcf932993ae009569478f85777fcd6aeaa124431017b8
Instruction Fuzzy Hash: 0111D0B29042A8BBE71097A4AC5EFFB7BACEF05320F014466F905C71D1D7B0C98487A0

Function 001B990A Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9916
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B992D
EnterCriticalSection.KERNEL32(002FDB10,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9939
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,001B2E0D,?,00000001,?,?), ref: 001B9949
LeaveCriticalSection.KERNEL32(002FDB10,?,00000000), ref: 001B999C

Part of subcall function 001B1F4B: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001B1F60

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID:
API String ID: 2964645253-0
Opcode ID: 49bf042c1f30794ab453e8f813b9bbf76b1b9a61e8f832624e4a1a487c7e18db
Instruction ID: f533db58adcb2a19ec0b35defd61a5e1eca1362625f1cfbd876203b530a8c8a8
Opcode Fuzzy Hash: 49bf042c1f30794ab453e8f813b9bbf76b1b9a61e8f832624e4a1a487c7e18db
Instruction Fuzzy Hash: 0A01B531904208ABDB10AF61EC5DFEF7F7EE751364F424029F60557241DB759485CB90

Function 001C0C79 Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001C0C97
Process32FirstW.KERNEL32(00000000,0000022C), ref: 001C0CAC
Process32NextW.KERNEL32(00000000,0000022C), ref: 001C0CC4
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001C0CCF
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001C0CE0

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 5f9a0a1215a78c69dc7f6d332399f6c07c253693eb87bc095f9a8b34f6299567
Instruction ID: 656dcc65cb027aaa6e12f54173d8d14421c287d45f575ee43945ff1889fbad5d
Opcode Fuzzy Hash: 5f9a0a1215a78c69dc7f6d332399f6c07c253693eb87bc095f9a8b34f6299567
Instruction Fuzzy Hash: ED01D131200214EBD7216BB5EC4DF7E7ABCAB68765F1041A9F54592190E774CC818B15

Function 001BB9A9 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,001BB132), ref: 001BB9BA
FreeLibrary.KERNEL32(?,?,00000000,001BB132), ref: 001BB9CA
FreeLibrary.KERNEL32(?,?,00000000,001BB132), ref: 001BB9D8
FreeLibrary.KERNEL32(?,?,00000000,001BB132), ref: 001BB9E6
FreeLibrary.KERNEL32(?,?,00000000,001BB132), ref: 001BB9F4

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 54bd3c257dd10fde81ee8071521d1816fbbf7d81f2f102b4af81df01603ee36f
Instruction ID: a82c04241ec5a0feea9c60a464ac9dab2308fb971d958f12dfc0ae9b6ae119d7
Opcode Fuzzy Hash: 54bd3c257dd10fde81ee8071521d1816fbbf7d81f2f102b4af81df01603ee36f
Instruction Fuzzy Hash: B2F01EB1B00B26BEC7485F768C80B86FE2AFF09260F00422BA12C42221CB716474DFD2

Function 001BB627 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,001BABDF), ref: 001BB638
FreeLibrary.KERNEL32(?,?,?,00000000,001BABDF), ref: 001BB648
FreeLibrary.KERNEL32(?,?,?,00000000,001BABDF), ref: 001BB656
FreeLibrary.KERNEL32(?,?,?,00000000,001BABDF), ref: 001BB664
FreeLibrary.KERNEL32(?,?,?,00000000,001BABDF), ref: 001BB672

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 54bd3c257dd10fde81ee8071521d1816fbbf7d81f2f102b4af81df01603ee36f
Instruction ID: a82c04241ec5a0feea9c60a464ac9dab2308fb971d958f12dfc0ae9b6ae119d7
Opcode Fuzzy Hash: 54bd3c257dd10fde81ee8071521d1816fbbf7d81f2f102b4af81df01603ee36f
Instruction Fuzzy Hash: B2F01EB1B00B26BEC7485F768C80B86FE2AFF09260F00422BA12C42221CB716474DFD2

Function 001BB203 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 001BB559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,001BB229), ref: 001BB561

FreeLibrary.KERNEL32(?), ref: 001BB506

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3248: lstrcmpW.KERNEL32(?,?), ref: 001B3252

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Strings

8, xrefs: 001BB4C9
4, xrefs: 001BB4CE
Internet Explorer, xrefs: 001BB2B4, 001BB3CF

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
String ID: 4$8$Internet Explorer
API String ID: 708496175-747916358
Opcode ID: 270e2092ca54d571489e5e76f55a7c9e6e3dfc753f72e17e1076e346e501acb2
Instruction ID: c7aed32745368064cda4fa08cc83f232ffa05126fa5a57fbdf8e2c3e047f3c59
Opcode Fuzzy Hash: 270e2092ca54d571489e5e76f55a7c9e6e3dfc753f72e17e1076e346e501acb2
Instruction Fuzzy Hash: B0A13871D00219ABCF15EFA5C895EEEBB79FF64300F14402AF415B7252EB70AA55CBA0

Function 001C3251 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 001C327D
lstrcatW.KERNEL32(?,send.db), ref: 001C328F

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,001C1E0A,00000000,00000000,00000000,.bss,00000000), ref: 001B345C

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

5, xrefs: 001C32C4
send.db, xrefs: 001C3283

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: c8a68d2ed75fd3d265a2b0a0e317a4239388f39e0c56eb6d9b7412190916ba87
Instruction ID: 50def3b8fc5c26df2eb38dc31fc2cbcb4cef1a52da3bf8180ace5559fde8d433
Opcode Fuzzy Hash: c8a68d2ed75fd3d265a2b0a0e317a4239388f39e0c56eb6d9b7412190916ba87
Instruction Fuzzy Hash: B7013972940118ABCB10EB64DC46FEEBBBCAF60304F408065F515A2181EB749B96CBE0

Function 001C36E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 001C3710
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 001C3722

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Strings

;, xrefs: 001C373D
\Microsoft Vision\, xrefs: 001C3716

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 71a732204add4851f5b91ba7eec24935f17d8766db1eff28c3c9a122636f1a73
Instruction ID: e1f5ad8b456c4972e4c245bd69ae4e8a6354ace162c2fa1a2966cb285f02bd27
Opcode Fuzzy Hash: 71a732204add4851f5b91ba7eec24935f17d8766db1eff28c3c9a122636f1a73
Instruction Fuzzy Hash: 69011BB1C0011DBBCB10EBA0ED5AEDFBBB8AF24304F104155F515A2181EB34AB94DBD0

Function 001BF4CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001BF4E6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001BF4F6

Strings

RtlGetVersion, xrefs: 001BF4F0
ntdll.dll, xrefs: 001BF4D7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: e7ee3e731e56992f805dcdffaf8a8b41644068d7e66674ba2f3918f895db0f98
Instruction ID: 315a8e998bd263e19a8f393f8203719cf9936bc4efd9563733b018189faf4341
Opcode Fuzzy Hash: e7ee3e731e56992f805dcdffaf8a8b41644068d7e66674ba2f3918f895db0f98
Instruction Fuzzy Hash: A0E0D83478020C16CB346FB66C0BBE77AA81B12705F440178D182E1080DB74DA43CAE1

Function 001BF51D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001BF535
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 001BF545

Strings

RtlGetVersion, xrefs: 001BF53F
ntdll.dll, xrefs: 001BF526

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: e67f5d243388ed830dab8cad7b9cbfab26c1d3cf3192696c5e149e0ae4c1af0d
Instruction ID: bdf31bc0b81490907bee0866b6c026a2d2c8bdf308d5b0adda95603fb335a189
Opcode Fuzzy Hash: e67f5d243388ed830dab8cad7b9cbfab26c1d3cf3192696c5e149e0ae4c1af0d
Instruction Fuzzy Hash: ACE0123074021C5BCB34AFB1AC0BFD67BB85B21705F0041A8F246E1080DB74D9868E91

Function 001C0C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,001BFC6D,?,?,001B2D84,?,001C4648,?,?,00000000,?), ref: 001C0C4B
GetProcAddress.KERNEL32(00000000), ref: 001C0C52

Strings

IsWow64Process, xrefs: 001C0C3F
kernel32, xrefs: 001C0C44

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 5358a89e7d0cbaf51a2affb5053dad78b9df509c7f91a2b7fd8b7a375e970197
Instruction ID: c7c60d52c8362aaf4a56e116faf6f73fa1e898a435ff0c484783e0efeb2baaa4
Opcode Fuzzy Hash: 5358a89e7d0cbaf51a2affb5053dad78b9df509c7f91a2b7fd8b7a375e970197
Instruction Fuzzy Hash: 72E08C3A540204FBDB20DBE1DC0AF8E7BACEB18351B100048B001A2240DBB4EE00C764

Function 001BD17D Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001BD18E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 001BD1DD

Part of subcall function 001B33F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,001B2A97,?,?,00000000,exit,00000000,start), ref: 001B341A

Part of subcall function 001B57FB: getaddrinfo.WS2_32(75A901C0,00000000,001B4EA0,00000000), ref: 001B5848
Part of subcall function 001B57FB: socket.WS2_32(00000002,00000001,00000000), ref: 001B585F
Part of subcall function 001B57FB: htons.WS2_32(00000000), ref: 001B5885
Part of subcall function 001B57FB: freeaddrinfo.WS2_32(00000000), ref: 001B5895
Part of subcall function 001B57FB: connect.WS2_32(?,?,00000010), ref: 001B58A1

LeaveCriticalSection.KERNEL32(?), ref: 001BD261
EnterCriticalSection.KERNEL32(?), ref: 001BD27E
LeaveCriticalSection.KERNEL32(?), ref: 001BD288

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: 3dd462edaef4cd618ec476e8f9fda21fe45456a0d3997f932df2e5d1b9c1df6e
Instruction ID: 41be1564ca4165c396f7fde97d4091a63787022194b0c3ab957bfe45162f8074
Opcode Fuzzy Hash: 3dd462edaef4cd618ec476e8f9fda21fe45456a0d3997f932df2e5d1b9c1df6e
Instruction Fuzzy Hash: 5C318471600606BBD709EBB4DC51FEAB7ACBF24350F514119F51992091FB70BA55CBA0

Function 001BF69F Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,001BDCAA), ref: 001BF6AA
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,001BDCAA), ref: 001BF6BE
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,001BDCAA), ref: 001BF6CA
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,001BDCAA), ref: 001BF70F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: c40163097c176048c828396be983db33ef4601c557c61c40fbd27fb2d20aba16
Instruction ID: 676944b7886fcc90756c363e0b303b6aa1f9aaad50e2bd88df0e065747f69dfe
Opcode Fuzzy Hash: c40163097c176048c828396be983db33ef4601c557c61c40fbd27fb2d20aba16
Instruction Fuzzy Hash: 1E01C4B5304A019FD3084F66EC84EA6BBB5FF48314708827DE425C37A0D770D896C7A0

Function 001BC9F2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 001BCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC73
Part of subcall function 001BCC54: LocalAlloc.KERNEL32(00000040,?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCC81
Part of subcall function 001BCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 001BCC97
Part of subcall function 001BCC54: LocalFree.KERNEL32(?,?,001BCBC6,?,00000000,?,00000000,?), ref: 001BCCA5

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 001BCA6C

Part of subcall function 001BCA78: GetLastError.KERNEL32 ref: 001BCADE

LocalFree.KERNEL32(?), ref: 001BCA65

Part of subcall function 001BCCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,001BCA5F,?), ref: 001BCCD1
Part of subcall function 001BCCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,001BCA5F,?), ref: 001BCCEA
Part of subcall function 001BCCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,001BCA5F,00000000,00000000,?,00000020,00000000,?,001BCA5F,?), ref: 001BCCFF

Strings

, xrefs: 001BCA4B
DPAPI, xrefs: 001BCA18

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 7024982ceb1fe2e2cc06d5ed2e1c9823fcfedb670d4248aff7a108b41fc02e99
Instruction ID: 154760d508f76f3d281a88b81c96846e28dc7e0f6b16433041daaf0f120811ea
Opcode Fuzzy Hash: 7024982ceb1fe2e2cc06d5ed2e1c9823fcfedb670d4248aff7a108b41fc02e99
Instruction Fuzzy Hash: 13015BB290010DBBCF20EBA1D956DDEBB78AB94705F058265F805A3144F730EB85DBD0

Function 001B47EA Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(?), ref: 001B47FF
GetTickCount.KERNEL32 ref: 001B4805
GetForegroundWindow.USER32 ref: 001B4819
GetWindowTextW.USER32(00000000,?,00000100), ref: 001B482C

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
String ID:
API String ID: 2567647128-0
Opcode ID: 45e11aebe5f07e4c4649e48d19c0352303f19012db282304a5aa38bc64686e43
Instruction ID: e53f27828ede0ddc8433da540b02a21cad508d2c4a9a573b373c3a05339b214f
Opcode Fuzzy Hash: 45e11aebe5f07e4c4649e48d19c0352303f19012db282304a5aa38bc64686e43
Instruction Fuzzy Hash: 8C111BB1D00208ABDB14EBA4ED5AADDBBB9EF68305F004155F412A6191EF74AB94CB60

Function 001BEA89 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BEA95
SetEvent.KERNEL32(00000000), ref: 001BEAA9
WaitForSingleObject.KERNEL32(001C956C,00001388), ref: 001BEAB6
TerminateThread.KERNEL32(001C956C,000000FE), ref: 001BEAC7

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: 16411559ce00ddcfd2eed6bd3277e235a0e6c67402f844a683f5f1863ed2a7e8
Instruction ID: a0ee62fab963ea03436adf1844a55816249ad0e512605650e756f055cd9438bc
Opcode Fuzzy Hash: 16411559ce00ddcfd2eed6bd3277e235a0e6c67402f844a683f5f1863ed2a7e8
Instruction Fuzzy Hash: 740131310046019BD734AF20E959EE9BBF6BF60321F544A29E092528E1CBB4A998CB51

Function 001BFCB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 001BFCFC

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,001C3589,?,?,?,001C15B2,?,?,80000001), ref: 001C0FE6
Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,001C15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 001C100A

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 001BFCDE
MachineGuid, xrefs: 001BFD17

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1903904756-1211650757
Opcode ID: eb571b4be33b309b36a7e4c71a2d6085febc93d9e21445788321f693161044ef
Instruction ID: 132a7c08d333725ab7db002b9676361d64c0260f29da2686aa43948b6fb51178
Opcode Fuzzy Hash: eb571b4be33b309b36a7e4c71a2d6085febc93d9e21445788321f693161044ef
Instruction Fuzzy Hash: 7F113A70A00119ABCB25EBA4CD92DEEB779AF74700B10056EF102A3191EBB09F45CB91

Function 001BDE1F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,002FE020,?,?,001BE451,?,?), ref: 001BDE51

Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,001C3589,?,?,?,001C15B2,?,?,80000001), ref: 001C0FE6
Part of subcall function 001C0FC3: RegQueryValueExW.ADVAPI32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,001C15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 001C100A

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 001BDE2C
ServiceDll, xrefs: 001BDE5F

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1903904756-387424650
Opcode ID: 919e9079237d1f3c3000b2b7ec30753ef1d2aa8d39720da9f54d1351b63580b0
Instruction ID: ed6a1c09c5f4de7da73de938b6198c85aae901ada92180d1ce8540a985018ec2
Opcode Fuzzy Hash: 919e9079237d1f3c3000b2b7ec30753ef1d2aa8d39720da9f54d1351b63580b0
Instruction Fuzzy Hash: 86118F31D00218ABCF25FBA0C956DEEB779AFB4700B100069F812B7281EB309F44CB50

Function 001BD9B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,00000000,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B35EE
Part of subcall function 001B35E5: lstrlenW.KERNEL32(001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3605
Part of subcall function 001B35E5: lstrcpyW.KERNEL32(?,001C1E02,?,001C1E02,00000000,00000000,.bss,00000000), ref: 001B3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 001BD9EA

Part of subcall function 001C1039: RegSetValueExW.KERNEL32(?,75A901C0,00000000,?,?,?,?,?,001C1432,00000000,00000000,?,00000001,?,?,?), ref: 001C1058

Part of subcall function 001B5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,001B5C2A,00000000,?,001C10EE,?,?,001C36B9), ref: 001B5EAD

Part of subcall function 001C0FAE: RegCloseKey.KERNEL32(?,?,001C112D,?,?,001C36B9), ref: 001C0FB8

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 001BD9C2
ServiceDll, xrefs: 001BDA03

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 2854241163-387424650
Opcode ID: f19bdf3e3af3281f7cc4df5d5ee0263085a34e33f4e849eb8c3d085cdf75309f
Instruction ID: 59803343d2616685a523addbd301a53ef3d054e2a2683db022bb0b152b64d46d
Opcode Fuzzy Hash: f19bdf3e3af3281f7cc4df5d5ee0263085a34e33f4e849eb8c3d085cdf75309f
Instruction Fuzzy Hash: BA112171D00218ABCB24EBA1CC96DEFBB79EFA4700F404459F51273181EB709B55CA60

Function 001C2FD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1085: GetProcessHeap.KERNEL32(00000000,?,001C1E36,00400000,?,?,00000000,?,?,001C349D), ref: 001B108B
Part of subcall function 001B1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,001C349D), ref: 001B1092

GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,75A901C0,00000000,001C3628), ref: 001C3008
WinExec.KERNEL32(00000000,00000000), ref: 001C304E

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 001C300E, 001C3013, 001C301A

Memory Dump Source

Source File: 00000000.00000002.1685145058.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1685127008.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685168541.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000001C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685189189.00000000002FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685257455.00000000002FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_OhWWbQcp7Q.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: d8fded5037ebc35c6bac7bd84428ee8c70e430f394cccc216c3f1fed7c139f24
Instruction ID: b52bb73dbdf3b2d6a1dd86690fb61221b67c548657f22b6a1247eaebd9dba9fa
Opcode Fuzzy Hash: d8fded5037ebc35c6bac7bd84428ee8c70e430f394cccc216c3f1fed7c139f24
Instruction Fuzzy Hash: 4DF096F154025076E12032756CDBFFF5A9CDFB9751F850025F604A21C2EB68DD8041B5

Analysis Process: images.exePID: 3760, Parent PID: 6892COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 00683435 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00683467
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00683483

Part of subcall function 00681E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0068349D), ref: 00681E4E
Part of subcall function 00681E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0068349D), ref: 00681E61
Part of subcall function 00681E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0068349D), ref: 00681E72
Part of subcall function 00681E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,0068349D), ref: 00681E7F

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006834EA
GetLastError.KERNEL32 ref: 006834F5
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0068352F
RegSetValueExA.KERNELBASE(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 0068354E
RegSetValueExA.KERNELBASE(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00683563
RegCloseKey.ADVAPI32(?), ref: 00683569
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 006835C5
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 006835D8
CreateDirectoryW.KERNEL32(?,00000000), ref: 006835E7

Part of subcall function 00681A3C: GetModuleFileNameW.KERNEL32(00000000,007BCBF0,00000208,00000000,00000000,?,?,?,006757B9,?,00000000,00000000), ref: 00681A58
Part of subcall function 00681A3C: IsUserAnAdmin.SHELL32 ref: 00681A5E
Part of subcall function 00681A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A87
Part of subcall function 00681A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00681A91
Part of subcall function 00681A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00681A9B
Part of subcall function 00681A3C: LockResource.KERNEL32(00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00681AA2

Part of subcall function 00681136: CopyFileW.KERNEL32(?,?,00000000,?,00684684,?,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 006811D7

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 00680BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 00680C14

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

\Microsoft Vision\, xrefs: 006835CB
MaxConnectionsPerServer, xrefs: 0068355A
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00683525
MaxConnectionsPer1_0Server, xrefs: 00683545

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: File$Create$Resource$CloseHeapModuleNameProcessValue$AdminAllocateCopyCountDirectoryErrorEventFindFolderFreeHandleLastLoadLockPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3138263686-2552559493
Opcode ID: 993e751b20e3b1b484fe8cf0c5a83d34ac68b0d813393d05e5465a35326e71d3
Instruction ID: 5e333993202e9015787062d41c1d84f0a11e6f74f974a1ffedceace18d9e1369
Opcode Fuzzy Hash: 993e751b20e3b1b484fe8cf0c5a83d34ac68b0d813393d05e5465a35326e71d3
Instruction Fuzzy Hash: FE6182B1408345AFD760FF60CC85EAF77EEEB94704F004A2EF68592251EE709A45CB56

Function 0067E703 Relevance: 25.6, APIs: 1, Strings: 16, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(007BE020), ref: 0067E710

Part of subcall function 00675F53: GetProcessHeap.KERNEL32(00000000,000000F4,00680477,?,75A901C0,00000000,00675A34), ref: 00675F56
Part of subcall function 00675F53: HeapAlloc.KERNEL32(00000000), ref: 00675F5D

Part of subcall function 006731D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00673207

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

\rfxvmt.dll, xrefs: 0067E843
\sqlmap.dll, xrefs: 0067E872, 0067E879, 0067E87F
H{, xrefs: 0067E76E
\{, xrefs: 0067E859
X{, xrefs: 0067E7F0
%ProgramW6432%, xrefs: 0067E7DA
T{, xrefs: 0067E78E
X{, xrefs: 0067E819
`{, xrefs: 0067E848
\rdpwrap.ini, xrefs: 0067E866
\Microsoft DN1, xrefs: 0067E82E, 0067E835, 0067E83B
{, xrefs: 0067E889
%ProgramFiles%, xrefs: 0067E789, 0067E793, 0067E805
`{, xrefs: 0067E7B3
TermService, xrefs: 0067E773
%windir%\System32, xrefs: 0067E79B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: {$%ProgramFiles%$%ProgramW6432%$%windir%\System32$H{$TermService$T{$X{$X{$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll$\{$`{$`{
API String ID: 2811233055-3134099439
Opcode ID: c228859bcef0a2efd79ba89c3266576537e26cdda7692298cabdb7c20233c6e9
Instruction ID: 97a2dea34a4f404f1c904837e8e040651a92440814d1d5c00a66c76deb40c9d5
Opcode Fuzzy Hash: c228859bcef0a2efd79ba89c3266576537e26cdda7692298cabdb7c20233c6e9
Instruction Fuzzy Hash: 55312870B002606B9759BF24CC52AED37ABABD5700B20C13EB00B97392DEE84F45D758

Function 0068290F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0068291E
CoCreateInstance.OLE32(006845E0,00000000,00000001,006873F0,?,?,?,?,00682F37,?,?,?,0068227B), ref: 0068293E
VariantInit.OLEAUT32(?), ref: 0068299A
CoUninitialize.OLE32(?,?,?,00682F37,?,?,?,0068227B), ref: 00682A60

Strings

FriendlyName, xrefs: 006829BF
{"h, xrefs: 00682A29, 00682977, 0068298A, 00682A2F
Description, xrefs: 006829A8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName${"h
API String ID: 4142528535-2338741783
Opcode ID: 6fc26f7586fa9348a3aec4195d204468b97e8151536a7221b6bd2b70735fb4cc
Instruction ID: e85b3754b2350e4e8c9ecfcf38b8e6ffc2e692bdae2e121a4479fc25419b3a22
Opcode Fuzzy Hash: 6fc26f7586fa9348a3aec4195d204468b97e8151536a7221b6bd2b70735fb4cc
Instruction Fuzzy Hash: 29413374A00206AFCF24DFA6C894DEEBBBAFF84704B14455DE446E7250DB70D941CB60

Function 006799A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(007BDB10,?,00671221), ref: 006799D3
LoadLibraryW.KERNEL32(User32.dll,?,00671221), ref: 006799FE

Part of subcall function 00680969: lstrcmpA.KERNEL32(?,00681BD0,?,open,00681BD0), ref: 006809A2

Strings

GetRawInputData, xrefs: 00679A06
ToUnicode, xrefs: 00679A13
MapVirtualKeyA, xrefs: 00679A24
User32.dll, xrefs: 006799EC

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: 6ffccb119de9ddfde7e3ddc7e6b24e00e27a4de5c08df5c874199e96b7b46c9c
Instruction ID: 668e8c27948db60d280eaba80d4a69f08fba62e0156cea557c99dc2fee49ae9d
Opcode Fuzzy Hash: 6ffccb119de9ddfde7e3ddc7e6b24e00e27a4de5c08df5c874199e96b7b46c9c
Instruction Fuzzy Hash: CC0162F5A512119B87A8BF647855B4B3E979788B10B12C32FF1049B351FF780C418B8D

Function 006757FB Relevance: 9.1, APIs: 6, Instructions: 75
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00673125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,006735C4,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 00673151

Part of subcall function 0068026F: WaitForSingleObject.KERNEL32(?,000000FF,00675824,75A901C0,?,?,00000000,00674EA0,?,?,?,?,?,00000000,75A901C0), ref: 00680273

getaddrinfo.WS2_32(75A901C0,00000000,00674EA0,00000000), ref: 00675848
socket.WS2_32(00000002,00000001,00000000), ref: 0067585F
htons.WS2_32(00000000), ref: 00675885
freeaddrinfo.WS2_32(00000000), ref: 00675895
connect.WS2_32(?,?,00000010), ref: 006758A1
ReleaseMutex.KERNEL32(?), ref: 006758CB

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: ec0612024910ac190550a760fa97d01c5f746e5bc1c1e260151352f807904189
Instruction ID: d45e76c75c66c781f2b06bb723db83f6374f4d22889a137deaa2ddb215863974
Opcode Fuzzy Hash: ec0612024910ac190550a760fa97d01c5f746e5bc1c1e260151352f807904189
Instruction Fuzzy Hash: C6217F71A00205EBDF10DF61D889BDABBBAFF44321F108166F91ADF291DB719A45CB50

Function 0067562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00675666

Part of subcall function 006733BF: lstrlenA.KERNEL32(?,75A901C0,?,00675A4F,h\Hh,00000000), ref: 006733C8
Part of subcall function 006733BF: lstrlenA.KERNEL32(?,?,00675A4F,h\Hh,00000000), ref: 006733D5
Part of subcall function 006733BF: lstrcpyA.KERNEL32(00000000,?,?,00675A4F,h\Hh,00000000), ref: 006733E8

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 006756B6
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00675726

Strings

`, xrefs: 00675650
warzone160, xrefs: 00675688

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzone160
API String ID: 3973575906-811885577
Opcode ID: 60d9d4a7493b3b8e5199933bfd072d0197fff23060ad919a28a1ab66e89a2968
Instruction ID: 435f68ebe4f68b990e0544eaadd3aa3eeda69bd2aee547d72824375e874f6735
Opcode Fuzzy Hash: 60d9d4a7493b3b8e5199933bfd072d0197fff23060ad919a28a1ab66e89a2968
Instruction Fuzzy Hash: 4C519371900129ABCB55EB60CC96CEEBB3AEF54350F10826DF41AA6291EB745B44CBA4

Function 00675CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00675CE9
GetStartupInfoA.KERNEL32(?), ref: 00675D38
GetModuleHandleA.KERNEL32(00000000), ref: 00675D54
ExitProcess.KERNEL32 ref: 00675D69

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 4056415e70e3f1d02d3a44d7068e80bab96bc3d1c97f7b549bfe073688ed10e6
Instruction ID: 0ad47459b695d10ac936db2051bf90f22b090b2c7db03c0c4b563eebc6fe291c
Opcode Fuzzy Hash: 4056415e70e3f1d02d3a44d7068e80bab96bc3d1c97f7b549bfe073688ed10e6
Instruction Fuzzy Hash: 1D01D228014A456EDB346F74A88E6F93BA79F16304FA4A1CCE4CF87313DA920C47876D

Function 00681E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0068349D), ref: 00681E4E
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0068349D), ref: 00681E61
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0068349D), ref: 00681E72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,0068349D), ref: 00681E7F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: b6d607bdc19ba441b55ea85abfb4a0f708f0e502c4d737d4b2bb6df0d56aebbb
Instruction ID: 9f4910534440c9cab21da045320b0cc44329273c8c298bb1a6a0c259c947e0ab
Opcode Fuzzy Hash: b6d607bdc19ba441b55ea85abfb4a0f708f0e502c4d737d4b2bb6df0d56aebbb
Instruction Fuzzy Hash: 7AF062B2A11211BFF3205B65AC4DFBB77ADEB55725F200225F951E61C0EBB05D0187A4

Function 0067FBFC Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,00683589,?), ref: 0067FC0E
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00683589,?), ref: 0067FC15
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00683589,?), ref: 0067FC33
CloseHandle.KERNEL32(00000000), ref: 0067FC48

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 028e3c1754d9f4198a3eb8ab6dd310c010c88101730d11301be63a74d54d43f1
Instruction ID: 137f8fb46a5db1ad0f76b64c73488548d87424f320e3e41988890b20d45ab8b4
Opcode Fuzzy Hash: 028e3c1754d9f4198a3eb8ab6dd310c010c88101730d11301be63a74d54d43f1
Instruction Fuzzy Hash: D1F0E772900219FBDB159BA09D09ADEBBB9EF04741F114165AA01A6190DB709E44EB90

Function 00675A10 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4,00000000,75A901C0,00000000), ref: 00675A26

Part of subcall function 006733BF: lstrlenA.KERNEL32(?,75A901C0,?,00675A4F,h\Hh,00000000), ref: 006733C8
Part of subcall function 006733BF: lstrlenA.KERNEL32(?,?,00675A4F,h\Hh,00000000), ref: 006733D5
Part of subcall function 006733BF: lstrcpyA.KERNEL32(00000000,?,?,00675A4F,h\Hh,00000000), ref: 006733E8

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Strings

x5h, xrefs: 00675AB5, 00675AD5, 00675AE9, 00675B09, 00675B1D, 00675B3D, 00675B56, 00675B59, 00675B98, 00675BA4, 00675B9B
h\Hh, xrefs: 00675A42

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeSleepVirtual
String ID: h\Hh$x5h
API String ID: 277671435-1559918964
Opcode ID: 746b917fbcce9ab6bfc760e438f6f9b9a26ac70e45192a1b343a4f85603f2879
Instruction ID: 0ae5b65988b4a188b37ffcde53162d394e4f58b1b8afbd4ef86c443bcf0edd9e
Opcode Fuzzy Hash: 746b917fbcce9ab6bfc760e438f6f9b9a26ac70e45192a1b343a4f85603f2879
Instruction Fuzzy Hash: EB517575900559EFCB54EFA0C8D1CEEB7B6BF44304B1045AEE41AAB246EF30AB05CB94

Function 00680FC3 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,00683589,?,?,?,006815B2,?,?,80000001), ref: 00680FE6

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,006815B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0068100A

Part of subcall function 00671099: GetProcessHeap.KERNEL32(00000000,00000000,00681E18,00000000,00000000,00000000,00000000,h\Hh,00000000), ref: 0067109F
Part of subcall function 00671099: HeapFree.KERNEL32(00000000), ref: 006710A6

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateFree
String ID:
API String ID: 3459632794-0
Opcode ID: 8937a24454dddab825bad43730ae2b2d43f6dc26d26af36f33c4e104c0bbcf50
Instruction ID: 53e4e62150a88400cefd60766d7470a88ccfb85f5bfb5eda7e5aba9568241c86
Opcode Fuzzy Hash: 8937a24454dddab825bad43730ae2b2d43f6dc26d26af36f33c4e104c0bbcf50
Instruction Fuzzy Hash: C9019272500119BF9B15EBA0DC45EEF7B7EEF49350F10026AF505DA210EB31AE419B64

Function 00673554 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00673261: lstrlenW.KERNEL32(75A901C0,00673646,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673268

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00674E98,?), ref: 00673581

Part of subcall function 00675EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00673652,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00675EBE

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 006735AC

Part of subcall function 006733BF: lstrlenA.KERNEL32(?,75A901C0,?,00675A4F,h\Hh,00000000), ref: 006733C8
Part of subcall function 006733BF: lstrlenA.KERNEL32(?,?,00675A4F,h\Hh,00000000), ref: 006733D5
Part of subcall function 006733BF: lstrcpyA.KERNEL32(00000000,?,?,00675A4F,h\Hh,00000000), ref: 006733E8

Part of subcall function 00673125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,006735C4,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 00673151

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: a6d494fe29affa3c44c459d503afbfa72745badba59b37971a22547db2aabd67
Instruction ID: 57511ad59a064dd65eb29c7aa8398837061f52ab1e5b39c579504d1d8f33c430
Opcode Fuzzy Hash: a6d494fe29affa3c44c459d503afbfa72745badba59b37971a22547db2aabd67
Instruction Fuzzy Hash: 85017571701220BBDB55BBA4CC96FEE776F9F49750F104069B50AAB382CE706F0097A8

Function 0068106C Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(75A901C0,00000000,00000000,00683589,?,?,?,00683589,?,0068158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 006810BB

Part of subcall function 0067F731: RegOpenKeyExW.ADVAPI32(75A901C0,00000000,00000000,00020019,00000000,75A901C0,?,00681088,?,?,00683589,?,0068158B,80000001,?,000F003F), ref: 0067F747

RegCreateKeyExW.ADVAPI32(75A901C0,00000000,00000000,00000000,00000000,00683589,00000000,?,?,?,?,00683589,?,0068158B,80000001,?), ref: 006810A0

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: 8b72e5acf66d2c576aaa9169315a0b171a37ad19b7d536fffbebf666e6a52cb7
Instruction ID: f37b61b419f7c9805f4db0ef47644a5b9162dd57d4a72c463c09851b6b5656d8
Opcode Fuzzy Hash: 8b72e5acf66d2c576aaa9169315a0b171a37ad19b7d536fffbebf666e6a52cb7
Instruction Fuzzy Hash: A6011D7120014EBFAB11AF51EC80CBF7B6FEF45395710412AFD0596210EB319DA29BB1

Function 00681D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 00681D11
GetTickCount.KERNEL32 ref: 00681D17

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: 6740908d24ad6fe53ddf92b698473d866d5708eadbc607f0b758aabf5be8ec68
Instruction ID: 8558a20035afaf1e3c0087ed050c9b469400ca87e8c2fd7c20b177bebc543a53
Opcode Fuzzy Hash: 6740908d24ad6fe53ddf92b698473d866d5708eadbc607f0b758aabf5be8ec68
Instruction Fuzzy Hash: 83D0A9302481046BE30C9B09FC8E2213E4EE7E0B05F04902AB50EC90E0CDA055A04640

Function 00680283 Relevance: 3.0, APIs: 2, Instructions: 8synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,0067FEFD,x5h,00675BEC,x5h,00000000,00000000,00000000,00000000,?,?,?,?,00000000,h\Hh), ref: 00680288
CloseHandle.KERNEL32(?), ref: 00680290

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 86d22ced4ab80d1d23bdfd48f1becf0acda16719671137a4123cf9d5def9ed58
Instruction ID: 79c715b7bc0b4e77bb247292de0419af07d47cf5ebd2e9088ebb95360a21766a
Opcode Fuzzy Hash: 86d22ced4ab80d1d23bdfd48f1becf0acda16719671137a4123cf9d5def9ed58
Instruction Fuzzy Hash: 12B0923A005021EFEB252F54FC1C8A4BFA6FF08251315166AF1C1810389FB30C609B80

Function 00671085 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 55bff317a9b0d2edadf901ef595ee8c014a646e57a6e23f51e95aa7957d0f68c
Instruction ID: ade9255e09b8105a8c4b25ee4034172da3b4cc71f6200df17c156558e9265648
Opcode Fuzzy Hash: 55bff317a9b0d2edadf901ef595ee8c014a646e57a6e23f51e95aa7957d0f68c
Instruction Fuzzy Hash: DEB00275544201FBDF415BE09D4DF197B6AAB55703F015654F285C5060DE754490DB11

Function 00675EEE Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00673044,?,00675C22,00000000,?,006810EE,?,?,006836B9), ref: 00675EF1
RtlFreeHeap.NTDLL(00000000,?,?,006836B9), ref: 00675EF8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5b7f5a4ba72e4ef1f0f1b9ef8c4626640ef8b77f3051c407dd1b128081e1eb48
Instruction ID: 54e07874c8cf6366c727327cd514aa849919fcd241780fc60fab07f6d37175c1
Opcode Fuzzy Hash: 5b7f5a4ba72e4ef1f0f1b9ef8c4626640ef8b77f3051c407dd1b128081e1eb48
Instruction Fuzzy Hash: B6A00271594101BBDF4457E09D0DB16352D9755702F005644B246C6150DE6454408731

Function 00675EFF Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00672FA7,BZg,?,?,006803FD,BZg,00675D61,?,75A901C0,00000000,?,00675A42,00000000), ref: 00675F02
RtlAllocateHeap.NTDLL(00000000,?,006803FD,BZg,00675D61,?,75A901C0,00000000,?,00675A42,00000000), ref: 00675F09

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e4b175e804d684c533a78193318825dd40d3ce3ce4ec5011df33202acf70b072
Instruction ID: e6c8d19e370206e4e4c2f86bc4f4dbe0c152e87690cd6b35cef992ec43921e98
Opcode Fuzzy Hash: e4b175e804d684c533a78193318825dd40d3ce3ce4ec5011df33202acf70b072
Instruction Fuzzy Hash: 60A00271550101BBDF4457E49D4DF25361DA755702F015754B185C5050DD6554848721

Function 006731D4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00673207

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: 599fa2584a9ed9f64bbaa7c275f1395db47bbfabe287e2e8d9f69858fd543327
Instruction ID: 6ecebf80939bb8d2f55298c572c09d507f47dc0200010c72f853f01cb65f41f6
Opcode Fuzzy Hash: 599fa2584a9ed9f64bbaa7c275f1395db47bbfabe287e2e8d9f69858fd543327
Instruction Fuzzy Hash: 1CE048F674021967DB20A6259C06F9677ADDBC4718F044079B70CF61C0ED75DA46C7A8

Function 00673335 Relevance: 1.5, APIs: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00673261: lstrlenW.KERNEL32(75A901C0,00673646,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673268

lstrcatW.KERNEL32(00000000,75A901C0,?,?,00683589,?,00681515,00683589,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673365

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: ff5cdea8e8c1cadb4923dc9ee3514bc095c4dfb8aa5c95644729872ba9ccdead
Instruction ID: fda480a647962711c035f63a04becbb96ea8bae29f1e204c856bf9d363152a27
Opcode Fuzzy Hash: ff5cdea8e8c1cadb4923dc9ee3514bc095c4dfb8aa5c95644729872ba9ccdead
Instruction Fuzzy Hash: EEE048723042149BCB016BA9E88496D775FEF95360B044539F90997311FA717D1096D4

Function 006758D3 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00680298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0067FEDE,?,?,00680459,?,75A901C0,00000000,00675A34), ref: 006802A0

WSAStartup.WS2_32(00000002,?), ref: 006758FC

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: 6bed8149b3119ae3fe8b009a9dc7c122b41e60551e33aede808c71b75af53323
Instruction ID: 0972f72f0078d87ed7bac1be4facc11bbfcf7e2436a225aa591b28269be5a2d9
Opcode Fuzzy Hash: 6bed8149b3119ae3fe8b009a9dc7c122b41e60551e33aede808c71b75af53323
Instruction Fuzzy Hash: 0FE0C971501B109BD2B0AF2B9945897FBE9FF907207401B1FA4A782A61C7B0A5098B90

Function 0067FDA5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00673125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,006735C4,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 00673151

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0067FDC0

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: bb727c4015ef7b5b7eecd4140bf8a392f03278ef9c0c9b4500167c67e92772bc
Instruction ID: 102fb524441eae1e27deceb5ceb8af4ce6355ef20864321d765811ba7248dddd
Opcode Fuzzy Hash: bb727c4015ef7b5b7eecd4140bf8a392f03278ef9c0c9b4500167c67e92772bc
Instruction Fuzzy Hash: CFD05E722442057BD710EB91DD4AF96FF6AEB55760F008026F65986690DBB1A020D790

Function 00680298 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0067FEDE,?,?,00680459,?,75A901C0,00000000,00675A34), ref: 006802A0

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb917759b73c2e4d47b4698447dc3fff66618ac2b08ca21929f88f69d47496ee
Instruction ID: 5817af92009203bfec84cf3110054a9006afca300e4e14f65efeb8e4ea4a4ef7
Opcode Fuzzy Hash: bb917759b73c2e4d47b4698447dc3fff66618ac2b08ca21929f88f69d47496ee
Instruction Fuzzy Hash: 97D012B15045215FA3249F395C4896775DDEF98730315CF29B4A5C71D4E6308C408770

Function 0067F71F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,006811A6,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 0067F725

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: de261e011cd38330da53dafbd6ba3cf6946703a372b25fa9e5b8d2a6732781f7
Instruction ID: 611f3c841c699e12c8c1daf743f3b28a6bc127eebfc954d3a1206a23993bbed3
Opcode Fuzzy Hash: de261e011cd38330da53dafbd6ba3cf6946703a372b25fa9e5b8d2a6732781f7
Instruction Fuzzy Hash: F2B012303EC30267DB001B708C06F1035129742F07F200260B256C80E0CB5100005704

Function 00680969 Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,00681BD0,?,open,00681BD0), ref: 006809A2

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 03b1c92964b0f919e5ec83f6c7c4c6611f021f9cf899f5dd66f48c41d52f485b
Instruction ID: f892c72d4fa7e7ebbe07222fa688aa1d16272c49b8e5be5af19c95b549d3705a
Opcode Fuzzy Hash: 03b1c92964b0f919e5ec83f6c7c4c6611f021f9cf899f5dd66f48c41d52f485b
Instruction Fuzzy Hash: F7015E71A00525AFEB50EF99C8959AAB7B9FF453147000669E441C3702EB30ED99CBD0

Function 00674E5B Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00673554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00674E98,?), ref: 00673581
Part of subcall function 00673554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 006735AC

Part of subcall function 006757FB: getaddrinfo.WS2_32(75A901C0,00000000,00674EA0,00000000), ref: 00675848
Part of subcall function 006757FB: socket.WS2_32(00000002,00000001,00000000), ref: 0067585F
Part of subcall function 006757FB: htons.WS2_32(00000000), ref: 00675885
Part of subcall function 006757FB: freeaddrinfo.WS2_32(00000000), ref: 00675895
Part of subcall function 006757FB: connect.WS2_32(?,?,00000010), ref: 006758A1

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Sleep.KERNEL32(?,?,?,?,?,?,00000000,75A901C0,00000000), ref: 00674ECD

Part of subcall function 0067562F: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00675666
Part of subcall function 0067562F: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 006756B6
Part of subcall function 0067562F: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00675726

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
String ID:
API String ID: 3250391716-0
Opcode ID: 3e0c15b82373aaa4c5c2a944a3b08323770b2c300570e8069bd6e5cb3548edb7
Instruction ID: 2f2473d631d397d752c9f71fa2e825fd37b60a789d3c32743e4c2c49684aef32
Opcode Fuzzy Hash: 3e0c15b82373aaa4c5c2a944a3b08323770b2c300570e8069bd6e5cb3548edb7
Instruction Fuzzy Hash: FE01B571600A15ABDB54EB74C849BEEF77AFF40314F00425DE41E63181EBB06A55C7D4

Function 00675E22 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,006733E2,?,00675A4F,h\Hh,00000000), ref: 00675E30

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3f1fe339a96ad099adf4d25b171434d4dd9c788e84e4389388d578d283ecfd2
Instruction ID: f6b3fd5b298b96239016211a90411a769e482d8a50ebd269a6858e3d6736a2f9
Opcode Fuzzy Hash: f3f1fe339a96ad099adf4d25b171434d4dd9c788e84e4389388d578d283ecfd2
Instruction Fuzzy Hash: 25C0123234862037F164122A7C1AF5B8D5DCBC1F71F11005EF7058A2D0DCD10C0241E5

Function 00679FCE Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0f618e8a456516d6b939d5017a6e9e29492f9fdfcdf012fb902e48d801000b3e
Instruction ID: ca9286f41b55a495a41b1eda03f48b8c4f150e8650a92ddf284a2ed6c2144749
Opcode Fuzzy Hash: 0f618e8a456516d6b939d5017a6e9e29492f9fdfcdf012fb902e48d801000b3e
Instruction Fuzzy Hash: 60B0923038070167EF2CCB308CA5F6923227B80B06FA1968CB146DA1D08AA6E5018A04

Function 00675EB4 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00673652,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00675EBE

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4fef59b891257500b9fd9527b998fa9e39b098ce0a7ee451c719f36502888f24
Instruction ID: a25265e81ab05f287640157f9913abbec4c80006e67b3c0a9f86d2b430828c23
Opcode Fuzzy Hash: 4fef59b891257500b9fd9527b998fa9e39b098ce0a7ee451c719f36502888f24
Instruction Fuzzy Hash: F4A002B07D53017AFE695760AD1FF163D19A740F16F301244B30D6D0D069E125008629

Function 00675EA5 Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ab4e80c269bbac9083c1fb1a8a39c0eb024a6f73ff0ee61cf026aa71cb2b818d
Instruction ID: 6f572cffabd8a6527c90b41753f664258b7d177d214053d802415ff837534f40
Opcode Fuzzy Hash: ab4e80c269bbac9083c1fb1a8a39c0eb024a6f73ff0ee61cf026aa71cb2b818d
Instruction Fuzzy Hash: 31A002706D470176EE7457205D5AF0526156740B01F2157447241A80E04DA6B1448B58

Non-executed Functions

Function 0067A29A Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,75A8E9B0,74E2F860,00000000,?,0067A25E), ref: 0067A31C
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,75A8E9B0,74E2F860), ref: 0067A363
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0067A3A7
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 0067A3EB
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0067A42F
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 0067A473
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 0067A4E0
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0067A54D
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 0067A5BA

Part of subcall function 0067A632: GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,0067A5E6,00001000,?,00000000,00001000), ref: 0067A650
Part of subcall function 0067A632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0067A5E6), ref: 0067A686
Part of subcall function 0067A632: lstrcpyW.KERNEL32(?,Could not decrypt,?,?,0067A5E6,00001000,?,00000000,00001000), ref: 0067A6BD

Part of subcall function 00673261: lstrlenW.KERNEL32(75A901C0,00673646,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673268

Strings

Account Name, xrefs: 0067A316
SMTP Password, xrefs: 0067A4DA
Email, xrefs: 0067A35D
HTTP Password, xrefs: 0067A547
SMTP Server, xrefs: 0067A429
POP3 Server, xrefs: 0067A3A1
POP3 Password, xrefs: 0067A46D
IMAP Password, xrefs: 0067A5B4
POP3 User, xrefs: 0067A3E5

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: f93c5dbed67cf1055ad0e0bf20454ba6c08478525363e415ecc2c8a0c38ea6c5
Instruction ID: 62ca6874af317752e700bce2e4896aff2b6e9fba2326073ca6394a7db3cd892a
Opcode Fuzzy Hash: f93c5dbed67cf1055ad0e0bf20454ba6c08478525363e415ecc2c8a0c38ea6c5
Instruction Fuzzy Hash: E0A164B2D1011DBADB25EBA4CD46FEE737DAF14700F1041AAF509F6181EA74AB448F68

Function 0067AC0A Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 0067C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 0067C154
Part of subcall function 0067C118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0067C162
Part of subcall function 0067C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0067A729,?,00000104,00000000), ref: 0067C17B
Part of subcall function 0067C118: RegQueryValueExW.ADVAPI32(0067A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0067C198
Part of subcall function 0067C118: RegCloseKey.ADVAPI32(0067A729,?,00000104,00000000), ref: 0067C1A1

lstrcatW.KERNEL32(?,\firefox.exe,?), ref: 0067AC8C
GetBinaryTypeW.KERNEL32(?,?), ref: 0067AC9D
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0067B11D

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00673272: wsprintfW.USER32 ref: 0067328D

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 00673554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00674E98,?), ref: 00673581
Part of subcall function 00673554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 006735AC

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,00684684,\logins.json,?), ref: 0067AE14

Strings

\Mozilla\Firefox\, xrefs: 0067ACC6
\firefox.exe, xrefs: 0067AC80
Path, xrefs: 0067B115
hostname, xrefs: 0067AECC
profiles.ini, xrefs: 0067ACDF
firefox.exe, xrefs: 0067AC5E
Profile, xrefs: 0067AC1B, 0067ACEC, 0067AD1F
.tmp, xrefs: 0067ADFB
encryptedUsername, xrefs: 0067AE7C, 0067AF0C
encryptedPassword, xrefs: 0067AF49
\logins.json, xrefs: 0067ADBA

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 288196626-815594582
Opcode ID: aa8438f895eccdb16a31f8b41ed341516ecc3a0a76f3be5a023707174ab68358
Instruction ID: ba3a15f77f7cf0d6369b3fdc3ee512bda7230cc12cb4bef3ad65510c6a65e6a1
Opcode Fuzzy Hash: aa8438f895eccdb16a31f8b41ed341516ecc3a0a76f3be5a023707174ab68358
Instruction Fuzzy Hash: 98E10771900519ABDF55EFA0DC92DEEB77AAF44300F10816EE10AA7292EF706F45CB58

Function 0067A6C8 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404COMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 0067C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 0067C154
Part of subcall function 0067C118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0067C162
Part of subcall function 0067C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0067A729,?,00000104,00000000), ref: 0067C17B
Part of subcall function 0067C118: RegQueryValueExW.ADVAPI32(0067A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0067C198
Part of subcall function 0067C118: RegCloseKey.ADVAPI32(0067A729,?,00000104,00000000), ref: 0067C1A1

GetBinaryTypeW.KERNEL32(?,?), ref: 0067A747

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 0067B67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0067B6AC
Part of subcall function 0067B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0067B6B5
Part of subcall function 0067B67E: PathFileExistsW.SHLWAPI(0067A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0067B7A3

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0067ABCA

Part of subcall function 0067B67E: PathFileExistsW.SHLWAPI(0067A760,.dll,?,0067A760,?,00000104,00000000), ref: 0067B7FF
Part of subcall function 0067B67E: LoadLibraryW.KERNEL32(?,0067A760,?,00000104,00000000), ref: 0067B83E
Part of subcall function 0067B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B849
Part of subcall function 0067B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B854
Part of subcall function 0067B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B85F
Part of subcall function 0067B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B86A
Part of subcall function 0067B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0067B957

Strings

hostname, xrefs: 0067A98D
profiles.ini, xrefs: 0067A79C
Path, xrefs: 0067ABC4
Profile, xrefs: 0067A6D9, 0067A7A9, 0067A7E0
\Thunderbird\, xrefs: 0067A783
thunderbird.exe, xrefs: 0067A71F
encryptedUsername, xrefs: 0067A93D, 0067A9CD
.tmp, xrefs: 0067A8BC
encryptedPassword, xrefs: 0067AA04
\logins.json, xrefs: 0067A87B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 1065485167-1863067114
Opcode ID: 81680b4d0bfcfa58589514026250fc29bea6361129fcd2ac51cdee932c7fcf6f
Instruction ID: 5c40737197561f0b8d6074e871755fb09df0c4ee1e813e7fd2290c74ec803e1c
Opcode Fuzzy Hash: 81680b4d0bfcfa58589514026250fc29bea6361129fcd2ac51cdee932c7fcf6f
Instruction Fuzzy Hash: A2E1F872900119ABDF55EFA0DC92DEEB77AAF44300F10806EE50AA7292EF706F45CB54

Function 0067DA5B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0067DA82
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0067DAB9

Part of subcall function 00675EFF: GetProcessHeap.KERNEL32(00000008,?,00672FA7,BZg,?,?,006803FD,BZg,00675D61,?,75A901C0,00000000,?,00675A42,00000000), ref: 00675F02
Part of subcall function 00675EFF: RtlAllocateHeap.NTDLL(00000000,?,006803FD,BZg,00675D61,?,75A901C0,00000000,?,00675A42,00000000), ref: 00675F09

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0067DAE2
GetLastError.KERNEL32 ref: 0067DAEC
CloseServiceHandle.ADVAPI32(00000000), ref: 0067DAFA
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0067DBBB
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0067DBFE

Strings

ServicesActive, xrefs: 0067DA6A, 0067DBB4

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: eea29cec5743c3a09b5afc9015a45f11db9c309007d8b5d9953389499782d076
Instruction ID: 6713ab9adefe2cee86a4d4c7a4172d39584b5c40e41fcf353ba4aca676d38faf
Opcode Fuzzy Hash: eea29cec5743c3a09b5afc9015a45f11db9c309007d8b5d9953389499782d076
Instruction Fuzzy Hash: 64515FB190021AABDF15DFA0CC95BEEB7BAFF18701F118569E506B6281EB706E40CB54

Function 006779E8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00677A16

Part of subcall function 00678617: GetCurrentProcess.KERNEL32(00689698,00677A03,?,?,?,?), ref: 0067861C
Part of subcall function 00678617: IsWow64Process.KERNEL32(00000000), ref: 00678623
Part of subcall function 00678617: GetProcessHeap.KERNEL32 ref: 00678629

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00677A3A
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00677A5B
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00677A73
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00677A9D
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00677AC5
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00677ADD

Strings

XXXXXX, xrefs: 00677A88, 00677A94, 00677AA7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: efc7976af3626501c740c3c2b92c89c148b5bd72e35c9c72efbc209828e25fc5
Instruction ID: 23f2976273bdc0bf1e67fc8a038e28351099f3aaccc71d9b4ee9a192e1bcc1b5
Opcode Fuzzy Hash: efc7976af3626501c740c3c2b92c89c148b5bd72e35c9c72efbc209828e25fc5
Instruction Fuzzy Hash: B621A27160521ABFFB2197A49C06FBF7B6E9F01710F204215F618E41D0EBB48A00877A

Function 00679DF6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(006896A8,00000104,?,00000000), ref: 00679E17
PathCombineA.SHLWAPI(?,?,00685F88), ref: 00679E36
FindFirstFileA.KERNEL32(?,?), ref: 00679E46
PathCombineA.SHLWAPI(?,006896A8,0000002E), ref: 00679E7D
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00679E8C

Part of subcall function 00679ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00679AFC
Part of subcall function 00679ADF: GetLastError.KERNEL32 ref: 00679B09
Part of subcall function 00679ADF: CloseHandle.KERNEL32(00000000), ref: 00679B10

FindNextFileA.KERNEL32(00000000,?), ref: 00679EA4

Strings

., xrefs: 00679E61
Accounts\Account.rec0, xrefs: 00679E7F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 5d06387ba84bd2a89e049fc5b47a2316ebb2f24c801c77c5b9d323bbcfda5d61
Instruction ID: 0096134ce4de6d66a34c20d1effeb42a1275242db89919a6950afd2e2639f497
Opcode Fuzzy Hash: 5d06387ba84bd2a89e049fc5b47a2316ebb2f24c801c77c5b9d323bbcfda5d61
Instruction Fuzzy Hash: CA1158B290121C6FDB20D7A4DC89EEF77BDDB45714F0045A6E609E3180E7749E848F60

Function 00681FD8 Relevance: 13.6, APIs: 9, Instructions: 81injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,75A901C0,00000000), ref: 00681FEC
GetCurrentProcessId.KERNEL32 ref: 00681FF7

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00682015
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 0068203F
WriteProcessMemory.KERNEL32(00000000,00000000,00689158,00000800,00000000), ref: 00682057
VirtualProtectEx.KERNEL32(00681FD3,00000000,00000800,00000040,?), ref: 00682068
VirtualAllocEx.KERNEL32(00681FD3,00000000,00000103,00003000,00000004), ref: 0068207F
WriteProcessMemory.KERNEL32(00681FD3,00000000,?,00000103,00000000), ref: 00682095
CreateRemoteThread.KERNEL32(00681FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 006820A8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 22b580cc8671ebf2f6b433f18b56ad69d4a2e0f15ba115260e46e473e601531f
Instruction ID: 26464a6b07c193c9ea0ffaaf1c10ffda00e9b362272bcbe6cf0818f9ce3abf45
Opcode Fuzzy Hash: 22b580cc8671ebf2f6b433f18b56ad69d4a2e0f15ba115260e46e473e601531f
Instruction Fuzzy Hash: 62219371640219BEF7209B51DC4BFEB7BADEB45B50F204266B744BA1D0DAF02E408FA4

Function 0067CF58 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0067CFE0
BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0067D00E

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

LocalFree.KERNEL32(?), ref: 0067D096

Strings

v1, xrefs: 0067CF63
V`h, xrefs: 0067D044
0, xrefs: 0067CF69

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
String ID: 0$V`h$v1
API String ID: 4131498132-1905648294
Opcode ID: 5162e86d0697bbb97b77e273963a2cd25c48c6a82527b04ff7fff05c7536eec0
Instruction ID: 84762c86c2add455ec816cf56ba9308d63ed27700617201234835061d72b2016
Opcode Fuzzy Hash: 5162e86d0697bbb97b77e273963a2cd25c48c6a82527b04ff7fff05c7536eec0
Instruction Fuzzy Hash: 1941A2B2D00108BBDB119FE5DC45DEFBBBEEF45340F04842AF919E6240EA748E468B64

Function 0067CCB4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0067CA5F,?), ref: 0067CCD1
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0067CA5F,?), ref: 0067CCEA
BCryptGenerateSymmetricKey.BCRYPT(00000020,0067CA5F,00000000,00000000,?,00000020,00000000,?,0067CA5F,?), ref: 0067CCFF

Strings

ChainingModeGCM, xrefs: 0067CCDE
AES, xrefs: 0067CCC7
ChainingMode, xrefs: 0067CCE3

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: 8db39bf399b4b8411740bcb896aa669b4050d315196786faf8716a3bd0da42d3
Instruction ID: 918f4bc7e32e89c35f3a0fcb6ee7ca4cfbd656a7ea1ac879c60ebea491248e26
Opcode Fuzzy Hash: 8db39bf399b4b8411740bcb896aa669b4050d315196786faf8716a3bd0da42d3
Instruction Fuzzy Hash: 55F096313513227BDB241F5BEC49F9BBFADEF5ABA1B11412AF505D2150DAA19800CBE0

Function 006820B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,75A901C0), ref: 006820C7
Process32First.KERNEL32(00000000,?), ref: 006820F4
Process32Next.KERNEL32(00000000,?), ref: 0068211B
CloseHandle.KERNEL32(00000000), ref: 00682126

Strings

explorer.exe, xrefs: 00682102

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: 13160f71522ca9fd358e324ff94f964dba1dd7269b45ba40c3d0807f6dae9e50
Instruction ID: 71037b4f5590f766d0601e6bbd7d2eb4d2014c5ae273e666cc12b6c357f3d1b8
Opcode Fuzzy Hash: 13160f71522ca9fd358e324ff94f964dba1dd7269b45ba40c3d0807f6dae9e50
Instruction Fuzzy Hash: 4101F971501115ABD760A764AC0DFEA77FDDF49710F1001A5FA49E5180EE34DAC08B54

Function 0067A632 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,75A8E8E0,?,?,?,0067A5E6,00001000,?,00000000,00001000), ref: 0067A650
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0067A5E6), ref: 0067A686
lstrcpyW.KERNEL32(?,Could not decrypt,?,?,0067A5E6,00001000,?,00000000,00001000), ref: 0067A6BD

Strings

Could not decrypt, xrefs: 0067A6B7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: 16e725e8af114396ae4e29eb4503e8546e7b8ec279aa9b5b6c9e6b7caf317fea
Instruction ID: 3b233726c79f23241ae848172efe1a56c2f9b5a7b30481a6f242e417b4fb2201
Opcode Fuzzy Hash: 16e725e8af114396ae4e29eb4503e8546e7b8ec279aa9b5b6c9e6b7caf317fea
Instruction Fuzzy Hash: 1711EC76900215EBC711DBD8C9849EEF7BEEF88700B14816AE959E7211E7319E01CBB1

Function 0067CC54 Relevance: 6.0, APIs: 4, Instructions: 49encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC73
LocalAlloc.KERNEL32(00000040,?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CC81
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC97
LocalFree.KERNEL32(?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CCA5

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 02b8cde808cf6feceb1c90ec183aa859112158882f3d9c6ec3d3e1e5655953c9
Instruction ID: b6001b99727937de949d8c5ceeaf44fed0f4b1f48aade3f7edd7f757d31ed962
Opcode Fuzzy Hash: 02b8cde808cf6feceb1c90ec183aa859112158882f3d9c6ec3d3e1e5655953c9
Instruction Fuzzy Hash: E4011D71201222BFD7214B56DD4DE9BBFADEF497A1B100124F90CD6250EB718C00CBA0

Function 006789D5 Relevance: 54.5, APIs: 17, Strings: 14, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000010), ref: 00678A11
CallNextHookEx.USER32(00000000,?,?,?), ref: 00678E12

Part of subcall function 00678E66: GetForegroundWindow.USER32(?,?,?), ref: 00678E8F
Part of subcall function 00678E66: GetWindowTextW.USER32(00000000,?,00000104), ref: 00678EA2
Part of subcall function 00678E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00678F0B
Part of subcall function 00678E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00678F79
Part of subcall function 00678E66: lstrlenW.KERNEL32(00684AD0,00000008,00000000,?,?), ref: 00678FA2
Part of subcall function 00678E66: WriteFile.KERNEL32(?,00684AD0,00000000,?,?), ref: 00678FAE

Strings

[ESC], xrefs: 00678B73
[INSERT], xrefs: 00678BCE
[CTRL], xrefs: 00678C81
[BKSP], xrefs: 00678B51
[DEL], xrefs: 00678BC4
Kh, xrefs: 00678DE5
Kh, xrefs: 00678D86
Kh, xrefs: 00678D2D
[CAPS], xrefs: 00678B7D
Kh, xrefs: 00678B87
[TAB], xrefs: 00678B47
[ENTER], xrefs: 00678B3D
Kh, xrefs: 00678DF7
[ALT], xrefs: 00678CD8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: Kh$[ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]$Kh$Kh$Kh$Kh
API String ID: 2452648998-776801271
Opcode ID: b68962be114bbe5256f5d5a744b827df73bfee31e260c4b06ad842b07b793398
Instruction ID: 8dede5f6a5537355a8713288eed42365a003601364a46c8d8545075138e82507
Opcode Fuzzy Hash: b68962be114bbe5256f5d5a744b827df73bfee31e260c4b06ad842b07b793398
Instruction Fuzzy Hash: 8691E632BC5212DFC7286A58466C7B46927EB90300F65C736EA4F7B7E0EF508D415392

Function 0067B67E Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0067B6AC
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0067B6B5

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 00673272: wsprintfW.USER32 ref: 0067328D

PathFileExistsW.SHLWAPI(0067A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0067B7A3
PathFileExistsW.SHLWAPI(0067A760,.dll,?,0067A760,?,00000104,00000000), ref: 0067B7FF
LoadLibraryW.KERNEL32(?,0067A760,?,00000104,00000000), ref: 0067B83E
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B849
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B854
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B85F
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0067B86A
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0067B957

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

msvcp, xrefs: 0067B751
PK11_CheckUserPassword, xrefs: 0067B900
PK11_Authenticate, xrefs: 0067B8C4
nss3.dll, xrefs: 0067B6D4
PK11_GetInternalKeySlot, xrefs: 0067B8B1
softokn3.dll, xrefs: 0067B738
NSS_Shutdown, xrefs: 0067B913
NSSBase64_DecodeBuffer, xrefs: 0067B8ED
msvcr, xrefs: 0067B76A
PR_GetError, xrefs: 0067B939
.dll, xrefs: 0067B789, 0067B7E7
PK11SDR_Decrypt, xrefs: 0067B8DA
NSS_Init, xrefs: 0067B8A1
PK11_FreeSlot, xrefs: 0067B926
mozglue.dll, xrefs: 0067B71F
msvcp120.dll, xrefs: 0067B706
msvcr120.dll, xrefs: 0067B6ED

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: f41b0c5e3510467aa239e0f2210621a8819fa2ccdc181a8b4be3ab7129afacef
Instruction ID: 3d0d679a1958ec93fff3e4465d5d78934795b4e259e8d97d43bd89bf8a51b11d
Opcode Fuzzy Hash: f41b0c5e3510467aa239e0f2210621a8819fa2ccdc181a8b4be3ab7129afacef
Instruction Fuzzy Hash: 10910E72A00519EBDB48FFB0D9959EEBB7BBF44300F10816AE51A67251EF306B04DB94

Function 0067902E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277registrystringwindowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00679084
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 006790A1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 006790D7
GetForegroundWindow.USER32 ref: 006790F4
GetWindowTextW.USER32(00000000,?,00000104), ref: 00679105
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 006791EE
PostQuitMessage.USER32(00000000), ref: 00679381
RegisterRawInputDevices.USER32 ref: 006793B0

Strings

Unknow, xrefs: 00679132

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 56a5eea85c07938502f627a338acd3443f06626d1185330cc63b4d3c1ef89c3c
Instruction ID: 061de619f98d71157507730c735eb11542f79305baa4d5ef4f30873d445c5530
Opcode Fuzzy Hash: 56a5eea85c07938502f627a338acd3443f06626d1185330cc63b4d3c1ef89c3c
Instruction Fuzzy Hash: 93A18A71104201AFD700EF64DC99EAB7BFAFF85310F448618F54A972A2EB31EA45CB65

Function 0067E3FA Relevance: 37.0, APIs: 9, Strings: 12, Instructions: 237registryCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 0067E407
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0067E41E
EnterCriticalSection.KERNEL32(007BE020,?,?), ref: 0067E42A

Part of subcall function 0067DE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,007BE020,?,?,0067E451,?,?), ref: 0067DE51

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0067E5FF
RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0067E61A
RegCloseKey.ADVAPI32(?,?,?), ref: 0067E623
LeaveCriticalSection.KERNEL32(007BE020,00000000,007BE07C,007BE080,?,?), ref: 0067E65E

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00673261: lstrlenW.KERNEL32(75A901C0,00673646,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673268

LeaveCriticalSection.KERNEL32(007BE020,00000000,rpdp,007BE080,00000000,rudp,007BE07C,007BE07C,007BE080,?,?), ref: 0067E6C4
LeaveCriticalSection.KERNEL32(007BE020,00000000,?,?), ref: 0067E6F4

Strings

|{, xrefs: 0067E4CB
|{, xrefs: 0067E5B0
|{, xrefs: 0067E473
rpdp, xrefs: 0067E492, 0067E691
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 0067E5F5
{, xrefs: 0067E6AE
rudp, xrefs: 0067E459, 0067E670
HFh, xrefs: 0067E4E4
{, xrefs: 0067E413
{, xrefs: 0067E658
{, xrefs: 0067E424
8{, xrefs: 0067E6B3

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
String ID: {$ {$ {$ {$8{$HFh$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp$|{$|{$|{
API String ID: 2046459734-1993887963
Opcode ID: 3b74e767cddf3a03c16b94f1bac8b37ca4ffc1b687eaf400e61053de4e0d8271
Instruction ID: 7e967a0429b698818143bde14f68b5b40cdb6be5a943ece49c7b3b108695adc8
Opcode Fuzzy Hash: 3b74e767cddf3a03c16b94f1bac8b37ca4ffc1b687eaf400e61053de4e0d8271
Instruction Fuzzy Hash: 0E717370640114ABDB54FF60CC96EFE376BAF58700B10C129F50EAA292EF759A05C759

Function 006795AA Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214windowstringregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 006795BC
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 0067962B
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00679645
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00679651
lstrcpyW.KERNEL32(?,-00000010), ref: 0067968B
lstrcatW.KERNEL32(?,00684A58), ref: 0067969E

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 0067FF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0067FF54

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00679721
wsprintfW.USER32 ref: 00679758
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 0067979A
CloseHandle.KERNEL32(00000000), ref: 006797AA
RegisterClassW.USER32 ref: 006797C9
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 006797E1
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00679802
TranslateMessage.USER32(?), ref: 00679814
DispatchMessageA.USER32(?), ref: 0067981F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0067982F

Strings

\Microsoft Vision\, xrefs: 0067963F
ExplorerIdentifier, xrefs: 006796E6
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00679752

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 2678186124-2372768292
Opcode ID: 2b82b0ac7c538835aff711db91126e06d7a2d8decb0f77abd3e8c1bfa9868b6b
Instruction ID: cba18335178901c85b9279f8b5b1cad576c4ba4c8960a6a2c46a356df2c0ee2f
Opcode Fuzzy Hash: 2b82b0ac7c538835aff711db91126e06d7a2d8decb0f77abd3e8c1bfa9868b6b
Instruction Fuzzy Hash: 7671ADB2504304BBD710DFA8DC49EABB7EEFB89700F044A1DF649E6291EA31D944CB61

Function 0067A0D8 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0067A12F
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0067A14C
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 0067A19F
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0067A1B5
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0067A1E8
RegCloseKey.ADVAPI32(?), ref: 0067A1F9
lstrcpyW.KERNEL32(?,?), ref: 0067A20D
lstrcatW.KERNEL32(?,00684684), ref: 0067A21B
lstrcatW.KERNEL32(?,?), ref: 0067A22F
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0067A24C
RegCloseKey.ADVAPI32(?,?), ref: 0067A261
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0067A27E

Strings

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0067A15F, 0067A16F
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0067A17C, 0067A181, 0067A191
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0067A125
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0067A142, 0067A152
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0067A135

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: b4ec3265ddad96da2eec1cd77541d7ce4972e78946ae4ac40a5e5af179ea536f
Instruction ID: 7fa95b09fba084d71d8985cad622c1ac5121cbd0152d2eb41678ef9e0b8bc263
Opcode Fuzzy Hash: b4ec3265ddad96da2eec1cd77541d7ce4972e78946ae4ac40a5e5af179ea536f
Instruction Fuzzy Hash: EC413FB290021DBEEB21DBE0CC84EFF776EEF44784F1445A5B919E2101E6719F449BA1

Function 00681AB9 Relevance: 33.3, APIs: 12, Strings: 7, Instructions: 90sleepregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0067FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,00683589,?), ref: 0067FC0E
Part of subcall function 0067FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00683589,?), ref: 0067FC15
Part of subcall function 0067FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00683589,?), ref: 0067FC33
Part of subcall function 0067FBFC: CloseHandle.KERNEL32(00000000), ref: 0067FC48

CloseHandle.KERNEL32(?,00000000), ref: 00681AD8
GetCurrentProcess.KERNEL32(?), ref: 00681AE7
IsWow64Process.KERNEL32(00000000), ref: 00681AEE
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00681B25
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00681B57
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00681B69
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00681B81
ShellExecuteExW.SHELL32(?), ref: 00681BB3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00681BBD
Sleep.KERNEL32(000007D0), ref: 00681BD5
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00681BE5
ExitProcess.KERNEL32 ref: 00681BEC

Strings

\sdclt.exe, xrefs: 00681B5D
V`h, xrefs: 00681B31
Software\Classes\Folder\shell\open\command, xrefs: 00681BDB
@, xrefs: 00681BA2
open, xrefs: 00681B79, 00681B7F
DelegateExecute, xrefs: 00681B3E
<, xrefs: 00681B9B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$V`h$\sdclt.exe$open
API String ID: 3164795406-4056476792
Opcode ID: 616fe6846bdce2ee3da144f32a62f95de5da1c5ac60d0fb50c193bb6c0050715
Instruction ID: 19b32957101054bca8c376e7e2ed154c660bcd310367e954777f3fee1d5b8ee1
Opcode Fuzzy Hash: 616fe6846bdce2ee3da144f32a62f95de5da1c5ac60d0fb50c193bb6c0050715
Instruction Fuzzy Hash: 77316CB1C01119FBDB50EBA4EC4DDEEBBBEEF45711F104269FA09A2150EB315A85CB60

Function 006830B3 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 006830EE
SizeofResource.KERNEL32(00000000,?), ref: 006830FA
LockResource.KERNEL32(00000000), ref: 00683104
GetTempPathA.KERNEL32(00000400,?), ref: 0068313E
lstrcatA.KERNEL32(?,find.exe), ref: 00683152
GetTempPathA.KERNEL32(00000400,?), ref: 00683160
lstrcatA.KERNEL32(?,find.db), ref: 0068316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00683189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0068319B
CloseHandle.KERNEL32(00000000), ref: 006831A2
wsprintfA.USER32 ref: 006831D2
ShellExecuteExA.SHELL32(0000003C), ref: 00683220

Strings

<, xrefs: 006831DE
-w %ws -d C -f %s, xrefs: 006831CC
find.db, xrefs: 00683162
find.exe, xrefs: 0068314C
@, xrefs: 006831F1

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: f7c101c0ae97cbbf20fe431092ac116c6333e3e58222a5eb6c56864ec35aa598
Instruction ID: fd6ed570c1b1873ef17f8dfe67ff6a173a1704fb8230f32b1467f074e3f15e5b
Opcode Fuzzy Hash: f7c101c0ae97cbbf20fe431092ac116c6333e3e58222a5eb6c56864ec35aa598
Instruction Fuzzy Hash: 8C412BB180021DBBDB10DFA4DD88EDEBBBDFF89304F104256F609A6150DB749A858BA4

Function 0067882F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135windowstringfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00678840
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00678894
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 006788AE
GetLocalTime.KERNEL32(?), ref: 006788B5
wsprintfW.USER32 ref: 006788E9
lstrcatW.KERNEL32(-00000010,?), ref: 00678900
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 0067892C
CloseHandle.KERNEL32(00000000), ref: 0067893C

Part of subcall function 00681E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0068349D), ref: 00681E4E
Part of subcall function 00681E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0068349D), ref: 00681E61
Part of subcall function 00681E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0068349D), ref: 00681E72
Part of subcall function 00681E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,0068349D), ref: 00681E7F

Part of subcall function 006809D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74E2F770,00000000,?,?,?,?,0067895D), ref: 006809FE

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 006789AF

Part of subcall function 00680969: lstrcmpA.KERNEL32(?,00681BD0,?,open,00681BD0), ref: 006809A2

TranslateMessage.USER32(?), ref: 00678996
DispatchMessageA.USER32(?), ref: 006789A1

Strings

\Microsoft Vision\, xrefs: 006788A8
SetWindowsHookExA, xrefs: 00678962
c:\windows\system32\user32.dll, xrefs: 0067894A
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 006788E3

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1431388325-3884914687
Opcode ID: 1ab84627197046b84b870730d02331c167ed2249ee575535efd7dc4ee717fcab
Instruction ID: 602a0538323519db665edc3732772d08380a28f6992e5a22025f22f242ccf4a5
Opcode Fuzzy Hash: 1ab84627197046b84b870730d02331c167ed2249ee575535efd7dc4ee717fcab
Instruction Fuzzy Hash: 1741B0B1504201BFE750EBA9EC49E2B77EEFB89700F044A19F649E3291EA35D944C731

Function 00678E66 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147filestringCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 00678E8F
GetWindowTextW.USER32(00000000,?,00000104), ref: 00678EA2
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00678F0B
lstrcpyW.KERNEL32(-00000210,?,?,?), ref: 00678F58
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00678F79
lstrlenW.KERNEL32(00684AD0,00000008,00000000,?,?), ref: 00678FA2
WriteFile.KERNEL32(?,00684AD0,00000000,?,?), ref: 00678FAE
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 00678FD2
lstrlenW.KERNEL32(00684AD0,-00000008,00000000,?,?), ref: 00678FE5
WriteFile.KERNEL32(?,00684AD0,00000000,?,?), ref: 00678FF1
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00679003
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00679011
CloseHandle.KERNEL32(?,?,?), ref: 0067901B

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00673335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,00683589,?,00681515,00683589,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673365

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

{Unknown}, xrefs: 00678EED

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
String ID: {Unknown}
API String ID: 2314120260-4054869793
Opcode ID: 78bea1ea76f581acfb29ba5889070dce8a036ae4e809533757aec780a11abe11
Instruction ID: fcdb9ffe545d0bc59e4187d0ec2caa60678ebcaf763f226e1099811ed514022f
Opcode Fuzzy Hash: 78bea1ea76f581acfb29ba5889070dce8a036ae4e809533757aec780a11abe11
Instruction Fuzzy Hash: C8519471A40214BFDB00EF64DC89FAA77BAFF44300F494168F50AA7251EB71AE40CB64

Function 0067EAFB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 135pipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0067EA89: GetCurrentThreadId.KERNEL32 ref: 0067EA95
Part of subcall function 0067EA89: SetEvent.KERNEL32(00000000), ref: 0067EAA9
Part of subcall function 0067EA89: WaitForSingleObject.KERNEL32(?,00001388), ref: 0067EAB6
Part of subcall function 0067EA89: TerminateThread.KERNEL32(?,000000FE), ref: 0067EAC7

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0067EB41
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0067EB5E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0067EB64
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0067EB6D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0067EB85
GetCurrentProcess.KERNEL32(00689560,00000000,00000000,00000002,?,00000000), ref: 0067EB9E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0067EBA4
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0067EBA7
GetCurrentProcess.KERNEL32(00689564,00000000,00000000,00000002,?,00000000), ref: 0067EBBC
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0067EBC2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0067EC18
CreateThread.KERNEL32(00000000,00000000,0067E92A,,mh,00000000,00689570), ref: 0067EC38
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0067EBC5

Part of subcall function 0067EC8C: CloseHandle.KERNEL32(?,,mh,0067EADC,?,00000000,00672A8C,00000000,exit,00000000,start), ref: 0067EC96

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 0067E891: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000,?,?,00000001), ref: 0067E8E3

Strings

,mh, xrefs: 0067EB04, 0067EC25, 0067EC6F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID: ,mh
API String ID: 337272696-1563204118
Opcode ID: 5457df63625e71a145bb69661f70339f37b2283def42bb720593c899b424773d
Instruction ID: c0d90a837da2a36392a9175dc4051f0d0e09d3621ecd4188f328013887672eac
Opcode Fuzzy Hash: 5457df63625e71a145bb69661f70339f37b2283def42bb720593c899b424773d
Instruction Fuzzy Hash: 62418371900309BBDB16EBE0DD46FEE7B7AAF18741F104159B215B20D1DBB19A08CB65

Function 0067D58D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0067D5A0
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0067D5B9
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D5C6
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0067D5D5
GetLastError.KERNEL32 ref: 0067D5DF
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0067D600
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D611
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D614
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D624
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D627

Part of subcall function 00671099: GetProcessHeap.KERNEL32(00000000,00000000,00681E18,00000000,00000000,00000000,00000000,h\Hh,00000000), ref: 0067109F
Part of subcall function 00671099: HeapFree.KERNEL32(00000000), ref: 006710A6

Strings

ServicesActive, xrefs: 0067D597

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: c90852f0daa5486bbcae18f296089f1be9e7e1ff4c0d36793af52af5e5d62bc8
Instruction ID: e79e7fa66ea91ebb4313873e983bcd42560539a5e2a23d79559b6ecec2f7afe7
Opcode Fuzzy Hash: c90852f0daa5486bbcae18f296089f1be9e7e1ff4c0d36793af52af5e5d62bc8
Instruction Fuzzy Hash: 29118B7150021ABBCB20AB62DD48D9B7F7EEF95394B108525F60AD7210DF709E01CBA0

Function 0067DED2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 324COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0067DEEF

Part of subcall function 0067FC58: GetCurrentProcess.KERNEL32(?,?,00672D84,?,00684648,?,?,00000000,?,?,?), ref: 0067FC5C

PathFileExistsW.SHLWAPI(?), ref: 0067E099
PathFileExistsW.SHLWAPI(?), ref: 0067DF0D

Part of subcall function 0067FDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,00679A69,?,?,?), ref: 0067FE07
Part of subcall function 0067FDF0: GetLastError.KERNEL32(?,?,?,00679A69,?,?,?), ref: 0067FE15

LeaveCriticalSection.KERNEL32(?,00000000), ref: 0067E28C

Part of subcall function 0067D9B6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0067D9EA

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0067E17F
LeaveCriticalSection.KERNEL32(?,00000000), ref: 0067E2CC

Strings

SeDebugPrivilege, xrefs: 0067E16F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: e31844915e4b318d344a4f2375574698f68075095cb942e393047a204e9c6a1c
Instruction ID: 44b823f8a23bec7cb1e67e220538f55ed1536e4b75153b24e29836d252a1d6f9
Opcode Fuzzy Hash: e31844915e4b318d344a4f2375574698f68075095cb942e393047a204e9c6a1c
Instruction Fuzzy Hash: C2B19371104205ABC754FF60CC92DAFB7AABF94344F408A2DF19A93191EF70EA08CB56

Function 00681136 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 278fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0067F481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00683589,?,00681618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0067F4A2

Part of subcall function 00680F6E: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,75A901C0,?,?,00681165,?,?), ref: 00680F8E

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

CopyFileW.KERNEL32(?,?,00000000,?,00684684,?,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 006811D7

Part of subcall function 0068106C: RegCreateKeyExW.ADVAPI32(75A901C0,00000000,00000000,00000000,00000000,00683589,00000000,?,?,?,?,00683589,?,0068158B,80000001,?), ref: 006810A0
Part of subcall function 0068106C: RegOpenKeyExW.KERNEL32(75A901C0,00000000,00000000,00683589,?,?,?,00683589,?,0068158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 006810BB

Part of subcall function 00681039: RegSetValueExW.ADVAPI32(?,75A901C0,00000000,?,?,?,?,?,00681432,00000000,00000000,?,00000001,?,?,?), ref: 00681058

SHGetKnownFolderPath.SHELL32(00684550,00000000,00000000,?,?,?,?,?,00000000,75A901C0,00000000), ref: 00681264
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,00687204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 00681382

Part of subcall function 0067F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0067F79C

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 0067F71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,006811A6,00000000,?,?,?,?,00000000,75A901C0,00000000), ref: 0067F725

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 00673335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,00683589,?,00681515,00683589,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673365

DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,75A901C0,00000000), ref: 0068147C

Strings

") do %%A, xrefs: 0068128F
:start, xrefs: 00681294, 0068132F
:Zone.Identifier, xrefs: 0068145B
wmic process call create '", xrefs: 0068130A
for /F "usebackq tokens=*" %%A in (", xrefs: 00681282
\programs.bat, xrefs: 00681275

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 2154703971-2016382161
Opcode ID: db206ef3da7497b80ad8cd02f9e22427d9fda5e0e58c371794f20b11a72909c0
Instruction ID: 8384d260c97131ef3f8834df5f0e33ffc751c7801fccef5f45d5ff24d99f4e2b
Opcode Fuzzy Hash: db206ef3da7497b80ad8cd02f9e22427d9fda5e0e58c371794f20b11a72909c0
Instruction Fuzzy Hash: C1A12D71600119ABDF59FFA0CC92CFE777AAF94300B10815DB8166B296EF70AB45CB54

Function 0067DCB2 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0067DCF3

Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,00683589,?,?,?,006815B2,?,?,80000001), ref: 00680FE6
Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,006815B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0068100A

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 0067DD57
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0067DD65
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0067DD82

Strings

ImagePath, xrefs: 0067DD05
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0067DCBE
ServiceDll, xrefs: 0067DD90
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0067DCCE
svchost.exe -k, xrefs: 0067DD5D
svchost.exe, xrefs: 0067DD4F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2246401353-3333427388
Opcode ID: 0751cb3e3909e09d634c7f0cc847ae4eb09a799fc7cee2fac091f1c588ec6e49
Instruction ID: 791a2c2ed60df3d34d5fd5cd0ad01bef7268cb3468fde1567eecdfbdad252f7c
Opcode Fuzzy Hash: 0751cb3e3909e09d634c7f0cc847ae4eb09a799fc7cee2fac091f1c588ec6e49
Instruction Fuzzy Hash: A4410971D00129ABDF54EBA0CC92EEEB77AAF14740F508569F90676291EF706B04CBA4

Function 0067D508 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0067D517
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0067D52C
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D539
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0067D546
GetLastError.KERNEL32 ref: 0067D550
Sleep.KERNEL32(000007D0), ref: 0067D562
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0067D56B
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D57F
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D582

Strings

ServicesActive, xrefs: 0067D50F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: a9e749e63021f51a95b26513cf7854632565823df4869b378c6819d534705666
Instruction ID: 2ce4420a938201f83f158514f97023b079ca7a1181ef9a865800dc1d7c94ca02
Opcode Fuzzy Hash: a9e749e63021f51a95b26513cf7854632565823df4869b378c6819d534705666
Instruction Fuzzy Hash: AF01DF716002667BE3301B22AC4CEAB3E7EEFD5B65B005624F70ADA150DE648900C7B0

Function 00679ADF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 229fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00679AFC
GetLastError.KERNEL32 ref: 00679B09
CloseHandle.KERNEL32(00000000), ref: 00679B10
GetFileSize.KERNEL32(00000000,00000000), ref: 00679B1D
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00679B4C
CloseHandle.KERNEL32(00000000), ref: 00679B53

Strings

Password, xrefs: 00679CDD
Password, xrefs: 00679CC3, 00679CAB, 00679CD7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: Password$Password
API String ID: 1366138817-7788977
Opcode ID: 3b05cd230624db907b91a019b9dea92ec2915837e9c45fa498d10906e2d9141b
Instruction ID: 530a9a37636efed9b3e97d079fae47a8515cb198c515ce302b1b542760703eb7
Opcode Fuzzy Hash: 3b05cd230624db907b91a019b9dea92ec2915837e9c45fa498d10906e2d9141b
Instruction Fuzzy Hash: 0681F270C042456EEF26ABA8D855AFE7FF7AF51314F10C09EE0496A282CB750E42C765

Function 0068273A Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 175comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0068274C
CoCreateInstance.OLE32(006845A0,00000000,00000001,00687410,{"h), ref: 00682779
CoUninitialize.OLE32 ref: 00682902

Part of subcall function 00682A6B: CoCreateInstance.OLE32(006845E0,00000000,00000001,006873F0,?,756FE550,00000000,00000000,?,?,006827B0), ref: 00682A99

CoCreateInstance.OLE32(006845F0,00000000,00000001,00687400,?), ref: 006827CA

Part of subcall function 006824EB: CoTaskMemFree.OLE32(?,?,00000000,00682896), ref: 006824F9

Strings

vids, xrefs: 00682805
Grabber, xrefs: 006827E8
{"h, xrefs: 00682752, 0068277B, 006828DD, 0068280A, 0068285E, 00682758, 00682791, 0068281E, 00682868, 006828E6
Source, xrefs: 006827D9

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids${"h
API String ID: 533512943-1943566631
Opcode ID: 43904b403700eea63f1eb9910aecd380de1441d546f062dcb072f9638d85e91a
Instruction ID: 2fb72a1969a99965afa645365d8b1a0cc5eed6bb13523e70d332fdb5b9312150
Opcode Fuzzy Hash: 43904b403700eea63f1eb9910aecd380de1441d546f062dcb072f9638d85e91a
Instruction Fuzzy Hash: 0B5183B1A0020AAFDF14EFA4C898EAEB7BAFF44701F14865DF505AB250DB719D45CB60

Function 0067F80E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0067F825
CoInitialize.OLE32(00000000), ref: 0067F82C
CoCreateInstance.OLE32(00684490,00000000,00000017,00686E60,?,?,?,?,?,?,?,?,?,00672D0C), ref: 0067F84A
VariantInit.OLEAUT32(?), ref: 0067F8CE

Strings

SELECT Name FROM Win32_VideoController, xrefs: 0067F89C
WQL, xrefs: 0067F8A6
root\CIMV2, xrefs: 0067F86A
Name, xrefs: 0067F8E0

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: d2eb4bc897ebb95a9d53532fc11a2ae6be6738db2a02d485d7e8e9f2c993bf6b
Instruction ID: b022a4c8feee10895128db4e8c295ed81e4976ef98220dd3e8527d6732216543
Opcode Fuzzy Hash: d2eb4bc897ebb95a9d53532fc11a2ae6be6738db2a02d485d7e8e9f2c993bf6b
Instruction Fuzzy Hash: 55410D74A00219BFCB14DB95CC48E9FBBBEEFC9B14B108558F515EB290DB719901CB21

Function 00672961 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00680F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 00680F38

TerminateThread.KERNEL32(00000000,?,?), ref: 00681740
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 006817AD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00681837
CloseHandle.KERNEL32(?), ref: 00681846
CloseHandle.KERNEL32(?), ref: 0068184B
ExitProcess.KERNEL32 ref: 0068184E

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 006817BB
hrh, xrefs: 006817C8

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q $hrh
API String ID: 3630425516-930638143
Opcode ID: 8c463303bc548f4b67277ae6c8d0cb710c837656157acaf8362809fdb1cb0d03
Instruction ID: 502a73e4e7d7efbbbb0e17c2c8f620ecd3eb5f425c0d52fc12fb6f558c4166ad
Opcode Fuzzy Hash: 8c463303bc548f4b67277ae6c8d0cb710c837656157acaf8362809fdb1cb0d03
Instruction Fuzzy Hash: 8A3161B2900619BFDB11EBE0CD86EEFB77EEB04300F00456AB605A6151DB74AF44CBA5

Function 00681F13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75sleepprocessmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,75A901C0,00000000), ref: 00681F25
IsWow64Process.KERNEL32(00000000), ref: 00681F2C
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00681F50
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00681F5E
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00681F6C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00681FA9
Sleep.KERNEL32(000003E8), ref: 00681FB8

Strings

\System32\cmd.exe, xrefs: 00681F66

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: 731b4a9be2dffbd329409d3317b2997efcb0168ae3dcc92e9aa3c9caf90b1ddd
Instruction ID: d527cd6fc3c93d651ba2f6b813b54fa0673af4dd537c9d5fb6d3bc8c0699c91e
Opcode Fuzzy Hash: 731b4a9be2dffbd329409d3317b2997efcb0168ae3dcc92e9aa3c9caf90b1ddd
Instruction Fuzzy Hash: AA1181B1A00209BBE710A7B5AC89FAF76AEEB05745F100225F705EA190EA709E458775

Function 0067C118 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 0067C154
lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0067C162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0067A729,?,00000104,00000000), ref: 0067C17B
RegQueryValueExW.ADVAPI32(0067A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0067C198
RegCloseKey.ADVAPI32(0067A729,?,00000104,00000000), ref: 0067C1A1

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0067C14E
Path, xrefs: 0067C190
thunderbird.exe, xrefs: 0067C15A

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 76d89f068f1e4464a0eb5d763857f53994beac1fdc940c47d10777402f12ec3e
Instruction ID: dbcb4455aa255cfc433a7a0640eb835453cd788c37679bb7488c78489bf26a07
Opcode Fuzzy Hash: 76d89f068f1e4464a0eb5d763857f53994beac1fdc940c47d10777402f12ec3e
Instruction Fuzzy Hash: 151161B294010DBFEB10EBE4EC89FEE77BDEB58304F100175B609E2150EA709E448B61

Function 0067C117 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 55registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 0067C154
lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0067C162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,0067A729,?,00000104,00000000), ref: 0067C17B
RegQueryValueExW.ADVAPI32(0067A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 0067C198
RegCloseKey.ADVAPI32(0067A729,?,00000104,00000000), ref: 0067C1A1

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0067C14E
Path, xrefs: 0067C190
thunderbird.exe, xrefs: 0067C15A

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: eb2af976c019dcec0384b9428e4706a69b639a681bb22aba12dabeabf72817b7
Instruction ID: ef73bf1bffbcbe9e82103fbb292f42969f5fc7d4c5dd17775fabf38b3917b903
Opcode Fuzzy Hash: eb2af976c019dcec0384b9428e4706a69b639a681bb22aba12dabeabf72817b7
Instruction Fuzzy Hash: 0D1121B294011DBFEB10EBA4ED89FEE7B7DEB58354F1001B9F609E2150E6709E448B61

Function 0067C4A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0067F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0067F79C

Part of subcall function 00673335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,00683589,?,00681515,00683589,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673365

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,00684684,.tmp,00000000,00684684,?,00000000), ref: 0067C5A5
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0067C245), ref: 0067C5AF
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0067C5C3
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0067C5CF

Part of subcall function 0067CED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0067C66B,?,?,00000000,?), ref: 0067CF43
Part of subcall function 0067CED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0067C66B,?,?,00000000,?), ref: 0067CF4C

Part of subcall function 0067CF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0067CFE0
Part of subcall function 0067CF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0067D00E
Part of subcall function 0067CF58: LocalFree.KERNEL32(?), ref: 0067D096

Part of subcall function 006733BF: lstrlenA.KERNEL32(?,75A901C0,?,00675A4F,h\Hh,00000000), ref: 006733C8
Part of subcall function 006733BF: lstrlenA.KERNEL32(?,?,00675A4F,h\Hh,00000000), ref: 006733D5
Part of subcall function 006733BF: lstrcpyA.KERNEL32(00000000,?,?,00675A4F,h\Hh,00000000), ref: 006733E8

Part of subcall function 00673125: lstrcatA.KERNEL32(00000000,75A901C0,?,00000000,?,006735C4,00000000,00000000,?,00674E98,?,?,?,?,?,00000000), ref: 00673151

Part of subcall function 0067308C: lstrlenA.KERNEL32(00000000,006730B4,75A901C0,00000000,00000000,?,006732DC,0067350E,00000000,-00000001,75A901C0,?,0067350E,00000000,?,00000000), ref: 00673093

Strings

select signon_realm, origin_url, username_value, password_value from logins, xrefs: 0067C688, 0067C692
select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 0067C683
.tmp, xrefs: 0067C4F3, 0067C4FB, 0067C531

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 881303001-3832748974
Opcode ID: 7b3cd93418058919705a1c8d94e17e8386823ba4b68ee6cc7672522c571e57c5
Instruction ID: fe30bcb766f05844dcbc1a8eba66fdccdb6f811c961e3ce63e2d7ca7c2898ed2
Opcode Fuzzy Hash: 7b3cd93418058919705a1c8d94e17e8386823ba4b68ee6cc7672522c571e57c5
Instruction Fuzzy Hash: 76D15F72900119ABDF59FFB4DC92AEEB77AAF44310F10802DF41AA6291EF709B05DB54

Function 0067B559 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0067B229), ref: 0067B561

Part of subcall function 00680969: lstrcmpA.KERNEL32(?,00681BD0,?,open,00681BD0), ref: 006809A2

Strings

VaultCloseVault, xrefs: 0067B589
VaultFree, xrefs: 0067B5E0
VaultOpenVault, xrefs: 0067B577
VaultGetItem, xrefs: 0067B5B5
VaultEnumerateItems, xrefs: 0067B59F
vaultcli.dll, xrefs: 0067B55A

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: 4c66167fa1d29a7cd6b32aeb421bc7f432abf4eac4c2d791e03dce3746fcd2e9
Instruction ID: b985aacfada72b03eec6211f2773fcc5806d67b13f27d3d1d3537db02335f048
Opcode Fuzzy Hash: 4c66167fa1d29a7cd6b32aeb421bc7f432abf4eac4c2d791e03dce3746fcd2e9
Instruction Fuzzy Hash: A011EC70A01B11CFFBA4AB71A405BE676E7EB85301F145A2FD6AE97341DB30A801CB44

Function 0067D49C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0067D4AB
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0067D4C0
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D4CD
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0067D4E6
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D4FA
CloseServiceHandle.ADVAPI32(00000000), ref: 0067D4FD

Strings

ServicesActive, xrefs: 0067D4A3

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: f72b52c9f375882e10e934d8ab2b69da134f3aff0725e39648ad137bd5114514
Instruction ID: 5f6a717524a754bcfc432e7dda960cc0ac897c123a585511d248d0e7455251bc
Opcode Fuzzy Hash: f72b52c9f375882e10e934d8ab2b69da134f3aff0725e39648ad137bd5114514
Instruction Fuzzy Hash: A5F0963220432677D7211B669C49E9B3E6EEFC67B5B115721FB1AD6290DE70D80187A0

Function 006819C9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,007BCBF0,?,?,?,?,00681A78), ref: 006819E9
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00681A78), ref: 00681A06
lstrlenW.KERNEL32(007BCBF0,?,?,?,?,00681A78,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A12
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,007BCBF0,00000000,?,?,?,?,00681A78,?,?,?,?,006757B9), ref: 00681A28
RegCloseKey.ADVAPI32(?,?,?,?,?,00681A78,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A31

Strings

SOFTWARE\_rptls, xrefs: 006819DD, 006819E3, 00681A00
Install, xrefs: 00681A20

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: d0b67af52ea0682fb8485602c0df8caaa4462a2f1c6e76dc60299cbbd7bba2dc
Instruction ID: 6af71123a9465fbb5f11f384fc7245446d7ef8c0899aa44ec8522069964cab50
Opcode Fuzzy Hash: d0b67af52ea0682fb8485602c0df8caaa4462a2f1c6e76dc60299cbbd7bba2dc
Instruction Fuzzy Hash: C9F04F72500058BFE7216B96EC4DEEB7E7DEB86791B100269BA05E2111DA619E40D7B0

Function 00681A3C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,007BCBF0,00000208,00000000,00000000,?,?,?,006757B9,?,00000000,00000000), ref: 00681A58
IsUserAnAdmin.SHELL32 ref: 00681A5E

Part of subcall function 0067FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,00683589,?), ref: 0067FC0E
Part of subcall function 0067FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00683589,?), ref: 0067FC15
Part of subcall function 0067FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00683589,?), ref: 0067FC33
Part of subcall function 0067FBFC: CloseHandle.KERNEL32(00000000), ref: 0067FC48

Part of subcall function 006819C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,007BCBF0,?,?,?,?,00681A78), ref: 006819E9
Part of subcall function 006819C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00681A78), ref: 00681A06
Part of subcall function 006819C9: lstrlenW.KERNEL32(007BCBF0,?,?,?,?,00681A78,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A12
Part of subcall function 006819C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,007BCBF0,00000000,?,?,?,?,00681A78,?,?,?,?,006757B9), ref: 00681A28
Part of subcall function 006819C9: RegCloseKey.ADVAPI32(?,?,?,?,?,00681A78,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A31

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,006757B9,?,00000000,00000000), ref: 00681A87
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00681A91
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00681A9B
LockResource.KERNEL32(00000000,?,?,?,?,006757B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00681AA2

Part of subcall function 00681936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000), ref: 00681974
Part of subcall function 00681936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 00681988
Part of subcall function 00681936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 00681996
Part of subcall function 00681936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 006819A4

Strings

WM_DSP, xrefs: 00681A7D

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockModuleNameProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 1403607128-506093727
Opcode ID: 8bc82ce171456ae743e652b082d60f1a296da7f9519284cb79c2e581e8d1bc2c
Instruction ID: 21d037c2a283ef7bf8e74b67733c5b34df05ac7682f09c54b1090b4bfd5e8c58
Opcode Fuzzy Hash: 8bc82ce171456ae743e652b082d60f1a296da7f9519284cb79c2e581e8d1bc2c
Instruction Fuzzy Hash: CFF0C2716002517BDB6037B2AC1DFAF2D5F9F93B50F051624F406EA251EE24C8828364

Function 00681855 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00681B3D,00686056,?,?,00681B3D,00686056,?), ref: 0068185D
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,00681B3D,00686056,?), ref: 0068187A
SetLastError.KERNEL32(00000000,?,?,00681B3D,00686056,?), ref: 00681885
RegSetValueExA.ADVAPI32(?,V`h,00000000,00000001,00681B3D,00000000,?,?,00681B3D,00686056,?), ref: 0068189D
RegCloseKey.ADVAPI32(?,?,?,00681B3D,00686056,?), ref: 006818A8

Strings

V`h, xrefs: 00681897
Software\Classes\Folder\shell\open\command, xrefs: 00681870

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command$V`h
API String ID: 1613093083-120741707
Opcode ID: 9c0dff04bd14903a038e238c66203e1ef04354635673186fc17a4d6f8f67fb63
Instruction ID: 1ea7ecf940d73a885688e5df92c2fa96faa28d1177b78e2ff3e919023c9d7282
Opcode Fuzzy Hash: 9c0dff04bd14903a038e238c66203e1ef04354635673186fc17a4d6f8f67fb63
Instruction Fuzzy Hash: DEF03075540214FBDF212FA0AC0AFDA7F6FEF09750F215350FA06BA160EA719A01AB90

Function 00675CA3 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,006802E1,?,75A901C0,00000000), ref: 00675CAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00675CB7
ExitProcess.KERNEL32 ref: 00675CDB

Strings

An assertion condition failed, xrefs: 00675CD0
USER32.DLL, xrefs: 00675CA4
Assert, xrefs: 00675CCB
MessageBoxA, xrefs: 00675CB1

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: e6bdcb4ec574a6dfeeac33de3c1fdf9d6b7607d02d64058b83bbbca652076531
Instruction ID: a6b6b05d184c3767b70f5574f4625092c95afe48b12e3a770916cd9f4b262d6f
Opcode Fuzzy Hash: e6bdcb4ec574a6dfeeac33de3c1fdf9d6b7607d02d64058b83bbbca652076531
Instruction Fuzzy Hash: FCD05EB07C53437AEB1077B12C1FFA52A1B6B15F05F155354B686D62C1EFD2C4808764

Function 00675F6A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00675F6F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00675F7B
ExitProcess.KERNEL32 ref: 00675F9A

Strings

USER32.DLL, xrefs: 00675F6A
PureCall, xrefs: 00675F8A
MessageBoxA, xrefs: 00675F75
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00675F8F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: b79b0df34b3e3614297681104190f8b3edc5428e181e307aa55907e14788909c
Instruction ID: 180c60fa99b181fac6ad3269ad6aab92af09f9834de004e4c07e4d8ded3b292c
Opcode Fuzzy Hash: b79b0df34b3e3614297681104190f8b3edc5428e181e307aa55907e14788909c
Instruction Fuzzy Hash: 36D0C9B03C43437EE7007BB16C0EF2829176B15F02F011310B645E40D1EFD1D0808729

Function 00680D24 Relevance: 12.2, APIs: 8, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00680D6A
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00680D83
CloseHandle.KERNEL32(00000000), ref: 00680D8E

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 00680DF8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00680E2E
CloseHandle.KERNEL32(00000000,00000000,00684C14), ref: 00680E81
Process32NextW.KERNEL32(00000000,0000022C), ref: 00680EE5
CloseHandle.KERNEL32(00000000), ref: 00680EF7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
String ID:
API String ID: 3514491001-0
Opcode ID: fd04293955dbc2a5cc227d66edec38ca4dac5a4242ffd2e99d9604215c5eed3e
Instruction ID: 11dd52117dfe54d88cf20b08bfb151c87dea32412b395d3e53598735ec76356d
Opcode Fuzzy Hash: fd04293955dbc2a5cc227d66edec38ca4dac5a4242ffd2e99d9604215c5eed3e
Instruction Fuzzy Hash: 0A51D772D00119ABEB50EBA4CC59EEE7BBAAF54710F014669F505B7280EF309F49CB54

Function 00682D0A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00682D1A
CoCreateInstance.OLE32(006845A0,00000000,00000001,00687410,011EE0E0,?,?), ref: 00682D32
CoCreateInstance.OLE32(006845F0,00000000,00000001,00687400,011EE0EC,?,?,00684580,011EE0E4,?,?), ref: 00682D8C

Part of subcall function 00682A6B: CoCreateInstance.OLE32(006845E0,00000000,00000001,006873F0,?,756FE550,00000000,00000000,?,?,006827B0), ref: 00682A99

Strings

vids, xrefs: 00682DC6
Grabber, xrefs: 00682DAC
Source, xrefs: 00682D9E

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: e3bbe5f300d5e9158e826f2555827606e1d02a110a404a1107f82c90d74e1b73
Instruction ID: 8758c39b8b4f8ba5cd6e3aff2194261961029e07c0b6c8be6fe88cb723c72f5d
Opcode Fuzzy Hash: e3bbe5f300d5e9158e826f2555827606e1d02a110a404a1107f82c90d74e1b73
Instruction Fuzzy Hash: 9F518071600202AFCB24EF64C895E9A3B76BF49700B11465CFD05AF291DB71EC45CBA4

Function 00672CEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0067F80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0067F825
Part of subcall function 0067F80E: CoInitialize.OLE32(00000000), ref: 0067F82C
Part of subcall function 0067F80E: CoCreateInstance.OLE32(00684490,00000000,00000017,00686E60,?,?,?,?,?,?,?,?,?,00672D0C), ref: 0067F84A

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00672D1B

Part of subcall function 00681E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0068349D), ref: 00681E4E
Part of subcall function 00681E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0068349D), ref: 00681E61
Part of subcall function 00681E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0068349D), ref: 00681E72
Part of subcall function 00681E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,0068349D), ref: 00681E7F

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 0067FA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 0067FA30

Part of subcall function 0067FC7E: GetComputerNameW.KERNEL32(00672D7F,00000010), ref: 0067FCA1

Part of subcall function 0067FC58: GetCurrentProcess.KERNEL32(?,?,00672D84,?,00684648,?,?,00000000,?,?,?), ref: 0067FC5C

Part of subcall function 0067FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,75A901C0,00000000,75A901C0,00000000,?,?,?,?,00683589,?), ref: 0067FC0E
Part of subcall function 0067FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00683589,?), ref: 0067FC15
Part of subcall function 0067FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00683589,?), ref: 0067FC33
Part of subcall function 0067FBFC: CloseHandle.KERNEL32(00000000), ref: 0067FC48

Part of subcall function 0067FA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0067FA5A
Part of subcall function 0067FA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0067FA6A

Part of subcall function 0067FCB8: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0067FCFC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00672DDF
lstrcatW.KERNEL32(?,\Microsoft Vision\,?,?), ref: 00672DF1
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00672DFF

Part of subcall function 0067990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679916
Part of subcall function 0067990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 0067992D
Part of subcall function 0067990A: EnterCriticalSection.KERNEL32(007BDB10,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679939
Part of subcall function 0067990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679949
Part of subcall function 0067990A: LeaveCriticalSection.KERNEL32(007BDB10,?,00000000), ref: 0067999C

Strings

\Microsoft Vision\, xrefs: 00672DE5
$uh, xrefs: 00672E10

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: $uh$\Microsoft Vision\
API String ID: 1987359387-2745996654
Opcode ID: 29cbe8018da9183ee8f0d530fc613898fdc3664f65dc0d2e1b5f9f7f7e700d69
Instruction ID: 6dce4aae3459211d63d6035460b614885ecc641e18eeef69658fade826142c76
Opcode Fuzzy Hash: 29cbe8018da9183ee8f0d530fc613898fdc3664f65dc0d2e1b5f9f7f7e700d69
Instruction Fuzzy Hash: 6131C3B1A10219BBDF44FBE0DC5ADEFB77EAF48300F00856CB509A6182DE705B458BA5

Function 00677948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64sleepprocessmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 0067796B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00677979
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00677987
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 006779C1
Sleep.KERNEL32(000003E8), ref: 006779D0

Strings

\System32\cmd.exe, xrefs: 00677981

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: e2b1db92e715b846647af4af7eab723a4d7e81302e8a0271ff18c21429133908
Instruction ID: 44b5482441ecd190e35e1b729129db4d1b83ee45fcb93c49091b6ae08c7b805f
Opcode Fuzzy Hash: e2b1db92e715b846647af4af7eab723a4d7e81302e8a0271ff18c21429133908
Instruction Fuzzy Hash: 5D115EB2600209BFE710ABB8EC86FAF777EAB04745F100525F705E6191DAB09E0486A5

Function 00681936 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000), ref: 00681974
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 00681988
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 00681996
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00681AB4,?,?,?,006757B9,?,00000000,00000000), ref: 006819A4

Strings

p`h, xrefs: 0068194B
\System32\cmd.exe, xrefs: 0068199E

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe$p`h
API String ID: 2244922440-1741495605
Opcode ID: 8ff472abbe1911453dde7073c209a59b9f486fbbbf5abc034aed933bb8144597
Instruction ID: 6d3a2f4cafa6e33a32d18aae9f467addc5f040a416520606f2d574ce02208e5d
Opcode Fuzzy Hash: 8ff472abbe1911453dde7073c209a59b9f486fbbbf5abc034aed933bb8144597
Instruction Fuzzy Hash: 930147713403117BE32067749C0AFAB3BADCB86B11F100224F749FE1C0CDA5AD448398

Function 006818BA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00681B06), ref: 006818C7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00681B06), ref: 006818DB
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00681B06,?), ref: 00681913
RegCloseKey.ADVAPI32(00681B06), ref: 00681920
SetLastError.KERNEL32(00000000), ref: 0068192B

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00681909

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: 63ee69f6ee5fbdccd2ff2729249bd2c211950e482e467acf3fccb897a76e3c67
Instruction ID: a9a5c5ff2728f3ee01198274bc8aecfaf236336e8a6851cec486de9a0f47ef4d
Opcode Fuzzy Hash: 63ee69f6ee5fbdccd2ff2729249bd2c211950e482e467acf3fccb897a76e3c67
Instruction Fuzzy Hash: 3D011A71900229BADF209BA19C49EDF7FBEEF09761F101221F605F6150EB708645DBA0

Function 0067990A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679916
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 0067992D
EnterCriticalSection.KERNEL32(007BDB10,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679939
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00672E0D,?,00000001,?,?), ref: 00679949
LeaveCriticalSection.KERNEL32(007BDB10,?,00000000), ref: 0067999C

Part of subcall function 00671F4B: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00671F60

Strings

.g, xrefs: 0067993F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID: .g
API String ID: 2964645253-793294742
Opcode ID: d9788c2666c3adb927013140de85598825773f78a11e5be5673f7aa123c88a08
Instruction ID: ef5788f42cf76e188d51e93415d9c65ea3b67afdcad0b59b3add36df4b717c2f
Opcode Fuzzy Hash: d9788c2666c3adb927013140de85598825773f78a11e5be5673f7aa123c88a08
Instruction Fuzzy Hash: 3B01B575900104BBCB20AFA59C4DFEB3FBBE746320F41C12AF50957241EB798885CBA0

Function 00677CB7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,006786D6,00000000), ref: 00677CD3
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00677CE1
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00677CF2

Strings

RtlSetLastWin32Error, xrefs: 00677CE7
RtlNtStatusToDosError, xrefs: 00677CDB
ntdll.dll, xrefs: 00677CCE

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 0dddc868a117861dc49559a42f9b14375b3edbf824d38b578f7f51e737167e99
Instruction ID: 42b21577acfbcf9b0b53c89025bbbfc36f397be165d330c0354b7f2e68b4fe73
Opcode Fuzzy Hash: 0dddc868a117861dc49559a42f9b14375b3edbf824d38b578f7f51e737167e99
Instruction Fuzzy Hash: C1F0F434248302AB9F246F65AC55FB63BAAAE847413119619F80AC3360DF759841C724

Function 0067CBA8 Relevance: 9.1, APIs: 6, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0067CBDC
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0067CBF2
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0067CC0D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 0067CC25
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0067CC48

Part of subcall function 0067CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC73
Part of subcall function 0067CC54: LocalAlloc.KERNEL32(00000040,?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CC81
Part of subcall function 0067CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC97
Part of subcall function 0067CC54: LocalFree.KERNEL32(?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CCA5

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: 00e28f2f4eee5dfd746b556d359e4e1544bb832d9a54a33b295d110c5da59a26
Instruction ID: 368a07aa7d402911231d453e54c6424c371da385ab4e0db5bb4109b550cfefe7
Opcode Fuzzy Hash: 00e28f2f4eee5dfd746b556d359e4e1544bb832d9a54a33b295d110c5da59a26
Instruction Fuzzy Hash: F511A571500115BBCB269B69DC84EBEBBBEEF45760B14821CF90DD6250DB30DE01DB50

Function 00680B2A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00680969: lstrcmpA.KERNEL32(?,00681BD0,?,open,00681BD0), ref: 006809A2

MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 00680B70

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00680BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,75A901C0,00000000), ref: 00680C14

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

VirtualQuery, xrefs: 00680B37
C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 00680BAE
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 00680B7E
Bla2, xrefs: 00680B67, 00680B6D, 00680B6E

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 1196126833-2308542105
Opcode ID: f805e2a68769d642b55d367270d748acc8960251164898bede1ad61590d07035
Instruction ID: f3eed4f298577002f9969115dfbfcbdd0c483364fc3ab756e1cd728ef439108a
Opcode Fuzzy Hash: f805e2a68769d642b55d367270d748acc8960251164898bede1ad61590d07035
Instruction Fuzzy Hash: 30111C71A01118BAEF88FBA4DD56CEFBB7E9E44710B10465EF406B2181DB709F08D768

Function 0067CE83 Relevance: 8.8, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CE9A
LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CEA5
LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CEB0
LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CEBB
LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CEC6
LocalFree.KERNEL32(?,00000000,00000000,0067CAF5), ref: 0067CED1
LocalFree.KERNEL32(00000000,00000000,00000000,0067CAF5), ref: 0067CED4

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 5f783a38566d4b2f6b289463e740aa74c0c5f084f7810d039a024b45717133c9
Instruction ID: 58eabaec72ae16a45362c4e878cd58e2a7c80d189349446cfd1b1635f05f322c
Opcode Fuzzy Hash: 5f783a38566d4b2f6b289463e740aa74c0c5f084f7810d039a024b45717133c9
Instruction Fuzzy Hash: E1F0A931010B14DBD7366B2ADC08BA7B6F2BF80325F16493DD58651AB0C7B5A8D6DF50

Function 00679D9A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00679DB5
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,006897B0,?), ref: 00679DDC
PathRemoveFileSpecA.SHLWAPI(006897B0), ref: 00679DE7

Strings

software\Aerofox\FoxmailPreview, xrefs: 00679DAB
Executable, xrefs: 00679DD4

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 5b3e880263de955a968408b8deb9d864917947e03f3e8d2c985fa8e4808aec7f
Instruction ID: e0df7338245f4e4434c1275d98ce21ad3eb5af432887c9ae44fb27b116c73206
Opcode Fuzzy Hash: 5b3e880263de955a968408b8deb9d864917947e03f3e8d2c985fa8e4808aec7f
Instruction Fuzzy Hash: 2BF0A774244204BFEB209B91DC8AFDA7BFEDB41B48F100254FA05F1180E7B099019B20

Function 0067EF4F Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: b80286464948bb81da1d5098360fd744daef9045a556d21d23feb8a1068c3c0b
Instruction ID: fff3d270f3bdd6ba70a53feced1668a7e683bbdd90c3c814ec7f9b40f2f76af6
Opcode Fuzzy Hash: b80286464948bb81da1d5098360fd744daef9045a556d21d23feb8a1068c3c0b
Instruction Fuzzy Hash: 3861C671904619AFDB10CFA4CC45FEEB7BABF09300F14C169F508AB281DBB5A945CBA5

Function 0067EE9A Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0067EEB4
gethostbyname.WS2_32(?), ref: 0067EEBD
htons.WS2_32(?), ref: 0067EEE1
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 0067EF12
connect.WS2_32(00000000,?,00000010), ref: 0067EF2B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: f434d1b6d2fb53509c16ec7555bfd9481d2780e139fe544304befbd867b68b40
Instruction ID: 019075085b624f7545653e5569dedf8f8a17df0b37959b0122ae2d0bfc7583a4
Opcode Fuzzy Hash: f434d1b6d2fb53509c16ec7555bfd9481d2780e139fe544304befbd867b68b40
Instruction Fuzzy Hash: 9D110B729002547FE71097A4AC4AFBB77ADEF05320F048566F909CB191EAB0894487A0

Function 00680C79 Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00680C97
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00680CAC
Process32NextW.KERNEL32(00000000,0000022C), ref: 00680CC4
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00680CCF
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00680CE0

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: be4e7cf66512b83b802e2a69f12811296021c8a3346949388fb510c745e6cfa2
Instruction ID: c82742629c04ecd1ed4d03fb1e1af6f75605bb435fbda8f805494e0636d30c7f
Opcode Fuzzy Hash: be4e7cf66512b83b802e2a69f12811296021c8a3346949388fb510c745e6cfa2
Instruction Fuzzy Hash: CD01F431201215BBE7206FB5EC4CBBE7BBEEB44725F104769F545E2290EB708D898B10

Function 0067B9A9 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,0067B132), ref: 0067B9BA
FreeLibrary.KERNEL32(?,?,00000000,0067B132), ref: 0067B9CA
FreeLibrary.KERNEL32(?,?,00000000,0067B132), ref: 0067B9D8
FreeLibrary.KERNEL32(?,?,00000000,0067B132), ref: 0067B9E6
FreeLibrary.KERNEL32(?,?,00000000,0067B132), ref: 0067B9F4

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 48bf2bea44bfe2f0005bea1525e6e2adec2d9829796835456fcb3f9374951a19
Instruction ID: 13a49065228b042e667d43d028877ada0954e116dff1bee79505ae60d1c87c73
Opcode Fuzzy Hash: 48bf2bea44bfe2f0005bea1525e6e2adec2d9829796835456fcb3f9374951a19
Instruction Fuzzy Hash: 94F0AEB1B00B26BED7495F768C84B86FE6AFF49260F01522BA56C42221CB716474DFD2

Function 0067B627 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,0067ABDF), ref: 0067B638
FreeLibrary.KERNEL32(?,?,?,00000000,0067ABDF), ref: 0067B648
FreeLibrary.KERNEL32(?,?,?,00000000,0067ABDF), ref: 0067B656
FreeLibrary.KERNEL32(?,?,?,00000000,0067ABDF), ref: 0067B664
FreeLibrary.KERNEL32(?,?,?,00000000,0067ABDF), ref: 0067B672

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 48bf2bea44bfe2f0005bea1525e6e2adec2d9829796835456fcb3f9374951a19
Instruction ID: 13a49065228b042e667d43d028877ada0954e116dff1bee79505ae60d1c87c73
Opcode Fuzzy Hash: 48bf2bea44bfe2f0005bea1525e6e2adec2d9829796835456fcb3f9374951a19
Instruction Fuzzy Hash: 94F0AEB1B00B26BED7495F768C84B86FE6AFF49260F01522BA56C42221CB716474DFD2

Function 0067B203 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 0067B559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0067B229), ref: 0067B561

FreeLibrary.KERNEL32(?), ref: 0067B506

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00673248: lstrcmpW.KERNEL32(?,?), ref: 00673252

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Strings

Internet Explorer, xrefs: 0067B2B4, 0067B3CF
8, xrefs: 0067B4C9
4, xrefs: 0067B4CE

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
String ID: 4$8$Internet Explorer
API String ID: 708496175-747916358
Opcode ID: ecd883b73b75afebd2114c48e14834a49689e01cf686d01739e03fbb3cdba975
Instruction ID: 1a593c820a3672c0d399b48d306c90c4d77202c8da9632d64872e1fb8623a351
Opcode Fuzzy Hash: ecd883b73b75afebd2114c48e14834a49689e01cf686d01739e03fbb3cdba975
Instruction Fuzzy Hash: 63A15070D00219ABDF15EFE5C885AEEBBBAFF44300F14815AF409BB256DB70AA45CB54

Function 0067FA42 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0067FA5A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0067FA6A

Strings

RtlGetVersion, xrefs: 0067FA64
ntdll.dll, xrefs: 0067FA4B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: b6416e3dcb63217e5ffb688e4de5e30d5894cecc9c95f43db25ffbb8bea36dc0
Instruction ID: 9139a0e35ca88f51aaa2432b3bf34d8edfea2d0dd531339d16d329eeaa20c665
Opcode Fuzzy Hash: b6416e3dcb63217e5ffb688e4de5e30d5894cecc9c95f43db25ffbb8bea36dc0
Instruction Fuzzy Hash: D6416B30A0012CAADF248B55D866BFC76F6AB11B4DF1084F5E549F0281E678CEC5CB54

Function 0068002B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00675F53: GetProcessHeap.KERNEL32(00000000,000000F4,00680477,?,75A901C0,00000000,00675A34), ref: 00675F56
Part of subcall function 00675F53: HeapAlloc.KERNEL32(00000000), ref: 00675F5D

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 00680060
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00680087
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 006800B7

Strings

X,g, xrefs: 00680103

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID: X,g
API String ID: 2408535517-1997093199
Opcode ID: a4783244c685bf8d952d4c5e3605205e8ef4e0b1aadcaba839b3f3f081c15112
Instruction ID: 0054124c310695008081d7241af9d83157d03ed5eb22b02de720d32c60b2abbe
Opcode Fuzzy Hash: a4783244c685bf8d952d4c5e3605205e8ef4e0b1aadcaba839b3f3f081c15112
Instruction Fuzzy Hash: 42319571E002199BDF54EFE8C5859EFB7F5AF44340F10455EE506B7281EA705E44CBA1

Function 00683251 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 0068327D
lstrcatW.KERNEL32(?,send.db), ref: 0068328F

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00673437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00681E0A,00000000,00000000,00000000,h\Hh,00000000), ref: 0067345C

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

5, xrefs: 006832C4
send.db, xrefs: 00683283

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: b319e855f7d1498e3ba42642d07f105f63b6c39bca71363ababfe7d18c76177a
Instruction ID: 956ed18584d3c23647b08f672960ed614c5a6ababdf3549322f2011e2631824c
Opcode Fuzzy Hash: b319e855f7d1498e3ba42642d07f105f63b6c39bca71363ababfe7d18c76177a
Instruction Fuzzy Hash: 85015B72D4011DABCB10EB64DC46EEEB7BDAF50304F10C169B509A6281EF74AB46CBD4

Function 006836D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00683710
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00683722

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

\Microsoft Vision\, xrefs: 00683716
;, xrefs: 0068373D

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: bd3424937e45ca495e504e761349b86577996e8dc43d7212ac5be92b3f57b04b
Instruction ID: bb1fa78adf17721d54bcc72ee07c01511d02a1ac60fe51bc69832e104c2c3a8a
Opcode Fuzzy Hash: bd3424937e45ca495e504e761349b86577996e8dc43d7212ac5be92b3f57b04b
Instruction Fuzzy Hash: E6015EB1C0012DFACB50EBA0DD49DDFBBB9EF14300F108155B509A2141EB34AB45DBD4

Function 006836E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00683710
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00683722

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Strings

\Microsoft Vision\, xrefs: 00683716
;, xrefs: 0068373D

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 1bae866ef1643ba0e2e19e5fb13d2ce5d0a06bb410a014e00087fa113297be7b
Instruction ID: a832d2e1756953eeb849b9142bc698f7b3079e92bc9039395878430c5ad1de86
Opcode Fuzzy Hash: 1bae866ef1643ba0e2e19e5fb13d2ce5d0a06bb410a014e00087fa113297be7b
Instruction Fuzzy Hash: A8011BB1C0012EFACB10EBA0DD4ADDFBBB9AF15344F108156B509A2181EB74AB84DBD4

Function 0067F4CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0067F4E6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0067F4F6

Strings

RtlGetVersion, xrefs: 0067F4F0
ntdll.dll, xrefs: 0067F4D7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 5d13592b8a4eb2ad64055912ba86b96b8ac3e98112168e6a4d85af1a5733f339
Instruction ID: 50f3e36e6c6b719e9b4193a3b4ae2d4baba04301e5f3dad474518f63c732d289
Opcode Fuzzy Hash: 5d13592b8a4eb2ad64055912ba86b96b8ac3e98112168e6a4d85af1a5733f339
Instruction Fuzzy Hash: E9E0923068021826DB247F75EC0BAE77AAA1F12705F444260A146D1280EE64DA028BE1

Function 0067F51D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0067F535
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0067F545

Strings

RtlGetVersion, xrefs: 0067F53F
ntdll.dll, xrefs: 0067F526

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 7f5f42e53c4f9adb5d9b5f950d1b63436204ab1dee3818dc2be4a019f4048057
Instruction ID: 96d4ea22bdb5865505ce97f5c49e93b78771cb99039b56aab13346d0427fb1b9
Opcode Fuzzy Hash: 7f5f42e53c4f9adb5d9b5f950d1b63436204ab1dee3818dc2be4a019f4048057
Instruction Fuzzy Hash: 4BE0123074021D57DB24BF71DC0AAD677AA6B21B45F0082E4B205E2180EA74DA858F90

Function 00680C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0067FC6D,?,?,00672D84,?,00684648,?,?,00000000,?), ref: 00680C4B
GetProcAddress.KERNEL32(00000000), ref: 00680C52

Strings

IsWow64Process, xrefs: 00680C3F
kernel32, xrefs: 00680C44

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 3bd7733f20f0e4987f92d861c99b7b8d78debc2ffba05f7529fd1028e4f240a0
Instruction ID: 839fddc2e1690bda711ca8f83b5bb73ae83576b54bb7dbba89e5dff0a6ebb0b1
Opcode Fuzzy Hash: 3bd7733f20f0e4987f92d861c99b7b8d78debc2ffba05f7529fd1028e4f240a0
Instruction Fuzzy Hash: 88E08C3A540204FBDB20EBA1DC0EA9A76ADEB04352B100248B001A2240DBB5AB008750

Function 0067D17D Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0067D18E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0067D1DD

Part of subcall function 006733F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00672A97,?,?,00000000,exit,00000000,start), ref: 0067341A

Part of subcall function 006757FB: getaddrinfo.WS2_32(75A901C0,00000000,00674EA0,00000000), ref: 00675848
Part of subcall function 006757FB: socket.WS2_32(00000002,00000001,00000000), ref: 0067585F
Part of subcall function 006757FB: htons.WS2_32(00000000), ref: 00675885
Part of subcall function 006757FB: freeaddrinfo.WS2_32(00000000), ref: 00675895
Part of subcall function 006757FB: connect.WS2_32(?,?,00000010), ref: 006758A1

LeaveCriticalSection.KERNEL32(?), ref: 0067D261
EnterCriticalSection.KERNEL32(?), ref: 0067D27E
LeaveCriticalSection.KERNEL32(?), ref: 0067D288

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: 694f2597255817f0641ecd894a07138121586bf4ef40d4a723e86ad57cce0d0b
Instruction ID: b3822d8feeabb2709706638c9fdb3bbc60b428295e6e25d4f2dbc5b4ef7a6357
Opcode Fuzzy Hash: 694f2597255817f0641ecd894a07138121586bf4ef40d4a723e86ad57cce0d0b
Instruction Fuzzy Hash: 1C319371200606BBD709EBA0CC51FEAB7BEFF15350F509619F52E92181EF70AA118BA4

Function 0067F56D Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0067D471,?,?,00000001), ref: 0067F5C2
LookupAccountSidW.ADVAPI32(00000000,0067D471,?,00000104,?,00000010,?), ref: 0067F5E7
GetLastError.KERNEL32(?,?,00000001), ref: 0067F5F1
FreeSid.ADVAPI32(0067D471,?,?,00000001), ref: 0067F5FF

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: 1a097b4dc0f77b8f3a4975e7d63e27b3401568dab48d5eeb7aa2de5af01104c5
Instruction ID: 5e3223ad35211ecd1df125f58841f00a1fedbb7d7394c05b3daaceba00c7fab5
Opcode Fuzzy Hash: 1a097b4dc0f77b8f3a4975e7d63e27b3401568dab48d5eeb7aa2de5af01104c5
Instruction Fuzzy Hash: 0111CBB190021DBBDB10DFD5DC89EEEB7BDEB04344F104566E609E2150EB709B449BA5

Function 0067F69F Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0067DCAA), ref: 0067F6AA
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0067DCAA), ref: 0067F6BE
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0067DCAA), ref: 0067F6CA
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0067DCAA), ref: 0067F70F

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: 142d04bb86755c4b5f42e56f2b8474864b1505846d73aceeb9fb71ef49b728dd
Instruction ID: 76eb1ec7249eb47d0cfc81b8d9bf703aa7d2426080d954a3fccccf6cc07d3487
Opcode Fuzzy Hash: 142d04bb86755c4b5f42e56f2b8474864b1505846d73aceeb9fb71ef49b728dd
Instruction Fuzzy Hash: 520184B5300A02AFD3085F69EC99EA6B7B6FF88714705C239E429C33A0D774D855C7A0

Function 0067C9F2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 0067CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC73
Part of subcall function 0067CC54: LocalAlloc.KERNEL32(00000040,?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CC81
Part of subcall function 0067CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0067CC97
Part of subcall function 0067CC54: LocalFree.KERNEL32(?,?,0067CBC6,?,00000000,?,00000000,?), ref: 0067CCA5

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0067CA6C

Part of subcall function 0067CA78: GetLastError.KERNEL32 ref: 0067CADE

LocalFree.KERNEL32(?), ref: 0067CA65

Part of subcall function 0067CCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0067CA5F,?), ref: 0067CCD1
Part of subcall function 0067CCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0067CA5F,?), ref: 0067CCEA
Part of subcall function 0067CCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,0067CA5F,00000000,00000000,?,00000020,00000000,?,0067CA5F,?), ref: 0067CCFF

Strings

DPAPI, xrefs: 0067CA18
, xrefs: 0067CA4B

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 15e39dad349f3944833dc4e9cb0433fd972dc99e286f31897be079d7120265a8
Instruction ID: 9f11f637746dfeb53366a4cecea989ec08e878c08b016639f84b04736eece143
Opcode Fuzzy Hash: 15e39dad349f3944833dc4e9cb0433fd972dc99e286f31897be079d7120265a8
Instruction Fuzzy Hash: 9901C47290060DBBCF10EBA4DD459DEB77AEB45725F00C269EC08E6144FB30AB85DB90

Function 006747EA Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(?), ref: 006747FF
GetTickCount.KERNEL32 ref: 00674805
GetForegroundWindow.USER32 ref: 00674819
GetWindowTextW.USER32(00000000,?,00000100), ref: 0067482C

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
String ID:
API String ID: 2567647128-0
Opcode ID: 5ef43e9f1dd188028bd9b4fade7df77b6e6173bc28402fc1df5e4e82ea64bb6c
Instruction ID: 54fc926a6a63b42deaf5d8538485b1e75de9d5130264e7c8d5862662d74200d6
Opcode Fuzzy Hash: 5ef43e9f1dd188028bd9b4fade7df77b6e6173bc28402fc1df5e4e82ea64bb6c
Instruction Fuzzy Hash: 98118BB1C00218ABCB04EBB0DD59AEDB7BAEF48300F008259B406A2290EF74AB44CB54

Function 0067EA89 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0067EA95
SetEvent.KERNEL32(00000000), ref: 0067EAA9
WaitForSingleObject.KERNEL32(?,00001388), ref: 0067EAB6
TerminateThread.KERNEL32(?,000000FE), ref: 0067EAC7

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: 139942c02b511399c96689162a5997d2d49301263bfddba08441d50e88536a76
Instruction ID: 1376273f8f2f7043ee3b97efb63a06566a87b6f75d1f90229afcc67ba6aab1ac
Opcode Fuzzy Hash: 139942c02b511399c96689162a5997d2d49301263bfddba08441d50e88536a76
Instruction Fuzzy Hash: 70011D35100701ABD735AF10E949BAA77B3BF58311F508BADE066528F1CFB2698CCB51

Function 00677AF1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,?,00672617,?,?), ref: 00677B2C

Part of subcall function 00678617: GetCurrentProcess.KERNEL32(00689698,00677A03,?,?,?,?), ref: 0067861C
Part of subcall function 00678617: IsWow64Process.KERNEL32(00000000), ref: 00678623
Part of subcall function 00678617: GetProcessHeap.KERNEL32 ref: 00678629

Strings

XXXXXX, xrefs: 00677BA7, 00677BB6, 00677BCC
YYj, xrefs: 00677B71

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Process$CurrentHeapOpenWow64
String ID: XXXXXX$YYj
API String ID: 1563638298-1957121946
Opcode ID: c99605e4c00dc287fe1759ecedbf040863fd3ef740785556ea043f959b143409
Instruction ID: 4977ef0fc0cd842d91d407f85e21f9ee42acb8f4627674407965d8e04c2ba244
Opcode Fuzzy Hash: c99605e4c00dc287fe1759ecedbf040863fd3ef740785556ea043f959b143409
Instruction Fuzzy Hash: 9931E4B1A04205BFEF15AA688C45BBF76AFDF50764F20C22DF81C97281FA708D4186A1

Function 006727D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0067F79C

Part of subcall function 00673335: lstrcatW.KERNEL32(00000000,75A901C0,?,?,00683589,?,00681515,00683589,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673365

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 0067362D: lstrcpyW.KERNEL32(00000000,75A901C0,?,?,?,0068150A,006835B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00683589,00000000,75A901C0,00000000), ref: 00673657

Part of subcall function 0067351D: PathFindExtensionW.SHLWAPI(?,?,0067282E,?,?,00000000,00684684), ref: 00673527

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00672860
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0067288A

Strings

open, xrefs: 00672884

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: b786caab362cccf4b49822f26fed944ac14ce2404c4028df6c398e098c060f9c
Instruction ID: 1324d106b3aec60799116d82ca6514aa5ba9e7bbbf3a187b9363dadb7b152c97
Opcode Fuzzy Hash: b786caab362cccf4b49822f26fed944ac14ce2404c4028df6c398e098c060f9c
Instruction Fuzzy Hash: 9E218972A00218BBDB54AFA0C895EEE7B7AAF81310F01C19EF41A67281DF705B49CB54

Function 0067FCB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0067FCFC

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,00683589,?,?,?,006815B2,?,?,80000001), ref: 00680FE6
Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,006815B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0068100A

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0067FCDE
MachineGuid, xrefs: 0067FD17

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1903904756-1211650757
Opcode ID: 792d98864d86efefdb642ae43c38d5ddfe52b9222701d4b01ee73994ca8fca2a
Instruction ID: e8f539752ea99eb09e91c0446851461b259e3fdeb353be205c229f4b34b85ab1
Opcode Fuzzy Hash: 792d98864d86efefdb642ae43c38d5ddfe52b9222701d4b01ee73994ca8fca2a
Instruction Fuzzy Hash: 5711B470D00129ABCB64FBA4CD52CEDB77AAF50700B10856EB40A73291EFB01F05CB95

Function 0067DE1F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,007BE020,?,?,0067E451,?,?), ref: 0067DE51

Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,00000000,00683589,?,?,?,006815B2,?,?,80000001), ref: 00680FE6
Part of subcall function 00680FC3: RegQueryValueExW.KERNEL32(?,75A901C0,00000000,75A901C0,00000000,00000000,?,006815B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0068100A

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

Strings

ServiceDll, xrefs: 0067DE5F
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0067DE2C

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1903904756-387424650
Opcode ID: 583a0b9bdb5ae6e5e2085581aa01ce86551e735732bcdf1d4b8eb641deab1a77
Instruction ID: b32872f0a4922da9ac0cd856602940fa32c24edecdd953b10efcf6b18a8e5f64
Opcode Fuzzy Hash: 583a0b9bdb5ae6e5e2085581aa01ce86551e735732bcdf1d4b8eb641deab1a77
Instruction Fuzzy Hash: E4118271D00218ABDB61FBA0C956CFEBB7AAF90700B10859DB90677281EF705F04DB50

Function 0067D9B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,00000000,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 006735EE
Part of subcall function 006735E5: lstrlenW.KERNEL32(00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673605
Part of subcall function 006735E5: lstrcpyW.KERNEL32(?,00681E02,?,00681E02,00000000,00000000,h\Hh,00000000), ref: 00673620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0067D9EA

Part of subcall function 00681039: RegSetValueExW.ADVAPI32(?,75A901C0,00000000,?,?,?,?,?,00681432,00000000,00000000,?,00000001,?,?,?), ref: 00681058

Part of subcall function 00675EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00675C2A,00000000,?,006810EE,?,?,006836B9), ref: 00675EAD

Part of subcall function 00680FAE: RegCloseKey.ADVAPI32(?,?,0068112D,?,?,006836B9), ref: 00680FB8

Strings

ServiceDll, xrefs: 0067DA03
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0067D9C2

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 2854241163-387424650
Opcode ID: 3eab7c516cc63ca84e2499e10c100de3c87fae6bb7457bb20530ad5fba9776c4
Instruction ID: ba462b12383050432b8d2097c214a4c980fad2912f179d0feaed35020ab4d4b8
Opcode Fuzzy Hash: 3eab7c516cc63ca84e2499e10c100de3c87fae6bb7457bb20530ad5fba9776c4
Instruction Fuzzy Hash: 39111F75900218ABDB54EBA1CC96CFEBB7AEF94700F40855DE90672281DB705B45CB64

Function 00682FD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

Part of subcall function 00671085: GetProcessHeap.KERNEL32(00000000,?,00681E36,00400000,?,?,00000000,?,?,0068349D), ref: 0067108B
Part of subcall function 00671085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0068349D), ref: 00671092

GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,75A901C0,00000000,00683628), ref: 00683008
WinExec.KERNEL32(00000000,00000000), ref: 0068304E

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 0068300E, 00683013, 0068301A

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: 1457e9d272e5c6d6467992e1f30ba1e497c600221250ba9b630e76bf775a39a4
Instruction ID: 979315397b2c702c3b96eec3d6edbc6e19b2c1870d17bee5d4a45b40e05851f7
Opcode Fuzzy Hash: 1457e9d272e5c6d6467992e1f30ba1e497c600221250ba9b630e76bf775a39a4
Instruction Fuzzy Hash: B9F0F6B155021076E26073785CCBFBF5A9ECF8BB51F00402BF60CED182EE689D8142B9

Function 006755A5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00683CC7,IOg,?,00000000), ref: 00675608

Strings

warzone160, xrefs: 006755BA
IOg, xrefs: 006755F2, 00675602

Memory Dump Source

Source File: 00000001.00000002.2923038427.0000000000671000.00000020.00000001.01000000.00000005.sdmp, Offset: 00670000, based on PE: true

Associated: 00000001.00000002.2923014214.0000000000670000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923060782.0000000000684000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.0000000000689000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923077213.00000000007BD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2923138503.00000000007BF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_670000_images.jbxd

Yara matches

Similarity

API ID: send
String ID: IOg$warzone160
API String ID: 2809346765-1861354328
Opcode ID: f4027f4669a57158f80fe3a2cfc647404f4a022c4ed1da06ee46d7d2c6b69326
Instruction ID: 0f1880948af25721fe46c39e60f3a498405349c542084f584b332f3281cb625d
Opcode Fuzzy Hash: f4027f4669a57158f80fe3a2cfc647404f4a022c4ed1da06ee46d7d2c6b69326
Instruction Fuzzy Hash: 4801D271900019BBCB04FBA4DC42CEEB73AEF10320B10836DF02A622D1EF60AF0496A4

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OhWWbQcp7Q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\images.exe

C:\ProgramData\images.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
OhWWbQcp7Q.exe

Function 001C290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Function 001B1085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 001C3435 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Function 001BE703 Relevance: 25.6, APIs: 1, Strings: 16, Instructions: 121
COMMON

Function 001C1136 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 278
fileCOMMON

Function 001B99A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Function 001B5CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Function 001C1E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Function 001BFBFC Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 001C0BD9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
processCOMMON

Function 001B5A10 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 156
sleepCOMMON

Function 001C106C Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Function 001C1D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Function 001C0283 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Sensor Health: Host Status
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre