Edit tour

Windows Analysis Report
hb21QzBgft.exe

Overview

General Information

Sample name:	hb21QzBgft.exe renamed because original name is a hash value
Original sample name:	3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab.exe
Analysis ID:	1547536
MD5:	e94753e8a792b65ce7765c83e7d901e9
SHA1:	b007cc3dde9c3eb45a2da18fac939d51c80e641b
SHA256:	3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab
Tags:	AveMariaRATcdt2023-ddns-netexeuser-JAMESWT_MHT
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Contains functionality to create new users

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hb21QzBgft.exe (PID: 1440 cmdline: "C:\Users\user\Desktop\hb21QzBgft.exe" MD5: E94753E8A792B65CE7765C83E7D901E9)

hb21QzBgft.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\hb21QzBgft.exe" MD5: E94753E8A792B65CE7765C83E7D901E9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware Configuration

Threatname: AveMaria

{"C2 url": "chromedata.accesscam.org", "port": 5222, "Proxy Port": 67}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hb21QzBgft.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
hb21QzBgft.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
hb21QzBgft.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
hb21QzBgft.exe	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
hb21QzBgft.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
hb21QzBgft.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
hb21QzBgft.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
hb21QzBgft.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
hb21QzBgft.exe	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.2153744904.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.2164545039.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.2062030837.0000000001085000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000000.2045348214.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.2061962654.000000000107C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.2062078035.0000000001085000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16650:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e98:$a2: SMTP Password 0x140d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16558:$a5: for /F "usebackq tokens=*" %%A in (" 0x148c8:$a6: \Torch\User Data\Default\Login Data 0x19330:$a7: /n:%temp%\ellocnak.xml 0x15434:$a8: "os_crypt":{"encrypted_key":" 0x19360:$a9: Hey I'm Admin 0x14d60:$a10: \logins.json 0x153ac:$a11: Accounts\Account.rec0 0x13c70:$a12: warzone160 0x16300:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2c20:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1468:$a2: SMTP Password 0x6a8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2b28:$a5: for /F "usebackq tokens=*" %%A in (" 0xe98:$a6: \Torch\User Data\Default\Login Data 0x1a04:$a8: "os_crypt":{"encrypted_key":" 0x1330:$a10: \logins.json 0x197c:$a11: Accounts\Account.rec0 0x240:$a12: warzone160 0x28d0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16650:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e98:$a2: SMTP Password 0x140d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x19210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16558:$a5: for /F "usebackq tokens=*" %%A in (" 0x148c8:$a6: \Torch\User Data\Default\Login Data 0x19330:$a7: /n:%temp%\ellocnak.xml 0x15434:$a8: "os_crypt":{"encrypted_key":" 0x19360:$a9: Hey I'm Admin 0x14d60:$a10: \logins.json 0x153ac:$a11: Accounts\Account.rec0 0x13c70:$a12: warzone160 0x16300:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3218:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7c20:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a60:$a2: SMTP Password 0x6468:$a2: SMTP Password 0xca0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x56a8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3120:$a5: for /F "usebackq tokens=" %%A in (" 0x7b28:$a5: for /F "usebackq tokens=" %%A in (" 0x1490:$a6: \Torch\User Data\Default\Login Data 0x5e98:$a6: \Torch\User Data\Default\Login Data 0x1ffc:$a8: "os_crypt":{"encrypted_key":" 0x6a04:$a8: "os_crypt":{"encrypted_key":" 0x1928:$a10: \logins.json 0x6330:$a10: \logins.json 0x1f74:$a11: Accounts\Account.rec0 0x697c:$a11: Accounts\Account.rec0 0x838:$a12: warzone160 0x5240:$a12: warzone160 0x2ec8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper 0x78d0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: hb21QzBgft.exe PID: 1440	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: hb21QzBgft.exe PID: 1440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hb21QzBgft.exe PID: 6004	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: hb21QzBgft.exe PID: 6004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.hb21QzBgft.exe.1086838.3.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.3.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.hb21QzBgft.exe.30fb490.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.hb21QzBgft.exe.30fb490.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1086838.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1084fc8.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1084fc8.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1087dd0.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1087dd0.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1086838.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1086838.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.0.hb21QzBgft.exe.dd0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.0.hb21QzBgft.exe.dd0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0.0.hb21QzBgft.exe.dd0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.0.hb21QzBgft.exe.dd0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.0.hb21QzBgft.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
0.0.hb21QzBgft.exe.dd0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
2.2.hb21QzBgft.exe.2c21490.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.hb21QzBgft.exe.2c21490.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1087dd0.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1087dd0.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1086838.8.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.8.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1087dd0.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1087dd0.7.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.3.hb21QzBgft.exe.1086838.8.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.3.hb21QzBgft.exe.1086838.8.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.hb21QzBgft.exe.dd0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
2.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.hb21QzBgft.exe.dd0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.hb21QzBgft.exe.dd0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.2.hb21QzBgft.exe.dd0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.hb21QzBgft.exe.dd0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.hb21QzBgft.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
0.2.hb21QzBgft.exe.dd0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
2.2.hb21QzBgft.exe.dd0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
2.2.hb21QzBgft.exe.dd0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
2.2.hb21QzBgft.exe.dd0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.2.hb21QzBgft.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
2.2.hb21QzBgft.exe.dd0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
2.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
2.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.hb21QzBgft.exe.dd0000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
2.0.hb21QzBgft.exe.dd0000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
2.0.hb21QzBgft.exe.dd0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
2.0.hb21QzBgft.exe.dd0000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
2.0.hb21QzBgft.exe.dd0000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
2.0.hb21QzBgft.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
2.0.hb21QzBgft.exe.dd0000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
Click to see the 55 entries

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\hb21QzBgft.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hb21QzBgft.exe, ProcessId: 1440, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CClean

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 10, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hb21QzBgft.exe, ProcessId: 1440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-02T16:56:45.252171+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49707	TCP
2024-11-02T16:57:24.185503+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	49905	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hb21QzBgft.exe

Avira: detected

Found malware configuration

Source: hb21QzBgft.exe

Malware Configuration Extractor: AveMaria {"C2 url": "chromedata.accesscam.org", "port": 5222, "Proxy Port": 67}

Multi AV Scanner detection for submitted file

Source: hb21QzBgft.exe

ReversingLabs: Detection: 89%

Yara detected AveMaria stealer

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hb21QzBgft.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDB15E lstrlenA,CryptStringToBinaryA,lstrcpyA,	0_2_00DDB15E
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDCAFC CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00DDCAFC
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDCCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	0_2_00DDCCB4
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDCC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	0_2_00DDCC54
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDA632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	0_2_00DDA632
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDCF58 LocalAlloc,BCryptDecrypt,LocalFree,	0_2_00DDCF58

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.30fb490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1084fc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1087dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.2c21490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1087dd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1087dd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hb21QzBgft.exe.1086838.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153744904.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164545039.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062030837.0000000001085000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045348214.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.000000000107C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062078035.0000000001085000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hb21QzBgft.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hb21QzBgft.exe PID: 6004, type: MEMORYSTR

Source: hb21QzBgft.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: hb21QzBgft.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DD9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		0_2_00DD9DF6
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDFF27 FindFirstFileW,FindNextFileW,		0_2_00DDFF27

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

0_2_00DE002B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: chromedata.accesscam.org

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD27D3 URLDownloadToFileW,ShellExecuteW,

0_2_00DD27D3

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 128.90.129.125:5222

Source: Joe Sandbox View

IP Address: 128.90.129.125 128.90.129.125

Source: Joe Sandbox View

ASN Name: PHMGMT-AS1US PHMGMT-AS1US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49905

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD562F setsockopt,recv,recv,

0_2_00DD562F

Source: global traffic

DNS traffic detected: DNS query: chromedata.accesscam.org

Source: hb21QzBgft.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: hb21QzBgft.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD89D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

0_2_00DD89D5

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

0_2_00DD902E

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Author: unknown
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.3.hb21QzBgft.exe.1086838.3.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.hb21QzBgft.exe.30fb490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1086838.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1084fc8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1087dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1086838.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1086838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.hb21QzBgft.exe.2c21490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1087dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1086838.8.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1087dd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.hb21QzBgft.exe.1086838.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE1BF8

0_2_00DE1BF8

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: String function: 00DD35E5 appears 40 times
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: String function: 00DE0969 appears 47 times

Source: hb21QzBgft.exe

Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: hb21QzBgft.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: hb21QzBgft.exe, type: SAMPLE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.3.hb21QzBgft.exe.1086838.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hb21QzBgft.exe.30fb490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1086838.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1084fc8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1087dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1086838.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1086838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.hb21QzBgft.exe.2c21490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1087dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1086838.8.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1087dd0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.hb21QzBgft.exe.1086838.8.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@2/0@2/1

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDF619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

0_2_00DDF619

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE20B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00DE20B8

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,

0_2_00DE290F

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE30B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

0_2_00DE30B3

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDD49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00DDD49C

Source: C:\Users\user\Desktop\hb21QzBgft.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe

File created: C:\Users\user\AppData\Local\Microsoft Vision\

Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Mutant created: NULL

Source: hb21QzBgft.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hb21QzBgft.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\hb21QzBgft.exe

File read: C:\Users\user\Desktop\hb21QzBgft.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hb21QzBgft.exe "C:\Users\user\Desktop\hb21QzBgft.exe"
Source: unknown	Process created: C:\Users\user\Desktop\hb21QzBgft.exe "C:\Users\user\Desktop\hb21QzBgft.exe"

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: hb21QzBgft.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hb21QzBgft.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDFA42 LoadLibraryA,GetProcAddress,

0_2_00DDFA42

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DD1190 push eax; ret		0_2_00DD11A4
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DD1190 push eax; ret		0_2_00DD11CC

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDD418 NetUserAdd,NetLocalGroupAddMembers,

0_2_00DDD418

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD27D3 URLDownloadToFileW,ShellExecuteW,

0_2_00DD27D3

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDAC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		0_2_00DDAC0A
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDA6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		0_2_00DDA6C8

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDD508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00DDD508

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CClean			Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run CClean			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: hb21QzBgft.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe, 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe, 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: hb21QzBgft.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hb21QzBgft.exe	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\hb21QzBgft.exe

File opened: C:\Users\user\Desktop\hb21QzBgft.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

0_2_00DDDA5B

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-12832

Source: C:\Users\user\Desktop\hb21QzBgft.exe TID: 3176	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe TID: 3176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hb21QzBgft.exe TID: 5972	Thread sleep count: 60 > 30	Jump to behavior

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DD9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		0_2_00DD9DF6
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DDFF27 FindFirstFileW,FindNextFileW,		0_2_00DDFF27

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

0_2_00DE002B

Source: hb21QzBgft.exe, 00000000.00000002.3314715175.000000000107C000.00000004.00000020.00020000.00000000.sdmp, hb21QzBgft.exe, 00000000.00000003.2062112969.000000000107C000.00000004.00000020.00020000.00000000.sdmp, hb21QzBgft.exe, 00000000.00000003.2061962654.000000000107C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: hb21QzBgft.exe, 00000002.00000003.2163912789.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, hb21QzBgft.exe, 00000002.00000003.2164083077.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, hb21QzBgft.exe, 00000002.00000003.2164038364.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hb21QzBgft.exe	API call chain: ExitProcess graph end node			graph_0-8613
Source: C:\Users\user\Desktop\hb21QzBgft.exe	API call chain: ExitProcess graph end node			graph_0-11767

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDFA42 LoadLibraryA,GetProcAddress,

0_2_00DDFA42

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DE094E mov eax, dword ptr fs:[00000030h]	0_2_00DE094E
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DE0619 mov eax, dword ptr fs:[00000030h]	0_2_00DE0619
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DE0620 mov eax, dword ptr fs:[00000030h]	0_2_00DE0620

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD1085 GetProcessHeap,RtlAllocateHeap,

0_2_00DD1085

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DD79E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,		0_2_00DD79E8
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: 0_2_00DE1FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		0_2_00DE1FD8

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

0_2_00DE20B8

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DE18BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

0_2_00DE18BA

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDF56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

0_2_00DDF56D

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DDF93F cpuid

0_2_00DDF93F

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Code function: 0_2_00DD882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

0_2_00DD882F

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\hb21QzBgft.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: \Google\Chrome\User Data\Default\Login Data		0_2_00DDC1B2
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: \Chromium\User Data\Default\Login Data		0_2_00DDC1B2

Contains functionality to steal e-mail passwords

Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: POP3 Password	0_2_00DDA29A
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: SMTP Password	0_2_00DDA29A
Source: C:\Users\user\Desktop\hb21QzBgft.exe	Code function: IMAP Password	0_2_00DDA29A

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hb21QzBgft.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hb21QzBgft.exe PID: 6004, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: hb21QzBgft.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.hb21QzBgft.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Endpoint Denial of Service
Credentials	Domains	Default Accounts	2 Service Execution	1 Create Account	1 Access Token Manipulation	2 Obfuscated Files or Information	21 Input Capture	1 System Service Discovery	Remote Desktop Protocol	21 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	1 DLL Side-Loading	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	111 Process Injection	3 Masquerading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSA Secrets	11 Security Software Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Users	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hb21QzBgft.exe	89%	ReversingLabs	Win32.Backdoor.Remcos
hb21QzBgft.exe	100%	Avira	TR/Redcap.ghjpt
hb21QzBgft.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chromedata.accesscam.org	128.90.129.125	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
chromedata.accesscam.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/syohex/java-simple-mine-sweeperC:	hb21QzBgft.exe	false		unknown
https://github.com/syohex/java-simple-mine-sweeper	hb21QzBgft.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
128.90.129.125	chromedata.accesscam.org	United States		22363	PHMGMT-AS1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547536
Start date and time:	2024-11-02 16:55:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hb21QzBgft.exe renamed because original name is a hash value
Original Sample Name:	3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@2/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 89
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: hb21QzBgft.exe

Simulations

Behavior and APIs

Time	Type	Description
16:56:29	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run CClean C:\Users\user\Desktop\hb21QzBgft.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
128.90.129.125	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chromedata.accesscam.org	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse	128.90.129.125
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse	128.90.129.125
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PHMGMT-AS1US	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse	128.90.129.125
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	uqBq7FwS83.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	YTrJ5NViJC.exe	Get hash	malicious	Njrat	Browse	128.90.129.125
	XprhPg52TO.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.375556012562547
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hb21QzBgft.exe
File size:	115'712 bytes
MD5:	e94753e8a792b65ce7765c83e7d901e9
SHA1:	b007cc3dde9c3eb45a2da18fac939d51c80e641b
SHA256:	3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab
SHA512:	1a572de1861f2e6487ee60ea9102ea8443d057ae9c00b53242719e1835f56d22e3eed3ac6999408b7b2a6902cf432ed23074968ad5d0f2907ffc70645812af6a
SSDEEP:	1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
TLSH:	7BB39E13F7E54835F3B201B01ABD7E7ACBEDF9700628C49FA394858A2D31946E925397
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3..?<..7D..?<...3..<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><.........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x405ce2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F49FB9C [Sat Aug 29 06:54:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	51a1d638436da72d7fa5fb524e02d427

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [004141E8h]
mov ecx, eax
mov al, byte ptr [ecx]
cmp al, 22h
jne 00007F62A4DDD12Ah
inc ecx
mov dl, byte ptr [ecx]
test dl, dl
je 00007F62A4DDD113h
mov al, dl
mov dl, al
cmp al, 22h
je 00007F62A4DDD10Bh
inc ecx
mov dl, byte ptr [ecx]
mov al, dl
test dl, dl
jne 00007F62A4DDD0F3h
lea eax, dword ptr [ecx+01h]
cmp dl, 00000022h
cmovne eax, ecx
mov ecx, eax
jmp 00007F62A4DDD110h
inc ecx
mov al, byte ptr [ecx]
cmp al, 20h
jnle 00007F62A4DDD0FBh
jmp 00007F62A4DDD109h
cmp al, 20h
jnle 00007F62A4DDD109h
inc ecx
mov al, byte ptr [ecx]
test al, al
jne 00007F62A4DDD0F7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00414140h]
call 00007F62A4DDD132h
mov edx, 0041902Ch
mov ecx, 00419000h
call 00007F62A4DDD150h
push 00000000h
call dword ptr [004141ECh]
push ecx
push ecx
call 00007F62A4DEA7D9h
mov esi, eax
call 00007F62A4DDD122h
push esi
call dword ptr [004141F0h]
int3
mov dword ptr [0054DB64h], 00000020h
call 00007F62A4DDD014h
mov dword ptr [0054D0E4h], eax
ret
mov eax, dword ptr [0054E01Ch]
test eax, eax
je 00007F62A4DDD110h
mov ecx, dword ptr [0054D0E4h]
lea edx, dword ptr [ecx+eax*4]
jmp 00007F62A4DDD106h
ret
push ebx
push esi
push edi
mov edi, ecx
mov esi, edx
sub esi, edi
xor eax, eax
add esi, 00000000h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2003 (.NET) build 3077
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1771c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x2c70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xfa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x175a0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x14000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12eab	0x13000	6dbe7c9f7981297db465fd69821e1c4b	False	0.5748226768092105	data	6.494947391542317	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x14000	0x49ce	0x4a00	1271925bf242f5dd778122d822dac6d9	False	0.40466638513513514	data	5.281541653463336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x1350d8	0x600	0e383bc5047fd3f1a7a5e78591f96b14	False	0.5709635416666666	data	4.992963293914077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14f000	0x2c70	0x2e00	cdd112e1df434d31179f9eee936b7ff7	False	0.32778532608695654	data	3.9587156670856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xfa8	0x1000	d7f0f9f1a21533bcdc70c4c071cede21	False	0.83251953125	data	6.690653232264333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x153000	0x1000	0x200	6bf023baf38d049837478ef4940a09e0	False	0.37109375	data	3.1246956947790547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
WM_DSP	0x14f070	0x2c00	PE32 executable (GUI) Intel 80386, for MS Windows	English	India	0.3400213068181818

Imports

DLL	Import
bcrypt.dll	BCryptSetProperty, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDecrypt
KERNEL32.dll	HeapFree, VirtualAlloc, HeapReAlloc, VirtualQuery, TerminateThread, CreateThread, WriteProcessMemory, GetCurrentProcess, OpenProcess, GetWindowsDirectoryA, VirtualProtectEx, VirtualAllocEx, CreateRemoteThread, CreateProcessA, GetModuleHandleW, IsWow64Process, WriteFile, CreateFileW, LoadLibraryW, GetLocalTime, GetCurrentThreadId, GetCurrentProcessId, ReadFile, FindFirstFileA, GetBinaryTypeW, FindNextFileA, GetFullPathNameA, GetTempPathW, GetPrivateProfileStringW, CreateFileA, GlobalAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileSize, FreeLibrary, SetDllDirectoryW, GetFileSizeEx, LoadLibraryA, LocalFree, WaitForSingleObject, WaitForMultipleObjects, CreatePipe, PeekNamedPipe, DuplicateHandle, SetEvent, GetStartupInfoA, CreateEventA, GetModuleFileNameW, LoadResource, FindResourceW, GetComputerNameW, GlobalMemoryStatusEx, LoadLibraryExW, FindFirstFileW, FindNextFileW, SetFilePointer, GetLogicalDriveStringsW, DeleteFileW, CopyFileW, GetDriveTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetProcessHeap, ReleaseMutex, TerminateProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, SizeofResource, VirtualProtect, GetSystemDirectoryW, LockResource, GetWindowsDirectoryW, Process32First, Process32Next, WinExec, GetTempPathA, HeapAlloc, lstrcmpW, GetTickCount, lstrcpyW, WideCharToMultiByte, lstrcpyA, Sleep, MultiByteToWideChar, GetCommandLineA, GetModuleHandleA, ExitProcess, CreateProcessW, lstrcatA, lstrcmpA, lstrlenA, ExpandEnvironmentStringsW, lstrlenW, CloseHandle, lstrcatW, GetLastError, VirtualFree, GetProcAddress, SetLastError, GetModuleFileNameA, CreateDirectoryW, LocalAlloc, CreateMutexA
USER32.dll	GetKeyState, GetMessageA, DispatchMessageA, CreateWindowExW, CallNextHookEx, GetAsyncKeyState, RegisterClassW, GetRawInputData, MapVirtualKeyA, DefWindowProcA, RegisterRawInputDevices, TranslateMessage, GetForegroundWindow, GetKeyNameTextW, PostQuitMessage, MessageBoxA, GetLastInputInfo, wsprintfW, GetWindowTextW, wsprintfA, ToUnicode
ADVAPI32.dll	RegDeleteKeyW, RegCreateKeyExW, RegSetValueExA, RegDeleteValueW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, OpenProcessToken, InitializeSecurityDescriptor, RegDeleteKeyA, SetSecurityDescriptorDacl, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyExW, RegQueryValueExA, RegQueryInfoKeyW, RegCloseKey, OpenServiceW, ChangeServiceConfigW, QueryServiceConfigW, EnumServicesStatusExW, StartServiceW, RegSetValueExW, RegCreateKeyExA, OpenSCManagerW, CloseServiceHandle, GetTokenInformation, LookupAccountSidW, FreeSid, RegQueryValueExW
SHELL32.dll	ShellExecuteExA, ShellExecuteExW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, ShellExecuteW, SHGetFolderPathW, SHGetKnownFolderPath
urlmon.dll	URLDownloadToFileW
WS2_32.dll	htons, recv, connect, socket, send, WSAStartup, shutdown, closesocket, WSACleanup, InetNtopW, gethostbyname, inet_addr, getaddrinfo, setsockopt, freeaddrinfo
ole32.dll	CoInitializeSecurity, CoCreateInstance, CoInitialize, CoUninitialize, CoTaskMemFree
SHLWAPI.dll	StrStrW, PathRemoveFileSpecA, StrStrA, PathCombineA, PathFindFileNameW, PathFileExistsW, PathFindExtensionW
NETAPI32.dll	NetLocalGroupAddMembers, NetUserAdd
OLEAUT32.dll	VariantInit
CRYPT32.dll	CryptUnprotectData, CryptStringToBinaryA, CryptStringToBinaryW
PSAPI.DLL	GetModuleFileNameExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	India

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-02T16:56:45.252171+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	49707	TCP
2024-11-02T16:57:24.185503+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.5	49905	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 16:56:30.299602032 CET	49704	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:30.304557085 CET	5222	49704	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:30.304692030 CET	49704	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:31.148051023 CET	5222	49704	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:31.148220062 CET	49704	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:36.150094032 CET	49705	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:36.155019045 CET	5222	49705	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:36.155127048 CET	49705	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:36.990180969 CET	5222	49705	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:36.990356922 CET	49705	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:41.993783951 CET	49706	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:41.999008894 CET	5222	49706	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:41.999166012 CET	49706	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:42.846821070 CET	5222	49706	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:42.846885920 CET	49706	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:47.853573084 CET	49718	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:47.858778000 CET	5222	49718	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:47.861443996 CET	49718	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:48.791198969 CET	5222	49718	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:48.791331053 CET	49718	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:53.807893991 CET	49749	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:53.812752008 CET	5222	49749	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:53.812956095 CET	49749	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:54.653049946 CET	5222	49749	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:54.653153896 CET	49749	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:59.668231964 CET	49779	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:56:59.673396111 CET	5222	49779	128.90.129.125	192.168.2.5
Nov 2, 2024 16:56:59.673978090 CET	49779	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:00.507580042 CET	5222	49779	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:00.507819891 CET	49779	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:05.519788980 CET	49810	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:05.524853945 CET	5222	49810	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:05.524928093 CET	49810	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:06.373466969 CET	5222	49810	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:06.373635054 CET	49810	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:11.384190083 CET	49842	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:11.389272928 CET	5222	49842	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:11.389347076 CET	49842	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:12.237132072 CET	5222	49842	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:12.237323999 CET	49842	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:17.243484974 CET	49874	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:17.248413086 CET	5222	49874	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:17.248524904 CET	49874	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:18.085475922 CET	5222	49874	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:18.085669041 CET	49874	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:23.087205887 CET	49908	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:23.092097044 CET	5222	49908	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:23.092161894 CET	49908	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:23.934256077 CET	5222	49908	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:23.934360027 CET	49908	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:28.946639061 CET	49941	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:28.953725100 CET	5222	49941	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:28.953850031 CET	49941	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:29.806833029 CET	5222	49941	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:29.806987047 CET	49941	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:34.821686029 CET	49970	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:34.826622963 CET	5222	49970	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:34.826716900 CET	49970	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:35.651884079 CET	5222	49970	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:35.651958942 CET	49970	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:40.665509939 CET	49987	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:40.671502113 CET	5222	49987	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:40.671631098 CET	49987	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:41.522726059 CET	5222	49987	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:41.522882938 CET	49987	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:46.524759054 CET	49988	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:47.005861998 CET	5222	49988	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:47.005940914 CET	49988	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:47.875472069 CET	5222	49988	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:47.875633001 CET	49988	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:52.884236097 CET	49989	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:52.889365911 CET	5222	49989	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:52.889473915 CET	49989	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:53.734366894 CET	5222	49989	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:53.734451056 CET	49989	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:58.743829966 CET	49990	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:58.748621941 CET	5222	49990	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:58.748703957 CET	49990	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:57:59.594101906 CET	5222	49990	128.90.129.125	192.168.2.5
Nov 2, 2024 16:57:59.594170094 CET	49990	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:04.602926970 CET	49991	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:04.607868910 CET	5222	49991	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:04.608074903 CET	49991	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:05.467264891 CET	5222	49991	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:05.467360020 CET	49991	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:10.477943897 CET	49992	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:10.483726978 CET	5222	49992	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:10.483814955 CET	49992	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:11.333164930 CET	5222	49992	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:11.333267927 CET	49992	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:16.337829113 CET	49993	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:16.342709064 CET	5222	49993	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:16.342809916 CET	49993	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:17.199736118 CET	5222	49993	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:17.205605984 CET	49993	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:22.213025093 CET	49994	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:22.218453884 CET	5222	49994	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:22.218528032 CET	49994	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:23.074675083 CET	5222	49994	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:23.074778080 CET	49994	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:28.087347031 CET	49995	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:28.092451096 CET	5222	49995	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:28.092582941 CET	49995	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:28.953320980 CET	5222	49995	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:28.953440905 CET	49995	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:34.123712063 CET	49996	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:34.129797935 CET	5222	49996	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:34.129971027 CET	49996	5222	192.168.2.5	128.90.129.125
Nov 2, 2024 16:58:34.977895021 CET	5222	49996	128.90.129.125	192.168.2.5
Nov 2, 2024 16:58:34.978034019 CET	49996	5222	192.168.2.5	128.90.129.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2024 16:56:30.149367094 CET	52331	53	192.168.2.5	1.1.1.1
Nov 2, 2024 16:56:30.296305895 CET	53	52331	1.1.1.1	192.168.2.5
Nov 2, 2024 16:58:33.994203091 CET	62768	53	192.168.2.5	1.1.1.1
Nov 2, 2024 16:58:34.122656107 CET	53	62768	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2024 16:56:30.149367094 CET	192.168.2.5	1.1.1.1	0xe8cc	Standard query (0)	chromedata.accesscam.org	A (IP address)	IN (0x0001)	false
Nov 2, 2024 16:58:33.994203091 CET	192.168.2.5	1.1.1.1	0x6c9e	Standard query (0)	chromedata.accesscam.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 2, 2024 16:56:30.296305895 CET	1.1.1.1	192.168.2.5	0xe8cc	No error (0)	chromedata.accesscam.org		128.90.129.125	A (IP address)	IN (0x0001)	false
Nov 2, 2024 16:58:34.122656107 CET	1.1.1.1	192.168.2.5	0x6c9e	No error (0)	chromedata.accesscam.org		128.90.129.125	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:56:26
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\hb21QzBgft.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hb21QzBgft.exe"
Imagebase:	0xdd0000
File size:	115'712 bytes
MD5 hash:	E94753E8A792B65CE7765C83E7D901E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.2062030837.0000000001085000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000000.2045348214.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.2061962654.000000000107C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.2062078035.0000000001085000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.2061962654.0000000001074000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000000.2045107278.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.3314934510.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000003.2062112969.000000000106F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:56:37
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\hb21QzBgft.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hb21QzBgft.exe"
Imagebase:	0xdd0000
File size:	115'712 bytes
MD5 hash:	E94753E8A792B65CE7765C83E7D901E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000002.00000000.2153744904.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000002.00000002.2164545039.0000000000F1F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000002.00000000.2153677162.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000002.00000002.2164573446.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000002.00000002.2164475001.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	2000
Total number of Limit Nodes:	70

Executed Functions

Function 00DE290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00DE291E
CoCreateInstance.OLE32(00DE45E0,00000000,00000001,00DE73F0,?,?,?,?,00DE2F37,?,?,?,00DE227B), ref: 00DE293E
VariantInit.OLEAUT32(?), ref: 00DE299A
CoUninitialize.OLE32(?,?,?,00DE2F37,?,?,?,00DE227B), ref: 00DE2A60

Strings

Description, xrefs: 00DE29A8
FriendlyName, xrefs: 00DE29BF

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: fbe65f4bef5a284350e7e4a2249faeb057d84453cdfb5cf0dcfc8629da567a6c
Instruction ID: f2323e66abe6f2d2f8083a63bf530ac5061973ac35bc34e687c288d917438ce1
Opcode Fuzzy Hash: fbe65f4bef5a284350e7e4a2249faeb057d84453cdfb5cf0dcfc8629da567a6c
Instruction Fuzzy Hash: AA413F74A00285AFCB24EFA6C884DBEBBBDEF84704B14445DE446EB251DB70DA41CB70

Function 00DD562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00DD5666

Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,750901C0,?,00DD5A4F,.bss,00000000), ref: 00DD33C8
Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,?,00DD5A4F,.bss,00000000), ref: 00DD33D5
Part of subcall function 00DD33BF: lstrcpyA.KERNEL32(00000000,?,?,00DD5A4F,.bss,00000000), ref: 00DD33E8

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00DD56B6
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00DD5726

Strings

`, xrefs: 00DD5650
warzone160, xrefs: 00DD5688

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzone160
API String ID: 3973575906-811885577
Opcode ID: 1c9cdcd6e126b6b4d128daf0540d82b0da8712c76cba157f5c57645044755bf2
Instruction ID: 76bc66724b655bce1e89c6941b1f9166570d769b6fcbdc01e544883d3a733c4e
Opcode Fuzzy Hash: 1c9cdcd6e126b6b4d128daf0540d82b0da8712c76cba157f5c57645044755bf2
Instruction Fuzzy Hash: A9515E71900118EBCB29EFA1DC96DFEBB78EF54350F14012AF415A6291EB309B48CBB1

Function 00DD1085 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: aa86f1d7152a93d591e0e6b15c10028d2c1a5d3efff506dfa5f8e0d8a308ba4d
Instruction ID: 02d25699d5d0bbde7871555b727ebfd4d8707283bdadf93f4c34196a72492eb1
Opcode Fuzzy Hash: aa86f1d7152a93d591e0e6b15c10028d2c1a5d3efff506dfa5f8e0d8a308ba4d
Instruction Fuzzy Hash: 5BB00275944340FBDF457BE09E8DF097B69AB59703F014544F245C9160D6754490DB31

Function 00DE3435 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00DE3467
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00DE3483

Part of subcall function 00DE1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E4E
Part of subcall function 00DE1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E61
Part of subcall function 00DE1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E72
Part of subcall function 00DE1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E7F

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DE34EA
GetLastError.KERNEL32 ref: 00DE34F5
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00DE352F
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00DE354E
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00DE3563
RegCloseKey.ADVAPI32(?), ref: 00DE3569
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00DE35C5
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00DE35D8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DE35E7

Part of subcall function 00DE1A3C: GetModuleFileNameW.KERNEL32(00000000,00F1CBF0,00000208,00000000,00000000,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A58
Part of subcall function 00DE1A3C: IsUserAnAdmin.SHELL32 ref: 00DE1A5E
Part of subcall function 00DE1A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A87
Part of subcall function 00DE1A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00DE1A91
Part of subcall function 00DE1A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00DE1A9B
Part of subcall function 00DE1A3C: LockResource.KERNEL32(00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00DE1AA2

Part of subcall function 00DE1136: CopyFileW.KERNEL32(?,?,00000000,?,00DE4684,?,00000000,?,?,?,?,00000000,750901C0,00000000), ref: 00DE11D7

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DE0BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,750901C0,00000000), ref: 00DE0C14

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

MaxConnectionsPerServer, xrefs: 00DE355A
\Microsoft Vision\, xrefs: 00DE35CB
MaxConnectionsPer1_0Server, xrefs: 00DE3545
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00DE3525

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: File$Create$Resource$CloseHeapModuleNameProcessValue$AdminAllocateCopyCountDirectoryErrorEventFindFolderFreeHandleLastLoadLockPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3138263686-2552559493
Opcode ID: 69f798988ad970e571474df05d95205d076d1c2015d743b9ab2fd75ef56441f4
Instruction ID: b7c98dfed1e82c0595d517e346286018de46eb617d3ba8611fd6c5c4ad2745aa
Opcode Fuzzy Hash: 69f798988ad970e571474df05d95205d076d1c2015d743b9ab2fd75ef56441f4
Instruction Fuzzy Hash: F0611DB5508384AFD720FB61DC85EAFB7ACEF94704F04092EF68596251DA709A48CB72

Function 00DE1136 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 278
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DDF481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00DE3589,?,00DE1618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 00DDF4A2

Part of subcall function 00DE0F6E: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,750901C0,?,?,00DE1165,?,?), ref: 00DE0F8E

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

CopyFileW.KERNEL32(?,?,00000000,?,00DE4684,?,00000000,?,?,?,?,00000000,750901C0,00000000), ref: 00DE11D7

Part of subcall function 00DE106C: RegCreateKeyExW.ADVAPI32(750901C0,00000000,00000000,00000000,00000000,00DE3589,00000000,?,?,?,?,00DE3589,?,00DE158B,80000001,?), ref: 00DE10A0
Part of subcall function 00DE106C: RegOpenKeyExW.KERNEL32(750901C0,00000000,00000000,00DE3589,?,?,?,00DE3589,?,00DE158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 00DE10BB

Part of subcall function 00DE1039: RegSetValueExW.KERNEL32(?,750901C0,00000000,?,?,?,?,?,00DE1432,00000000,00000000,?,00000001,?,?,?), ref: 00DE1058

SHGetKnownFolderPath.SHELL32(00DE4550,00000000,00000000,?,?,?,?,?,00000000,750901C0,00000000), ref: 00DE1264
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,00DE7204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 00DE1382

Part of subcall function 00DDF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 00DDF79C

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DDF71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,00DE11A6,00000000,?,?,?,?,00000000,750901C0,00000000), ref: 00DDF725

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DD3335: lstrcatW.KERNEL32(00000000,750901C0,?,?,00DE3589,?,00DE1515,00DE3589,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3365

DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,750901C0,00000000), ref: 00DE147C

Strings

") do %%A, xrefs: 00DE128F
:Zone.Identifier, xrefs: 00DE145B
\programs.bat, xrefs: 00DE1275
for /F "usebackq tokens=*" %%A in (", xrefs: 00DE1282
:start, xrefs: 00DE1294, 00DE132F
wmic process call create '", xrefs: 00DE130A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 2154703971-2016382161
Opcode ID: c10cadbee545d826504292b6f95bdba030e4ca20a9bfa994fa58b5f35b04e081
Instruction ID: 408db59da57da3d4fafbcc613fb27176d25dbd18bcb189a73034472607e37cf9
Opcode Fuzzy Hash: c10cadbee545d826504292b6f95bdba030e4ca20a9bfa994fa58b5f35b04e081
Instruction Fuzzy Hash: 0BA10EB1A00249ABDF15FFA1DC92CEE7779EF94300B40446AF41267296DF34AA49CB71

Function 00DDE703 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00F1E020), ref: 00DDE710

Part of subcall function 00DD5F53: GetProcessHeap.KERNEL32(00000000,000000F4,00DE0477,?,750901C0,00000000,00DD5A34), ref: 00DD5F56
Part of subcall function 00DD5F53: HeapAlloc.KERNEL32(00000000), ref: 00DD5F5D

Part of subcall function 00DD31D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00DD3207

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

\Microsoft DN1, xrefs: 00DDE82E, 00DDE835, 00DDE83B
%ProgramW6432%, xrefs: 00DDE7DA
%windir%\System32, xrefs: 00DDE79B
TermService, xrefs: 00DDE773
\rfxvmt.dll, xrefs: 00DDE843
%ProgramFiles%, xrefs: 00DDE789, 00DDE793, 00DDE805
\rdpwrap.ini, xrefs: 00DDE866
\sqlmap.dll, xrefs: 00DDE872, 00DDE879, 00DDE87F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
API String ID: 2811233055-3289620323
Opcode ID: cadc3947268518139e1be0100de67a771532267d375f0a8f0ff2d31939a7e7ca
Instruction ID: abe630f7d19e721d59b6235bd32f9ccdac80b5dd55a713959074bdd30c8bdaa9
Opcode Fuzzy Hash: cadc3947268518139e1be0100de67a771532267d375f0a8f0ff2d31939a7e7ca
Instruction Fuzzy Hash: 7D31C471B006446B9B19BF699C929AD7B6ADFE8700701442FF8025B392CEB48F49D772

Function 00DD99A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00F1DB10,?,00DD1221), ref: 00DD99D3
LoadLibraryW.KERNEL32(User32.dll,?,00DD1221), ref: 00DD99FE

Part of subcall function 00DE0969: lstrcmpA.KERNEL32(?,00DE1BD0,?,open,00DE1BD0), ref: 00DE09A2

Strings

MapVirtualKeyA, xrefs: 00DD9A24
User32.dll, xrefs: 00DD99EC
GetRawInputData, xrefs: 00DD9A06
ToUnicode, xrefs: 00DD9A13

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: dd0fffdb092c4332b01c41aa8bddd6538a1e4755eb0fd4022659fdee31939912
Instruction ID: a90ebdbaeb812bf856bc2d1e18db891d938edd54a735b2a0fc15cad93c627f42
Opcode Fuzzy Hash: dd0fffdb092c4332b01c41aa8bddd6538a1e4755eb0fd4022659fdee31939912
Instruction Fuzzy Hash: 0F014F75A582649B8344FF667C501893BB5D7C8710713812AF006D7352DB740981EB69

Function 00DD57FB Relevance: 9.1, APIs: 6, Instructions: 75
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD3125: lstrcatA.KERNEL32(00000000,750901C0,?,00000000,?,00DD35C4,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD3151

Part of subcall function 00DE026F: WaitForSingleObject.KERNEL32(?,000000FF,00DD5824,750901C0,?,?,00000000,00DD4EA0,?,?,?,?,?,00000000,750901C0), ref: 00DE0273

getaddrinfo.WS2_32(750901C0,00000000,00DD4EA0,00000000), ref: 00DD5848
socket.WS2_32(00000002,00000001,00000000), ref: 00DD585F
htons.WS2_32(00000000), ref: 00DD5885
freeaddrinfo.WS2_32(00000000), ref: 00DD5895
connect.WS2_32(?,?,00000010), ref: 00DD58A1
ReleaseMutex.KERNEL32(?), ref: 00DD58CB

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: 2f47c544cf52895e2880b86a06dae7515456a46a4046974da23d9e9fa659c15a
Instruction ID: eee5626270554576a534569885062095bafb5fe9c7c5d1fc267bfd1dad56b5db
Opcode Fuzzy Hash: 2f47c544cf52895e2880b86a06dae7515456a46a4046974da23d9e9fa659c15a
Instruction Fuzzy Hash: FB216D71900204EBDF10AF61D889BDABBB9FF44320F148066FA09EF295D7719A44DB74

Function 00DD5CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00DD5CE9
GetStartupInfoA.KERNEL32(?), ref: 00DD5D38
GetModuleHandleA.KERNEL32(00000000), ref: 00DD5D54
ExitProcess.KERNEL32 ref: 00DD5D69

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 5b997371f7f857d372a46bb576934473f7dff400434339e0dedbc6797236284f
Instruction ID: f728a0cc0b146c326721b375af6546f6f358dc8ac2466d2c880556c93ae2746b
Opcode Fuzzy Hash: 5b997371f7f857d372a46bb576934473f7dff400434339e0dedbc6797236284f
Instruction Fuzzy Hash: 40012D28004B841EDB243F78B48EAED3FA79F17305BA81049E4C2CB35BD6124C47C675

Function 00DE1E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E4E
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E61
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E7F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: d2d0a3c06f7fd11c18bc7918f7ddc60cf406e6fddf51d73c6530cadbb4037ddc
Instruction ID: bb502a31a91357e062fd9c23eefc6e207682a3089efb02c32630abad788c24b7
Opcode Fuzzy Hash: d2d0a3c06f7fd11c18bc7918f7ddc60cf406e6fddf51d73c6530cadbb4037ddc
Instruction Fuzzy Hash: 15F062B6B11350BFF7206B65AC49FBB77ACEB55765F200229FA11E62C0E7B05D0086B4

Function 00DDFBFC Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,750901C0,00000000,750901C0,00000000,?,?,?,?,00DE3589,?), ref: 00DDFC0E
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00DE3589,?), ref: 00DDFC15
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00DE3589,?), ref: 00DDFC33
CloseHandle.KERNEL32(00000000), ref: 00DDFC48

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 288bb259c728f3e922c17319522faa17555ee255e7c1239a261125546edb58f5
Instruction ID: 28ec49762b77c2ae8be9e8580daf0bd99f642b6b2c1de216c38a8b38a58bd301
Opcode Fuzzy Hash: 288bb259c728f3e922c17319522faa17555ee255e7c1239a261125546edb58f5
Instruction Fuzzy Hash: D2F04972D00218FBDB10ABA0DD49BDEBBBCEF04701F114065EA02EA290D7309E44EAA0

Function 00DD5A10 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4,00000000,750901C0,00000000), ref: 00DD5A26

Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,750901C0,?,00DD5A4F,.bss,00000000), ref: 00DD33C8
Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,?,00DD5A4F,.bss,00000000), ref: 00DD33D5
Part of subcall function 00DD33BF: lstrcpyA.KERNEL32(00000000,?,?,00DD5A4F,.bss,00000000), ref: 00DD33E8

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Strings

.bss, xrefs: 00DD5A42

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeSleepVirtual
String ID: .bss
API String ID: 277671435-3890483948
Opcode ID: 774a2e92e4290cc6f6166db6bfd4dea0ef43da7f1e6361c453c4f2c93a0625f7
Instruction ID: 5f4712d5aeadc70939c568461888a2037bc7f3bc2f9ed5344494011f0990a8d4
Opcode Fuzzy Hash: 774a2e92e4290cc6f6166db6bfd4dea0ef43da7f1e6361c453c4f2c93a0625f7
Instruction Fuzzy Hash: C7515175900549AFCB14EFA0D9D18EEBBB5FF44304B1045AAE416AB256EF30AB05CFB0

Function 00DD3554 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD3261: lstrlenW.KERNEL32(750901C0,00DD3646,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3268

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00DD4E98,?), ref: 00DD3581

Part of subcall function 00DD5EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00DD3652,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD5EBE

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD35AC

Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,750901C0,?,00DD5A4F,.bss,00000000), ref: 00DD33C8
Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,?,00DD5A4F,.bss,00000000), ref: 00DD33D5
Part of subcall function 00DD33BF: lstrcpyA.KERNEL32(00000000,?,?,00DD5A4F,.bss,00000000), ref: 00DD33E8

Part of subcall function 00DD3125: lstrcatA.KERNEL32(00000000,750901C0,?,00000000,?,00DD35C4,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD3151

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: 0afa2432ddd539b09ccac807b43b3cd182696207f91e0b1a3a56829f1bb156bf
Instruction ID: b024f9934c10b0685f4b7a9d7ef111e9dbd4321321604cd23055b62c151757f6
Opcode Fuzzy Hash: 0afa2432ddd539b09ccac807b43b3cd182696207f91e0b1a3a56829f1bb156bf
Instruction Fuzzy Hash: 25015271601220BBDF15BBA4DC86EAE7B6DDF49750F100026B506AB381CA706F0087B5

Function 00DE106C Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(750901C0,00000000,00000000,00DE3589,?,?,?,00DE3589,?,00DE158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 00DE10BB

Part of subcall function 00DDF731: RegOpenKeyExW.ADVAPI32(750901C0,00000000,00000000,00020019,00000000,750901C0,?,00DE1088,?,?,00DE3589,?,00DE158B,80000001,?,000F003F), ref: 00DDF747

RegCreateKeyExW.ADVAPI32(750901C0,00000000,00000000,00000000,00000000,00DE3589,00000000,?,?,?,?,00DE3589,?,00DE158B,80000001,?), ref: 00DE10A0

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: b4612d02fe0ef098c02ce6ca62f5a366e01253d84f852ab768332323a768bf07
Instruction ID: fd59b07b47ec998168d26149cb1b9ef062e631cb2ee97ac2dab112405b63ec53
Opcode Fuzzy Hash: b4612d02fe0ef098c02ce6ca62f5a366e01253d84f852ab768332323a768bf07
Instruction Fuzzy Hash: 27011D7520018DBFAB11AE52DC80CBB7BAEEF44398714402AF90586210E771DDA19AB1

Function 00DE1D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000001), ref: 00DE1D11
GetTickCount.KERNEL32 ref: 00DE1D17

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: 24518f7327d708c4e5d7eec46118632f25ad0591849c5e7af73920e4a538eed8
Instruction ID: 820106df0b8f45eb31c4a7cf0f5984bc56a16fb09519eca59c1f42eace0514ad
Opcode Fuzzy Hash: 24518f7327d708c4e5d7eec46118632f25ad0591849c5e7af73920e4a538eed8
Instruction Fuzzy Hash: ACD0A9302483444BE70CAB09FC8A2263E4EE7E0306F04802EB50EC92E0C9A055A04460

Function 00DE0283 Relevance: 3.0, APIs: 2, Instructions: 8synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,00DDFEFD,00DE3578,00DD5BEC,00DE3578,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 00DE0288
CloseHandle.KERNEL32(?), ref: 00DE0290

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 0c1a260ef3d2cac1bf031c25186d2a6f510c7a08d1d1ee68b9e8bafad7430508
Instruction ID: 6e576297d00065b60dcc884ff3e9de2cb031ae6d499ed6d83945134d9532c3fe
Opcode Fuzzy Hash: 0c1a260ef3d2cac1bf031c25186d2a6f510c7a08d1d1ee68b9e8bafad7430508
Instruction Fuzzy Hash: A8B0923A001260DFEB253F54FC4C894BFA5FF08251315046EF285C52388BB20C609BA0

Function 00DD5EFF Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00DD2FA7,00DD5A42,?,?,00DE03FD,00DD5A42,?,?,750901C0,00000000,?,00DD5A42,00000000), ref: 00DD5F02
RtlAllocateHeap.NTDLL(00000000,?,00DE03FD,00DD5A42,?,?,750901C0,00000000,?,00DD5A42,00000000), ref: 00DD5F09

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1af52d5a6d7c6456b117c44e95c6a78ec189929782061e80089f725cdeef0a8c
Instruction ID: 9d8f4706e2a3fd66786b978b3a1d1696c0689bb2213645bb4b380db85ee42508
Opcode Fuzzy Hash: 1af52d5a6d7c6456b117c44e95c6a78ec189929782061e80089f725cdeef0a8c
Instruction Fuzzy Hash: 1EA00271950340ABDE4477E49D8DF15361CA755702F014544B145C9150996554848731

Function 00DD5EEE Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00DD3044,?,00DD5C22,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EF1
RtlFreeHeap.NTDLL(00000000,?,?,00DE36B9), ref: 00DD5EF8

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b9507f13416d2114a5efb5c7ad7a48d9448f25f8e53e9424a21b52ca3eec63b3
Instruction ID: ba2bd6c556e1b490b51f4b679b75d32937a34c3e7e1f5c5b08d9d1815c017761
Opcode Fuzzy Hash: b9507f13416d2114a5efb5c7ad7a48d9448f25f8e53e9424a21b52ca3eec63b3
Instruction Fuzzy Hash: 8FA00271554340ABDDC477E09D4DB15352C9759702F004554B206CA250966454408731

Function 00DD309D Relevance: 2.6, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00DD308C: lstrlenA.KERNEL32(00000000,00DD30B4,750901C0,00000000,00000000,?,00DD32DC,00DD350E,00000000,-00000001,750901C0,?,00DD350E,00000000,?,00000000), ref: 00DD3093

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,750901C0,00000000,00000000,?,00DD32DC,00DD350E,00000000,-00000001,750901C0), ref: 00DD30CA

Part of subcall function 00DD5E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00DD33E2,?,00DD5A4F,.bss,00000000), ref: 00DD5E30

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00DD32DC,00DD350E,00000000,-00000001,750901C0,?,00DD350E,00000000), ref: 00DD30F5

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
String ID:
API String ID: 4006399363-0
Opcode ID: 015ff4c3a490d731fa17e0e9e7896500fdd6ac50f6e3b0459f6875e1239d3ca6
Instruction ID: 5c98f1b77b246eec861509a7e288eb70c1bd859cf5a0e3d3bf74059dfb3ae936
Opcode Fuzzy Hash: 015ff4c3a490d731fa17e0e9e7896500fdd6ac50f6e3b0459f6875e1239d3ca6
Instruction Fuzzy Hash: 06015E75600214BBDB15FFA4DC82DEE7BA9DF49350B00012BB501DB392CA749F0087B1

Function 00DDF481 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00DE3589,?,00DE1618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 00DDF4A2

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD1099: GetProcessHeap.KERNEL32(00000000,00000000,00DE1E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 00DD109F
Part of subcall function 00DD1099: HeapFree.KERNEL32(00000000), ref: 00DD10A6

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesslstrcpylstrlen$AllocateFileModuleNameVirtual
String ID:
API String ID: 258861418-0
Opcode ID: 2837097df011fda046c9b61e8cc4e1557136a5c030d0901cdb3bdeba3e83460f
Instruction ID: 97056265f057caa8c7faaea926849102473ad1a409558ad498afb00cc78d26c1
Opcode Fuzzy Hash: 2837097df011fda046c9b61e8cc4e1557136a5c030d0901cdb3bdeba3e83460f
Instruction Fuzzy Hash: B2E06D766042547BD614B765EC16FAF3BADCF81322F00001AF105A6281DEA45A4086B1

Function 00DE0F6E Relevance: 1.5, APIs: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,750901C0,?,?,00DE1165,?,?), ref: 00DE0F8E

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2ebcb78e89e62c6b99a4a6c9a6a7989b7348263842bcf2169d0e20025f7cea1c
Instruction ID: fd980b0394b9c4b6e810691bb02d63d3f754ac65430b3bccf58fa96dd08d90b3
Opcode Fuzzy Hash: 2ebcb78e89e62c6b99a4a6c9a6a7989b7348263842bcf2169d0e20025f7cea1c
Instruction Fuzzy Hash: 07E0DF32515229FFDB309B538D08ECB3E7CDF85BE4F008014F60AA6140C2B18A40D6F0

Function 00DD31D4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00DD3207

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: 6b850b67ae942ed184beffb1e48262438d80ff52aa4cba339b21435165b66919
Instruction ID: 7f37a7408e83a95b425538386a0023646e30706dc5c0ae563db800728b9ee7c5
Opcode Fuzzy Hash: 6b850b67ae942ed184beffb1e48262438d80ff52aa4cba339b21435165b66919
Instruction Fuzzy Hash: 81E048B6B0025967DB20A6559C06F9A77ADDBC4718F040075B709F62C0E975DE06C7B8

Function 00DE1039 Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,750901C0,00000000,?,?,?,?,?,00DE1432,00000000,00000000,?,00000001,?,?,?), ref: 00DE1058

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 608427e4e3d78c39ac10018f06f1d174d4837a0aa8e51e3c7765ab6217d2c730
Instruction ID: 67e99f7d921f51429229a10eda563d9b456a706b935666ab0293e449d3da4793
Opcode Fuzzy Hash: 608427e4e3d78c39ac10018f06f1d174d4837a0aa8e51e3c7765ab6217d2c730
Instruction Fuzzy Hash: 57E01A36201294AFDB11DF55DC45EA777A8EB49B50F588059F9058B320D631EC509BA0

Function 00DD3335 Relevance: 1.5, APIs: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD3261: lstrlenW.KERNEL32(750901C0,00DD3646,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3268

lstrcatW.KERNEL32(00000000,750901C0,?,?,00DE3589,?,00DE1515,00DE3589,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3365

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: f4abc70631d4d04ea045151e3babd5ba83f1d8003ed85e34869e758b6173cce6
Instruction ID: d1c9d80b60ac8b41f6a07d181742f463fe4335165da0d83fe25fcc5be35b8dfe
Opcode Fuzzy Hash: f4abc70631d4d04ea045151e3babd5ba83f1d8003ed85e34869e758b6173cce6
Instruction Fuzzy Hash: BAE086726042149BCB017BA9ECC596EBB9EEF95360B040537FA05DB311EA317D10C6F5

Function 00DD58D3 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE0298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,00DDFEDE,?,?,00DE0459,?,750901C0,00000000,00DD5A34), ref: 00DE02A0

WSAStartup.WS2_32(00000002,?), ref: 00DD58FC

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: a895a101bc70be8dc7da302d3ad4536aabd03fed6807b873539aa1be2143872b
Instruction ID: ee014e17d5d491a58b8574368a14e10f4c60e6f414a44e69120c255be7e7c32c
Opcode Fuzzy Hash: a895a101bc70be8dc7da302d3ad4536aabd03fed6807b873539aa1be2143872b
Instruction Fuzzy Hash: 36E0ED71501B508BC270AF2B9945897FBF8FFD07207400B1FA5A7C2A61C7B0B545CBA0

Function 00DDFDA5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00DD3125: lstrcatA.KERNEL32(00000000,750901C0,?,00000000,?,00DD35C4,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD3151

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 00DDFDC0

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: b38278a0104f32e2cd50e4c5d4fafed05d20d6b0fbf188043f43f659e9e04cde
Instruction ID: dcf1681780acece0496029e9f6f0a79b85c572c5b3b36fb72dbeb99be523761e
Opcode Fuzzy Hash: b38278a0104f32e2cd50e4c5d4fafed05d20d6b0fbf188043f43f659e9e04cde
Instruction Fuzzy Hash: 9FD05E362443057BD710AB91DC46F86FF6AEB55760F004026F65986690DBB1A020C7A0

Function 00DE0298 Relevance: 1.5, APIs: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,00DDFEDE,?,?,00DE0459,?,750901C0,00000000,00DD5A34), ref: 00DE02A0

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: de0d961f69fe0cec02a7ec010cbaa4f25a87bcb158d961f7b6916d5abc07db71
Instruction ID: 8141b2ed189f1eff6cb68db7255b3653f8d1fa18198f685a8d141aa4c9cb572d
Opcode Fuzzy Hash: de0d961f69fe0cec02a7ec010cbaa4f25a87bcb158d961f7b6916d5abc07db71
Instruction Fuzzy Hash: 38D012B15006215FA324AF395C4886775DDEF98720315CE29B4A5CF2D4E6308C408770

Function 00DE0FAE Relevance: 1.5, APIs: 1, Instructions: 9registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fef68f8c47bf333c21f0a7023f0095326b67b34c3d18b4600dbc4ca0904f5f08
Instruction ID: 11318162819598d577aaa8685b16e653735ca711c91fb0bf0aa71b636ab0bd36
Opcode Fuzzy Hash: fef68f8c47bf333c21f0a7023f0095326b67b34c3d18b4600dbc4ca0904f5f08
Instruction Fuzzy Hash: C1C04C31014261CBD7352F14F404790B6E5AF00316F25046DD5C05516497B50CD0CE54

Function 00DDF71F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,00DE11A6,00000000,?,?,?,?,00000000,750901C0,00000000), ref: 00DDF725

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ea6fc2edcb7251a5e08807931a8df8b322654a15eb9850a95dc4d7e199f84ea8
Instruction ID: 4de847e75ebaa97fcfa152fd3d3fba29fb92695565ced6ec6a4b88c1307fe88c
Opcode Fuzzy Hash: ea6fc2edcb7251a5e08807931a8df8b322654a15eb9850a95dc4d7e199f84ea8
Instruction Fuzzy Hash: 8BB012307E834157DA002B708C06F1035119742F07F2001A0B256CC0E0C65100005518

Function 00DE0969 Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,00DE1BD0,?,open,00DE1BD0), ref: 00DE09A2

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: bd55c4d13a9ad7deb999b5e3ca71d837af7bf630a85236ee8313c6a9ac1b249a
Instruction ID: 92398b1771e5ef17a06d7e4441a3f82cbb0384cc9fa6fb944b733866b1ea10dc
Opcode Fuzzy Hash: bd55c4d13a9ad7deb999b5e3ca71d837af7bf630a85236ee8313c6a9ac1b249a
Instruction Fuzzy Hash: 18015E71A00614AFD710EF9ACC81A6ABBF8FF453147080169A445C7702EB70ED95CEE4

Function 00DD4E5B Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD3554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00DD4E98,?), ref: 00DD3581
Part of subcall function 00DD3554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD35AC

Part of subcall function 00DD57FB: getaddrinfo.WS2_32(750901C0,00000000,00DD4EA0,00000000), ref: 00DD5848
Part of subcall function 00DD57FB: socket.WS2_32(00000002,00000001,00000000), ref: 00DD585F
Part of subcall function 00DD57FB: htons.WS2_32(00000000), ref: 00DD5885
Part of subcall function 00DD57FB: freeaddrinfo.WS2_32(00000000), ref: 00DD5895
Part of subcall function 00DD57FB: connect.WS2_32(?,?,00000010), ref: 00DD58A1

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Sleep.KERNEL32(?,?,?,?,?,?,00000000,750901C0,00000000), ref: 00DD4ECD

Part of subcall function 00DD562F: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00DD5666
Part of subcall function 00DD562F: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00DD56B6
Part of subcall function 00DD562F: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00DD5726

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
String ID:
API String ID: 3250391716-0
Opcode ID: a2a4479d05b7e7b05d336227422cbfa87eba73a50dd6bf96d674ecf1dc75ea52
Instruction ID: f36295b15a9564323280397149d586d05f6fca44d8240c1612adada68ad946fd
Opcode Fuzzy Hash: a2a4479d05b7e7b05d336227422cbfa87eba73a50dd6bf96d674ecf1dc75ea52
Instruction Fuzzy Hash: C0014075600A15ABDB14AB74D849AEEF768FB40314F04021AE519A3255DB70AA54C7F0

Function 00DD5E22 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00DD33E2,?,00DD5A4F,.bss,00000000), ref: 00DD5E30

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9bae2a1357f253c298ce5846771cebc8bd664fa1435b323f675bd26bd684669a
Instruction ID: 22675f5e9901b4deedcf5502ed6859f9cff04dc4a661e1b9bf3077af6fd89463
Opcode Fuzzy Hash: 9bae2a1357f253c298ce5846771cebc8bd664fa1435b323f675bd26bd684669a
Instruction Fuzzy Hash: F1C012223482602BF128222ABC1AF6B8AACCBC2F71F01006BF708CE3D0D8D10D0281B4

Function 00DD9FCE Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7fdc934b1473cc3ca3edcfd77140ba99799e1fb17084c0c4016db0c4a5108e55
Instruction ID: 2b9b6f0bb1570b2b17521c181499c0f93c19dea0e1f5a353a14b24cef6094e44
Opcode Fuzzy Hash: 7fdc934b1473cc3ca3edcfd77140ba99799e1fb17084c0c4016db0c4a5108e55
Instruction Fuzzy Hash: E9B0927078070057EE3CEB309C95F2923117B80B06FA5458DB242DE2D48AA6E4018A68

Function 00DD5EB4 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00DD3652,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD5EBE

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 069abeb6308045b9109bb2ea882aba322fc23297e9d925e8fb61a6d19bd63236
Instruction ID: 2274c77e45ee105ed09254a5593424779237d3a0bf11bd65ee36850dda8e2465
Opcode Fuzzy Hash: 069abeb6308045b9109bb2ea882aba322fc23297e9d925e8fb61a6d19bd63236
Instruction Fuzzy Hash: 4DA002B07D53407AFD696760AD5FF153918A780F16F200154B30DAD1D055E026008539

Function 00DD5EA5 Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bbf2723abaf3e781c6a6c7a15f12e394f81d9a9accf739046527c39656731499
Instruction ID: d9c8ff1f19ff14f2166d0082c482989010a48faf83263716b8f546be9d544469
Opcode Fuzzy Hash: bbf2723abaf3e781c6a6c7a15f12e394f81d9a9accf739046527c39656731499
Instruction Fuzzy Hash: E4A00270AD074066ED7467205D8AF0526146740B01F2146847341EC2E049A5A0448A6C

Non-executed Functions

Function 00DD89D5 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000010), ref: 00DD8A11
CallNextHookEx.USER32(00000000,?,?,?), ref: 00DD8E12

Part of subcall function 00DD8E66: GetForegroundWindow.USER32(?,?,?), ref: 00DD8E8F
Part of subcall function 00DD8E66: GetWindowTextW.USER32(00000000,?,00000104), ref: 00DD8EA2
Part of subcall function 00DD8E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00DD8F0B
Part of subcall function 00DD8E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00DD8F79
Part of subcall function 00DD8E66: lstrlenW.KERNEL32(00DE4AD0,00000008,00000000,?,?), ref: 00DD8FA2
Part of subcall function 00DD8E66: WriteFile.KERNEL32(?,00DE4AD0,00000000,?,?), ref: 00DD8FAE

Strings

[INSERT], xrefs: 00DD8BCE
[DEL], xrefs: 00DD8BC4
[CAPS], xrefs: 00DD8B7D
[ENTER], xrefs: 00DD8B3D
[CTRL], xrefs: 00DD8C81
[ESC], xrefs: 00DD8B73
[TAB], xrefs: 00DD8B47
[BKSP], xrefs: 00DD8B51
[ALT], xrefs: 00DD8CD8

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: 5667f9d9d6d63a3761e5ae358aceeb3f1d5ce887ee99e889eb8a6bd7e472a25b
Instruction ID: 1d83735f79010b143b6a54c93c1e808b3537efbb9cf66f7798784ce7e2fb3d8e
Opcode Fuzzy Hash: 5667f9d9d6d63a3761e5ae358aceeb3f1d5ce887ee99e889eb8a6bd7e472a25b
Instruction Fuzzy Hash: 8D910632E852D0DBC72A365E86597796225E790300F6A4437FA837B7E0DD12CD44BAB2

Function 00DD902E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277registrystringwindowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00DD9084
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00DD90A1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00DD90D7
GetForegroundWindow.USER32 ref: 00DD90F4
GetWindowTextW.USER32(00000000,?,00000104), ref: 00DD9105
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00DD91EE
PostQuitMessage.USER32(00000000), ref: 00DD9381
RegisterRawInputDevices.USER32 ref: 00DD93B0

Strings

Unknow, xrefs: 00DD9132

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 844cf40209c5604731922205f3a7e37e054ad23ebb77e299c9b052602e3dda68
Instruction ID: 86468695ffa339b9c126861f8f854b7e3d581510263c5a099330ace31faa21b3
Opcode Fuzzy Hash: 844cf40209c5604731922205f3a7e37e054ad23ebb77e299c9b052602e3dda68
Instruction Fuzzy Hash: D8A156B1500340AFCB10EF65DC99EAABBA8EF85304F44052AF545DB3A1DB72E904CB76

Function 00DDC1B2 Relevance: 35.2, Strings: 28, Instructions: 218COMMON

Download Yara Rule

Strings

\Google\Chrome\User Data\Default\Login Data, xrefs: 00DDC23B
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 00DDC34B
\CentBrowser\User Data\Default\Login Data, xrefs: 00DDC39C
\Blisk\User Data\Default\Login Data, xrefs: 00DDC2DF
\Epic Privacy Browser\User Data\Local State, xrefs: 00DDC251
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 00DDC28D
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 00DDC310
\Google\Chrome\User Data\Local State, xrefs: 00DDC236
\UCBrowser\User Data_i18n\Local State, xrefs: 00DDC288
\Torch\User Data\Default\Login Data, xrefs: 00DDC366
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 00DDC256
\Microsoft\Edge\User Data\Local State, xrefs: 00DDC26C
\Slimjet\User Data\Local State, xrefs: 00DDC37C
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 00DDC271
\Vivaldi\User Data\Default\Login Data, xrefs: 00DDC330
\Blisk\User Data\Local State, xrefs: 00DDC2DA
\CentBrowser\User Data\Local State, xrefs: 00DDC397
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 00DDC315
\Slimjet\User Data\Default\Login Data, xrefs: 00DDC381
\Opera Software\Opera Stable\Local State, xrefs: 00DDC2BF
\Torch\User Data\Local State, xrefs: 00DDC361
\Tencent\QQBrowser\User Data\Local State, xrefs: 00DDC2A3
\Comodo\Dragon\User Data\Local State, xrefs: 00DDC346
\Opera Software\Opera Stable\Login Data, xrefs: 00DDC2C4
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 00DDC2A8
\Chromium\User Data\Default\Login Data, xrefs: 00DDC2FA
\Vivaldi\User Data\Local State, xrefs: 00DDC329
\Chromium\User Data\Local State, xrefs: 00DDC2F5

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 2377953819-4166025770
Opcode ID: baf152d0ef2035de3f1bacb552b96adc7fc8437d7e21b987d2c7b516094f52c5
Instruction ID: 1c3d6bfc23d8a23b90dc23986de931a211dd4ec110419ea27c706fb606f0ea7c
Opcode Fuzzy Hash: baf152d0ef2035de3f1bacb552b96adc7fc8437d7e21b987d2c7b516094f52c5
Instruction Fuzzy Hash: 92711031352741AFC728FB65DDA2E6A7769EF96758F00011EB1069F3E1CAA26804CB71

Function 00DDA29A Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,7508E9B0,7595F860,00000000,?,00DDA25E), ref: 00DDA31C
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,7508E9B0,7595F860), ref: 00DDA363
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 00DDA3A7
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00DDA3EB
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 00DDA42F
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00DDA473
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00DDA4E0
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 00DDA54D
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00DDA5BA

Part of subcall function 00DDA632: GlobalAlloc.KERNEL32(00000040,-00000001,7508E8E0,?,?,?,00DDA5E6,00001000,?,00000000,00001000), ref: 00DDA650
Part of subcall function 00DDA632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00DDA5E6), ref: 00DDA686
Part of subcall function 00DDA632: lstrcpyW.KERNEL32(?,Could not decrypt,?,?,00DDA5E6,00001000,?,00000000,00001000), ref: 00DDA6BD

Part of subcall function 00DD3261: lstrlenW.KERNEL32(750901C0,00DD3646,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3268

Strings

POP3 Password, xrefs: 00DDA46D
HTTP Password, xrefs: 00DDA547
Email, xrefs: 00DDA35D
POP3 Server, xrefs: 00DDA3A1
SMTP Server, xrefs: 00DDA429
IMAP Password, xrefs: 00DDA5B4
Account Name, xrefs: 00DDA316
SMTP Password, xrefs: 00DDA4DA
POP3 User, xrefs: 00DDA3E5

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 9b8e8ddaf6b342017a0ede28045764d0ae9c5882bbf56a5b19be9ac56fe547a5
Instruction ID: c25aa0f580b507b84b6394c3ad799dee437b6efa2ededec45d3bcf7f4fc7eea0
Opcode Fuzzy Hash: 9b8e8ddaf6b342017a0ede28045764d0ae9c5882bbf56a5b19be9ac56fe547a5
Instruction Fuzzy Hash: 2FA13DB2D10259BADB25FAA4CD46FEE737CEF14740F1401A6F604F2180E674AB488BB5

Function 00DE30B3 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 00DE30EE
SizeofResource.KERNEL32(00000000,?), ref: 00DE30FA
LockResource.KERNEL32(00000000), ref: 00DE3104
GetTempPathA.KERNEL32(00000400,?), ref: 00DE313E
lstrcatA.KERNEL32(?,find.exe), ref: 00DE3152
GetTempPathA.KERNEL32(00000400,?), ref: 00DE3160
lstrcatA.KERNEL32(?,find.db), ref: 00DE316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00DE3189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00DE319B
CloseHandle.KERNEL32(00000000), ref: 00DE31A2
wsprintfA.USER32 ref: 00DE31D2
ShellExecuteExA.SHELL32(0000003C), ref: 00DE3220

Strings

find.db, xrefs: 00DE3162
@, xrefs: 00DE31F1
find.exe, xrefs: 00DE314C
-w %ws -d C -f %s, xrefs: 00DE31CC
<, xrefs: 00DE31DE

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 5951ccfb2a13e4a8b99e33bfc7fde9b72f43a278e6aa441c009799ec221f3266
Instruction ID: ac3bed83d75e5f190f3abf01742dd66c3da0b7e2a4d06d6f9a8ea1e39a6c8ef5
Opcode Fuzzy Hash: 5951ccfb2a13e4a8b99e33bfc7fde9b72f43a278e6aa441c009799ec221f3266
Instruction Fuzzy Hash: 124119B290025DABDB10EFA5DD84EDEBBBCFF89304F004156F609E6250DB745A858BB4

Function 00DDAC0A Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DDC118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 00DDC154
Part of subcall function 00DDC118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 00DDC162
Part of subcall function 00DDC118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00DDA729,?,00000104,00000000), ref: 00DDC17B
Part of subcall function 00DDC118: RegQueryValueExW.ADVAPI32(00DDA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 00DDC198
Part of subcall function 00DDC118: RegCloseKey.ADVAPI32(00DDA729,?,00000104,00000000), ref: 00DDC1A1

lstrcatW.KERNEL32(?,\firefox.exe,?), ref: 00DDAC8C
GetBinaryTypeW.KERNEL32(?,?), ref: 00DDAC9D
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00DDB11D

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD3272: wsprintfW.USER32 ref: 00DD328D

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DD3554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00DD4E98,?), ref: 00DD3581
Part of subcall function 00DD3554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD35AC

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,00DE4684,\logins.json,?), ref: 00DDAE14

Strings

Path, xrefs: 00DDB115
\firefox.exe, xrefs: 00DDAC80
profiles.ini, xrefs: 00DDACDF
encryptedUsername, xrefs: 00DDAE7C, 00DDAF0C
Profile, xrefs: 00DDAC1B, 00DDACEC, 00DDAD1F
encryptedPassword, xrefs: 00DDAF49
\logins.json, xrefs: 00DDADBA
firefox.exe, xrefs: 00DDAC5E
hostname, xrefs: 00DDAECC
.tmp, xrefs: 00DDADFB
\Mozilla\Firefox\, xrefs: 00DDACC6

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 288196626-815594582
Opcode ID: 69aca702eef0e257264f1a6914332e9f19b4bb4d04775eef6785aed3809b19a9
Instruction ID: 45356c2df20d8b4908c2fe61331f6ccc8519f58b301d3a529417b417bddd416a
Opcode Fuzzy Hash: 69aca702eef0e257264f1a6914332e9f19b4bb4d04775eef6785aed3809b19a9
Instruction Fuzzy Hash: A8E1E6B1900218ABDF25FBA0DC929EEB779EF54304F10406BB506A7296DF316E45CB71

Function 00DD882F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135windowstringfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00DD8840
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00DD8894
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00DD88AE
GetLocalTime.KERNEL32(?), ref: 00DD88B5
wsprintfW.USER32 ref: 00DD88E9
lstrcatW.KERNEL32(-00000010,?), ref: 00DD8900
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 00DD892C
CloseHandle.KERNEL32(00000000), ref: 00DD893C

Part of subcall function 00DE1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E4E
Part of subcall function 00DE1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E61
Part of subcall function 00DE1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E72
Part of subcall function 00DE1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E7F

Part of subcall function 00DE09D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,7595F770,00000000,?,?,?,?,00DD895D), ref: 00DE09FE

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00DD89AF

Part of subcall function 00DE0969: lstrcmpA.KERNEL32(?,00DE1BD0,?,open,00DE1BD0), ref: 00DE09A2

TranslateMessage.USER32(?), ref: 00DD8996
DispatchMessageA.USER32(?), ref: 00DD89A1

Strings

SetWindowsHookExA, xrefs: 00DD8962
\Microsoft Vision\, xrefs: 00DD88A8
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00DD88E3
c:\windows\system32\user32.dll, xrefs: 00DD894A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1431388325-3884914687
Opcode ID: 9ea5eb59a23f40238c74256df80a0d263700d5a1bf66d18271bdeabf7ff2c0e9
Instruction ID: 8adab10f90ac6a972e503d372ffacbdf0f1a550ef58838f7950a229c1effcf3e
Opcode Fuzzy Hash: 9ea5eb59a23f40238c74256df80a0d263700d5a1bf66d18271bdeabf7ff2c0e9
Instruction Fuzzy Hash: 514180B1500380ABD710BBAAEC89E2B77ECFB89704F04091AF685DB391DA75D904CB75

Function 00DDA6C8 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404COMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DDC118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 00DDC154
Part of subcall function 00DDC118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 00DDC162
Part of subcall function 00DDC118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00DDA729,?,00000104,00000000), ref: 00DDC17B
Part of subcall function 00DDC118: RegQueryValueExW.ADVAPI32(00DDA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 00DDC198
Part of subcall function 00DDC118: RegCloseKey.ADVAPI32(00DDA729,?,00000104,00000000), ref: 00DDC1A1

GetBinaryTypeW.KERNEL32(?,?), ref: 00DDA747

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DDB67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 00DDB6AC
Part of subcall function 00DDB67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB6B5
Part of subcall function 00DDB67E: PathFileExistsW.SHLWAPI(00DDA760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 00DDB7A3

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00DDABCA

Part of subcall function 00DDB67E: PathFileExistsW.SHLWAPI(00DDA760,.dll,?,00DDA760,?,00000104,00000000), ref: 00DDB7FF
Part of subcall function 00DDB67E: LoadLibraryW.KERNEL32(?,00DDA760,?,00000104,00000000), ref: 00DDB83E
Part of subcall function 00DDB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB849
Part of subcall function 00DDB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB854
Part of subcall function 00DDB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB85F
Part of subcall function 00DDB67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB86A
Part of subcall function 00DDB67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB957

Strings

Path, xrefs: 00DDABC4
profiles.ini, xrefs: 00DDA79C
encryptedUsername, xrefs: 00DDA93D, 00DDA9CD
\Thunderbird\, xrefs: 00DDA783
Profile, xrefs: 00DDA6D9, 00DDA7A9, 00DDA7E0
encryptedPassword, xrefs: 00DDAA04
\logins.json, xrefs: 00DDA87B
thunderbird.exe, xrefs: 00DDA71F
hostname, xrefs: 00DDA98D
.tmp, xrefs: 00DDA8BC

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 1065485167-1863067114
Opcode ID: 47345278fc3d5862fae39627b3090c0f3d8a0ac1898aaee2aa15795f230ad761
Instruction ID: 82e6db4218526161da07c06cf9cc06e8d64c09822c26f6bb23ebca6f21773c21
Opcode Fuzzy Hash: 47345278fc3d5862fae39627b3090c0f3d8a0ac1898aaee2aa15795f230ad761
Instruction Fuzzy Hash: 78E1D5B1900218ABDF15FBA0DC929EEB779EF54300F50406BF506A7296DE316E49CBB1

Function 00DDD508 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 00DDD517
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 00DDD52C
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD539
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00DDD546
GetLastError.KERNEL32 ref: 00DDD550
Sleep.KERNEL32(000007D0), ref: 00DDD562
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00DDD56B
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD57F
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD582

Strings

ServicesActive, xrefs: 00DDD50F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: 868876a73d7e06e4c7269becd300d03ee6f3bba7cdb6ce919fb0f108ef14cf6b
Instruction ID: cc705e142311f70fe39311461596aad181173a640b3820887a4eab4849d63832
Opcode Fuzzy Hash: 868876a73d7e06e4c7269becd300d03ee6f3bba7cdb6ce919fb0f108ef14cf6b
Instruction Fuzzy Hash: 78018F716403A57BDA302B63BC8DE5B3E6DDBD6B65B540026F706DA350DA64C90086B0

Function 00DDDA5B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 00DDDA82
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 00DDDAB9

Part of subcall function 00DD5EFF: GetProcessHeap.KERNEL32(00000008,?,00DD2FA7,00DD5A42,?,?,00DE03FD,00DD5A42,?,?,750901C0,00000000,?,00DD5A42,00000000), ref: 00DD5F02
Part of subcall function 00DD5EFF: RtlAllocateHeap.NTDLL(00000000,?,00DE03FD,00DD5A42,?,?,750901C0,00000000,?,00DD5A42,00000000), ref: 00DD5F09

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 00DDDAE2
GetLastError.KERNEL32 ref: 00DDDAEC
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDDAFA
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 00DDDBBB
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00DDDBFE

Strings

ServicesActive, xrefs: 00DDDA6A, 00DDDBB4

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: b3ff3de54b36c4dfda10c5358ee4525192693f3c505ae93bda59ebd015561d83
Instruction ID: cedd05158f5e9d51c3daf97393be60103f4253543e02bcc4120199b272f288ec
Opcode Fuzzy Hash: b3ff3de54b36c4dfda10c5358ee4525192693f3c505ae93bda59ebd015561d83
Instruction Fuzzy Hash: A5516E71900219ABDF15EFA0DC95BEEBBB9EF18305F15006BE502B6381DB74AA44CB70

Function 00DD79E8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00DD7A16

Part of subcall function 00DD8617: GetCurrentProcess.KERNEL32(00DE9698,00DD7A03,?,?,?,?), ref: 00DD861C
Part of subcall function 00DD8617: IsWow64Process.KERNEL32(00000000), ref: 00DD8623
Part of subcall function 00DD8617: GetProcessHeap.KERNEL32 ref: 00DD8629

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00DD7A3A
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00DD7A5B
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00DD7A73
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00DD7A9D
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00DD7AC5
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DD7ADD

Strings

XXXXXX, xrefs: 00DD7A88, 00DD7A94, 00DD7AA7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: 601b307a50c175d021acace9b7461fd20bd8f993022a60c9a6143931014c0067
Instruction ID: d0d9a995eb23e2c3b69bfb7a49bd10617bdb35643b915eeaa39752426f6e3bcd
Opcode Fuzzy Hash: 601b307a50c175d021acace9b7461fd20bd8f993022a60c9a6143931014c0067
Instruction Fuzzy Hash: 0D21A271A05355BFEB21A7A19C45FBF7A6CDF01725F24016AF614E42D0EBB48A008675

Function 00DD9DF6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(00DE96A8,00000104,?,00000000), ref: 00DD9E17
PathCombineA.SHLWAPI(?,?,00DE5F88), ref: 00DD9E36
FindFirstFileA.KERNEL32(?,?), ref: 00DD9E46
PathCombineA.SHLWAPI(?,00DE96A8,0000002E), ref: 00DD9E7D
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00DD9E8C

Part of subcall function 00DD9ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00DD9AFC
Part of subcall function 00DD9ADF: GetLastError.KERNEL32 ref: 00DD9B09
Part of subcall function 00DD9ADF: CloseHandle.KERNEL32(00000000), ref: 00DD9B10

FindNextFileA.KERNEL32(00000000,?), ref: 00DD9EA4

Strings

Accounts\Account.rec0, xrefs: 00DD9E7F
., xrefs: 00DD9E61

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 00f4b6317540239a3f3cf3fc9e6488f02e4326a2d45e7375c0030dbc401e1873
Instruction ID: bb349a57a81038501dea376eb7c335cb62b1971027441b179330a990dfc3883d
Opcode Fuzzy Hash: 00f4b6317540239a3f3cf3fc9e6488f02e4326a2d45e7375c0030dbc401e1873
Instruction Fuzzy Hash: 071160B2A0125C6FDB20E7A4DC88EEEB76CEB44354F0045A7A609D3180E7749E888F70

Function 00DE1FD8 Relevance: 13.6, APIs: 9, Instructions: 81injectionmemorythreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,750901C0,00000000), ref: 00DE1FEC
GetCurrentProcessId.KERNEL32 ref: 00DE1FF7

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00DE2015
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 00DE203F
WriteProcessMemory.KERNEL32(00000000,00000000,00DE9158,00000800,00000000), ref: 00DE2057
VirtualProtectEx.KERNEL32(00DE1FD3,00000000,00000800,00000040,?), ref: 00DE2068
VirtualAllocEx.KERNEL32(00DE1FD3,00000000,00000103,00003000,00000004), ref: 00DE207F
WriteProcessMemory.KERNEL32(00DE1FD3,00000000,?,00000103,00000000), ref: 00DE2095
CreateRemoteThread.KERNEL32(00DE1FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 00DE20A8

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: b0df0b5fead520b83126685173ac36d0b1b90521577f1e2c62084ef39687edb6
Instruction ID: 226f6026bc2a5dcb377609795ebaf625da6a04735b1c4f281b787c9ebb89f865
Opcode Fuzzy Hash: b0df0b5fead520b83126685173ac36d0b1b90521577f1e2c62084ef39687edb6
Instruction Fuzzy Hash: 52214271640358BEE720AB51DC4BFEA7B6CEB45760F100165B705EA1D0DAF06E409AB4

Function 00DDD49C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 00DDD4AB
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 00DDD4C0
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD4CD
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DDD4E6
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD4FA
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD4FD

Strings

ServicesActive, xrefs: 00DDD4A3

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 00034753b5f045565d4f4467ab3762535859a261379fc22fc5c3f9ed2fe4043a
Instruction ID: 490a284d648c9b71a3ed583312c2eddedda0f04d9c7bea19e961b70e55cb0cfa
Opcode Fuzzy Hash: 00034753b5f045565d4f4467ab3762535859a261379fc22fc5c3f9ed2fe4043a
Instruction Fuzzy Hash: 87F096322443657BDA212B67AC89E6B3E5DEBC67717440232FB16DA390CA74D80186B0

Function 00DE18BA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00DE1B06), ref: 00DE18C7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00DE1B06), ref: 00DE18DB
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00DE1B06,?), ref: 00DE1913
RegCloseKey.ADVAPI32(00DE1B06), ref: 00DE1920
SetLastError.KERNEL32(00000000), ref: 00DE192B

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00DE1909

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: 80fd346f7ecd9dc6dae0bc07b7ff84bedb53c8cc16dd03b9325928ed9321ef8b
Instruction ID: 5cc2a9ce9fc8dd32e93fd664402719b00afa3dc0842d751d538d869d3be7ce0e
Opcode Fuzzy Hash: 80fd346f7ecd9dc6dae0bc07b7ff84bedb53c8cc16dd03b9325928ed9321ef8b
Instruction Fuzzy Hash: 30011A75A01358BADB20ABA2EC89EDF7FBCEF09751F040121F605F6151E6708644CAB0

Function 00DDCCB4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,00DDCA5F,?), ref: 00DDCCD1
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,00DDCA5F,?), ref: 00DDCCEA
BCryptGenerateSymmetricKey.BCRYPT(00000020,00DDCA5F,00000000,00000000,?,00000020,00000000,?,00DDCA5F,?), ref: 00DDCCFF

Strings

ChainingModeGCM, xrefs: 00DDCCDE
ChainingMode, xrefs: 00DDCCE3
AES, xrefs: 00DDCCC7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: fa95598c79d8473c6557992c8bf9fb3f01be0dcbc29eff44a6fc061241b07637
Instruction ID: e7e6087d3501aabb35a321f61456bbbc02bb614930b613f2997eef8af577a650
Opcode Fuzzy Hash: fa95598c79d8473c6557992c8bf9fb3f01be0dcbc29eff44a6fc061241b07637
Instruction Fuzzy Hash: E6F06231291321BFDB251B5BEC49E9BBFACEF5ABA5B100026F505D6264D6B1580097F0

Function 00DDCF58 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 00DDCFE0
BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 00DDD00E

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

LocalFree.KERNEL32(?), ref: 00DDD096

Strings

0, xrefs: 00DDCF69
v1, xrefs: 00DDCF63

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
String ID: 0$v1
API String ID: 4131498132-3331332043
Opcode ID: ca4104652dca7216030025acb3948b2ec4fa663ee2c51daadd597e07984af9ac
Instruction ID: e52ac79de88dc145a3f11701398cff16102c7dcf7d1db781ade43f42ef18a9fb
Opcode Fuzzy Hash: ca4104652dca7216030025acb3948b2ec4fa663ee2c51daadd597e07984af9ac
Instruction Fuzzy Hash: 92414AB6D00108BBDF11ABE5DC85DBEBBBDEF84344F044026F915E6340E6759A468B71

Function 00DE20B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,750901C0), ref: 00DE20C7
Process32First.KERNEL32(00000000,?), ref: 00DE20F4
Process32Next.KERNEL32(00000000,?), ref: 00DE211B
CloseHandle.KERNEL32(00000000), ref: 00DE2126

Strings

explorer.exe, xrefs: 00DE2102

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: cee8e22d529095cf0f8daca3de5a83a1b50e2cb36ee2d83d9802fc6a32e9b623
Instruction ID: d63a69c893c7ac71351bf82f3099091424ea727e7f35105ccec6042ca4f4a5c4
Opcode Fuzzy Hash: cee8e22d529095cf0f8daca3de5a83a1b50e2cb36ee2d83d9802fc6a32e9b623
Instruction Fuzzy Hash: D601F976901364ABDB60B761AC45FEA37FCDF44710F0000A1FA05E5180EE30DB808A74

Function 00DDFA42 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDFA5A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DDFA6A

Strings

RtlGetVersion, xrefs: 00DDFA64
ntdll.dll, xrefs: 00DDFA4B

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: ee44fffa54c6c1c5318b9006e2af4013ce217e09e950be48918be16823cfd6f3
Instruction ID: ca03bac8618d113113f1b6ff69f560eb091757e8dbc520039a90fc51396b30b7
Opcode Fuzzy Hash: ee44fffa54c6c1c5318b9006e2af4013ce217e09e950be48918be16823cfd6f3
Instruction Fuzzy Hash: C7415B30A4022C9ADF248B55DC663FC76B4AF5174DF1988F7E646E4281E278CEC9CA74

Function 00DDA632 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,7508E8E0,?,?,?,00DDA5E6,00001000,?,00000000,00001000), ref: 00DDA650
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00DDA5E6), ref: 00DDA686
lstrcpyW.KERNEL32(?,Could not decrypt,?,?,00DDA5E6,00001000,?,00000000,00001000), ref: 00DDA6BD

Strings

Could not decrypt, xrefs: 00DDA6B7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: 491eb99c201b7d85b73913d0add2c3529f9a209a05cb51d525b3602bbbc845c6
Instruction ID: d292456c8a8301a165953b560ffec746f53504345bf45d769c33802189f41b5c
Opcode Fuzzy Hash: 491eb99c201b7d85b73913d0add2c3529f9a209a05cb51d525b3602bbbc845c6
Instruction Fuzzy Hash: B811C176900719DBC721DB99C8809AEF7BCEF48700B1880A6E955E7301E631EA01CBB1

Function 00DDF56D Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00DDD471,?,?,00000001), ref: 00DDF5C2
LookupAccountSidW.ADVAPI32(00000000,00DDD471,?,00000104,?,00000010,?), ref: 00DDF5E7
GetLastError.KERNEL32(?,?,00000001), ref: 00DDF5F1
FreeSid.ADVAPI32(00DDD471,?,?,00000001), ref: 00DDF5FF

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: 6b0da8eb60e1fe2b875919f9b091bb4e25bf3ed81b323518ca57a560f522e70c
Instruction ID: d6c274da9383d0516e2f151b1c9125a30e5237b5dd7b9c8b867d097ec2d6cb64
Opcode Fuzzy Hash: 6b0da8eb60e1fe2b875919f9b091bb4e25bf3ed81b323518ca57a560f522e70c
Instruction Fuzzy Hash: AF11CBB190021DBBDB10EFD5EC89AEEB7BCEB04344F1404B6E605E6250E7709B489BB5

Function 00DDCC54 Relevance: 6.0, APIs: 4, Instructions: 49encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC73
LocalAlloc.KERNEL32(00000040,?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCC81
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC97
LocalFree.KERNEL32(?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCCA5

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 6e42640af2807715d5cf009f4267c24f3afcecc1071876bca92e2b588202975f
Instruction ID: 4e5f3e0e8c41750e50617c1fadd8bb68b484b54357b73fb222d5ca11effb7075
Opcode Fuzzy Hash: 6e42640af2807715d5cf009f4267c24f3afcecc1071876bca92e2b588202975f
Instruction Fuzzy Hash: E701B671611226BFEB215B5BDD89E97BEACEF097A1B140021FA08DA350E6718C10CAB0

Function 00DD27D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 00DDF79C

Part of subcall function 00DD3335: lstrcatW.KERNEL32(00000000,750901C0,?,?,00DE3589,?,00DE1515,00DE3589,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3365

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DD351D: PathFindExtensionW.SHLWAPI(?,?,00DD282E,?,?,00000000,00DE4684), ref: 00DD3527

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00DD2860
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00DD288A

Strings

open, xrefs: 00DD2884

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: d34aa4616ea5caa245f5d7ec5f4bc843c33af82b6f1f6fcbdf8127cb7a6c2f55
Instruction ID: 5a6865d931eabe6c689c85dfb3dad32d449417c8215879cab4847c2c7a83d1b9
Opcode Fuzzy Hash: d34aa4616ea5caa245f5d7ec5f4bc843c33af82b6f1f6fcbdf8127cb7a6c2f55
Instruction Fuzzy Hash: 3D215A75900208BBDB24BFA1D885EEE7B78EF95710F00805AF4166B391DB749B49CBB1

Function 00DE002B Relevance: 4.6, APIs: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00DD5F53: GetProcessHeap.KERNEL32(00000000,000000F4,00DE0477,?,750901C0,00000000,00DD5A34), ref: 00DD5F56
Part of subcall function 00DD5F53: HeapAlloc.KERNEL32(00000000), ref: 00DD5F5D

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 00DE0060
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00DE0087
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 00DE00B7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID:
API String ID: 2408535517-0
Opcode ID: 43740d2c21fd262de04f51dfcbf727cc292b2982b619a922d61b5c800b796648
Instruction ID: 61b235cc9722383f1e3fffab2c5807d4168574c3f0dc73dc6acbc8ef92151734
Opcode Fuzzy Hash: 43740d2c21fd262de04f51dfcbf727cc292b2982b619a922d61b5c800b796648
Instruction Fuzzy Hash: 2E314D71E002199BCF14FBE4D9969AFBBB8EF44340F10446AE502B7381EA705E44CBB1

Function 00DDB15E Relevance: 4.6, APIs: 3, Instructions: 61stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,00DDAA4B,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 00DDB17B
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00DDB1A9

Part of subcall function 00DD5EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00DD3652,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD5EBE

lstrcpyA.KERNEL32(00000000,?), ref: 00DDB1F6

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 27bca8caa44cc10cae4247d9cb1bc862953141508b92297a0ce5771f68d5093f
Instruction ID: 9dbe9fb688379b6fe60c7c42fb6c89bbe7061eee233f926f53f5bd538c35cc88
Opcode Fuzzy Hash: 27bca8caa44cc10cae4247d9cb1bc862953141508b92297a0ce5771f68d5093f
Instruction Fuzzy Hash: 4311B3B6D00209AFDB01DFA4D8849EEBBBDEB48344F1041AAF919E7251D7359A45CBA0

Function 00DDF619 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,00DDE18E), ref: 00DDF644
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00DDF655
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 00DDF68A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: 353e52ec131f4e825d0de7b48ebd15bf2e10aedefd6f2ae9df20f10e09e69150
Instruction ID: 8d59a34e65550f2e26f679cf09fd4278cd2aa5b72c3b66d5b641f922575d2d0d
Opcode Fuzzy Hash: 353e52ec131f4e825d0de7b48ebd15bf2e10aedefd6f2ae9df20f10e09e69150
Instruction Fuzzy Hash: 9011DA75A10219AFEB11DFA5DC849EFFBBCFB48640F10452AA501F2250E6709A049BA0

Function 00DDCAFC Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 00DDCB24
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00DDCAD5,?,00000000,?,?,?,?,00DDCA44), ref: 00DDCB3B
LocalFree.KERNEL32(00DDCAD5,?,?,?,?,?,00DDCAD5,?,00000000,?,?,?,?,00DDCA44), ref: 00DDCB5B

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: ac81aa81e5da8cbf27972dfd8bdc613c63fedc5c358b1db680d8a1979c352732
Instruction ID: 20dea680e78babd35be025a17509afae93049715412c3b2bbe6731399a476c98
Opcode Fuzzy Hash: ac81aa81e5da8cbf27972dfd8bdc613c63fedc5c358b1db680d8a1979c352732
Instruction Fuzzy Hash: 860100B5910209AFDB059FA4DC4A8AEBBB9EB48311F14016AFD41A6350E671D944CAB0

Function 00DDFF27 Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 00DDFF54
FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 00DDFFF6

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 3be5c1d49a0e63f8395a3342947a65737543caa763ae1b200b63ed00ea27837e
Instruction ID: e23bf4c7ad0cefd70ffd94db4f481e2b7fed0d4cf1858b9212e96f37c54906d7
Opcode Fuzzy Hash: 3be5c1d49a0e63f8395a3342947a65737543caa763ae1b200b63ed00ea27837e
Instruction Fuzzy Hash: BD314E75D01209ABDB10EFB5D885BEEBBB4EF48310F10456AE402A3381DB749A44CF70

Function 00DDD418 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,00F1E080,?,?,?,00DDE634,00F1E07C,00F1E080), ref: 00DDD45A

Part of subcall function 00DDF56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00DDD471,?,?,00000001), ref: 00DDF5C2
Part of subcall function 00DDF56D: LookupAccountSidW.ADVAPI32(00000000,00DDD471,?,00000104,?,00000010,?), ref: 00DDF5E7
Part of subcall function 00DDF56D: GetLastError.KERNEL32(?,?,00000001), ref: 00DDF5F1
Part of subcall function 00DDF56D: FreeSid.ADVAPI32(00DDD471,?,?,00000001), ref: 00DDF5FF

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,00DDE634,00F1E07C,00F1E080), ref: 00DDD47B

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: d41be4783309a5e6814c2780254b1d247c9a475a4406b0f5cafdeb578f37876f
Instruction ID: 8598a8622a0c5b4ddf84206180c4de241c407a77019fc006b639f3b974baff8f
Opcode Fuzzy Hash: d41be4783309a5e6814c2780254b1d247c9a475a4406b0f5cafdeb578f37876f
Instruction Fuzzy Hash: 88111272900208AFDB11DFA9D8849EEB7F9FF59314B10442BF951EB310D7749A448B60

Function 00DDF93F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5591a45f8ec71f9df1d6b4e146d8c1370b447604982269fdd642af02d843cb38
Instruction ID: 99a72845c57cb91a635bf6b1712bec3fa8a5c92854a38602b5766b9c97298822
Opcode Fuzzy Hash: 5591a45f8ec71f9df1d6b4e146d8c1370b447604982269fdd642af02d843cb38
Instruction Fuzzy Hash: 9D218776D00208ABDB159FA8D892BEEB7B9EF44310F144067E505EB341E63199858BB4

Function 00DE1BF8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction ID: f0535cccd7094f04b75fe9f53188737f403d50586e6a09fea536b4da622641f3
Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction Fuzzy Hash: 041148323905210A872C983E4D57067FBDBD3C911075C853EE59BCB251E431E7068690

Function 00DE0620 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: 6bc48a04d338f3165ae8bdc40ae71c84b97b8aff9785fe17f5f85ed9318c3bc0
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: F2E08C32200590CBCA21FB1BD440B12BBB4FBC0370B2A046CE48AA3501C3A0FCA1CAB0

Function 00DE094E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: fd984e7c4e6249c65f8a4f255fed2bfd3c12a57ee4a4e9ce0390df81adf119fa
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: E5D0EA783619418FDB51CF19C684E01B3E4EB49B60B098491E909CB736D734ED40EA10

Function 00DE0619 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 00DDB67E Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 00DDB6AC
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB6B5

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DD3272: wsprintfW.USER32 ref: 00DD328D

PathFileExistsW.SHLWAPI(00DDA760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 00DDB7A3
PathFileExistsW.SHLWAPI(00DDA760,.dll,?,00DDA760,?,00000104,00000000), ref: 00DDB7FF
LoadLibraryW.KERNEL32(?,00DDA760,?,00000104,00000000), ref: 00DDB83E
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB849
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB854
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB85F
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB86A
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 00DDB957

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

PR_GetError, xrefs: 00DDB939
nss3.dll, xrefs: 00DDB6D4
NSS_Shutdown, xrefs: 00DDB913
NSS_Init, xrefs: 00DDB8A1
msvcr120.dll, xrefs: 00DDB6ED
mozglue.dll, xrefs: 00DDB71F
softokn3.dll, xrefs: 00DDB738
PK11_CheckUserPassword, xrefs: 00DDB900
NSSBase64_DecodeBuffer, xrefs: 00DDB8ED
PK11_FreeSlot, xrefs: 00DDB926
.dll, xrefs: 00DDB789, 00DDB7E7
PK11_GetInternalKeySlot, xrefs: 00DDB8B1
PK11_Authenticate, xrefs: 00DDB8C4
msvcr, xrefs: 00DDB76A
PK11SDR_Decrypt, xrefs: 00DDB8DA
msvcp120.dll, xrefs: 00DDB706
msvcp, xrefs: 00DDB751

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: 473d045cc939c497cb90caf1c6ed66949ad8deac79a4cf81bbe3ab68bc5fa327
Instruction ID: b76d297c62a432b24c255b5b93229c9793483eb6ce958e4ef7c9a6ce72b4430d
Opcode Fuzzy Hash: 473d045cc939c497cb90caf1c6ed66949ad8deac79a4cf81bbe3ab68bc5fa327
Instruction Fuzzy Hash: F29118B5A00649EBCB04FFA1E8919EEB779FF44300F10412BE515A6351DB34AB54CBB1

Function 00DD95AA Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214windowstringregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00DD95BC
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00DD962B
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00DD9645
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00DD9651
lstrcpyW.KERNEL32(?,-00000010), ref: 00DD968B
lstrcatW.KERNEL32(?,00DE4A58), ref: 00DD969E

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DDFF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00DDFF54

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00DD9721
wsprintfW.USER32 ref: 00DD9758
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 00DD979A
CloseHandle.KERNEL32(00000000), ref: 00DD97AA
RegisterClassW.USER32 ref: 00DD97C9
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 00DD97E1
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00DD9802
TranslateMessage.USER32(?), ref: 00DD9814
DispatchMessageA.USER32(?), ref: 00DD981F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00DD982F

Strings

\Microsoft Vision\, xrefs: 00DD963F
ExplorerIdentifier, xrefs: 00DD96E6
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00DD9752

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 2678186124-2372768292
Opcode ID: cd2e70f41a86300f949086546ea1e4a9b040763a38c3062d136bdef011d5014f
Instruction ID: f294ec6c1ddf8fd8a5f6cf83c695e5e9bb3310e6ae8e09425789d3a0cd469055
Opcode Fuzzy Hash: cd2e70f41a86300f949086546ea1e4a9b040763a38c3062d136bdef011d5014f
Instruction Fuzzy Hash: 5D717CB2504384AFC710EBA5DC89EABB7E8FB89700F04091AF655DA391DA75D904CB72

Function 00DDA0D8 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00DDA12F
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00DDA14C
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00DDA19F
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DDA1B5
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 00DDA1E8
RegCloseKey.ADVAPI32(?), ref: 00DDA1F9
lstrcpyW.KERNEL32(?,?), ref: 00DDA20D
lstrcatW.KERNEL32(?,00DE4684), ref: 00DDA21B
lstrcatW.KERNEL32(?,?), ref: 00DDA22F
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00DDA24C
RegCloseKey.ADVAPI32(?,?), ref: 00DDA261
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00DDA27E

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00DDA142, 00DDA152
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00DDA17C, 00DDA181, 00DDA191
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 00DDA15F, 00DDA16F
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00DDA135
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00DDA125

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 6c3c700e898ab7940b11182628d03d4811ff9316f8abc721b5a007785fc229f7
Instruction ID: 5fd918bf3c058614e6e57a9e1a057e38d56783677d7666cdc5bd6d711a4f543a
Opcode Fuzzy Hash: 6c3c700e898ab7940b11182628d03d4811ff9316f8abc721b5a007785fc229f7
Instruction Fuzzy Hash: 9F413FB290021DBEEB21EA95DC84EFF7B7CEB04784F1444A6B615E2201E6719F449BB1

Function 00DE1AB9 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90sleepregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,750901C0,00000000,750901C0,00000000,?,?,?,?,00DE3589,?), ref: 00DDFC0E
Part of subcall function 00DDFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00DE3589,?), ref: 00DDFC15
Part of subcall function 00DDFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00DE3589,?), ref: 00DDFC33
Part of subcall function 00DDFBFC: CloseHandle.KERNEL32(00000000), ref: 00DDFC48

CloseHandle.KERNEL32(?,00000000), ref: 00DE1AD8
GetCurrentProcess.KERNEL32(?), ref: 00DE1AE7
IsWow64Process.KERNEL32(00000000), ref: 00DE1AEE
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00DE1B25
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00DE1B57
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00DE1B69
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00DE1B81
ShellExecuteExW.SHELL32(?), ref: 00DE1BB3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DE1BBD
Sleep.KERNEL32(000007D0), ref: 00DE1BD5
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00DE1BE5
ExitProcess.KERNEL32 ref: 00DE1BEC

Strings

\sdclt.exe, xrefs: 00DE1B5D
DelegateExecute, xrefs: 00DE1B3E
@, xrefs: 00DE1BA2
open, xrefs: 00DE1B79, 00DE1B7F
<, xrefs: 00DE1B9B
Software\Classes\Folder\shell\open\command, xrefs: 00DE1BDB

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
API String ID: 3164795406-2081737068
Opcode ID: 0d2df9ed7cec009f9d67d1041b1d820aa43ae7c6f31aff0c299810805a4cd683
Instruction ID: 52c4085774e9ae3cabc72014699fa01680055af7ebc7533e4f8d6335593c608d
Opcode Fuzzy Hash: 0d2df9ed7cec009f9d67d1041b1d820aa43ae7c6f31aff0c299810805a4cd683
Instruction Fuzzy Hash: CF312BB1C01298FBDB10BBA5EC899DEBB7CEF45711F004166F609E6250E7355A85CB70

Function 00DE30A7 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 122filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 00DE30EE
SizeofResource.KERNEL32(00000000,?), ref: 00DE30FA
LockResource.KERNEL32(00000000), ref: 00DE3104
GetTempPathA.KERNEL32(00000400,?), ref: 00DE313E
lstrcatA.KERNEL32(?,find.exe), ref: 00DE3152
GetTempPathA.KERNEL32(00000400,?), ref: 00DE3160
lstrcatA.KERNEL32(?,find.db), ref: 00DE316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00DE3189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00DE319B
CloseHandle.KERNEL32(00000000), ref: 00DE31A2
wsprintfA.USER32 ref: 00DE31D2
ShellExecuteExA.SHELL32(0000003C), ref: 00DE3220

Strings

find.db, xrefs: 00DE3162
@, xrefs: 00DE31F1
find.exe, xrefs: 00DE314C
-w %ws -d C -f %s, xrefs: 00DE31CC
<, xrefs: 00DE31DE

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 3c01dd0f4cd7c8add7f8b8788bff880088ae4b699a8bd78e1d1ed2f3a893a3ee
Instruction ID: e5bb9f92c51fb5ce5625d233f9449bd22bf5741c446f74083cbb2ff9780e5da4
Opcode Fuzzy Hash: 3c01dd0f4cd7c8add7f8b8788bff880088ae4b699a8bd78e1d1ed2f3a893a3ee
Instruction Fuzzy Hash: F84128B1900259ABDB10EFA1DD84EDEBBBCFF89304F004156F608E6251DB745A858BB4

Function 00DD8E66 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147filestringCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 00DD8E8F
GetWindowTextW.USER32(00000000,?,00000104), ref: 00DD8EA2
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00DD8F0B
lstrcpyW.KERNEL32(-00000210,?,?,?), ref: 00DD8F58
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00DD8F79
lstrlenW.KERNEL32(00DE4AD0,00000008,00000000,?,?), ref: 00DD8FA2
WriteFile.KERNEL32(?,00DE4AD0,00000000,?,?), ref: 00DD8FAE
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 00DD8FD2
lstrlenW.KERNEL32(00DE4AD0,-00000008,00000000,?,?), ref: 00DD8FE5
WriteFile.KERNEL32(?,00DE4AD0,00000000,?,?), ref: 00DD8FF1
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00DD9003
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00DD9011
CloseHandle.KERNEL32(?,?,?), ref: 00DD901B

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3335: lstrcatW.KERNEL32(00000000,750901C0,?,?,00DE3589,?,00DE1515,00DE3589,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3365

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

{Unknown}, xrefs: 00DD8EED

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
String ID: {Unknown}
API String ID: 2314120260-4054869793
Opcode ID: 7ab99d7edab73a8c27735dfb22733e6bd6f1c6c76e4f79ad97cb55bf535d60d3
Instruction ID: db0798363575821615fe5fc8e9b790f738f004268336d1bcf1b4b5292785ef53
Opcode Fuzzy Hash: 7ab99d7edab73a8c27735dfb22733e6bd6f1c6c76e4f79ad97cb55bf535d60d3
Instruction Fuzzy Hash: 995150B1A01244AFDB11FF64DC95EAAB7A8EF44304F45406AF505EB361DB71AE04CB74

Function 00DDE3FA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 237registryCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 00DDE407
DeleteCriticalSection.KERNEL32(?,?,?), ref: 00DDE41E
EnterCriticalSection.KERNEL32(00F1E020,?,?), ref: 00DDE42A

Part of subcall function 00DDDE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00F1E020,?,?,00DDE451,?,?), ref: 00DDDE51

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 00DDE5FF
RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 00DDE61A
RegCloseKey.ADVAPI32(?,?,?), ref: 00DDE623
LeaveCriticalSection.KERNEL32(00F1E020,00000000,00F1E07C,00F1E080,?,?), ref: 00DDE65E

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD3261: lstrlenW.KERNEL32(750901C0,00DD3646,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3268

LeaveCriticalSection.KERNEL32(00F1E020,00000000,rpdp,00F1E080,00000000,rudp,00F1E07C,00F1E07C,00F1E080,?,?), ref: 00DDE6C4
LeaveCriticalSection.KERNEL32(00F1E020,00000000,?,?), ref: 00DDE6F4

Strings

rudp, xrefs: 00DDE459, 00DDE670
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 00DDE5F5
rpdp, xrefs: 00DDE492, 00DDE691

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
API String ID: 2046459734-177601018
Opcode ID: 227e7e47c4048d4ca0b927ee6bf844bc1f7fb8dbb0ae6edf3e7482e8c20a3bbe
Instruction ID: 014a9a9fa549c73cdb80161a8d6e902151dff1450283006b09c5e4b67564b56a
Opcode Fuzzy Hash: 227e7e47c4048d4ca0b927ee6bf844bc1f7fb8dbb0ae6edf3e7482e8c20a3bbe
Instruction Fuzzy Hash: AA719071600218ABDF14FB60DC96EEE7B29EF5C750B00442BF906AA392DF70AA45D771

Function 00DDEAFB Relevance: 19.6, APIs: 13, Instructions: 135pipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDEA89: GetCurrentThreadId.KERNEL32 ref: 00DDEA95
Part of subcall function 00DDEA89: SetEvent.KERNEL32(00000000), ref: 00DDEAA9
Part of subcall function 00DDEA89: WaitForSingleObject.KERNEL32(00DE956C,00001388), ref: 00DDEAB6
Part of subcall function 00DDEA89: TerminateThread.KERNEL32(00DE956C,000000FE), ref: 00DDEAC7

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00DDEB41
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 00DDEB5E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00DDEB64
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00DDEB6D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 00DDEB85
GetCurrentProcess.KERNEL32(00DE9560,00000000,00000000,00000002,?,00000000), ref: 00DDEB9E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00DDEBA4
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00DDEBA7
GetCurrentProcess.KERNEL32(00DE9564,00000000,00000000,00000002,?,00000000), ref: 00DDEBBC
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00DDEBC2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DDEC18
CreateThread.KERNEL32(00000000,00000000,00DDE92A,00DE9558,00000000,00DE9570), ref: 00DDEC38
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00DDEBC5

Part of subcall function 00DDEC8C: CloseHandle.KERNEL32(00DE9568,00DE9558,00DDEADC,?,00000000,00DD2A8C,00000000,exit,00000000,start), ref: 00DDEC96

Part of subcall function 00DD362D: lstrcpyW.KERNEL32(00000000,750901C0,?,?,?,00DE150A,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3657

Part of subcall function 00DDE891: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000,?,?,00000001), ref: 00DDE8E3

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID:
API String ID: 337272696-0
Opcode ID: a9f7a7d2e26d94ca8380e8b02df53a105ab98b1d1acc5efd070d6a3a1e9d061a
Instruction ID: 730041187b91ad96e4f0b2733bb5ae8f56b2fba8f50a258e6c2469de934d9fda
Opcode Fuzzy Hash: a9f7a7d2e26d94ca8380e8b02df53a105ab98b1d1acc5efd070d6a3a1e9d061a
Instruction Fuzzy Hash: EF415B71A10309BADF15FBA5DD96FEEBB7CEF10741F100016B201AA2D1DBB0AA04CA71

Function 00DDD58D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 00DDD5A0
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 00DDD5B9
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD5C6
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 00DDD5D5
GetLastError.KERNEL32 ref: 00DDD5DF
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 00DDD600
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD611
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD614
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD624
CloseServiceHandle.ADVAPI32(00000000), ref: 00DDD627

Part of subcall function 00DD1099: GetProcessHeap.KERNEL32(00000000,00000000,00DE1E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 00DD109F
Part of subcall function 00DD1099: HeapFree.KERNEL32(00000000), ref: 00DD10A6

Strings

ServicesActive, xrefs: 00DDD597

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: b1e41099eec57ff25745dbb4e18f353f4d193870cdce1695f4e4a2e366d52f79
Instruction ID: 17e58fb1cd9cf6bea8005cce62eaf3e34adb1dff41b309915b83b505e6b445b2
Opcode Fuzzy Hash: b1e41099eec57ff25745dbb4e18f353f4d193870cdce1695f4e4a2e366d52f79
Instruction Fuzzy Hash: CF116D71500258BBCB20AB66ED89D9F7F6EEF857607140066F606DB310DA74DE00CBB0

Function 00DDDED2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 324COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00DDDEEF

Part of subcall function 00DDFC58: GetCurrentProcess.KERNEL32(?,?,00DD2D84,?,00DE4648,?,?,00000000,?,?,?), ref: 00DDFC5C

PathFileExistsW.SHLWAPI(?), ref: 00DDE099
PathFileExistsW.SHLWAPI(?), ref: 00DDDF0D

Part of subcall function 00DDFDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,00DD9A69,?,?,?), ref: 00DDFE07
Part of subcall function 00DDFDF0: GetLastError.KERNEL32(?,?,?,00DD9A69,?,?,?), ref: 00DDFE15

LeaveCriticalSection.KERNEL32(?,00000000), ref: 00DDE28C

Part of subcall function 00DDD9B6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 00DDD9EA

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 00DDE17F
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00DDE2CC

Strings

SeDebugPrivilege, xrefs: 00DDE16F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: 3557b5848ee5699372b49e4dc58f4f893741f156086d0e6fac53521429165da8
Instruction ID: 5e3e94e4926ff4d1110208491d5e7a8ea0af4ab6ff151fb04a4739ca0dcc5c92
Opcode Fuzzy Hash: 3557b5848ee5699372b49e4dc58f4f893741f156086d0e6fac53521429165da8
Instruction Fuzzy Hash: 2EB11971108345ABC714FBA0DC91DAEB7A9FF94344F44092FF59296291EB70EA08CB72

Function 00DDDCB2 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 00DDDCF3

Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00000000,00DE3589,?,?,?,00DE15B2,?,?,80000001), ref: 00DE0FE6
Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00DE15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 00DE100A

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 00DDDD57
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 00DDDD65
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 00DDDD82

Strings

ServiceDll, xrefs: 00DDDD90
svchost.exe -k, xrefs: 00DDDD5D
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00DDDCCE
ImagePath, xrefs: 00DDDD05
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 00DDDCBE
svchost.exe, xrefs: 00DDDD4F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2246401353-3333427388
Opcode ID: 3bd33c02657e1d6235e1cd5628ddd50f261fec9104cc20eab0e99f45fb62276d
Instruction ID: 03effc2fb5668fb3bcafe4b64641ea6ca01232b071168cc338897e4c3376bd26
Opcode Fuzzy Hash: 3bd33c02657e1d6235e1cd5628ddd50f261fec9104cc20eab0e99f45fb62276d
Instruction Fuzzy Hash: 1C41C571D00218ABDF14FBA1DD92AEEB779EF14740F50016AB501B6295EB70AB04CBB0

Function 00DD9ADF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 229fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00DD9AFC
GetLastError.KERNEL32 ref: 00DD9B09
CloseHandle.KERNEL32(00000000), ref: 00DD9B10
GetFileSize.KERNEL32(00000000,00000000), ref: 00DD9B1D
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DD9B4C
CloseHandle.KERNEL32(00000000), ref: 00DD9B53

Strings

Password, xrefs: 00DD9CC3, 00DD9CAB, 00DD9CD7
Password, xrefs: 00DD9CDD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: Password$Password
API String ID: 1366138817-7788977
Opcode ID: 8c487255d160d6861280eefebfe09578433c194eee2efd2c72f9ad871e216bd7
Instruction ID: ab901492c490c04f04b0efbf7b7c20f8d9488a2f49b7a8649a93711473bdb226
Opcode Fuzzy Hash: 8c487255d160d6861280eefebfe09578433c194eee2efd2c72f9ad871e216bd7
Instruction Fuzzy Hash: DA81F470C042846EEF25EBB8D8A5BBDBFA5EF55314F18405BE0416A382CB765E42C772

Function 00DDF80E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00DDF825
CoInitialize.OLE32(00000000), ref: 00DDF82C
CoCreateInstance.OLE32(00DE4490,00000000,00000017,00DE6E60,?,?,?,?,?,?,?,?,?,00DD2D0C), ref: 00DDF84A
VariantInit.OLEAUT32(?), ref: 00DDF8CE

Strings

root\CIMV2, xrefs: 00DDF86A
WQL, xrefs: 00DDF8A6
Name, xrefs: 00DDF8E0
SELECT Name FROM Win32_VideoController, xrefs: 00DDF89C

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: aa625cfe7de376a671090edf7429b033067bcc48f420cd9efb4f8e9456551228
Instruction ID: c4eec83d0590f1ff35e821eefd9ac25b312f53dea9c3eafbb82e9b48944de285
Opcode Fuzzy Hash: aa625cfe7de376a671090edf7429b033067bcc48f420cd9efb4f8e9456551228
Instruction Fuzzy Hash: C341FB74A00249BFCB14DB96CC88E9FBBBDEFC9B14B104459F506EB290D670A905DB31

Function 00DE1F13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75sleepprocessmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,750901C0,00000000), ref: 00DE1F25
IsWow64Process.KERNEL32(00000000), ref: 00DE1F2C
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00DE1F50
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00DE1F5E
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00DE1F6C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00DE1FA9
Sleep.KERNEL32(000003E8), ref: 00DE1FB8

Strings

\System32\cmd.exe, xrefs: 00DE1F66

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: 9afb375efd5c51205f039bdafdbd1f5b7015d6e1ef2d21692a3b5d249b0b2525
Instruction ID: 3a6a02d1614c87d70e7328018f9c8e03a27f860483b59027e1531a032c450f66
Opcode Fuzzy Hash: 9afb375efd5c51205f039bdafdbd1f5b7015d6e1ef2d21692a3b5d249b0b2525
Instruction Fuzzy Hash: 7B111FB6A00348BBE710B7B6AC89FAF766CEF44745F140025F705EA191DA709E0486B5

Function 00DDC118 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\,?,00000104,00000000), ref: 00DDC154
lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 00DDC162
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00DDA729,?,00000104,00000000), ref: 00DDC17B
RegQueryValueExW.ADVAPI32(00DDA729,Path,00000000,?,?,?,?,00000104,00000000), ref: 00DDC198
RegCloseKey.ADVAPI32(00DDA729,?,00000104,00000000), ref: 00DDC1A1

Strings

Path, xrefs: 00DDC190
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 00DDC14E
thunderbird.exe, xrefs: 00DDC15A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: b50abf7aa7c81e95f9734892ced413d1a60bc8ef5825c83ece54cb3cda4fed3a
Instruction ID: cfd3cf2dc0514135a172d8124bb09534cc7e4191754640324803170a4e37c599
Opcode Fuzzy Hash: b50abf7aa7c81e95f9734892ced413d1a60bc8ef5825c83ece54cb3cda4fed3a
Instruction Fuzzy Hash: A7111EB694025DBFEB10BBA5ED89FEE77BCEB14345F1000B6B605E6250E6709E048B71

Function 00DDC4A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDF76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 00DDF79C

Part of subcall function 00DD3335: lstrcatW.KERNEL32(00000000,750901C0,?,?,00DE3589,?,00DE1515,00DE3589,00DE35B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00DE3589,00000000,750901C0,00000000), ref: 00DD3365

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,00DE4684,.tmp,00000000,00DE4684,?,00000000), ref: 00DDC5A5
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00DDC245), ref: 00DDC5AF
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DDC5C3
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DDC5CF

Part of subcall function 00DDCED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00DDC66B,?,?,00000000,?), ref: 00DDCF43
Part of subcall function 00DDCED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,00DDC66B,?,?,00000000,?), ref: 00DDCF4C

Part of subcall function 00DDCF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 00DDCFE0
Part of subcall function 00DDCF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 00DDD00E
Part of subcall function 00DDCF58: LocalFree.KERNEL32(?), ref: 00DDD096

Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,750901C0,?,00DD5A4F,.bss,00000000), ref: 00DD33C8
Part of subcall function 00DD33BF: lstrlenA.KERNEL32(?,?,00DD5A4F,.bss,00000000), ref: 00DD33D5
Part of subcall function 00DD33BF: lstrcpyA.KERNEL32(00000000,?,?,00DD5A4F,.bss,00000000), ref: 00DD33E8

Part of subcall function 00DD3125: lstrcatA.KERNEL32(00000000,750901C0,?,00000000,?,00DD35C4,00000000,00000000,?,00DD4E98,?,?,?,?,?,00000000), ref: 00DD3151

Part of subcall function 00DD308C: lstrlenA.KERNEL32(00000000,00DD30B4,750901C0,00000000,00000000,?,00DD32DC,00DD350E,00000000,-00000001,750901C0,?,00DD350E,00000000,?,00000000), ref: 00DD3093

Strings

select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 00DDC683
.tmp, xrefs: 00DDC4F3, 00DDC4FB, 00DDC531
select signon_realm, origin_url, username_value, password_value from logins, xrefs: 00DDC688, 00DDC692

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 881303001-3832748974
Opcode ID: f567e8dab67195afab9d477b4807b91dda77f533ea3c35c7763376a2c271de59
Instruction ID: 542ccb648a61139cc6413b5c8abd1bd3e5ca93b546cce6cdf166f37a4478950e
Opcode Fuzzy Hash: f567e8dab67195afab9d477b4807b91dda77f533ea3c35c7763376a2c271de59
Instruction Fuzzy Hash: CDD10A72910209ABDF15FFA4DC92AEEB779EF54300F14442BF512A6291DF31AA05CB71

Function 00DE273A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DE274C
CoCreateInstance.OLE32(00DE45A0,00000000,00000001,00DE7410,00DE227B), ref: 00DE2779
CoUninitialize.OLE32 ref: 00DE2902

Part of subcall function 00DE2A6B: CoCreateInstance.OLE32(00DE45E0,00000000,00000001,00DE73F0,?,76CCE550,00000000,00000000,?,?,00DE27B0), ref: 00DE2A99

CoCreateInstance.OLE32(00DE45F0,00000000,00000001,00DE7400,?), ref: 00DE27CA

Part of subcall function 00DE24EB: CoTaskMemFree.OLE32(?,?,00000000,00DE2896), ref: 00DE24F9

Strings

Grabber, xrefs: 00DE27E8
vids, xrefs: 00DE2805
Source, xrefs: 00DE27D9

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 924a90883cea97a1513dce1b2374f8a58aaf197b80811b1e20f7be4a3540ed8d
Instruction ID: d4a9088e4c9b8508b4217f14e398d67b8339fdcefe002873477a36cea873f56f
Opcode Fuzzy Hash: 924a90883cea97a1513dce1b2374f8a58aaf197b80811b1e20f7be4a3540ed8d
Instruction Fuzzy Hash: 34513B71A00249AFDB14EFA5C898EBEB7B9EF84705F08845DF515AB250CB719D05CB70

Function 00DD2961 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE0F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 00DE0F38

TerminateThread.KERNEL32(00000000,?,?), ref: 00DE1740
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00DE17AD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00DE1837
CloseHandle.KERNEL32(?), ref: 00DE1846
CloseHandle.KERNEL32(?), ref: 00DE184B
ExitProcess.KERNEL32 ref: 00DE184E

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 00DE17BB

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: acd4e94e51c0841fbc7fb5b97a7c6136844216bb7f3dfaf0c0f3f629eb8fb1fa
Instruction ID: 268f2a2179e2de20202ec2f30433ccf6701467a83cfdaf34347ce4a5f88ce2c7
Opcode Fuzzy Hash: acd4e94e51c0841fbc7fb5b97a7c6136844216bb7f3dfaf0c0f3f629eb8fb1fa
Instruction Fuzzy Hash: F63137B6900659FBDB11FBA1DD86EEEBB7DEF04300F400466B205A6251DB74AE44CAB1

Function 00DDB559 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,00DDB229), ref: 00DDB561

Part of subcall function 00DE0969: lstrcmpA.KERNEL32(?,00DE1BD0,?,open,00DE1BD0), ref: 00DE09A2

Strings

VaultGetItem, xrefs: 00DDB5B5
vaultcli.dll, xrefs: 00DDB55A
VaultCloseVault, xrefs: 00DDB589
VaultFree, xrefs: 00DDB5E0
VaultEnumerateItems, xrefs: 00DDB59F
VaultOpenVault, xrefs: 00DDB577

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: b48c968e56970145a1cfc7d4b24edad5ba471e565979e0ff8b8cb8c2dd3a4801
Instruction ID: b5ac1c888945c218230f7e3a11e9bbdfe6e451f25780bf73baf094b0ba153b05
Opcode Fuzzy Hash: b48c968e56970145a1cfc7d4b24edad5ba471e565979e0ff8b8cb8c2dd3a4801
Instruction Fuzzy Hash: BF11EC30A01B41CFE724AB72B841BA676E5EB84755F58492FD49A9B346DB70A841CF30

Function 00DE19C9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,00F1CBF0,?,?,?,?,00DE1A78), ref: 00DE19E9
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00DE1A78), ref: 00DE1A06
lstrlenW.KERNEL32(00F1CBF0,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A12
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,00F1CBF0,00000000,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9), ref: 00DE1A28
RegCloseKey.ADVAPI32(?,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A31

Strings

Install, xrefs: 00DE1A20
SOFTWARE\_rptls, xrefs: 00DE19DD, 00DE19E3, 00DE1A00

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: 791091114dcb2c6633da4b8fcde6bda83a25963b7db5704490e2e263e038a7ab
Instruction ID: f5a27608b61714a2c6a0ce72625c881974005e23f59392924a7eaa6483d89a60
Opcode Fuzzy Hash: 791091114dcb2c6633da4b8fcde6bda83a25963b7db5704490e2e263e038a7ab
Instruction Fuzzy Hash: 3DF04F76500198BFE720A797EC8DEEB7E7CEBC6751B000079BA05E2211D6615E44D6B4

Function 00DE1A3C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00F1CBF0,00000208,00000000,00000000,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A58
IsUserAnAdmin.SHELL32 ref: 00DE1A5E

Part of subcall function 00DDFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,750901C0,00000000,750901C0,00000000,?,?,?,?,00DE3589,?), ref: 00DDFC0E
Part of subcall function 00DDFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00DE3589,?), ref: 00DDFC15
Part of subcall function 00DDFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00DE3589,?), ref: 00DDFC33
Part of subcall function 00DDFBFC: CloseHandle.KERNEL32(00000000), ref: 00DDFC48

Part of subcall function 00DE19C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,00F1CBF0,?,?,?,?,00DE1A78), ref: 00DE19E9
Part of subcall function 00DE19C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00DE1A78), ref: 00DE1A06
Part of subcall function 00DE19C9: lstrlenW.KERNEL32(00F1CBF0,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A12
Part of subcall function 00DE19C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,00F1CBF0,00000000,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9), ref: 00DE1A28
Part of subcall function 00DE19C9: RegCloseKey.ADVAPI32(?,?,?,?,?,00DE1A78,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A31

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1A87
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00DE1A91
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00DE1A9B
LockResource.KERNEL32(00000000,?,?,?,?,00DD57B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00DE1AA2

Part of subcall function 00DE1936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000), ref: 00DE1974
Part of subcall function 00DE1936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1988
Part of subcall function 00DE1936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1996
Part of subcall function 00DE1936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE19A4

Strings

WM_DSP, xrefs: 00DE1A7D

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockModuleNameProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 1403607128-506093727
Opcode ID: 0ef86ad10ef8cead73f06b0497c0ff0448d10ddc1aadcdf3a01190ffd7c7e6da
Instruction ID: e59b183d2b45755432cd6b5f77e3a2c3fbb408a57e0cef3d6650ebcfe478c83c
Opcode Fuzzy Hash: 0ef86ad10ef8cead73f06b0497c0ff0448d10ddc1aadcdf3a01190ffd7c7e6da
Instruction Fuzzy Hash: B1F062357413D06BDB2037B36C8DF6F2D5CDF91750F050425F506DA392DA3488818671

Function 00DD5CA3 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,00DE02E1,?,750901C0,00000000), ref: 00DD5CAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00DD5CB7
ExitProcess.KERNEL32 ref: 00DD5CDB

Strings

An assertion condition failed, xrefs: 00DD5CD0
MessageBoxA, xrefs: 00DD5CB1
Assert, xrefs: 00DD5CCB
USER32.DLL, xrefs: 00DD5CA4

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: 6b5a838ce9769581b06b9609f96d88bbb932a20c8df19e08aaeab54f93af09c7
Instruction ID: 274cfbc046c777c316497f71dde9c6f43bf44262dfb053bbadd50e44f06bc13e
Opcode Fuzzy Hash: 6b5a838ce9769581b06b9609f96d88bbb932a20c8df19e08aaeab54f93af09c7
Instruction Fuzzy Hash: 82D05E307C13C1BEEE1037B33CDEF652A086B15F15F184015B641DA3C1D69284989534

Function 00DD5F6A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00DD5F6F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00DD5F7B
ExitProcess.KERNEL32 ref: 00DD5F9A

Strings

MessageBoxA, xrefs: 00DD5F75
USER32.DLL, xrefs: 00DD5F6A
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00DD5F8F
PureCall, xrefs: 00DD5F8A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: 942e9c304ebd9712930db57d8db379e02ecad05a6a74caed47b1c830cda65c45
Instruction ID: 9306d0732b11bfc5b0babbf7ee49483ca8412d8a650e6ba293891f7f3ceebb4c
Opcode Fuzzy Hash: 942e9c304ebd9712930db57d8db379e02ecad05a6a74caed47b1c830cda65c45
Instruction Fuzzy Hash: D2D0CA303C07C16EEA503BB3BCCEF282914AF15F06F040428BA05E82D1CAE09088AA79

Function 00DE0D24 Relevance: 12.2, APIs: 8, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DE0D6A
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DE0D83
CloseHandle.KERNEL32(00000000), ref: 00DE0D8E

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 00DE0DF8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00DE0E2E
CloseHandle.KERNEL32(00000000,00000000,00DE4C14), ref: 00DE0E81
Process32NextW.KERNEL32(00000000,0000022C), ref: 00DE0EE5
CloseHandle.KERNEL32(00000000), ref: 00DE0EF7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
String ID:
API String ID: 3514491001-0
Opcode ID: 7831ab1e815d70b9f013c55caf94c1aaa4dc69cb7f8562c92aa1931dfea29081
Instruction ID: 5ab6cb6ebd4e6688f7618e253ad780a934738eb3ed658591a1afa5d934f7d2df
Opcode Fuzzy Hash: 7831ab1e815d70b9f013c55caf94c1aaa4dc69cb7f8562c92aa1931dfea29081
Instruction Fuzzy Hash: AD517E72D01259ABDB10FBA1DC89AEEBB78EF54710F050166F505B7280EB749B85CBB0

Function 00DE2D0A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DE2D1A
CoCreateInstance.OLE32(00DE45A0,00000000,00000001,00DE7410,0105EAC0,?,?), ref: 00DE2D32
CoCreateInstance.OLE32(00DE45F0,00000000,00000001,00DE7400,0105EACC,?,?,00DE4580,0105EAC4,?,?), ref: 00DE2D8C

Part of subcall function 00DE2A6B: CoCreateInstance.OLE32(00DE45E0,00000000,00000001,00DE73F0,?,76CCE550,00000000,00000000,?,?,00DE27B0), ref: 00DE2A99

Strings

Grabber, xrefs: 00DE2DAC
vids, xrefs: 00DE2DC6
Source, xrefs: 00DE2D9E

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: 51119b82048fbc20e8028d179c4920e7909913a78e61a44959ac0a0a3d22557d
Instruction ID: a1b3906482ab032b33cefe0098f2117cb5c6bc3fa2df028b658d8db0dce83f43
Opcode Fuzzy Hash: 51119b82048fbc20e8028d179c4920e7909913a78e61a44959ac0a0a3d22557d
Instruction Fuzzy Hash: AD515B71600245AFDB24EFA5CC85EAA3B69EF49700B144598F915AF295CB72E805CBB0

Function 00DD7948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64sleepprocessmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 00DD796B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00DD7979
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00DD7987
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00DD79C1
Sleep.KERNEL32(000003E8), ref: 00DD79D0

Strings

\System32\cmd.exe, xrefs: 00DD7981

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: f23a6a131e46cd43b19a0b6e86fe997e4d8bb31e349d55d0e8ab4151ee4f3a22
Instruction ID: ee1f9a5f5f70092b6851c24bf2cf3cfea172fc2f6be206133247ef241c9ec549
Opcode Fuzzy Hash: f23a6a131e46cd43b19a0b6e86fe997e4d8bb31e349d55d0e8ab4151ee4f3a22
Instruction Fuzzy Hash: 0F113CB6600348BFE711ABE8DCC6FAF766CEB04745F000026F702EA291DA709E0486B5

Function 00DE1855 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00DE1B3D,00DE6056,?,?,00DE1B3D,00DE6056,?), ref: 00DE185D
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,00DE1B3D,00DE6056,?), ref: 00DE187A
SetLastError.KERNEL32(00000000,?,?,00DE1B3D,00DE6056,?), ref: 00DE1885
RegSetValueExA.ADVAPI32(?,00DE6056,00000000,00000001,00DE1B3D,00000000,?,?,00DE1B3D,00DE6056,?), ref: 00DE189D
RegCloseKey.ADVAPI32(?,?,?,00DE1B3D,00DE6056,?), ref: 00DE18A8

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00DE1870

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1613093083-2536721355
Opcode ID: 62fda1b0bc8937c8197d677dc0c02520a4cbe4f2ded8d2e0c788f60ea8d0a784
Instruction ID: b09d437e2fb64418684057acc89f29b46ec9d325d4c1f6acadda745d3678a259
Opcode Fuzzy Hash: 62fda1b0bc8937c8197d677dc0c02520a4cbe4f2ded8d2e0c788f60ea8d0a784
Instruction Fuzzy Hash: 98F01D39A01354FBDF212FA1EC89FDA3B69AB05750F104160BA05AA260D6B19A00AAB4

Function 00DD7CB7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00DD86D6,00000000), ref: 00DD7CD3
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00DD7CE1
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00DD7CF2

Strings

ntdll.dll, xrefs: 00DD7CCE
RtlSetLastWin32Error, xrefs: 00DD7CE7
RtlNtStatusToDosError, xrefs: 00DD7CDB

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: dfa864da9b6890224a9da767e6d2012c9053ef0463d666c9a68d1426fed73af7
Instruction ID: 7e5ad558408b3d8f299481a4dacef49fb713c6264d44cb69a81cb908b2fb9e80
Opcode Fuzzy Hash: dfa864da9b6890224a9da767e6d2012c9053ef0463d666c9a68d1426fed73af7
Instruction Fuzzy Hash: F5F05E30244345DFDB04AF66AC59E7A7BA9AF89B01305846DFD09D33A0EBB09801DA30

Function 00DDCBA8 Relevance: 9.1, APIs: 6, Instructions: 73filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 00DDCBDC
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00DDCBF2
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 00DDCC0D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 00DDCC25
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00DDCC48

Part of subcall function 00DDCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC73
Part of subcall function 00DDCC54: LocalAlloc.KERNEL32(00000040,?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCC81
Part of subcall function 00DDCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC97
Part of subcall function 00DDCC54: LocalFree.KERNEL32(?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCCA5

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: 2d73acada72eee1313148c30f05dc172eabb8d752b20ac546fea3df7763722f8
Instruction ID: bb9f3a2a7dff5ab2bd1af38f26d603b8f65a56678e40077658a139d54af66cf9
Opcode Fuzzy Hash: 2d73acada72eee1313148c30f05dc172eabb8d752b20ac546fea3df7763722f8
Instruction Fuzzy Hash: 6D119071620215ABCB25AFADDC84AAEBBBCEB45750F044116FA09DA350D730ED01DB70

Function 00DD2CEC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDF80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00DDF825
Part of subcall function 00DDF80E: CoInitialize.OLE32(00000000), ref: 00DDF82C
Part of subcall function 00DDF80E: CoCreateInstance.OLE32(00DE4490,00000000,00000017,00DE6E60,?,?,?,?,?,?,?,?,?,00DD2D0C), ref: 00DDF84A

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00DD2D1B

Part of subcall function 00DE1E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E4E
Part of subcall function 00DE1E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E61
Part of subcall function 00DE1E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E72
Part of subcall function 00DE1E21: CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,00DE349D), ref: 00DE1E7F

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DDFA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 00DDFA30

Part of subcall function 00DDFC7E: GetComputerNameW.KERNEL32(00DD2D7F,00000010), ref: 00DDFCA1

Part of subcall function 00DDFC58: GetCurrentProcess.KERNEL32(?,?,00DD2D84,?,00DE4648,?,?,00000000,?,?,?), ref: 00DDFC5C

Part of subcall function 00DDFBFC: GetCurrentProcess.KERNEL32(00000008,00000000,750901C0,00000000,750901C0,00000000,?,?,?,?,00DE3589,?), ref: 00DDFC0E
Part of subcall function 00DDFBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00DE3589,?), ref: 00DDFC15
Part of subcall function 00DDFBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00DE3589,?), ref: 00DDFC33
Part of subcall function 00DDFBFC: CloseHandle.KERNEL32(00000000), ref: 00DDFC48

Part of subcall function 00DDFA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDFA5A
Part of subcall function 00DDFA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DDFA6A

Part of subcall function 00DDFCB8: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 00DDFCFC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00DD2DDF
lstrcatW.KERNEL32(?,\Microsoft Vision\,?,?), ref: 00DD2DF1
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00DD2DFF

Part of subcall function 00DD990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9916
Part of subcall function 00DD990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD992D
Part of subcall function 00DD990A: EnterCriticalSection.KERNEL32(00F1DB10,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9939
Part of subcall function 00DD990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9949
Part of subcall function 00DD990A: LeaveCriticalSection.KERNEL32(00F1DB10,?,00000000), ref: 00DD999C

Strings

\Microsoft Vision\, xrefs: 00DD2DE5

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: \Microsoft Vision\
API String ID: 1987359387-1618823865
Opcode ID: c2d2718228b71eb84b9a630e77cb11a54344c2a6ca673d5709773fd3fc3a9cbf
Instruction ID: b2ac1c9bbee7442a5726f2f8ec8bb37e807e589ca19305894f2ae3372f6526fe
Opcode Fuzzy Hash: c2d2718228b71eb84b9a630e77cb11a54344c2a6ca673d5709773fd3fc3a9cbf
Instruction Fuzzy Hash: CE3180B1A10258BBDB14FBE4DC96DEEBB7CEF44300F40046AB506B6392DA705B458BB1

Function 00DE0B2A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE0969: lstrcmpA.KERNEL32(?,00DE1BD0,?,open,00DE1BD0), ref: 00DE09A2

MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 00DE0B70

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DE0BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,750901C0,00000000), ref: 00DE0C14

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 00DE0B7E
C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 00DE0BAE
Bla2, xrefs: 00DE0B67, 00DE0B6D, 00DE0B6E
VirtualQuery, xrefs: 00DE0B37

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 1196126833-2308542105
Opcode ID: f159a66d3f612c07ab373d496a74bfa7212a9e9546e72124361818d10fbc0b6b
Instruction ID: 323a01a1d6cba225fe7c467eb3277218638d4df7c8eeb50595b9625475ae7630
Opcode Fuzzy Hash: f159a66d3f612c07ab373d496a74bfa7212a9e9546e72124361818d10fbc0b6b
Instruction Fuzzy Hash: 49112EB1A00158BADB18FBA2ED56CEFBB7CEF54750B10005AB402B2281DB709F44C6B1

Function 00DE1936 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000), ref: 00DE1974
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1988
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE1996
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00DE1AB4,?,?,?,00DD57B9,?,00000000,00000000), ref: 00DE19A4

Strings

\System32\cmd.exe, xrefs: 00DE199E

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: cc395eeb98025a1150d256803e06378526da6868f76ff94f8d36d1300d86ce3e
Instruction ID: cf435ffaed44939ee08a92e4c2483500bbe6e59fe71c83ad26a2be3e9ed2eba4
Opcode Fuzzy Hash: cc395eeb98025a1150d256803e06378526da6868f76ff94f8d36d1300d86ce3e
Instruction Fuzzy Hash: 6501F2727803917BE62177759C4AFAB3BACDB85B51F000025F709EE2C1C9E5AD4487B8

Function 00DDCE83 Relevance: 8.8, APIs: 7, Instructions: 35COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCE9A
LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCEA5
LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCEB0
LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCEBB
LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCEC6
LocalFree.KERNEL32(?,00000000,00000000,00DDCAF5), ref: 00DDCED1
LocalFree.KERNEL32(00000000,00000000,00000000,00DDCAF5), ref: 00DDCED4

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 0ee2b70c44c65c176dda9a6da72558c032759b6a179229024fcdb557c73f78f1
Instruction ID: b544e5e461417fa25c3cf985b3435af3232d6f7f321194d7bae284221949e45c
Opcode Fuzzy Hash: 0ee2b70c44c65c176dda9a6da72558c032759b6a179229024fcdb557c73f78f1
Instruction Fuzzy Hash: D1F09C71020B159BD7366B26DC04767B7E1BF80305F09193AE58151A708775B896EF60

Function 00DD9D9A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00DD9DB5
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,00DE97B0,?), ref: 00DD9DDC
PathRemoveFileSpecA.SHLWAPI(00DE97B0), ref: 00DD9DE7

Strings

Executable, xrefs: 00DD9DD4
software\Aerofox\FoxmailPreview, xrefs: 00DD9DAB

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 83953c4a65a288a67c7f6432a0c285dc6e79923a927b1ddd3fcce82ce404c124
Instruction ID: a2b9c88be8a9a4f676ce885a89ba722030ec818c461da57490e75ae3e7bf3323
Opcode Fuzzy Hash: 83953c4a65a288a67c7f6432a0c285dc6e79923a927b1ddd3fcce82ce404c124
Instruction Fuzzy Hash: C5F0A7B4640344BFEF20AF51DC9AFDABBBCDB41B88F100065FA01F5284E2B199099534

Function 00DDEF4F Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1f3d72aaa85d2ad28a7cbc139bf7d89cf8b3096f592837e9d3fb2e3790760608
Instruction ID: 303a05328eba39cfb6c72ae5205f38541575fb4dc1bfd0b1fe8ddf83a20de330
Opcode Fuzzy Hash: 1f3d72aaa85d2ad28a7cbc139bf7d89cf8b3096f592837e9d3fb2e3790760608
Instruction Fuzzy Hash: 7761C371904618AAEB10DFA4DC85BEEB7B9FF05300F04806AF545AF382D7B5A945CBB1

Function 00DDEE9A Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00DDEEB4
gethostbyname.WS2_32(?), ref: 00DDEEBD
htons.WS2_32(?), ref: 00DDEEE1
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00DDEF12
connect.WS2_32(00000000,?,00000010), ref: 00DDEF2B

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: 677cbdea71cfb82d88af426d9fa58cf571c6d35f9dabe1bb75209e5fc20837d1
Instruction ID: 64c8680060a43e6aad13a70c3e2406ce9bd8af6a2a2d59c55c42a2e479099f69
Opcode Fuzzy Hash: 677cbdea71cfb82d88af426d9fa58cf571c6d35f9dabe1bb75209e5fc20837d1
Instruction Fuzzy Hash: 1811E972D00394BBD710A7B4AC8AFBB77ACEF05324F044466F909DF291D670894487B0

Function 00DD990A Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9916
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD992D
EnterCriticalSection.KERNEL32(00F1DB10,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9939
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00DD2E0D,?,00000001,?,?), ref: 00DD9949
LeaveCriticalSection.KERNEL32(00F1DB10,?,00000000), ref: 00DD999C

Part of subcall function 00DD1F4B: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00DD1F60

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID:
API String ID: 2964645253-0
Opcode ID: a3a53b316885b1280ecef7d0865835667ebf174dc7f50035cc800dc9c3205a11
Instruction ID: 6ee02fd05ec5e289b09c60fc7f8d90617233d448f15b4dd94c8287fa5b602eb5
Opcode Fuzzy Hash: a3a53b316885b1280ecef7d0865835667ebf174dc7f50035cc800dc9c3205a11
Instruction Fuzzy Hash: 7F015E76A04318ABCB10BB61AC99ADF7B7CEB85310F41801AF5069B352D7799485EBB0

Function 00DE0C79 Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DE0C97
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DE0CAC
Process32NextW.KERNEL32(00000000,0000022C), ref: 00DE0CC4
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DE0CCF
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DE0CE0

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 4f8a9cb1403af092e675d8769f5bc24ac043cdf9a7834a9ec49a79407d4ddcdd
Instruction ID: 023a6537056434ab21267888a2a7d62f72f3351d7ab7b0b133f088879d97763f
Opcode Fuzzy Hash: 4f8a9cb1403af092e675d8769f5bc24ac043cdf9a7834a9ec49a79407d4ddcdd
Instruction Fuzzy Hash: 8301D631601354ABDB207BB6AC8CB7E7ABCEB44725F200155F605E6290D7B08C81CB70

Function 00DDB9A9 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,00DDB132), ref: 00DDB9BA
FreeLibrary.KERNEL32(?,?,00000000,00DDB132), ref: 00DDB9CA
FreeLibrary.KERNEL32(?,?,00000000,00DDB132), ref: 00DDB9D8
FreeLibrary.KERNEL32(?,?,00000000,00DDB132), ref: 00DDB9E6
FreeLibrary.KERNEL32(?,?,00000000,00DDB132), ref: 00DDB9F4

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9efa7308eae3fec042626a69f7bae58ad8132973c1ce1be75b23f21e891f8077
Instruction ID: 2f5629fe4c353f380bc748c1bc2fdbd97b7278922a1c25d6dae4c52f1d69811c
Opcode Fuzzy Hash: 9efa7308eae3fec042626a69f7bae58ad8132973c1ce1be75b23f21e891f8077
Instruction Fuzzy Hash: D8F0A571B00B16BED7495F768C84B86FE6AFF49260F01422B952C42221CB716474DFD2

Function 00DDB627 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,00DDABDF), ref: 00DDB638
FreeLibrary.KERNEL32(?,?,?,00000000,00DDABDF), ref: 00DDB648
FreeLibrary.KERNEL32(?,?,?,00000000,00DDABDF), ref: 00DDB656
FreeLibrary.KERNEL32(?,?,?,00000000,00DDABDF), ref: 00DDB664
FreeLibrary.KERNEL32(?,?,?,00000000,00DDABDF), ref: 00DDB672

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9efa7308eae3fec042626a69f7bae58ad8132973c1ce1be75b23f21e891f8077
Instruction ID: 2f5629fe4c353f380bc748c1bc2fdbd97b7278922a1c25d6dae4c52f1d69811c
Opcode Fuzzy Hash: 9efa7308eae3fec042626a69f7bae58ad8132973c1ce1be75b23f21e891f8077
Instruction Fuzzy Hash: D8F0A571B00B16BED7495F768C84B86FE6AFF49260F01422B952C42221CB716474DFD2

Function 00DDB203 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 00DDB559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,00DDB229), ref: 00DDB561

FreeLibrary.KERNEL32(?), ref: 00DDB506

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3248: lstrcmpW.KERNEL32(?,?), ref: 00DD3252

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Strings

4, xrefs: 00DDB4CE
8, xrefs: 00DDB4C9
Internet Explorer, xrefs: 00DDB2B4, 00DDB3CF

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
String ID: 4$8$Internet Explorer
API String ID: 708496175-747916358
Opcode ID: c7f205019a893439b7ea0bb4e14cb5ecaead3ad290780e2a3eaeb0f0dbde5d75
Instruction ID: 3c1047e3536f7f426ebce0472cf77f508c92fd9d100b9498b60d93f390645bdb
Opcode Fuzzy Hash: c7f205019a893439b7ea0bb4e14cb5ecaead3ad290780e2a3eaeb0f0dbde5d75
Instruction Fuzzy Hash: BFA1F2B1D00219ABDF15EFE5D8859EEBB79FF44714F14402AF405A7252EB30AA45CBB0

Function 00DE3251 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 00DE327D
lstrcatW.KERNEL32(?,send.db), ref: 00DE328F

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD3437: lstrcpyW.KERNEL32(00000000,00000000,00000000,?,?,00DE1E0A,00000000,00000000,00000000,.bss,00000000), ref: 00DD345C

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

send.db, xrefs: 00DE3283
5, xrefs: 00DE32C4

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: 2b1e98901bce6efe1d06d3ac4dbdcad09cfe3e6b627d61d6817900c928a1344b
Instruction ID: c63d149a178db395c3b422462a45a606876dd6257ebab83e5554f82a5e521ae4
Opcode Fuzzy Hash: 2b1e98901bce6efe1d06d3ac4dbdcad09cfe3e6b627d61d6817900c928a1344b
Instruction Fuzzy Hash: C7015E71D4011CABDB10EB64DC46EEE77BCEF50304F008066B505A6281EB749B46CBF1

Function 00DE36E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00DE3710
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00DE3722

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Strings

\Microsoft Vision\, xrefs: 00DE3716
;, xrefs: 00DE373D

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: b8302bac7e434143f2f8b9c574856ddc4900698fb505e91e7dac483ad9795901
Instruction ID: 4cf95000f6dfe699ad13351248150af99dc528269f6047736c000605106e554b
Opcode Fuzzy Hash: b8302bac7e434143f2f8b9c574856ddc4900698fb505e91e7dac483ad9795901
Instruction Fuzzy Hash: 120109B1800219BADB10FBA0ED4ADDEBBB8EF14304F104156B505A6281EA34AB44CBF1

Function 00DDF4CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDF4E6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DDF4F6

Strings

RtlGetVersion, xrefs: 00DDF4F0
ntdll.dll, xrefs: 00DDF4D7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 7ffdf8265d3ba43fb9afc105df25e1fa974905611e6566580293c1d461058098
Instruction ID: 9f6db22fc20098ac43ea65a060a82530441644a6247fbf2b0ce110946a5dca70
Opcode Fuzzy Hash: 7ffdf8265d3ba43fb9afc105df25e1fa974905611e6566580293c1d461058098
Instruction Fuzzy Hash: B4E0D83078039C19CB347F75BC0B6D77AA85B12745F8841B49143D1384DA74DA06CAF0

Function 00DDF51D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 00DDF535
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DDF545

Strings

RtlGetVersion, xrefs: 00DDF53F
ntdll.dll, xrefs: 00DDF526

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 66c34b1d25aba93843cf12e705ff44a79cff5500cd25585918fe5fa7da8908c4
Instruction ID: cef8fa4053f223d12b56466b574643e57c474c3b11e8fb3771b06152574f9bf8
Opcode Fuzzy Hash: 66c34b1d25aba93843cf12e705ff44a79cff5500cd25585918fe5fa7da8908c4
Instruction Fuzzy Hash: 0EE0123074035C5ACB24BF72EC0AAD677A85B22749F4445A4E206E1280DA74C9498EB0

Function 00DE0C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,00DDFC6D,?,?,00DD2D84,?,00DE4648,?,?,00000000,?), ref: 00DE0C4B
GetProcAddress.KERNEL32(00000000), ref: 00DE0C52

Strings

kernel32, xrefs: 00DE0C44
IsWow64Process, xrefs: 00DE0C3F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 33e12f3a3f918f4edcf82a3e1fe3df147064dded33de48a268962f804b112c65
Instruction ID: 7ea0d4a9bf594a1e1e97b9aa9c19c7e74595d2363c2d12b2bbc73be2adbfc745
Opcode Fuzzy Hash: 33e12f3a3f918f4edcf82a3e1fe3df147064dded33de48a268962f804b112c65
Instruction Fuzzy Hash: 4DE0867A540344FFDB20EBA2DC49A8F776CDB14755B504044B001E2280D6B4DA04C7B0

Function 00DDD17D Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00DDD18E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00DDD1DD

Part of subcall function 00DD33F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00DD2A97,?,?,00000000,exit,00000000,start), ref: 00DD341A

Part of subcall function 00DD57FB: getaddrinfo.WS2_32(750901C0,00000000,00DD4EA0,00000000), ref: 00DD5848
Part of subcall function 00DD57FB: socket.WS2_32(00000002,00000001,00000000), ref: 00DD585F
Part of subcall function 00DD57FB: htons.WS2_32(00000000), ref: 00DD5885
Part of subcall function 00DD57FB: freeaddrinfo.WS2_32(00000000), ref: 00DD5895
Part of subcall function 00DD57FB: connect.WS2_32(?,?,00000010), ref: 00DD58A1

LeaveCriticalSection.KERNEL32(?), ref: 00DDD261
EnterCriticalSection.KERNEL32(?), ref: 00DDD27E
LeaveCriticalSection.KERNEL32(?), ref: 00DDD288

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: 237a04c5d5074d4d90bf0b124407f1677b32a4d8979f97e0fd4c4e1d906e9a8b
Instruction ID: fcf691ed4ee8c766fab176ab35e3875bce8367280641131b6cade3cd969f7a63
Opcode Fuzzy Hash: 237a04c5d5074d4d90bf0b124407f1677b32a4d8979f97e0fd4c4e1d906e9a8b
Instruction Fuzzy Hash: 18314371600706BBDB05EBB0DC51FAAB7ADFF15350F50461AF52992281EB70BA158BB0

Function 00DDF69F Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,00DDDCAA), ref: 00DDF6AA
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,00DDDCAA), ref: 00DDF6BE
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,00DDDCAA), ref: 00DDF6CA
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,00DDDCAA), ref: 00DDF70F

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: d7e4a50c978427b41ea751a8759f7d8f1f7d71c4505081ca693547860d0fdab9
Instruction ID: 603bd79e6d8f7a69aca63f9a20282c03c4d59de3a856cc2e22fc3d20f74ac78b
Opcode Fuzzy Hash: d7e4a50c978427b41ea751a8759f7d8f1f7d71c4505081ca693547860d0fdab9
Instruction Fuzzy Hash: 890180B5300B01AFD7085F69EC89AA6B7B4FF483147048239E42AC73A0D774D855C7B0

Function 00DDC9F2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00DDCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC73
Part of subcall function 00DDCC54: LocalAlloc.KERNEL32(00000040,?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCC81
Part of subcall function 00DDCC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00DDCC97
Part of subcall function 00DDCC54: LocalFree.KERNEL32(?,?,00DDCBC6,?,00000000,?,00000000,?), ref: 00DDCCA5

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 00DDCA6C

Part of subcall function 00DDCA78: GetLastError.KERNEL32 ref: 00DDCADE

LocalFree.KERNEL32(?), ref: 00DDCA65

Part of subcall function 00DDCCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,00DDCA5F,?), ref: 00DDCCD1
Part of subcall function 00DDCCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,00DDCA5F,?), ref: 00DDCCEA
Part of subcall function 00DDCCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,00DDCA5F,00000000,00000000,?,00000020,00000000,?,00DDCA5F,?), ref: 00DDCCFF

Strings

, xrefs: 00DDCA4B
DPAPI, xrefs: 00DDCA18

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 1183dd3f2dfce2a7c2b3ea109b1d2abddf5bf5b3edd887a063584b29c25fd0cd
Instruction ID: c781967c6b2e69925e764407d4c9c6973f89f10308d4135c3759710738645d2e
Opcode Fuzzy Hash: 1183dd3f2dfce2a7c2b3ea109b1d2abddf5bf5b3edd887a063584b29c25fd0cd
Instruction Fuzzy Hash: D101C072A1060EFBCF10EBA5DD859DEB778EB44705F049266E800E6240E730AB45DBB0

Function 00DD47EA Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(?), ref: 00DD47FF
GetTickCount.KERNEL32 ref: 00DD4805
GetForegroundWindow.USER32 ref: 00DD4819
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DD482C

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
String ID:
API String ID: 2567647128-0
Opcode ID: 391c54db5865ccb28507c6ab796421b327bdf5bc5be9ea8be0fb6ba358335d8f
Instruction ID: 456ee253367810d7f69ccf79fee0290a1a70e3cbee541f645628b71968d8eaad
Opcode Fuzzy Hash: 391c54db5865ccb28507c6ab796421b327bdf5bc5be9ea8be0fb6ba358335d8f
Instruction Fuzzy Hash: 331109B1D00208ABDB04EBA4E959ADDB7B9EF58305F004156B502A6291EF74AB54CBB4

Function 00DDEA89 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DDEA95
SetEvent.KERNEL32(00000000), ref: 00DDEAA9
WaitForSingleObject.KERNEL32(00DE956C,00001388), ref: 00DDEAB6
TerminateThread.KERNEL32(00DE956C,000000FE), ref: 00DDEAC7

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: ceeee2075a20af136c33a2640489b563112d0df8d17bbab4624a19e352b978f9
Instruction ID: 232a31e4d0695181b9622e8d08a67d63a318d2c2f7b6ecd32035c76aa20454dc
Opcode Fuzzy Hash: ceeee2075a20af136c33a2640489b563112d0df8d17bbab4624a19e352b978f9
Instruction Fuzzy Hash: DF0131310107019BD734BF14E989A99B3B2FF50311F540A2BE0529AAE1DBB06988CB71

Function 00DDFCB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 00DDFCFC

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00000000,00DE3589,?,?,?,00DE15B2,?,?,80000001), ref: 00DE0FE6
Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00DE15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 00DE100A

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00DDFCDE
MachineGuid, xrefs: 00DDFD17

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1903904756-1211650757
Opcode ID: 4742cd9326059456494b1af41775025c9816aa5380d03704194abe42a5ebed32
Instruction ID: ca0a98c891d592565a308577a86e0cb3baa51df9ee679c50764bac8c16c1c2c4
Opcode Fuzzy Hash: 4742cd9326059456494b1af41775025c9816aa5380d03704194abe42a5ebed32
Instruction Fuzzy Hash: 5E111F70E00159ABCB24FBA4DD528EDBB79EF54700B50056BF406A3291DBB05F45CBB1

Function 00DDDE1F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00F1E020,?,?,00DDE451,?,?), ref: 00DDDE51

Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00000000,00DE3589,?,?,?,00DE15B2,?,?,80000001), ref: 00DE0FE6
Part of subcall function 00DE0FC3: RegQueryValueExW.ADVAPI32(?,750901C0,00000000,750901C0,00000000,00000000,?,00DE15B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 00DE100A

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

Strings

ServiceDll, xrefs: 00DDDE5F
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00DDDE2C

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1903904756-387424650
Opcode ID: 913ee925cdbc23d328ad01f5e4bc611a5bf281efd977b6db7fed77ffd7f86c69
Instruction ID: d01d195edc9687d3154035d314eba6a9826166f110c8cec720db53ba0ba96ec6
Opcode Fuzzy Hash: 913ee925cdbc23d328ad01f5e4bc611a5bf281efd977b6db7fed77ffd7f86c69
Instruction Fuzzy Hash: 0D112E71D00108ABCF24FBA5D956CEEBB79EF94740B50015AB802B7285EB705F44CBB1

Function 00DDD9B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,00000000,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD35EE
Part of subcall function 00DD35E5: lstrlenW.KERNEL32(00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3605
Part of subcall function 00DD35E5: lstrcpyW.KERNEL32(?,00DE1E02,?,00DE1E02,00000000,00000000,.bss,00000000), ref: 00DD3620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 00DDD9EA

Part of subcall function 00DE1039: RegSetValueExW.KERNEL32(?,750901C0,00000000,?,?,?,?,?,00DE1432,00000000,00000000,?,00000001,?,?,?), ref: 00DE1058

Part of subcall function 00DD5EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00DD5C2A,00000000,?,00DE10EE,?,?,00DE36B9), ref: 00DD5EAD

Part of subcall function 00DE0FAE: RegCloseKey.KERNEL32(?,?,00DE112D,?,?,00DE36B9), ref: 00DE0FB8

Strings

ServiceDll, xrefs: 00DDDA03
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00DDD9C2

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 2854241163-387424650
Opcode ID: e51f572084a95fac2b27e8802fda077d1d7780ede12496289788f70c50517a01
Instruction ID: ab9cd5a6636fece5efc518c1262506b6944984acb82253edb7403e7d3d78be2f
Opcode Fuzzy Hash: e51f572084a95fac2b27e8802fda077d1d7780ede12496289788f70c50517a01
Instruction Fuzzy Hash: 4C111F75D00258ABCB24FBA2DC96CFEBB79EF94700F40402AE50272285DB706A45CA71

Function 00DE2FD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD1085: GetProcessHeap.KERNEL32(00000000,?,00DE1E36,00400000,?,?,00000000,?,?,00DE349D), ref: 00DD108B
Part of subcall function 00DD1085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00DE349D), ref: 00DD1092

GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,750901C0,00000000,00DE3628), ref: 00DE3008
WinExec.KERNEL32(00000000,00000000), ref: 00DE304E

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 00DE300E, 00DE3013, 00DE301A

Memory Dump Source

Source File: 00000000.00000002.3314587191.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000000.00000002.3314568689.0000000000DD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314609858.0000000000DE4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000DE9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314631166.0000000000F1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314694362.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dd0000_hb21QzBgft.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: e19ada67acc818ccc554a7cdfff8ce6411ab8b30b3d5a1ebfd52bc02be802c95
Instruction ID: 8bf82e2d8457a191af1466eaf62f9a48a2cc5bb37f65f66f00b461d551b0fa13
Opcode Fuzzy Hash: e19ada67acc818ccc554a7cdfff8ce6411ab8b30b3d5a1ebfd52bc02be802c95
Instruction Fuzzy Hash: 53F096B994035076F22032B16CCBFBF5A9CDF99751F040027F604E53C2EA689D4041B5

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hb21QzBgft.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
hb21QzBgft.exe

Function 00DE290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Function 00DD562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Function 00DE3435 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Function 00DE1136 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 278
fileCOMMON

Function 00DDE703 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Function 00DD99A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Function 00DD57FB Relevance: 9.1, APIs: 6, Instructions: 75
networksynchronizationCOMMON

Function 00DD5CE2 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Function 00DE1E21 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Function 00DDFBFC Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00DD5A10 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 156
sleepCOMMON

Function 00DD3554 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Function 00DE106C Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Function 00DE1D0C Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Sensor Health: Host Status
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre