Edit tour

Windows Analysis Report
wce.exe

Overview

General Information

Sample name:	wce.exe
Analysis ID:	1581372
MD5:	4fb08ad6583c2d44a098e325699789cb
SHA1:	76af4d288f66b71f7cd275d4e71d6010ac0feeea
SHA256:	5884f3fc15c710fb754f31c368acaf37582ab1d63125233fd3cb91d50a9098af
Tags:	exeuser-windshock
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Installs new ROOT certificates

Machine Learning detection for sample

Sigma detected: Cred Dump Tools Dropped Files

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wce.exe (PID: 5304 cmdline: "C:\Users\user\Desktop\wce.exe" MD5: 4FB08AD6583C2D44A098E325699789CB)

conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 2440 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wce.exe	iam_alt_iam_alt	Auto-generated rule - file iam-alt.exe	Florian Roth	0x1de24:$s4: Error in cmdline!. Bye!. 0x1e054:$s5: Error: Cannot open LSASS.EXE!. 0x1e150:$s5: Error: Cannot open LSASS.EXE!. 0x1e3b0:$s5: Error: Cannot open LSASS.EXE!. 0x1f47c:$s5: Error: Cannot open LSASS.EXE!. 0x1dfd4:$s6: nthash is too long!.

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.wce.exe.160000.0.unpack	iam_alt_iam_alt	Auto-generated rule - file iam-alt.exe	Florian Roth	0x1de24:$s4: Error in cmdline!. Bye!. 0x1e054:$s5: Error: Cannot open LSASS.EXE!. 0x1e150:$s5: Error: Cannot open LSASS.EXE!. 0x1e3b0:$s5: Error: Cannot open LSASS.EXE!. 0x1f47c:$s5: Error: Cannot open LSASS.EXE!. 0x1dfd4:$s6: nthash is too long!.
0.0.wce.exe.160000.0.unpack	iam_alt_iam_alt	Auto-generated rule - file iam-alt.exe	Florian Roth	0x1de24:$s4: Error in cmdline!. Bye!. 0x1e054:$s5: Error: Cannot open LSASS.EXE!. 0x1e150:$s5: Error: Cannot open LSASS.EXE!. 0x1e3b0:$s5: Error: Cannot open LSASS.EXE!. 0x1f47c:$s5: Error: Cannot open LSASS.EXE!. 0x1dfd4:$s6: nthash is too long!.

Sigma Signatures

System Summary

Sigma detected: Cred Dump Tools Dropped Files

Source: File created

Author: Teymur Kheirkhabarov, oscd.community: Data: EventID: 11, Image: C:\Users\user\Desktop\wce.exe, ProcessId: 5304, TargetFilename: C:\Users\user\AppData\Local\Temp\wceaux.dll

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc, CommandLine: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\lsass.exe, ParentImage: C:\Windows\System32\lsass.exe, ParentProcessId: 640, ParentProcessName: lsass.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc, ProcessId: 2440, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\lsass.exe, CommandLine: C:\Windows\system32\lsass.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\lsass.exe, NewProcessName: C:\Windows\System32\lsass.exe, OriginalFileName: C:\Windows\System32\lsass.exe, ParentCommandLine: "C:\Users\user\Desktop\wce.exe", ParentImage: C:\Users\user\Desktop\wce.exe, ParentProcessId: 5304, ParentProcessName: wce.exe, ProcessCommandLine: C:\Windows\system32\lsass.exe, ProcessId: 640, ProcessName: lsass.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wce.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wceaux.dll

Avira: detection malicious, Label: HEUR/AGEN.1302736

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wceaux.dll

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: wce.exe	ReversingLabs: Detection: 89%
Source: wce.exe	Virustotal: Detection: 85%			Perma Link

Machine Learning detection for sample

Source: wce.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00165610 CreateFileA,CryptAcquireContextA,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,_wprintf,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle,CryptGetHashParam,_wprintf,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,_wprintf,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,

0_2_00165610

Source: wce.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264841677.00000140AE074000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021397989.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264745983.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264766452.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021439393.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000002.00000002.3265108043.00000140AE200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2223243490.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: svchost.exe, 00000005.00000000.2234678531.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267309116.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021397989.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264745983.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000002.00000002.3265108043.00000140AE200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264766452.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021439393.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2223243490.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264766452.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021439393.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2223243490.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: svchost.exe, 00000005.00000002.3267282147.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267681087.000001428B11B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264526846.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264526846.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234563646.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267107761.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267725027.000001428B136000.00000004.00000001.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000005.00000002.3267131527.000001428A840000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab/D
Source: svchost.exe, 00000005.00000002.3267337195.000001428A8B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7bafc37f94505
Source: svchost.exe, 00000005.00000002.3267131527.000001428A840000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe.com3D
Source: svchost.exe, 00000005.00000002.3267051978.000001428A813000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000005.00000000.2234583375.000001428A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267282147.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267681087.000001428B11B000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97490.5.dr, FB0D848F74F70BB2EAA93746D24D97491.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
Source: svchost.exe, 00000005.00000000.2234649304.000001428A879000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab$
Source: svchost.exe, 00000005.00000002.3267681087.000001428B11B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?62d1aa58da7f7
Source: lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000002.00000000.2021099209.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264462364.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000005.00000000.2234583375.000001428A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234563646.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234812689.000001428A8FD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234798148.000001428A8FB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234649304.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234544775.000001428A813000.00000004.00000001.00020000.00000000.sdmp, 80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.5.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A0.5.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB6151870.5.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.5.dr, E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB040.5.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
Source: svchost.exe, 00000005.00000000.2234701922.000001428A8B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3265108043.00000140AE200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021158842.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021397989.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264766452.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021439393.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264745983.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2223243490.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000002.00000002.3264942103.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000003.2624869775.00000140AE172000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000002.00000000.2021099209.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264462364.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000002.00000002.3264964918.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021582398.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264964918.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021678638.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: wce.exe, type: SAMPLE	Matched rule: Auto-generated rule - file iam-alt.exe Author: Florian Roth
Source: 0.2.wce.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Auto-generated rule - file iam-alt.exe Author: Florian Roth
Source: 0.0.wce.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Auto-generated rule - file iam-alt.exe Author: Florian Roth

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_001674B0 OpenSCManagerA,OpenServiceA,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_001674B0

Source: C:\Windows\System32\svchost.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Jump to behavior

Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0017AC81	0_2_0017AC81
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_00178D25	0_2_00178D25
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_00179276	0_2_00179276
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016C6BF	0_2_0016C6BF
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_00179EA3	0_2_00179EA3
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016C2D7	0_2_0016C2D7
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016B6D2	0_2_0016B6D2
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016BF05	0_2_0016BF05
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016BB67	0_2_0016BB67
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_001797C7	0_2_001797C7

Source: C:\Users\user\Desktop\wce.exe	Code function: String function: 0016A932 appears 281 times
Source: C:\Users\user\Desktop\wce.exe	Code function: String function: 0016F690 appears 35 times

Source: wce.exe

Static PE information: Resource name: BINARY type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: wce.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wce.exe, type: SAMPLE	Matched rule: iam_alt_iam_alt date = 2015-07-10, author = Florian Roth, description = Auto-generated rule - file iam-alt.exe, score = 2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90, reference = http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.wce.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: iam_alt_iam_alt date = 2015-07-10, author = Florian Roth, description = Auto-generated rule - file iam-alt.exe, score = 2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90, reference = http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.wce.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: iam_alt_iam_alt date = 2015-07-10, author = Florian Roth, description = Auto-generated rule - file iam-alt.exe, score = 2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90, reference = http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.evad.winEXE@2/16@0/0

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_001647A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,

0_2_001647A0

Source: C:\Users\user\Desktop\wce.exe

Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00167410

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00163E30 _memset,__snprintf,CreateToolhelp32Snapshot,Process32First,CloseHandle,_memset,__snprintf,CloseHandle,Process32Next,CloseHandle,

0_2_00163E30

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00164DC0 FindResourceA,LoadResource,CloseHandle,LockResource,CloseHandle,CloseHandle,SizeofResource,CreateFileA,CloseHandle,CloseHandle,CreateFileMappingA,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,MapViewOfFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,_memmove,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,

0_2_00164DC0

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00167890 StartServiceCtrlDispatcherA,

0_2_00167890

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00167890 StartServiceCtrlDispatcherA,

0_2_00167890

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03

Source: C:\Users\user\Desktop\wce.exe

File created: C:\Users\user\AppData\Local\Temp\wceaux.dll

Jump to behavior

Source: wce.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wce.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wce.exe	ReversingLabs: Detection: 89%
Source: wce.exe	Virustotal: Detection: 85%

Source: unknown	Process created: C:\Users\user\Desktop\wce.exe "C:\Users\user\Desktop\wce.exe"
Source: C:\Users\user\Desktop\wce.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\wce.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wce.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wce.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: wce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: wce.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wce.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wce.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wce.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wce.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00163FA0 OpenProcess,_wprintf,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,_memset,_strncpy,_memset,_strncpy,VirtualAllocEx,_wprintf,CloseHandle,WriteProcessMemory,_wprintf,VirtualFreeEx,CloseHandle,VirtualAllocEx,_wprintf,VirtualFreeEx,CloseHandle,WriteProcessMemory,_wprintf,VirtualFreeEx,VirtualFreeEx,CloseHandle,WriteProcessMemory,_wprintf,VirtualFreeEx,VirtualFreeEx,CloseHandle,GetVersionExA,CreateRemoteThread,_wprintf,VirtualFreeEx,VirtualFreeEx,CloseHandle,WaitForSingleObject,ReadProcessMemory,_wprintf,VirtualFreeEx,VirtualFreeEx,CloseHandle,CloseHandle,VirtualFreeEx,VirtualFreeEx,CloseHandle,

0_2_00163FA0

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_0016F6D5 push ecx; ret

0_2_0016F6E8

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\wce.exe

File created: C:\Users\user\AppData\Local\Temp\wceaux.dll

Jump to dropped file

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00167890 StartServiceCtrlDispatcherA,

0_2_00167890

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\wce.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wceaux.dll

Jump to dropped file

Source: C:\Users\user\Desktop\wce.exe

Evaded block: after key decision

graph_0-12346

Source: C:\Users\user\Desktop\wce.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-12479

Source: C:\Users\user\Desktop\wce.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-13599

Source: C:\Windows\System32\svchost.exe TID: 2648

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: lsass.exe, 00000002.00000002.3264526846.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000005.00000002.3267309116.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: "@Hyper-V RAW%\system32\NgcRecovery.dll,-100
Source: lsass.exe, 00000002.00000002.3264526846.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000005.00000002.3267725027.000001428B136000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.3267337195.000001428A8D6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@q
Source: lsass.exe, 00000002.00000002.3264526846.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: lsass.exe, 00000002.00000002.3264414539.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021052605.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.2234737793.000001428A8D9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wce.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_0016F478 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0016F478

Source: C:\Users\user\Desktop\wce.exe

0_2_00163FA0

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_0017878B __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0017878B

Source: C:\Users\user\Desktop\wce.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016F478 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0016F478
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_00174E08 SetUnhandledExceptionFilter,	0_2_00174E08
Source: C:\Users\user\Desktop\wce.exe	Code function: 0_2_0016AB1A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0016AB1A

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\wce.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 730000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\wce.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 740000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\wce.exe

0_2_00163FA0

Writes to foreign memory regions

Source: C:\Users\user\Desktop\wce.exe	Memory written: C:\Windows\System32\lsass.exe base: 730000	Jump to behavior
Source: C:\Users\user\Desktop\wce.exe	Memory written: C:\Windows\System32\lsass.exe base: 740000	Jump to behavior
Source: C:\Users\user\Desktop\wce.exe	Memory written: C:\Windows\System32\lsass.exe base: 740818	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCD0000	Jump to behavior

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_001683F0 CreateNamedPipeA,_wprintf,ConnectNamedPipe,GetLastError,_wprintf,FlushFileBuffers,DisconnectNamedPipe,

0_2_001683F0

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00175329 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00175329

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_00173C69 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,__malloc_crt,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00173C69

Source: C:\Users\user\Desktop\wce.exe

Code function: 0_2_001634D0 GetCurrentProcessId,ProcessIdToSessionId,ProcessIdToSessionId,_memset,GetVersionExA,

0_2_001634D0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Service Execution	14 Windows Service	1 Access Token Manipulation	1 Modify Registry	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	4 Native API	1 DLL Side-Loading	14 Windows Service	11 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	32 Process Injection	1 Access Token Manipulation	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	32 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wce.exe	89%	ReversingLabs	Win32.Hacktool.WinCredEd
wce.exe	86%	Virustotal		Browse
wce.exe	100%	Avira	TR/Gendal.6210125.5
wce.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\wceaux.dll	100%	Avira	HEUR/AGEN.1302736
C:\Users\user\AppData\Local\Temp\wceaux.dll	58%	ReversingLabs	Win32.Hacktool.WinCred

Source	Detection	Scanner	Label	Link
http://3csp.icrosof4m/ocp0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.98	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.ver)	svchost.exe, 00000005.00000000.2234678531.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3267309116.000001428A88A000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000002.00000000.2021099209.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264462364.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000002.00000000.2021099209.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264462364.00000140AD850000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000002.00000000.2021072712.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://3csp.icrosof4m/ocp0	lsass.exe, 00000002.00000000.2021518451.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000002.00000002.3264841677.00000140AE074000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000002.00000002.3264438690.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581372
Start date and time:	2024-12-27 14:13:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wce.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@2/16@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 217.20.58.98, 192.229.221.95, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
08:14:24	API Interceptor	6x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	192.229.221.95
	setup.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	V2s8yjvIJw.exe	Get hash	malicious	Iris Stealer	Browse	192.229.221.95
	k6olCJyvIj.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	G6xnfES308.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	XM6cn2uNux.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	bG89JAQXz2.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	q8b3OisMC4.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	nXNMsYXFFc.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	5RaYXoKFn9.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.58.98
	msgde.exe	Get hash	malicious	Quasar	Browse	217.20.58.99
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	217.20.58.100
	WRD1792.docx.doc	Get hash	malicious	Dynamer	Browse	217.20.58.99
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse	217.20.58.98
	0442.pdf.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	217.20.58.101
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse	217.20.58.99

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.156295391825961
Encrypted:	false
SSDEEP:	12:JuGnPXPG5qPGy+PXs9fZoQYvrlz1dB+rXs9378Tb:JZXPGINKXeoQARvAs94Tb
MD5:	ACD61F639CCB415A09197FE086D2873C
SHA1:	49049A623FEC36623BA104F8787E2EBC2879FB8D
SHA-256:	549A945A63FA842CC86ABE6C5802705C583C58E53BA9D40B53885B6FEAAA9D9B
SHA-512:	F5679C06958CAD73E60EBBF441F2729EF5B20BEB856312EE67FB4C3A560B9984AA5D98F203A343C61281A1E32796F55CEF11870FFD6210C1E887C042225F741B
Malicious:	false
Reputation:	low
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241226190220Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....n.U_$t...]......20241226190220Z....20250102190220Z0...*.H...............4..QSvr,.hL.<.nZ..1.'{.N.(.f:...1"..F=.....`..(.QS..K.Y<..CT..:~z......[F...V.?.M.=..9...7.....J...0b.6z.[....I.....4;.L...d....i!._..A.uP..b.....r.BSA.....Ii..]90....p3.0!........Bpg7.mX..\|..(....u..9...../m{....l..g=..`..uH..rtc.[.......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.268468978894918
Encrypted:	false
SSDEEP:	12:JuGe25qPGu0M09f4xVbK1ACOrnq87T92VmK0sRO33Zb:J/IKcxVb0ACO7q8760JF
MD5:	5B893B223421743BCC9F6ECEF25EC015
SHA1:	036F17B237CB2FDEA6B221FD5DE9E599AE8FEEE9
SHA-256:	CDD88E3893A7CBF989C868D097A234D987E9302F7DBE67EE0647154DD80705E1
SHA-512:	0DA7B6BEEC2D8C4251FF1DE5662D5B66C043E9AF20CC06FA4EFD7F7464E50CEB7A9B982DA23648245B6790DEF833A190747FE9A904442BD0F06D20FB9B06BFD6
Malicious:	false
Reputation:	low
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241225190147Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....e&D.^=.8t.]......20241225190147Z....20250101190147Z0....H..............p.S.B}n.......}{4.....3.....Asv...2.~.8...P.:...d^.>f0.i..._3...RHuB...]..:...Y=....w.>Z....;K..i.,....F..W......M..........o!...&....wg.X..I.....T.r.._..\.... ....Q..2...GaU.$.=X....Ld.........a.?.......O...I..)D...Bq.KY.........`....?

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.243589743174413
Encrypted:	false
SSDEEP:	12:JuGnPY5qPGJpiPY67N0RVpqWN95Eqc8TylXbn:JZYIAuv7WjNjWlLn
MD5:	A4B8E9C05A62131AAEA2E28B49AFEE69
SHA1:	01D1B9B45300C75F644F80FA7D07B45A36C2C8C2
SHA-256:	AAABDEE16F3D16840257D1DBFFB70E4C28B0E78DE1CFD6EF7992E8383A901408
SHA-512:	45ED79A6C603792412A7DC6EE444A61AA2659D6E387976E90EB96354CE0A714CE57D542CEFD5947AAE322D500B7A0F50661EB7B94FB3925F1735AE0510643E33
Malicious:	false
Reputation:	low
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20241226190253Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9...C.P..5/..y.r..P....20241226190253Z....20250102190253Z0....H.............G.Dv...Ya..)vT.=i..h.$....js...cg....$.^..(w....\.p..!F.I.-..m}\|B.cn....t..s.....9.s&....D..5...=t]...^...0>..h".M. .}...0...Jx.~..N.s.g7..C%w....}.R.F%dV...........m(.q.&.d.-.a.].u{..oN.+jE.'....nMf...........O.z..\|+$.@....d..p..........o.a..m._.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	7796
Entropy (8bit):	7.971943145771426
Encrypted:	false
SSDEEP:	192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
MD5:	FB60E1AFE48764E6BF78719C07813D32
SHA1:	A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA-256:	EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SHA-512:	92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..\|..9.........{...\|d..v.T..w.TMZ.\|...).F.rtAm.....f......T........n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..\|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...\|.h..$."r..hL9TR..}.v%...4).H..[.....r..\|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X\|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2218938275801796
Encrypted:	false
SSDEEP:	6:kKWsK81F9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:U0sDnLNkPlE99SNxAhUe/3
MD5:	292DA2B0E9743162BB6229FDC919A459
SHA1:	4B5DD24FABC462A09B81E1D8BE6F88D5EBB766DC
SHA-256:	3A617DA4E6F2CD49B6F905F6EFB32691D72C5F59CA8912F8694E41BA1402F392
SHA-512:	2B9B4670DA287760EA0C87F1D4506697D693C45AABA4D445805BCD7533FF58D211C0FC2083ADE194E993699B0B886EE25121F4BD8DF93D6D14E21D654DE37B13
Malicious:	false
Preview:	p...... ........S#..aX..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.6711660697208983
Encrypted:	false
SSDEEP:	6:kK9tG4+EszyfXlRNfOAUMivhClroFFKIhipStaHAaloq09Slscqsn:ldIsmxMiv8sFFKbpgal7BlSs
MD5:	05D3BCEC9F9E8F6362E25CE470A2619F
SHA1:	9C7222CCFDEC895B6680F86A305A47C3FCC8916A
SHA-256:	488A97B1CAA0A193EEA0B41A53115D683C8EF54C20DD9CBC02ECD9CF36D6EEAC
SHA-512:	BC858A98FC5E034948A30F18B20B849425C256B81DF8BB47CCECFC30F02C3CE01A8BB6BE06AD7A69F54E9C57EA8A0B5B4012817898FD6D9DA36047C7AE6EC70E
Malicious:	false
Preview:	p...... ....(....D.@aX..(.................................................*.H].. ........d.(UX.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.n.5.b.s.K.V.V.V.8.k.d.J.6.v.H.l.3.O.1.J.0.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.6754677651963403
Encrypted:	false
SSDEEP:	6:kKk5U+agk3skHXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsQ30P7v+eWAkrn:phvmxMiv8sFFKbpgal7BlD30PLRWAkr
MD5:	223853D9FD05BC97744DC4312E42BC9B
SHA1:	EAB15A0CD97FE2E970051D73CAD56D5C7007F112
SHA-256:	5FE6C75520B93ED95E29F4537BD33144A26BF74C2BAB36E9822FEEE7FB1F6BCB
SHA-512:	89C0B5CC949838777A9D4F80E3DD80AEE1D20319266B1D10AA211A85DAA8A35F69266054D35358578EC9D0F22B92B6B2EFF81FA76CBC76E8920A1F6B11544E81
Malicious:	false
Preview:	p...... ....(...B.KdaX..(....................................................\.. .........7.UX.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.U.Z.Z.S.Z.E.m.l.4.9.G.j.h.0.j.1.3.P.6.8.w.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.672744077231722
Encrypted:	false
SSDEEP:	6:kKaV3sXvHXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:83svhmxMiv8sFFKbpgal7BlwhZg
MD5:	584EC63471BF09709C5D364D1E08ED0E
SHA1:	C5CB1B10DFF8A8140977FCD1D4027666E0C26FAD
SHA-256:	68F295B708E05176DF629122D3D334911B5EE0C9A30342918A717E9192807F08
SHA-512:	0D9C85BB9621A0927EA2BEDD5D0A19D1124598F5F3C25CD0D16394CBD631F2CD3946889C32CF98482F740528B154CCAE8E86824EBD08E1EF7A554595A6395195
Malicious:	false
Preview:	p...... ....(....*9RaX..(................................................l..H].. ........@\|~XX.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.2174781523358154
Encrypted:	false
SSDEEP:	6:kK0K81wNScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:L0VkPlE99Si1QyIeek
MD5:	AA3BEB54E9D4932BC592FBA6C29B979D
SHA1:	85BC56F8052AE16006864FF064246B76E76C8970
SHA-256:	11B5AD4689AB8DC7EA48E2C34CCAAC6BBCBA5C3A7E216FEBA5F277944B30B72F
SHA-512:	B1BFC98E571DACF867DB7388FC97DF0D30C2C93736AF200536166F7FF627635B86F5D6D304ED41A11CAFB6501586F091663C063E2820D8B1D82814AD42957090
Malicious:	false
Preview:	p...... .........S)waX..(....................................................... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Users\user\AppData\Local\Temp\wceaux.dll

Download File

Process:	C:\Users\user\Desktop\wce.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.155087357851567
Encrypted:	false
SSDEEP:	768:TJUftYR1gkq7cbwcLrqFtAjlHTbLnXSiJUJchhvPkfmnhEDyURR2K0:GftYhq7Ew2qM9Tv/hvPjrFF
MD5:	8B5D6BA099F8D2C44DB68B7FD47687C7
SHA1:	C18BCCEB050BDB4E634B2441876D1BC0BABC6176
SHA-256:	64725AFDC6209DB9A5639AE4EC6004BA40FB6EC80F8F1CA5A4759FB414DA8BA6
SHA-512:	F08C14A216DE18FC203BECC7D260DE92A6DD6B9AD15352FA053C29B6C7B555E19A70FF76F264CC11B6D3233C3ACC6562124A66C4ED8016AD485EA7FAB379EE91
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.bM<O..<O..<O..S9..*O..S9..2O..57..9O..<O..pO..S9..kO..S9..=O..S9..=O..Rich<O..........PE..L......M...........!.........^......E6....................................................@....................................<...............................\|.......................................@............................................text............................... ..`.rdata...#.......$..................@..@.data...l,..........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.961493788271842
Encrypted:	false
SSDEEP:	6:kKi37S7e2cYJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:uS7yzkPlE99SCQl2DUevat
MD5:	8223DC28F1887BE62EC96D6ACC6FDD9A
SHA1:	D2DA1391454E9B390D4E8E936098B0BE6D42CCC6
SHA-256:	C28BEAD58A3F615C97C852870F128B169BF113D48239786474CDD39420C53101
SHA-512:	3BC7341A0386F85CB8ABD18D684FE5E092855CC8FB2809B875AB04CC46D7D05BB3624A33AA53D6B26835F64C6113074656CDBEC5972F78B88FDDA8942458CC68
Malicious:	false
Preview:	p...... ........+.].....(...............S..>aX..Sn.[.X..S....X..........Sn.[.X.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9533807210408023
Encrypted:	false
SSDEEP:	6:kKftrO8sYe8kt2alXlRNfOAUMivhClroFFKIhipStaHAaloq09Sls8hW0XSW83n:Q1zmxMiv8sFFKbpgal7BlvTCN3
MD5:	403FD57E5937F72267433567648E2A90
SHA1:	FBB1A62A4D119F0510165726A98CBFA34E1762F2
SHA-256:	A8F5ED766619476DA171E502C1460314F0B09084DAD854AA01113F89436A849A
SHA-512:	A364021E0ABB42BF8C187284D8052910D446ADCC4BA2B2ABCF3B9FE0AA94708D68E0D35975F98DBAD852A55D6C21FF85B3F6629738F79760C2D84D03E0E036E3
Malicious:	false
Preview:	p...... ....(...lMNdaX..(.......2...........,............................... ..........O.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.q.v.p.s.X.K.Y.8.R.R.Q.e.o.7.4.f.f.H.U.x.c.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9077266318075377
Encrypted:	false
SSDEEP:	6:kKftsElvXJty4/lXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:WMjy4/zmxMiv8sFFKbpgal7BlwhZg
MD5:	44F0B87844CBE1A7A1C74E90B8B97B50
SHA1:	3A7EFD734AC2CE88C931C6FA8CE959B36DB37236
SHA-256:	325C6189DC349B0FEEC71078289CBEA0B3FF83BF68C3EF1CAEA45E61CA2BE1F4
SHA-512:	CDB7A547CB680F18D30A77641452120172434971BE8B15E509A0FFE2F257D7BCAADDA5540D704592FBEC24BC81D98E98313DFE753157E26884F8F0480B55952C
Malicious:	false
Preview:	p...... ....(...lMNdaX..(.......2..........+......b..'....................b..'.. ............... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.427004540064023
Encrypted:	false
SSDEEP:	6:kKh7EtK8k38uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:VrukPlE99Si1QyIeek
MD5:	06F08EC86263D3065CE8672C2F428D89
SHA1:	5C033FFDD5872C35E0D6DC48B04FECEB39EB56BB
SHA-256:	490C4FE9A4987662AC10123E82093DF526231334CAA97CAB0E72B7B57D940C6F
SHA-512:	5C83A62FEC04F6A1DC5CFC148397E8C00E1CF2C20CA79E8328A5CD999364D648DEC0812F9493CD7EA45796E012887E61859B986DEC1F95C5AC5AD990A930157B
Malicious:	false
Preview:	p...... ........3z8.aX..(...............................................dK.L#... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\wce.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.869421196460925
Encrypted:	false
SSDEEP:	6:suTkT53GPF8FiY1QX8FwFtoQf/NQErVHONXi:suT4GPF8bFwvoIR9D
MD5:	385377B4C9661E7BFE2517F3F6C8D4F4
SHA1:	925B48A8F81A1E46089A847873E6CE8318806389
SHA-256:	62FAEFE221084BC17AAFC4DE728C3907DBBB8C3C3734F2F4ED6D15933D58EE34
SHA-512:	B1AB11240C8E1E07019AAC8233B794DC7487AA5BF1C4D6AFD54D8680C59EE1A5B2444B7D45B5517216E9D2E2554A70040B455A313A703128A9022F26C3988657
Malicious:	false
Preview:	WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)..Use -h for help.....CrossSessionCreateRemoteThread: Cannot create new thread..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.463466926901483
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wce.exe
File size:	199'680 bytes
MD5:	4fb08ad6583c2d44a098e325699789cb
SHA1:	76af4d288f66b71f7cd275d4e71d6010ac0feeea
SHA256:	5884f3fc15c710fb754f31c368acaf37582ab1d63125233fd3cb91d50a9098af
SHA512:	4175ca0866e8752afe71b3b3fd59c2dcfb5b1e6af288fbf17ce1b34b494e0b2426ef2f2b449e540c41f8b9b4d69e8047e09c49af244b22756f76e3a4ed16811c
SSDEEP:	3072:ECtjouR0BeV8nI7Xgn1wimOFLnmJLJPq9vcqIw2qkNJF0c:ECK60kV97XSwi3DRsqk
TLSH:	C9147B21B280C032E196007495A5C772AE397D335BB154C7BFD25EBA8E692F5E63831F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...G~..G~..G~.N....G~..1...G~..1...G~..?...G~..G..FG~..1..IG~..1...G~..1...G~.Rich.G~.........PE..L......M...................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40e73c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4DAC1CD4 [Mon Apr 18 11:13:24 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6bfe09efcb4ffde061ebdbafc4db84cf

Entrypoint Preview

Instruction
call 00007FCAD86D2D2Dh
jmp 00007FCAD86CBFDAh
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push esi
call 00007FCAD86CD703h
push eax
call 00007FCAD86D2DAEh
pop ecx
pop ecx
test eax, eax
je 00007FCAD86CC1BEh
call 00007FCAD86CAD05h
add eax, 20h
cmp esi, eax
jne 00007FCAD86CC146h
xor eax, eax
jmp 00007FCAD86CC151h
call 00007FCAD86CACF5h
add eax, 40h
cmp esi, eax
jne 00007FCAD86CC1A2h
xor eax, eax
inc eax
inc dword ptr [0042390Ch]
test dword ptr [esi+0Ch], 0000010Ch
jne 00007FCAD86CC190h
push ebx
push edi
lea edi, dword ptr [00423920h+eax*4]
cmp dword ptr [edi], 00000000h
mov ebx, 00001000h
jne 00007FCAD86CC162h
push ebx
call 00007FCAD86CF88Dh
pop ecx
mov dword ptr [edi], eax
test eax, eax
jne 00007FCAD86CC155h
lea eax, dword ptr [esi+14h]
push 00000002h
mov dword ptr [esi+08h], eax
mov dword ptr [esi], eax
pop eax
mov dword ptr [esi+18h], eax
mov dword ptr [esi+04h], eax
jmp 00007FCAD86CC14Fh
mov edi, dword ptr [edi]
mov dword ptr [esi+08h], edi
mov dword ptr [esi], edi
mov dword ptr [esi+18h], ebx
mov dword ptr [esi+04h], ebx
or dword ptr [esi+0Ch], 00001102h
xor eax, eax
pop edi
inc eax
pop ebx
jmp 00007FCAD86CC144h
xor eax, eax
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
je 00007FCAD86CC169h
push esi
mov esi, dword ptr [ebp+0Ch]
test dword ptr [esi+0Ch], 00001000h
je 00007FCAD86CC15Bh
push esi
call 00007FCAD86CD6AFh
and dword ptr [esi+0Ch], 000000FFh

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e07c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xd070	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x15a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1db70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c000	0x25c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1a0f6	0x1a200	739513d765a82a727a8611e8c4308d55	False	0.5308107805023924	data	6.550717743060654	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x2e36	0x3000	120f1771b9cf8cbc6d219e6c2a503561	False	0.3384602864583333	data	4.977139552757257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x7078	0x4800	74b2ac3e4a9c8948e083a10cf9565897	False	0.3193901909722222	data	5.29215301201221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0xd070	0xd200	4b4950aeddca7e89d55402368be39ba4	False	0.49125744047619047	data	6.119202783400186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x1bca	0x1c00	38484abc43b956eff993de5d5095e7e7	False	0.6501116071428571	data	5.851907466520541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BINARY	0x27070	0xd000	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	English	United States	0.4951171875

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, GetTokenInformation, NotifyChangeEventLog, OpenEventLogA, GetNumberOfEventLogRecords, GetOldestEventLogRecord, ReadEventLogA, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash, CryptAcquireContextA, CloseServiceHandle, CreateServiceA, OpenSCManagerA, DeleteService, QueryServiceStatus, OpenServiceA, StartServiceA, ControlService, SetServiceStatus, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA, RegCloseKey, RegSetValueExA, RegOpenKeyExA, RegDeleteValueA, RegQueryValueExA, OpenThreadToken
Secur32.dll	LsaFreeReturnBuffer, LsaGetLogonSessionData, LsaEnumerateLogonSessions
WS2_32.dll	ntohl, ntohs, htonl
KERNEL32.dll	CreateFileW, GetProcessHeap, SetEndOfFile, WriteConsoleW, SetEnvironmentVariableA, CompareStringW, DeleteFileA, GetModuleHandleA, OpenProcess, Sleep, SetConsoleCtrlHandler, GetCurrentDirectoryA, GetTempPathA, GetVersionExA, ProcessIdToSessionId, GetCurrentProcessId, GetModuleFileNameA, Process32Next, CloseHandle, Process32First, CreateToolhelp32Snapshot, ReadProcessMemory, WaitForSingleObject, CreateRemoteThread, VirtualFreeEx, WriteProcessMemory, VirtualAllocEx, GetProcAddress, LoadLibraryA, GetCurrentProcess, TerminateProcess, MultiByteToWideChar, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, FreeResource, ResetEvent, GetLastError, CreateEventA, ReadFile, FreeLibrary, GetSystemWindowsDirectoryA, SetEvent, CreateThread, WriteFile, WaitNamedPipeA, DisconnectNamedPipe, FlushFileBuffers, ConnectNamedPipe, CreateNamedPipeA, WideCharToMultiByte, FileTimeToSystemTime, FileTimeToLocalFileTime, GetCurrentThread, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, EncodePointer, EnterCriticalSection, LeaveCriticalSection, HeapReAlloc, GetCommandLineA, HeapSetInformation, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, RtlUnwind, LoadLibraryW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetModuleFileNameW, HeapCreate, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleCP, GetConsoleMode, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, SetFilePointer, SetStdHandle, LCMapStringW, GetStringTypeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:14:21.504282951 CET	1.1.1.1	192.168.2.5	0x6ab7	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:14:21.504282951 CET	1.1.1.1	192.168.2.5	0x6ab7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:21.504282951 CET	1.1.1.1	192.168.2.5	0x6ab7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:21.504282951 CET	1.1.1.1	192.168.2.5	0x6ab7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:21.504282951 CET	1.1.1.1	192.168.2.5	0x6ab7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:23.638422966 CET	1.1.1.1	192.168.2.5	0x2625	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:14:23.638422966 CET	1.1.1.1	192.168.2.5	0x2625	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:36.600439072 CET	1.1.1.1	192.168.2.5	0x89c0	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:14:36.600439072 CET	1.1.1.1	192.168.2.5	0x89c0	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:14:01
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\wce.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wce.exe"
Imagebase:	0x160000
File size:	199'680 bytes
MD5 hash:	4FB08AD6583C2D44A098E325699789CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:14:01
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:14:01
Start date:	27/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff654c90000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:14:22
Start date:	27/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	102

Executed Functions

Function 00163FA0 Relevance: 103.7, APIs: 47, Strings: 12, Instructions: 463
libraryinjectionloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00164032
_wprintf.LIBCMT ref: 00164054
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00164068
GetProcAddress.KERNEL32(?,LoadLibraryA), ref: 00164080
GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00164098
GetProcAddress.KERNEL32(?,FreeLibrary), ref: 001640B0
_memset.LIBCMT ref: 001640CA
_strncpy.LIBCMT ref: 001640E2
_memset.LIBCMT ref: 001640FF
_strncpy.LIBCMT ref: 00164117
VirtualAllocEx.KERNELBASE(000000FF,00000000,?,00001000,00000040), ref: 00164187
_wprintf.LIBCMT ref: 001641A1
CloseHandle.KERNEL32(00000000), ref: 001641B9
WriteProcessMemory.KERNELBASE(000000FF,00000000,?,?,?), ref: 001641FB
_wprintf.LIBCMT ref: 0016421B
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164241
CloseHandle.KERNEL32(00000000), ref: 00164257
VirtualAllocEx.KERNELBASE(000000FF,00000000,?,00001000,00000040), ref: 0016429D
_wprintf.LIBCMT ref: 001642B7
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 001642DD
CloseHandle.KERNEL32(00000000), ref: 001642F3
WriteProcessMemory.KERNELBASE(000000FF,00000000,?,00000814,?), ref: 00164321
_wprintf.LIBCMT ref: 0016433C
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164362
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164386
CloseHandle.KERNEL32(00000000), ref: 0016439C
WriteProcessMemory.KERNELBASE(000000FF,-00000818,00164720,?,00000814), ref: 001643CF
_wprintf.LIBCMT ref: 001643EC
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164412
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164436
CloseHandle.KERNEL32(00000000), ref: 0016444C
GetVersionExA.KERNEL32(0000009C), ref: 0016446A
CreateRemoteThread.KERNEL32(000000FF,00000000,00000000,-00000818,00000000,00000000,?), ref: 001644C4
_wprintf.LIBCMT ref: 0016451C
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164542
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00164566
CloseHandle.KERNEL32(00000000), ref: 0016457C

Part of subcall function 00164840: _memset.LIBCMT ref: 0016484E
Part of subcall function 00164840: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00164869
Part of subcall function 00164840: _wprintf.LIBCMT ref: 0016487D

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00164592
ReadProcessMemory.KERNEL32(000000FF,00000000,?,?,?), ref: 00164605
_wprintf.LIBCMT ref: 00164625
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 0016464B
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 0016466F
CloseHandle.KERNEL32(00000000), ref: 00164685
CloseHandle.KERNEL32(00000000), ref: 0016469F
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 001646C3
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 001646E7
CloseHandle.KERNEL32(00000000), ref: 001646FD

Strings

LoadLibraryA, xrefs: 00164074
FreeLibrary, xrefs: 001640A4
Cannot write data to remote process, xrefs: 00164216
Cannot write loader to remote process!, xrefs: 001643E7
Cannot write loader params to remote process!, xrefs: 00164337
Cannot open process with PID %d (%xh), xrefs: 0016404F
GetProcAddress, xrefs: 0016408C
Cannot run code in remote process! (mode:%d), xrefs: 00164517
Cannot allocate loader in remote process!, xrefs: 001642B2
Cannot read result from loader!., xrefs: 00164620
Cannot allocate RWX memory in remote process, xrefs: 0016419C
kernel32.dll, xrefs: 00164063

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Virtual$Free$Handle$Close_wprintf$Process$Memory$AddressProcWrite_memset$Alloc_strncpy$CreateLibraryLoadModuleObjectOpenReadRemoteSingleThreadVersionWait
String ID: Cannot allocate RWX memory in remote process$Cannot allocate loader in remote process!$Cannot open process with PID %d (%xh)$Cannot read result from loader!.$Cannot run code in remote process! (mode:%d)$Cannot write data to remote process$Cannot write loader params to remote process!$Cannot write loader to remote process!$FreeLibrary$GetProcAddress$LoadLibraryA$kernel32.dll
API String ID: 1282970728-3127454624
Opcode ID: 6d02af90730016591c6015120ae858cebc3e8e54acc27938c613f716445cfa88
Instruction ID: 2b862b231a7869e76a5699a0af70c26f4220defc2f0cddb0ac95d6fdb0213359
Opcode Fuzzy Hash: 6d02af90730016591c6015120ae858cebc3e8e54acc27938c613f716445cfa88
Instruction Fuzzy Hash: 4E1229B5A40218EFEB24DB54CC59FAA73B5BB48705F1182D9F209A7280C7749ED4CFA1

Function 00164DC0 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(0016126C,?,BINARY), ref: 00164DD4
LoadResource.KERNEL32(0016126C,00000000), ref: 00164DF2
CloseHandle.KERNEL32(00000000), ref: 00164E05

Strings

BINARY, xrefs: 00164DC6

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Resource$CloseFindHandleLoad
String ID: BINARY
API String ID: 3150125948-907554435
Opcode ID: f4eab8b04e26975b4af27a0429a457013037fc55276595dd6c072b57fc71b4da
Instruction ID: 5720b0ee0b60d1efed8d1a29fac7cafd6c3ad24d168e2f33b8abf69799901c15
Opcode Fuzzy Hash: f4eab8b04e26975b4af27a0429a457013037fc55276595dd6c072b57fc71b4da
Instruction Fuzzy Hash: 7951DD79A00209EFDB14DFB4DC59BAEBB74BB48701F108958FA16A7690C7789580CBA0

Function 00165610 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 192
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0016564D
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00165672
CloseHandle.KERNEL32(000000FF), ref: 00165685
CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 001656A3
CloseHandle.KERNEL32(000000FF), ref: 001656B6
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 001656C8

Strings

Error: while hashing..., xrefs: 00165716
Error: HASH SIZE error or mismtach. HashSize: %d.., xrefs: 001657A7
Error: When obtaining hash value.., xrefs: 001657F9

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Crypt$CloseContextCreateHandle$AcquireFileHashRelease
String ID: Error: HASH SIZE error or mismtach. HashSize: %d..$Error: When obtaining hash value..$Error: while hashing...
API String ID: 2095714343-3643478213
Opcode ID: 519c1dadf6f3cfcc040ef9d8555943ed5430f19723c748861d4eb5b473b35b32
Instruction ID: 2f7a75b2bed424c8889bbd456a92bfd0c82f3e1226c1623b81f6c848e69cde8b
Opcode Fuzzy Hash: 519c1dadf6f3cfcc040ef9d8555943ed5430f19723c748861d4eb5b473b35b32
Instruction Fuzzy Hash: 7C713C75E00209EFDB14DFE4CC49BEEB7BAAB08705F508518F206A6590D7789AD4CFA1

Function 00163E30 Relevance: 15.1, APIs: 10, Instructions: 97
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00163E5E
__snprintf.LIBCMT ref: 00163E7B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00163E96

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CreateSnapshotToolhelp32__snprintf_memset
String ID:
API String ID: 4273142971-0
Opcode ID: 1fda9187506d3a943a7e49061153c951c62af225a1b5f76c9a754919c21f66eb
Instruction ID: 512ae45169a155d737d3c4f662740c92a05d538928417012b58114920077dbaf
Opcode Fuzzy Hash: 1fda9187506d3a943a7e49061153c951c62af225a1b5f76c9a754919c21f66eb
Instruction Fuzzy Hash: 18316571D04218ABDB24EB70DC86BDAB37CAF58704F4045D8B61DA6181FB719B94CFA1

Function 001647A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000020,00000000), ref: 001647C4
OpenProcessToken.ADVAPI32(00000000), ref: 001647CB
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 001647E2
CloseHandle.KERNELBASE(00000000), ref: 00164829

Strings

SeDebugPrivilege, xrefs: 001647DB

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Process$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: SeDebugPrivilege
API String ID: 2654680240-2896544425
Opcode ID: 31b15da33378c13dd088472ead95e20e80a912e788a190c2a1f7fe0987d2c45a
Instruction ID: a2e822c97cd7b377f49fd948fca719d4221111ec48687ba2240544b244429c97
Opcode Fuzzy Hash: 31b15da33378c13dd088472ead95e20e80a912e788a190c2a1f7fe0987d2c45a
Instruction Fuzzy Hash: CE110C71E0020AEBEB14DFD0CC4ABAEBBB9EB14705F118159F605A7580D7B85A94CF91

Function 001634D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?), ref: 001634FD
ProcessIdToSessionId.KERNEL32(00000000), ref: 00163504
ProcessIdToSessionId.KERNELBASE(?,?), ref: 00163518
_memset.LIBCMT ref: 0016352C
GetVersionExA.KERNEL32(0000009C), ref: 00163545

Strings

lsass.exe, xrefs: 001634E3

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Process$Session$CurrentVersion_memset
String ID: lsass.exe
API String ID: 946246566-3024872867
Opcode ID: fca44992c675a3f2263d3350543a0a8a61eeb747e5ac83a911c056f0ec7837f7
Instruction ID: 87d0b82af4697af2f2e83f2e438555c068ec33215ce4629391a53b7f517500a3
Opcode Fuzzy Hash: fca44992c675a3f2263d3350543a0a8a61eeb747e5ac83a911c056f0ec7837f7
Instruction Fuzzy Hash: EC115271E00318EFDB54DF60DC45BBA73B5AB04304F504599E50E97151EB30ABD48F92

Function 00165DD0 Relevance: 281.0, APIs: 94, Strings: 66, Instructions: 978libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00165E1C
_wprintf.LIBCMT ref: 00165E3B
_wprintf.LIBCMT ref: 00165E94
_memmove.LIBCMT ref: 00165EB1
LoadLibraryA.KERNEL32(LSASRV.DLL), ref: 00165ECE
_wprintf.LIBCMT ref: 00165EE8
_wprintf.LIBCMT ref: 00165F5B
_memset.LIBCMT ref: 00165F78
_wprintf.LIBCMT ref: 00165FA1

Strings

usersize: %.8xh, xrefs: 001666A1
domainOff: %.8Xh, xrefs: 00166A9D
unk1: %.8Xh, xrefs: 001668B9
usernameLen: %.8Xh, xrefs: 00166A61
Error: unknown target!., xrefs: 00165E8F
Error: cannot read key!., xrefs: 00166201
IV = , xrefs: 00166390
nextEntry: %.8Xh, xrefs: 0016664F
hashesRealLength: %.8Xh, xrefs: 00166938
Error: cannot read IV from memory!., xrefs: 00166373
userNamePtrUnicode: %.8xh, xrefs: 00166736
Key = , xrefs: 001662DE
domainLen: %.8Xh, xrefs: 00166A89
Domain/Workgroup/Machine Name: , xrefs: 00166DDC
usersize: %.8xh, xrefs: 0016671F
primaryLength: %.8Xh, xrefs: 001668CD
Error: Cannot read credentials!., xrefs: 00166802
LSASRV.DLL, xrefs: 00165EC9
h3DESKey = %.8Xh, xrefs: 00166225
usernameOff: %.8Xh, xrefs: 00166A75
Error: cannot read Logon session list address., xrefs: 0016643C
Key Offset: %.8Xh, xrefs: 0016626A
Username: , xrefs: 00166CA7
%.2Xh , xrefs: 00166196
nextEntry: %.8Xh, xrefs: 001665BB
machinePtrUnicode: %.8Xh, xrefs: 001666E6
Error: cannot List Session List Entry!., xrefs: 00166589
Error: cannot List Session List Entry!., xrefs: 0016661D
prevEntry: %.8Xh, xrefs: 0016668A
PkgId: %.8Xh, xrefs: 00166838
Cannot read key from memory!., xrefs: 001662C1
Error: unknown windows familiy., xrefs: 001663ED
Error: Cannot read machinePtrUnicode!., xrefs: 00166DBF
machineSize: %.8Xh, xrefs: 0016674D
primaryPtr: %.8Xh, xrefs: 001668E1
prevEntry: %.8Xh, xrefs: 00166708
Cannot read ptr to SK Table from LSASS!., xrefs: 001660E3
lsass.exe, xrefs: 00165F80
Error: cannot read Logon Session List Count!., xrefs: 001664B4
%.2Xh , xrefs: 001663CF
userNamePtrUnicode: %.8xh, xrefs: 001666B8
Session List Count: %d, xrefs: 001664E4
unk1: %.8Xh, xrefs: 00166824
Error: Cannot read usernamePtrUnicode!., xrefs: 00166C8A
Could not enable debug privileges. You must run WCE under an account with administrator privileges., xrefs: 00165F56
Error: cannot calculate relative addresses., xrefs: 00165EE3
Reading from memory (safe mode), xrefs: 00165E36
Cannot read ptr to DESXTable from LSASS!., xrefs: 00166137
%.2Xh , xrefs: 0016631D
L, xrefs: 00166580
Error: cannot discover key offset., xrefs: 00166246
DESXTable= , xrefs: 00166154
Cannot read IV from LSASS!., xrefs: 0016602F
Error: Cannot read credentials hash struct!., xrefs: 00166895
Cannot get LSASS.EXE PID!, xrefs: 00165F9C
IV = , xrefs: 0016604C
Error: Cannot open LSASS.EXE!., xrefs: 00165FD3
%.2Xh , xrefs: 0016608B
hashesLength: %.8Xh, xrefs: 001668F5
Error: cannor read hashes ptr!., xrefs: 0016698B
machinePtrUnicode: %.8Xh, xrefs: 00166764
Session List Address: %.8Xh, xrefs: 0016646C
hashesPtr: %.8Xh, xrefs: 00166909
ptrToCreds: %.8Xh, xrefs: 0016684C
NTLM_CREDS_BLOCK (decrypted):, xrefs: 00166A4D
machineSize: %.8Xh, xrefs: 001666CF

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$_memset$LibraryLoad_memmove
String ID: domainLen: %.8Xh$domainOff: %.8Xh$usernameLen: %.8Xh$usernameOff: %.8Xh$PkgId: %.8Xh$Username: $hashesLength: %.8Xh$hashesPtr: %.8Xh$hashesRealLength: %.8Xh$machinePtrUnicode: %.8Xh$machinePtrUnicode: %.8Xh$machineSize: %.8Xh$machineSize: %.8Xh$primaryLength: %.8Xh$primaryPtr: %.8Xh$ptrToCreds: %.8Xh$unk1: %.8Xh$unk1: %.8Xh$userNamePtrUnicode: %.8xh$userNamePtrUnicode: %.8xh$usersize: %.8xh$usersize: %.8xh$NTLM_CREDS_BLOCK (decrypted):$Domain/Workgroup/Machine Name: $%.2Xh $%.2Xh $%.2Xh $%.2Xh $Cannot get LSASS.EXE PID!$Cannot read IV from LSASS!.$Cannot read key from memory!.$Cannot read ptr to DESXTable from LSASS!.$Cannot read ptr to SK Table from LSASS!.$Could not enable debug privileges. You must run WCE under an account with administrator privileges.$DESXTable= $Error: cannot read IV from memory!.$Error: Cannot open LSASS.EXE!.$Error: Cannot read credentials hash struct!.$Error: Cannot read credentials!.$Error: Cannot read machinePtrUnicode!.$Error: Cannot read usernamePtrUnicode!.$Error: cannor read hashes ptr!.$Error: cannot List Session List Entry!.$Error: cannot List Session List Entry!.$Error: cannot calculate relative addresses.$Error: cannot discover key offset.$Error: cannot read Logon Session List Count!.$Error: cannot read Logon session list address.$Error: cannot read key!.$Error: unknown target!.$Error: unknown windows familiy.$IV = $IV = $Key = $Key Offset: %.8Xh$L$LSASRV.DLL$Reading from memory (safe mode)$Session List Address: %.8Xh$Session List Count: %d$h3DESKey = %.8Xh$lsass.exe$nextEntry: %.8Xh$nextEntry: %.8Xh$prevEntry: %.8Xh$prevEntry: %.8Xh
API String ID: 1815589828-1333691579
Opcode ID: 4594b40ea75ecee2840fb15684eb6e5c9de6c9234837aa1d7c245839709c5170
Instruction ID: 9408f7252d680d3b227ab2d76db99f37940e581c40a24d9cca86e185a4f0fba0
Opcode Fuzzy Hash: 4594b40ea75ecee2840fb15684eb6e5c9de6c9234837aa1d7c245839709c5170
Instruction Fuzzy Hash: D0927DB5D44268DBDB24DB54DC45BE973B4AF58304F0482E8E50AA7281E7709FD4CFA2

Function 00162A50 Relevance: 138.8, APIs: 49, Strings: 30, Instructions: 598filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00161C50: _wprintf.LIBCMT ref: 00161C5E
Part of subcall function 00161C50: _wprintf.LIBCMT ref: 00161C6B

_memset.LIBCMT ref: 00162AAC
_memset.LIBCMT ref: 00162AC2
GetTempPathA.KERNEL32(000003FF,?), ref: 00162AD6
GetCurrentDirectoryA.KERNEL32(000003F6,?), ref: 00162AF1
__snprintf.LIBCMT ref: 00162B26
SetConsoleCtrlHandler.KERNEL32(Function_000029C0,00000001), ref: 00162B35
_memset.LIBCMT ref: 00162B6E
_memset.LIBCMT ref: 00162B81
_memset.LIBCMT ref: 00162B94
_memset.LIBCMT ref: 00162BA7
_wprintf.LIBCMT ref: 00162C26
_wprintf.LIBCMT ref: 00162C6B
_wprintf.LIBCMT ref: 00162C97
_wprintf.LIBCMT ref: 00162D60
_memset.LIBCMT ref: 00162D7D
_strncpy.LIBCMT ref: 00162D98
_memset.LIBCMT ref: 00162E0F
_strncpy.LIBCMT ref: 00162E28
__wcstoi64.LIBCMT ref: 00162E4D
__wcstoi64.LIBCMT ref: 00162E68
_wprintf.LIBCMT ref: 00162EDA
_wprintf.LIBCMT ref: 00162F00
_wprintf.LIBCMT ref: 00162F0D
_wprintf.LIBCMT ref: 00162F23
_wprintf.LIBCMT ref: 00162F46
_wprintf.LIBCMT ref: 00162FD9
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 0016300F
_wprintf.LIBCMT ref: 00163027
_wprintf.LIBCMT ref: 00163055
_wprintf.LIBCMT ref: 001630BF
_fprintf.LIBCMT ref: 001630ED
Sleep.KERNEL32(?), ref: 00163120
_wprintf.LIBCMT ref: 00163194
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001631CA
_wprintf.LIBCMT ref: 001631E2
_wprintf.LIBCMT ref: 00163210
_wprintf.LIBCMT ref: 0016322B
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 0016324F
_wprintf.LIBCMT ref: 00163275
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00163299
_wprintf.LIBCMT ref: 001632B1
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00163341
_wprintf.LIBCMT ref: 00163370
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00163384
_wprintf.LIBCMT ref: 001633AA
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001633CE
_wprintf.LIBCMT ref: 001633E6
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00163410
_wprintf.LIBCMT ref: 00163426

Strings

Forced Safe Mode Error: Setting NTLM credentials requires code injection., xrefs: 00163270
Cannot extract auxiliary DLL!, xrefs: 001633E1
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 00162AA7, 00162B21, 00163003, 001631BE, 0016324A, 0016328D, 0016333C, 0016337F, 001633C2, 0016340B
R., xrefs: 00162C85
Using WCE Windows Service.., xrefs: 00163421
No NTLM credentials were supplied!., xrefs: 00162CF7
Forced Safe Mode Error: cannot read credentials using 'safe mode'., xrefs: 0016318F
mv, xrefs: 00162C2E
, xrefs: 00162CCE
Using WCE Windows Service.., xrefs: 0016320B
Error: Cannot extract auxiliary DLL!, xrefs: 001631DD
Forced Safe Mode Error: Delete NTLM credentials requires code injection., xrefs: 001633A5
1|, xrefs: 00162CFC
Cannot set event hook, xrefs: 0016336B
|, xrefs: 00162C44
Error: Cannot extract auxiliary DLL!, xrefs: 00163022
-kKUSvflehHr::o:t:s:c:i:d:a:g:, xrefs: 00162BBC
Current Logon Session LUID: %.8Xh, xrefs: 00162F41
., xrefs: 00162C00
Forced Safe Mode Error: cannot read credentials using 'safe mode'., xrefs: 00162FD4
Could not enable debug privileges. You must run WCE under an account with administrator privileges., xrefs: 00162F1E
Refreshing every %d seconds.., xrefs: 00162EFB
wceaux.dll, xrefs: 00162B0B
Invalid addresses supplied!., xrefs: 00162C92
No command was supplied!., xrefs: 00162D5B
%s%s, xrefs: 00162B17
Cannot extract auxiliary DLL!, xrefs: 001632AC
No addresses were supplied!., xrefs: 00162C66
Using WCE Windows Service.., xrefs: 00163050
Using supplied addresses., xrefs: 00162ED5

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$_memset$DeleteFileHandleModule$__wcstoi64_strncpy$ConsoleCtrlCurrentDirectoryHandlerPathSleepTemp__snprintf_fprintf
String ID: Refreshing every %d seconds..$%s%s$-kKUSvflehHr::o:t:s:c:i:d:a:g:$.$C:\Users\user\AppData\Local\Temp\wceaux.dll$Cannot extract auxiliary DLL!$Cannot extract auxiliary DLL!$Cannot set event hook$Could not enable debug privileges. You must run WCE under an account with administrator privileges.$Current Logon Session LUID: %.8Xh$Error: Cannot extract auxiliary DLL!$Error: Cannot extract auxiliary DLL!$Forced Safe Mode Error: Delete NTLM credentials requires code injection.$Forced Safe Mode Error: Setting NTLM credentials requires code injection.$Forced Safe Mode Error: cannot read credentials using 'safe mode'.$Forced Safe Mode Error: cannot read credentials using 'safe mode'.$Invalid addresses supplied!.$No NTLM credentials were supplied!.$No addresses were supplied!.$No command was supplied!.$R.$Using WCE Windows Service..$Using WCE Windows Service..$Using WCE Windows Service..$Using supplied addresses.$wceaux.dll$1|$mv$$|
API String ID: 814218132-447319926
Opcode ID: 77c43738a492b46034c0c37063fd05a1f1f18a13946c3a860ea2661088fd0958
Instruction ID: c0b7894a231f7ca4ed6279d852b609304fe113a13bb92a710771a7861af4cee7
Opcode Fuzzy Hash: 77c43738a492b46034c0c37063fd05a1f1f18a13946c3a860ea2661088fd0958
Instruction Fuzzy Hash: A43217B1D40214EBEB24BB60DC47B6972B1AF31705F5441A8F51962182EB729BF8CF63

Function 00162190 Relevance: 57.9, APIs: 21, Strings: 12, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wprintf.LIBCMT ref: 001621B5
_wprintf.LIBCMT ref: 001621DE
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 001621FB
_wprintf.LIBCMT ref: 00162215
LsaEnumerateLogonSessions.SECUR32(?,?), ref: 00162232
_wprintf.LIBCMT ref: 0016224B
_wprintf.LIBCMT ref: 0016226F
_malloc.LIBCMT ref: 0016227C
_wprintf.LIBCMT ref: 00162298
_strcat.LIBCMT ref: 001622C9
_wprintf.LIBCMT ref: 00162349
_wprintf.LIBCMT ref: 0016235A

Strings

LUID:%.8Xh, xrefs: 00162355
lsass.exe, xrefs: 001621BD
Reading by injecting code! (less-safe mode), xrefs: 001621B0
Cannot get PID of LSASS.EXE!, xrefs: 001621D9
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 0016238B
Logon Sessions Found: %d, xrefs: 0016226A
Error in InjectDllAndCallFunction, xrefs: 001623A3
Cannot alloc wceparams!., xrefs: 00162293
%s\%s:%s, xrefs: 00162344
Can't enumerate logon sessions!, xrefs: 00162246
WCEGetNTLMCredentials, xrefs: 001622BD
Error: Cannot open LSASS.EXE!., xrefs: 00162210

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$EnumerateLogonOpenProcessSessions_malloc_strcat
String ID: LUID:%.8Xh$%s\%s:%s$C:\Users\user\AppData\Local\Temp\wceaux.dll$Can't enumerate logon sessions!$Cannot alloc wceparams!.$Cannot get PID of LSASS.EXE!$Error in InjectDllAndCallFunction$Error: Cannot open LSASS.EXE!.$Logon Sessions Found: %d$Reading by injecting code! (less-safe mode)$WCEGetNTLMCredentials$lsass.exe
API String ID: 4050452349-3166370154
Opcode ID: d9e4681230b3adb9e740af96a1913aba1bc189f2026fdb98102517cc4f4b55de
Instruction ID: 296d6ab1abd36b64cb935cebfb0ae1e6bf78a824e9b6db5d15455a39a777799f
Opcode Fuzzy Hash: d9e4681230b3adb9e740af96a1913aba1bc189f2026fdb98102517cc4f4b55de
Instruction Fuzzy Hash: 3571D5B5D402189BEB24EB54DC82FDA7374AF64308F0482E8F50966281EF746BD4CF92

Function 00164840 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0016484E
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00164869
_wprintf.LIBCMT ref: 0016487D
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00164896
_wprintf.LIBCMT ref: 001648AA

Strings

NtCreateThreadEx, xrefs: 0016488D
ntdll.dll, xrefs: 00164864
$, xrefs: 001648BA
CrossSessionCreateRemoteThread: Cannot get ntdll.dll base address, xrefs: 00164878
CrossSessionCreateRemoteThread: cannot get function address, xrefs: 001648A5
CrossSessionCreateRemoteThread: Cannot create new thread, xrefs: 00164926

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$AddressHandleModuleProc_memset
String ID: $$CrossSessionCreateRemoteThread: Cannot create new thread$CrossSessionCreateRemoteThread: Cannot get ntdll.dll base address$CrossSessionCreateRemoteThread: cannot get function address$NtCreateThreadEx$ntdll.dll
API String ID: 4284075971-2308674594
Opcode ID: 4ac42d55760046ad4e254bee80ab2ba692528c60f30d96fed913ed46e3ea5897
Instruction ID: ef1b09b2a1d2e236f9b56ea712415a1ee26b4551bf8601c353965ea9504e35ee
Opcode Fuzzy Hash: 4ac42d55760046ad4e254bee80ab2ba692528c60f30d96fed913ed46e3ea5897
Instruction Fuzzy Hash: 27212BB0D40208AFDB10DFA4DC4ABDEBBB4AF58718F205218F515762C0E7B55658CF96

Function 00161880 Relevance: 18.2, APIs: 12, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaGetLogonSessionData.SECUR32(00000000,00000000), ref: 001618BB
LsaFreeReturnBuffer.SECUR32(00000000,00000000,00000000), ref: 001618D9
_memset.LIBCMT ref: 0016191A
_memset.LIBCMT ref: 001619EB
_memmove.LIBCMT ref: 00161A03
_memset.LIBCMT ref: 00161A19
_memset.LIBCMT ref: 00161AF0
_memmove.LIBCMT ref: 00161B0E
_memset.LIBCMT ref: 00161B24

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _memset$_memmove$BufferDataFreeLogonReturnSession
String ID:
API String ID: 779817456-0
Opcode ID: 17ae38d4e0ca94848eb5e98c360b1f08f2cb8a5f5af9e657eac6f6f730746206
Instruction ID: ae5290123275c89f05f3d37efb6c5e1f11ac0577fb94012b793b5f2111aeb324
Opcode Fuzzy Hash: 17ae38d4e0ca94848eb5e98c360b1f08f2cb8a5f5af9e657eac6f6f730746206
Instruction Fuzzy Hash: C3B139B090425CEBDB14CF54CC90BE9BBB5AF44308F2881E8D6496B281D7749AD4CFA9

Function 001622DD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wprintf.LIBCMT ref: 00162349
_wprintf.LIBCMT ref: 0016235A

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 001623A8
_free.LIBCMT ref: 001624A9
LsaFreeReturnBuffer.SECUR32(?,?,?,?,?,0016128C), ref: 001624B8

Strings

LUID:%.8Xh, xrefs: 00162355
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 0016238B
Error in InjectDllAndCallFunction, xrefs: 001623A3
%s\%s:%s, xrefs: 00162344

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$BufferFreeReturn__ftbuf__output_l__stbuf_free
String ID: LUID:%.8Xh$%s\%s:%s$C:\Users\user\AppData\Local\Temp\wceaux.dll$Error in InjectDllAndCallFunction
API String ID: 770965578-12513507
Opcode ID: f96511cb391a8bb94354d59561c69e675818d7127f6afc921a2787744a2dd01e
Instruction ID: 3e337aad000c683acfc1805f30eb2affa69339ff5002df9081647618d437f0f7
Opcode Fuzzy Hash: f96511cb391a8bb94354d59561c69e675818d7127f6afc921a2787744a2dd01e
Instruction Fuzzy Hash: 18118175D006189BDB24DF84DC81EEA73B4BF64304F1486DCE409A7241EB71AE95CF91

Function 00165A60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemWindowsDirectoryA.KERNEL32(?,000003FF), ref: 00165A7F
_memset.LIBCMT ref: 00165AA9
__snprintf.LIBCMT ref: 00165AC9

Strings

%s\system32\lsasrv.dll, xrefs: 00165AB8

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: DirectorySystemWindows__snprintf_memset
String ID: %s\system32\lsasrv.dll
API String ID: 1322642736-3821454140
Opcode ID: 28878445c677b0205ed2b1c164af67583faf5f9f12c99b30a98da08de56593c9
Instruction ID: 4dc676ff314c4d49ce4003e900c6050cca0be1d7d3cacf8fd60ab63015a31079
Opcode Fuzzy Hash: 28878445c677b0205ed2b1c164af67583faf5f9f12c99b30a98da08de56593c9
Instruction Fuzzy Hash: A62191B0900118DBDB64DF24DC81BA9B3B6EF08304F4085D8E709A7181EB709AE9CF94

Function 00161C50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wprintf.LIBCMT ref: 00161C5E
_wprintf.LIBCMT ref: 00161C6B

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

Strings

WCE %s (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com), xrefs: 00161C59
Use -h for help., xrefs: 00161C66

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__ftbuf__output_l__stbuf
String ID: Use -h for help.$WCE %s (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
API String ID: 2991887721-2980755961
Opcode ID: 172d913edec0293c8f7114115471a2904cdb7451f05c29c052249ea61af74d7b
Instruction ID: bf55d604f7ec09fd6d575396a4a6f7bfde9e2f550b94bda1e3e43b3dd69005d1
Opcode Fuzzy Hash: 172d913edec0293c8f7114115471a2904cdb7451f05c29c052249ea61af74d7b
Instruction Fuzzy Hash: 72C04CA29C42046BD1006AD56C4381732BC6B38B15B559074B90C55643E655B9A58AF3

Non-executed Functions

Function 001683F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 55pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(\\.\pipe\WCEServicePipe,00000003,00000000,000000FF,0000FA00,0000FA00,00000000,00000000), ref: 00168419
_wprintf.LIBCMT ref: 00168431
ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0016843F
GetLastError.KERNEL32 ref: 00168455
_wprintf.LIBCMT ref: 0016847F
FlushFileBuffers.KERNEL32(?), ref: 00168497
DisconnectNamedPipe.KERNEL32(?), ref: 001684A1

Strings

Waiting for clients..., xrefs: 0016842C
Client connected!, xrefs: 0016847A
\\.\pipe\WCEServicePipe, xrefs: 00168414

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: NamedPipe$_wprintf$BuffersConnectCreateDisconnectErrorFileFlushLast
String ID: Client connected!$Waiting for clients...$\\.\pipe\WCEServicePipe
API String ID: 1579961968-1233419677
Opcode ID: 51758811d5cc5e36d84c0f73746de3bb1817605e35b35c15cb13ba1fa02bdc8d
Instruction ID: ad4aed31a6e19db351372f92b8c0584309cbbd20756b08a7c5b2badee2de06e6
Opcode Fuzzy Hash: 51758811d5cc5e36d84c0f73746de3bb1817605e35b35c15cb13ba1fa02bdc8d
Instruction Fuzzy Hash: 3C11E7B1B40205EBDB20DBA4EC0ABAD7774AB15700F244174F509666C1CF709690DB92

Function 001674B0 Relevance: 13.6, APIs: 9, Instructions: 73serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 001674D3
OpenServiceA.ADVAPI32(00000000,00000000,00010004), ref: 001674F3
QueryServiceStatus.ADVAPI32(00000000,?), ref: 0016750A
DeleteService.ADVAPI32(00000000), ref: 0016751E
CloseServiceHandle.ADVAPI32(00000000), ref: 0016752C

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$Open$CloseDeleteHandleManagerQueryStatus
String ID:
API String ID: 661288909-0
Opcode ID: 4d22bf0e244b50a942dbd5f1f6ab6b6c4981fc567122a2eb1c62740097e31697
Instruction ID: d77a38f6a414b519968e061540905a3aaab6ab77ee0a0abb6bb104a79dbd6c2a
Opcode Fuzzy Hash: 4d22bf0e244b50a942dbd5f1f6ab6b6c4981fc567122a2eb1c62740097e31697
Instruction Fuzzy Hash: 3E211074E08208EBCB14DFB4DC48BAEB7B4AB08345F118998F517D6190EB74DAD0DBA0

Function 00167410 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830d60b50d9efbe57338475a639a1262402a14993400b55e48abfecd0fba96b0
Instruction ID: 308a914a381a60ca905341e7745e0e7a423c98cff61ce3ccb0ecd396b4d00708
Opcode Fuzzy Hash: 830d60b50d9efbe57338475a639a1262402a14993400b55e48abfecd0fba96b0
Instruction Fuzzy Hash: 3E115274648208FFDB14DFB4DD4DBAABB74AB08745F208558FA069A1C0DB749AD0DB90

Function 0016AB1A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0016FB68
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0016FB7D
UnhandledExceptionFilter.KERNEL32(0017C33C), ref: 0016FB88
GetCurrentProcess.KERNEL32(C0000409), ref: 0016FBA4
TerminateProcess.KERNEL32(00000000), ref: 0016FBAB

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 682e164d68a252820de34c9af5f29e59f3523ca8a572e2b5bef69ffffdce6473
Instruction ID: c36fb7508c72c031516a6a153769c176b32ed1d0dad6981d9eccc02587a3230b
Opcode Fuzzy Hash: 682e164d68a252820de34c9af5f29e59f3523ca8a572e2b5bef69ffffdce6473
Instruction Fuzzy Hash: 3B21CEB4911600EFD718DF68FC846447BB4BB48B08F48601AE4A9D7F61E7B09BC18F55

Function 00167890 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(00181610), ref: 001678B6

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 6d4797dd699fe91ce2d82557879c5519d4ca097a1bcaa13c50eaba82541187ae
Instruction ID: 9aa3e4dc7d308ab5771703fadc807f2f6a557c63ef4709af05b645e8ec801ca3
Opcode Fuzzy Hash: 6d4797dd699fe91ce2d82557879c5519d4ca097a1bcaa13c50eaba82541187ae
Instruction Fuzzy Hash: 5AE0BDB4C0020DABCB00EFD4CA096AEBBB8AB04308F6045989804B7240E7B45A188BE2

Function 00174E08 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00014DC6), ref: 00174E0D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3fe09349a3090c4a92d5e01edfbffe690fdb227d2b67128c3b376b9b47bc84f6
Instruction ID: 7eccf01b70db1c68e3ea8b5768190365b23034cc245869f868b8a0755b36038a
Opcode Fuzzy Hash: 3fe09349a3090c4a92d5e01edfbffe690fdb227d2b67128c3b376b9b47bc84f6
Instruction Fuzzy Hash: D79002602515008F961067F49C0D40A26F06B596167C14564604AC4495DB504180D555

Function 0016C6BF Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: d19a32ea63ea278e384ef8910b8c2eb91f379257e54c1e5a696647f132489f87
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: D9C18F73D0F5B6098B36462E48A823FEFA26E91B4131FC395DCD03F189D726AD6196D0

Function 0016C2D7 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: f363f2654c1356615691883489fc64ae56dc9441dfe803b81c7cb9c32ff687c9
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: B4C19073D0E5B6058B35852E4CA823FEF62AE91B4131FC395CCD03F299D726AD6196D0

Function 0016BF05 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 65088db00fb1c3cbd72044ac1004aed7e915260c760297bce339c6a6fc56d6b2
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: C0C18F73D0E4B6498B36462E4CA833BEFA2AE81B4031BC395DCD03F199D7266D6596D0

Function 0016BB67 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: f2aec83169939825be56fee27372bb87f2764d40034a063271f75292406f01cf
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 82B18133D0E4B6498B35452E48A823BEF62AE91B4131FC395DCD07F18DD727AEA196D0

Function 001695F0 Relevance: 94.8, APIs: 34, Strings: 20, Instructions: 324COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00169610
_wprintf.LIBCMT ref: 00169621
_wprintf.LIBCMT ref: 0016962E
_wprintf.LIBCMT ref: 00169651
_wprintf.LIBCMT ref: 00169676
_wprintf.LIBCMT ref: 0016969B
_wprintf.LIBCMT ref: 001696E3
_wprintf.LIBCMT ref: 001696F0
_wprintf.LIBCMT ref: 00169738
_wprintf.LIBCMT ref: 00169745

Strings

%d/%d/%d %d:%d:%d.%d, xrefs: 001698BC
RenewUntil: , xrefs: 001698C9
SessionKey, xrefs: 00169795
%d/%d/%d %d:%d:%d.%d, xrefs: 00169851
%d/%d/%d %d:%d:%d.%d, xrefs: 00169992
KeyExpirationTime: , xrefs: 001697E6
ClientName, xrefs: 00169671
AltTargetDomainName, xrefs: 00169740
TargetName, xrefs: 0016964C
TargetDomainName, xrefs: 001696EB
TimeSkew: , xrefs: 00169934
PKERB_EXTERNAL_TICKET:%.8Xh, xrefs: 0016961C
TicketFlags: %.8Xh, xrefs: 001697C5
%d/%d/%d %d:%d:%d.%d, xrefs: 00169927
DomainName, xrefs: 00169696
Flags: %.8Xh, xrefs: 001697D9
EncodedTicketSize: %d (%.8Xh), xrefs: 001699AD
StartTime: , xrefs: 001697F3
ServiceName, xrefs: 00169629
EndTime: , xrefs: 0016985E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf
String ID: %d/%d/%d %d:%d:%d.%d$%d/%d/%d %d:%d:%d.%d$%d/%d/%d %d:%d:%d.%d$%d/%d/%d %d:%d:%d.%d$AltTargetDomainName$ClientName$DomainName$EncodedTicketSize: %d (%.8Xh)$EndTime: $Flags: %.8Xh$KeyExpirationTime: $PKERB_EXTERNAL_TICKET:%.8Xh$RenewUntil: $ServiceName$SessionKey$StartTime: $TargetDomainName$TargetName$TicketFlags: %.8Xh$TimeSkew:
API String ID: 2738768116-1418653839
Opcode ID: 5d4cd587fd182149b0e428657253c558ac122a86ac1d755487f7c0420647c1d8
Instruction ID: 4776ad0ceb2a3f6bd71e37bc58915a02ec14ff2906ccf671364dd9b121c897dd
Opcode Fuzzy Hash: 5d4cd587fd182149b0e428657253c558ac122a86ac1d755487f7c0420647c1d8
Instruction Fuzzy Hash: 48C170B6D40209ABCB04EFD4CC428BE77B9BF68705F148159F90566241E738EA95CFE2

Function 0016A520 Relevance: 86.0, APIs: 31, Strings: 18, Instructions: 288libraryloaderthreadCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 0016A542

Part of subcall function 0016ADD2: __fsopen.LIBCMT ref: 0016ADDF

_wprintf.LIBCMT ref: 0016A56A

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

LoadLibraryA.KERNEL32(NTDLL.DLL), ref: 0016A57E
LoadLibraryA.KERNEL32(SECUR32.DLL), ref: 0016A58C
GetProcAddress.KERNEL32(?,RtlInitString), ref: 0016A59E
GetProcAddress.KERNEL32(?,LsaConnectUntrusted), ref: 0016A5B3
GetProcAddress.KERNEL32(?,LsaLookupAuthenticationPackage), ref: 0016A5C8
GetProcAddress.KERNEL32(?,LsaCallAuthenticationPackage), ref: 0016A5DA
GetProcAddress.KERNEL32(?,LsaDeregisterLogonProcess), ref: 0016A5EC
GetCurrentThread.KERNEL32 ref: 0016A5F8
OpenThreadToken.ADVAPI32(?,02000000,00000001,?), ref: 0016A619
GetCurrentProcess.KERNEL32(02000000,?), ref: 0016A62B
OpenProcessToken.ADVAPI32(00000000), ref: 0016A632
GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),?,00000038,?), ref: 0016A64E
_wprintf.LIBCMT ref: 0016A66C
_memset.LIBCMT ref: 0016A684
_wprintf.LIBCMT ref: 0016A6BE
__fread_nolock.LIBCMT ref: 0016A6F0
_malloc.LIBCMT ref: 0016A70D

Part of subcall function 0016B63E: __FF_MSGBANNER.LIBCMT ref: 0016B657
Part of subcall function 0016B63E: __NMSG_WRITE.LIBCMT ref: 0016B65E
Part of subcall function 0016B63E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B683

_wprintf.LIBCMT ref: 0016A735
__fread_nolock.LIBCMT ref: 0016A755
_malloc.LIBCMT ref: 0016A761
_wprintf.LIBCMT ref: 0016A783
__fread_nolock.LIBCMT ref: 0016A7A0
_malloc.LIBCMT ref: 0016A7B3
_memmove.LIBCMT ref: 0016A829
_memmove.LIBCMT ref: 0016A844
_free.LIBCMT ref: 0016A8AF
_free.LIBCMT ref: 0016A8BE
_wprintf.LIBCMT ref: 0016A8EA
_wprintf.LIBCMT ref: 0016A8F7

Strings

Error: cannot find Kerberos auth package, xrefs: 0016A6B9
SECUR32.DLL, xrefs: 0016A587
3333""""$, xrefs: 0016A871, 0016A874
LsaCallAuthenticationPackage, xrefs: 0016A5D1
Done!, xrefs: 0016A8F2
RtlInitString, xrefs: 0016A595
Error: cannot open wce_krbtkts., xrefs: 0016A565
NTDLL.DLL, xrefs: 0016A579
%d kerberos tickets were added to the cache., xrefs: 0016A8E5
LsaLookupAuthenticationPackage, xrefs: 0016A5BF
Reading kerberos tickets from file 'wce_krbtkts'..., xrefs: 0016A53D
wce_krbtkts, xrefs: 0016A54F
LsaDeregisterLogonProcess, xrefs: 0016A5E3
Kerberos, xrefs: 0016A68C
LsaConnectUntrusted, xrefs: 0016A5AA
Error: cannot access LSA, xrefs: 0016A667
Fatal Error: cannot read sessionkey, xrefs: 0016A730
Fatal Error: cannot read ticket, xrefs: 0016A77E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$AddressProc$Token__fread_nolock_malloc$CurrentLibraryLoadOpenProcessThread_free_memmove$AllocHeapInformation__fsopen__ftbuf__output_l__stbuf_doexit_memset
String ID: %d kerberos tickets were added to the cache.$3333""""$$Done!$Error: cannot access LSA$Error: cannot find Kerberos auth package$Error: cannot open wce_krbtkts.$Fatal Error: cannot read sessionkey$Fatal Error: cannot read ticket$Kerberos$LsaCallAuthenticationPackage$LsaConnectUntrusted$LsaDeregisterLogonProcess$LsaLookupAuthenticationPackage$NTDLL.DLL$Reading kerberos tickets from file 'wce_krbtkts'...$RtlInitString$SECUR32.DLL$wce_krbtkts
API String ID: 790501533-3336531733
Opcode ID: 18ed00a669a3781a9f26eccb0197de74dfecb166edaf16c90ff5d545d6892f5d
Instruction ID: c27b20e0a998eb81901062d4c255894809534fbe668e5b00529d159816b4deb7
Opcode Fuzzy Hash: 18ed00a669a3781a9f26eccb0197de74dfecb166edaf16c90ff5d545d6892f5d
Instruction Fuzzy Hash: 88C167B5D00208AFDB14EFA0DC85BAEB7B5BF58304F108158F505B7241EB75AA95CFA2

Function 001649C0 Relevance: 84.3, APIs: 41, Strings: 7, Instructions: 325libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,CreateProcessWithLogonW), ref: 00164A0A
GetProcAddress.KERNEL32(00000000), ref: 00164A11
_wprintf.LIBCMT ref: 00164A25
_malloc.LIBCMT ref: 00164A45
_malloc.LIBCMT ref: 00164A61
_malloc.LIBCMT ref: 00164A7D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,-00000001), ref: 00164AC5
_wprintf.LIBCMT ref: 00164AD4
_free.LIBCMT ref: 00164AE0
_free.LIBCMT ref: 00164AEC
_free.LIBCMT ref: 00164AFB
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,-00000001), ref: 00164B28
_free.LIBCMT ref: 00164B42
_free.LIBCMT ref: 00164B51
_free.LIBCMT ref: 00164B36

Part of subcall function 0016B604: HeapFree.KERNEL32(00000000,00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B61A
Part of subcall function 0016B604: GetLastError.KERNEL32(00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7,?), ref: 0016B62C

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,-00000001), ref: 00164B81
_free.LIBCMT ref: 00164B8F
_free.LIBCMT ref: 00164B9B
_free.LIBCMT ref: 00164BAA

Strings

ERROR: CreateProcessWithLogonW, xrefs: 00164C1D
Can't find CreateProcessWithLogonW, xrefs: 00164A20
D, xrefs: 00164BDC
Error in GetTokenInformation, xrefs: 00164D49
Error, xrefs: 00164ACF
CreateProcessWithLogonW, xrefs: 00164A00
advapi32.dll, xrefs: 00164A05

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _free$ByteCharMultiWide_malloc$_wprintf$AddressErrorFreeHeapLastLibraryLoadProc
String ID: Can't find CreateProcessWithLogonW$CreateProcessWithLogonW$D$ERROR: CreateProcessWithLogonW$Error$Error in GetTokenInformation$advapi32.dll
API String ID: 799445548-2671101016
Opcode ID: 2f2bfd9f6b6a1e7ef0207972477d627d45008e55f3d388015e29ab5347ef0080
Instruction ID: e771bdaa14f39d8354426e0e375ae5d171e15479f6fa3fa984f1c0bbc8d68228
Opcode Fuzzy Hash: 2f2bfd9f6b6a1e7ef0207972477d627d45008e55f3d388015e29ab5347ef0080
Instruction Fuzzy Hash: A8C164F1D04308EBEB24DBE4DC4AB9E7775AF64304F048528F50A9B281E77599A4CF52

Function 00161C80 Relevance: 77.1, APIs: 22, Strings: 22, Instructions: 70COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00161C88
_wprintf.LIBCMT ref: 00161C95

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 00161CA2
_wprintf.LIBCMT ref: 00161CAF
_wprintf.LIBCMT ref: 00161CBC
_wprintf.LIBCMT ref: 00161CC9
_wprintf.LIBCMT ref: 00161CD6
_wprintf.LIBCMT ref: 00161CE3
_wprintf.LIBCMT ref: 00161CF0
_wprintf.LIBCMT ref: 00161CFD
_wprintf.LIBCMT ref: 00161D0A
_wprintf.LIBCMT ref: 00161D17
_wprintf.LIBCMT ref: 00161D24
_wprintf.LIBCMT ref: 00161D31
_wprintf.LIBCMT ref: 00161D3E
_wprintf.LIBCMT ref: 00161D4B
_wprintf.LIBCMT ref: 00161D58
_wprintf.LIBCMT ref: 00161D65
_wprintf.LIBCMT ref: 00161D72
_wprintf.LIBCMT ref: 00161D7F
_wprintf.LIBCMT ref: 00161D8C
_wprintf.LIBCMT ref: 00161D99

Strings

-aUse Addresses., xrefs: 00161D39
-fForce 'safe mode'., xrefs: 00161D53
Optional: -r<refresh interval>., xrefs: 00161CB7
-KDump Kerberos tickets to file (unix & 'windows wce' format), xrefs: 00161D7A
Parameters: <addresses>, xrefs: 00161D46
Parameters: <password>., xrefs: 00161D6D
-kRead Kerberos tickets from file and insert into Windows cache, xrefs: 00161D87
-osaves all output to a file., xrefs: 00161CEB
Parameters: <luid>., xrefs: 00161D2C
-vverbose output., xrefs: 00161D94
Parameters: <luid>., xrefs: 00161D12
-gGenerate LM & NT Hash., xrefs: 00161D60
-rLists logon sessions and NTLM credentials indefinitely.Refreshes every 5 seconds if new sessions are found., xrefs: 00161CAA
-eLists logon sessions NTLM credentials indefinitely.Refreshes every time a logon event occurs., xrefs: 00161CDE
-cRun <cmd> in a new session with the specified NTLM credentials., xrefs: 00161CC4
-iSpecify LUID instead of use current logon session., xrefs: 00161D05
-dDelete NTLM credentials from logon session., xrefs: 00161D1F
Options: , xrefs: 00161C83
-sChanges NTLM credentials of current logon session.Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>., xrefs: 00161C9D
Parameters: <filename>., xrefs: 00161CF8
-lList logon sessions and NTLM credentials (default)., xrefs: 00161C90
Parameters: <cmd>., xrefs: 00161CD1

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__ftbuf__output_l__stbuf
String ID: Optional: -r<refresh interval>.$Parameters: <addresses>$Parameters: <cmd>.$Parameters: <filename>.$Parameters: <luid>.$Parameters: <luid>.$Parameters: <password>.$-KDump Kerberos tickets to file (unix & 'windows wce' format)$-aUse Addresses.$-cRun <cmd> in a new session with the specified NTLM credentials.$-dDelete NTLM credentials from logon session.$-eLists logon sessions NTLM credentials indefinitely.Refreshes every time a logon event occurs.$-fForce 'safe mode'.$-gGenerate LM & NT Hash.$-iSpecify LUID instead of use current logon session.$-kRead Kerberos tickets from file and insert into Windows cache$-lList logon sessions and NTLM credentials (default).$-osaves all output to a file.$-rLists logon sessions and NTLM credentials indefinitely.Refreshes every 5 seconds if new sessions are found.$-sChanges NTLM credentials of current logon session.Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.$-vverbose output.$Options:
API String ID: 2991887721-159169514
Opcode ID: b411bf543e032955fda97435c8d3d877aec679ba32fe855c70ad829a5c296d15
Instruction ID: 69fe9aed85bc0e6c3f37a0e814954b4b18b2d8f5e0c81e0747e424482799bf37
Opcode Fuzzy Hash: b411bf543e032955fda97435c8d3d877aec679ba32fe855c70ad829a5c296d15
Instruction Fuzzy Hash: 6711ACC2DC524527D4143EA46C0784B30745C70B2DBAAE0B9F44E71193FB66E63A0DD3

Function 001699F0 Relevance: 66.8, APIs: 24, Strings: 14, Instructions: 308timeCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00169A11
_wprintf.LIBCMT ref: 00169A25

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 00169A5A
_wprintf.LIBCMT ref: 00169A67
_wprintf.LIBCMT ref: 00169ABD
_wprintf.LIBCMT ref: 00169ACA
_wprintf.LIBCMT ref: 00169B20
_wprintf.LIBCMT ref: 00169B2D
_wprintf.LIBCMT ref: 00169B83
_wprintf.LIBCMT ref: 00169B90
_wprintf.LIBCMT ref: 00169BE6

Part of subcall function 0016DE35: _fputc.LIBCMT ref: 0016DE2C

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00169C16
FileTimeToSystemTime.KERNEL32(?,?), ref: 00169C24
_wprintf.LIBCMT ref: 00169C52
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00169C82
FileTimeToSystemTime.KERNEL32(?,?), ref: 00169C90
_wprintf.LIBCMT ref: 00169CBE
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00169CEE
FileTimeToSystemTime.KERNEL32(?,?), ref: 00169CFC
_wprintf.LIBCMT ref: 00169D2A
_wprintf.LIBCMT ref: 00169D53
_wprintf.LIBCMT ref: 00169D6E
_wprintf.LIBCMT ref: 00169D89
_wprintf.LIBCMT ref: 00169DA4

Strings

RenewTime: %d/%d/%d %d:%d:%d.%d, xrefs: 00169D25
End Time: %d/%d/%d %d:%d:%d.%d, xrefs: 00169CB9
TicketFlags: %.8Xh, xrefs: 00169D69
ClientName: , xrefs: 00169A62
BranchId: %Xh, xrefs: 00169D9F
KERB_QUERY_TKT_CACHE_EX2_RESPONSE.CountOfTickets: %d, xrefs: 00169A20
ClientRealm: , xrefs: 00169AC5
ServerName: , xrefs: 00169B28
EncryptionType %Xh (%d), xrefs: 00169D4E
KERB_QUERY_TKT_CACHE_EX2_RESPONSE.MessageType: %Xh (%d), xrefs: 00169A0C
SessionKeyType: %Xh, xrefs: 00169D84
Ticket #%d, xrefs: 00169A55
Start Time: %d/%d/%d %d:%d:%d.%d, xrefs: 00169C4D
ServerRealm: , xrefs: 00169B8B

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$Time$File$LocalSystem$__ftbuf__output_l__stbuf_fputc
String ID: BranchId: %Xh$ClientName: $ClientRealm: $EncryptionType %Xh (%d)$End Time: %d/%d/%d %d:%d:%d.%d$KERB_QUERY_TKT_CACHE_EX2_RESPONSE.CountOfTickets: %d$KERB_QUERY_TKT_CACHE_EX2_RESPONSE.MessageType: %Xh (%d)$RenewTime: %d/%d/%d %d:%d:%d.%d$ServerName: $ServerRealm: $SessionKeyType: %Xh$Start Time: %d/%d/%d %d:%d:%d.%d$Ticket #%d$TicketFlags: %.8Xh
API String ID: 2371443755-4268536054
Opcode ID: c0ea0ab9027815db81df398605b32e633bf1f91c15fc6ed5649eda4580ed1106
Instruction ID: e29242f9e48bcc4f1cc1678df91e0b5b7a0dbd107aadc5191cd355212cea9ca9
Opcode Fuzzy Hash: c0ea0ab9027815db81df398605b32e633bf1f91c15fc6ed5649eda4580ed1106
Instruction Fuzzy Hash: 1EC14FB2A00109EBCB08DF94D882CFEB7B9AFA8704F558159F9057B241E734D991CFA1

Function 00161DB0 Relevance: 54.5, APIs: 19, Strings: 12, Instructions: 293COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00161DFC
_wprintf.LIBCMT ref: 00161E4C
_wprintf.LIBCMT ref: 00161E68
_wprintf.LIBCMT ref: 00161EBB
_wprintf.LIBCMT ref: 00161ED7
_strcat.LIBCMT ref: 00161F00
_wprintf.LIBCMT ref: 00161F4C
_wprintf.LIBCMT ref: 00161F68
_strcat.LIBCMT ref: 00161F8B
_wprintf.LIBCMT ref: 00161FDA
_wprintf.LIBCMT ref: 00161FF6
_memmove.LIBCMT ref: 00162012
_wprintf.LIBCMT ref: 0016206F
_wprintf.LIBCMT ref: 0016208B
_memmove.LIBCMT ref: 001620A4
_memset.LIBCMT ref: 001620F0
__wcstoui64.LIBCMT ref: 0016211A
_memset.LIBCMT ref: 0016213B
__wcstoui64.LIBCMT ref: 0016215F

Strings

Error in cmdline!. Credentials format is wrong! too many ':' characters!, xrefs: 00161E47
domain is too long!., xrefs: 00161F47
, xrefs: 001620DE
lmhash is too long!., xrefs: 00161FD5
lmhash wrong format!., xrefs: 00161FF1
nthash is too long!., xrefs: 0016206A
nthash wrong format!., xrefs: 00162086
domain wrong format!., xrefs: 00161F63
Error in cmdline!. Bye!., xrefs: 00161DF7
username is too long!., xrefs: 00161EB6
username wrong format!., xrefs: 00161ED2
Error in cmdline!. Credentials format is wrong! too few ':' characters!, xrefs: 00161E63

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__wcstoui64_memmove_memset_strcat
String ID: $Error in cmdline!. Bye!.$Error in cmdline!. Credentials format is wrong! too few ':' characters!$Error in cmdline!. Credentials format is wrong! too many ':' characters!$domain is too long!.$domain wrong format!.$lmhash is too long!.$lmhash wrong format!.$nthash is too long!.$nthash wrong format!.$username is too long!.$username wrong format!.
API String ID: 2045161836-2799369676
Opcode ID: 01dcb5e86c4937b733dccb3427b8cc48e0399eb64980fcbd625a62e1b70bee80
Instruction ID: 748aab4c59af2926ee2ac699f272813f0a0d4fa7c17774c7293a911840d9b437
Opcode Fuzzy Hash: 01dcb5e86c4937b733dccb3427b8cc48e0399eb64980fcbd625a62e1b70bee80
Instruction Fuzzy Hash: 58C14F70D042599BDF14DFA4CC92BEEBBB0BF29308F244158E90477282D7759A64CFA2

Function 00164F80 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,BINARY), ref: 00164F94
LoadResource.KERNEL32(?,00000000), ref: 00164FB2
CloseHandle.KERNEL32(00000000), ref: 00164FC5

Strings

BINARY, xrefs: 00164F86

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Resource$CloseFindHandleLoad
String ID: BINARY
API String ID: 3150125948-907554435
Opcode ID: 479a51db43359af9cc405db1e9072ef9887cd2171b2c7bf07361f1c57a3148cc
Instruction ID: eec1fc6f77b14bd11b1e6ca298765a27479f59e8070ab185e44ed54245db804f
Opcode Fuzzy Hash: 479a51db43359af9cc405db1e9072ef9887cd2171b2c7bf07361f1c57a3148cc
Instruction Fuzzy Hash: DF51BBB9E00209EFCB14DFA0DC59BAEB775AB4C701F109918F616A7690D77899C1CFA0

Function 001626B0 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 132COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 001626D6
_wprintf.LIBCMT ref: 001626E9
_wprintf.LIBCMT ref: 00162700
_wprintf.LIBCMT ref: 00162711
_wprintf.LIBCMT ref: 00162722
_wprintf.LIBCMT ref: 00162733
_wprintf.LIBCMT ref: 00162766
_wprintf.LIBCMT ref: 0016277E
_wprintf.LIBCMT ref: 0016278F
_wprintf.LIBCMT ref: 001627A0
_wprintf.LIBCMT ref: 001627B1
_wprintf.LIBCMT ref: 001627C2

Part of subcall function 00164940: GetCurrentProcess.KERNEL32(00000008,?), ref: 00164963
Part of subcall function 00164940: OpenProcessToken.ADVAPI32(00000000), ref: 0016496A
Part of subcall function 00164940: GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),?,00000038,?), ref: 00164989

_wprintf.LIBCMT ref: 0016280B

Strings

cannot run the specified command!, xrefs: 00162761
Changing NTLM credentials of new logon session %.8Xh to:, xrefs: 00162779
LMHash: %s, xrefs: 0016271D
LMHash: %s, xrefs: 001627AC
domain: %s, xrefs: 0016279B
Username: %s, xrefs: 001626FB
Changing NTLM credentials of logon session %.8Xh to:, xrefs: 001626E4
Changing NTLM credentials of current logon session (%.8Xh) to:, xrefs: 001626D1
NTHash: %s, xrefs: 001627BD
Username: %s, xrefs: 0016278A
domain: %s, xrefs: 0016270C
Using WCE Windows Service.., xrefs: 00162806
NTHash: %s, xrefs: 0016272E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$ProcessToken$CurrentInformationOpen
String ID: Changing NTLM credentials of current logon session (%.8Xh) to:$Changing NTLM credentials of logon session %.8Xh to:$Changing NTLM credentials of new logon session %.8Xh to:$LMHash: %s$LMHash: %s$NTHash: %s$NTHash: %s$Username: %s$Username: %s$Using WCE Windows Service..$cannot run the specified command!$domain: %s$domain: %s
API String ID: 1524233808-1994602542
Opcode ID: a857a028111edcf98fa73c9bee312d48d5c20321f3564914f1c7c67f824dc4ec
Instruction ID: 92f772129906b53dcfc945f590d32fbfa88f00fc293a154a3a8c7c1b648da141
Opcode Fuzzy Hash: a857a028111edcf98fa73c9bee312d48d5c20321f3564914f1c7c67f824dc4ec
Instruction Fuzzy Hash: 1C41EFB6A40108ABDB04EF94DC42DAF37B9AF78704F558158FD0CA7241E774DD618BA2

Function 001624D0 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 001624FE

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00162518
_wprintf.LIBCMT ref: 0016252C
_malloc.LIBCMT ref: 00162540
_wprintf.LIBCMT ref: 00162556
_strcat.LIBCMT ref: 0016257E
_memset.LIBCMT ref: 001625B0
_strncpy.LIBCMT ref: 001625C7
_memset.LIBCMT ref: 001625E4
_strncpy.LIBCMT ref: 001625F9
_memmove.LIBCMT ref: 00162618
_memmove.LIBCMT ref: 0016262F
_wprintf.LIBCMT ref: 00162658
_free.LIBCMT ref: 0016268E

Part of subcall function 0016B604: HeapFree.KERNEL32(00000000,00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B61A
Part of subcall function 0016B604: GetLastError.KERNEL32(00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7,?), ref: 0016B62C

Strings

An error occurred changing the NTLM credentials., xrefs: 0016267D
lsass.exe, xrefs: 001624E3
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 0016263E
Error: Cannot open LSASS.EXE!., xrefs: 00162527
WCEAddNTLMCredentials, xrefs: 00162572
Cannot get LSASS.EXE PID!, xrefs: 001624F9
Cannot alloc wceparams!., xrefs: 00162551
NTLM credentials successfully changed!, xrefs: 0016266E
Error in InjectDllAndCallFunction, xrefs: 00162653

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$_memmove_memset_strncpy$ErrorFreeHeapLastOpenProcess_doexit_free_malloc_strcat
String ID: An error occurred changing the NTLM credentials.$C:\Users\user\AppData\Local\Temp\wceaux.dll$Cannot alloc wceparams!.$Cannot get LSASS.EXE PID!$Error in InjectDllAndCallFunction$Error: Cannot open LSASS.EXE!.$NTLM credentials successfully changed!$WCEAddNTLMCredentials$lsass.exe
API String ID: 664426524-1957168790
Opcode ID: a2c9438c91161c2591c8ce07157de1b01b79ef8ba97bc15f9376609f16248d41
Instruction ID: 85bdf67e65f07b02faedc09e72e952409a567424f1849cc42b1859836f1047b0
Opcode Fuzzy Hash: a2c9438c91161c2591c8ce07157de1b01b79ef8ba97bc15f9376609f16248d41
Instruction Fuzzy Hash: D25177B1D40208EBD710EB94DD56F9E7370AF64704F148078F90967282EB759F65CB92

Function 00170DAC Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0016E65B,0017DD20,00000014), ref: 00170DB4
__mtterm.LIBCMT ref: 00170DC0

Part of subcall function 00170AF9: DecodePointer.KERNEL32(00000002,00170F22,?,0016E65B,0017DD20,00000014), ref: 00170B0A
Part of subcall function 00170AF9: TlsFree.KERNEL32(00000004,00170F22,?,0016E65B,0017DD20,00000014), ref: 00170B24

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00170DD6
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00170DE3
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00170DF0
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00170DFD
TlsAlloc.KERNEL32(?,0016E65B,0017DD20,00000014), ref: 00170E4D
TlsSetValue.KERNEL32(00000000,?,0016E65B,0017DD20,00000014), ref: 00170E68
__init_pointers.LIBCMT ref: 00170E72
EncodePointer.KERNEL32(?,0016E65B,0017DD20,00000014), ref: 00170E83
EncodePointer.KERNEL32(?,0016E65B,0017DD20,00000014), ref: 00170E90
EncodePointer.KERNEL32(?,0016E65B,0017DD20,00000014), ref: 00170E9D
EncodePointer.KERNEL32(?,0016E65B,0017DD20,00000014), ref: 00170EAA
DecodePointer.KERNEL32(00170C7D,?,0016E65B,0017DD20,00000014), ref: 00170ECB
__calloc_crt.LIBCMT ref: 00170EE0
DecodePointer.KERNEL32(00000000,?,0016E65B,0017DD20,00000014), ref: 00170EFA
__initptd.LIBCMT ref: 00170F05
GetCurrentThreadId.KERNEL32 ref: 00170F0C

Strings

FlsAlloc, xrefs: 00170DD0
FlsGetValue, xrefs: 00170DD8
KERNEL32.DLL, xrefs: 00170DAF
FlsSetValue, xrefs: 00170DE5
FlsFree, xrefs: 00170DF2

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: 89234b3fe4c147500fa6caadb552041961e08fc5a285de2a7474570f3c56864b
Instruction ID: a4dbf6fd9a04a1a064d3cfd80eba003c3d2d0ff933a51cd47df6c9483e047f42
Opcode Fuzzy Hash: 89234b3fe4c147500fa6caadb552041961e08fc5a285de2a7474570f3c56864b
Instruction Fuzzy Hash: 5E314631944711DFD7226BB4EC09A157EB4BB49B60B98862AE42893AB1DB7086C1CF90

Function 00165140 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0016514E
_wprintf.LIBCMT ref: 00165162
OpenEventLogA.ADVAPI32(00000000,Security), ref: 00165178
_wprintf.LIBCMT ref: 0016518C
CloseHandle.KERNEL32(00000000), ref: 00165198

Strings

SeekToLastRecord failed with, xrefs: 001651BA
Security, xrefs: 00165171
NotifyChangeEventLog failed with %lu., xrefs: 001651F8
Canont open EventLog, xrefs: 00165187
Cannot create event!, xrefs: 0016515D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Event_wprintf$CloseCreateHandleOpen
String ID: Cannot create event!$Canont open EventLog$NotifyChangeEventLog failed with %lu.$Security$SeekToLastRecord failed with
API String ID: 2955162075-239136800
Opcode ID: dd6e4a3763ac3774ab9c5369471b90af91eac3cfaf907c1cdd92ba242cded2b9
Instruction ID: d6b973050b1613a38115b32a6e2f0aaa49185f635ef3be64d44474d42b55b570
Opcode Fuzzy Hash: dd6e4a3763ac3774ab9c5369471b90af91eac3cfaf907c1cdd92ba242cded2b9
Instruction Fuzzy Hash: FD3182B9A40209EBDB10EBF0DC59B6E7775BF58305F10492CF91AA2180D7349A908FA1

Function 0016A320 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00168550: LoadLibraryA.KERNEL32(NTDLL.DLL,?,0016A338), ref: 00168558
Part of subcall function 00168550: LoadLibraryA.KERNEL32(SECUR32.DLL,?,0016A338), ref: 00168568

_wprintf.LIBCMT ref: 0016A341
_wprintf.LIBCMT ref: 0016A368

Strings

Converting and saving TGT in UNIX format to file wce_ccache..., xrefs: 0016A4A1
Converting and saving tickets in Windows WCE Format to file wce_krbtkts.., xrefs: 0016A4F5
Kerberos, xrefs: 0016A38F
Error: Cannot load needed libraries, xrefs: 0016A33C
No TGT is available!, xrefs: 0016A476
Error: could not convert and save TGT, xrefs: 0016A4C8
wce_ccache, xrefs: 0016A4B0
Error: cannot find Kerberos auth package, xrefs: 0016A3BF
Error: cannot dump TGT, xrefs: 0016A44A
Error: cannot access LSA, xrefs: 0016A363

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: LibraryLoad_wprintf
String ID: Converting and saving TGT in UNIX format to file wce_ccache...$Converting and saving tickets in Windows WCE Format to file wce_krbtkts..$Error: Cannot load needed libraries$Error: cannot access LSA$Error: cannot dump TGT$Error: cannot find Kerberos auth package$Error: could not convert and save TGT$Kerberos$No TGT is available!$wce_ccache
API String ID: 1430821717-3351687992
Opcode ID: fccdb7d6eee7a748619e291943d75cb76577235477ad4bce348c51fa623cfab2
Instruction ID: cd4e28de987c4dbcd6812ec93af0bc429e1f93ce74a833efad02775fd88ff240
Opcode Fuzzy Hash: fccdb7d6eee7a748619e291943d75cb76577235477ad4bce348c51fa623cfab2
Instruction Fuzzy Hash: C55165B1D402069BDB10EFA0DC4ABAE77B4AF28305F544568F60672141EBB59B54CFA3

Function 00162840 Relevance: 33.3, APIs: 10, Strings: 9, Instructions: 92COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00162878

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00162895
_wprintf.LIBCMT ref: 001628AF
_malloc.LIBCMT ref: 001628C3
_wprintf.LIBCMT ref: 001628DF
_strcat.LIBCMT ref: 00162922
_wprintf.LIBCMT ref: 0016295E
_wprintf.LIBCMT ref: 0016297C

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 0016298B
_free.LIBCMT ref: 001629A3

Strings

WCEDelNTLMCredentials, xrefs: 00162916
NTLM credentials successfully deleted!, xrefs: 00162977
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 00162941
Cannot alloc wceparams!., xrefs: 001628DA
Cannot delete NTLM credentials, xrefs: 00162986
Cannot get PID of LSASS.EXE!, xrefs: 00162873
Error in InjectDllAndCallFunction, xrefs: 00162959
Error: Cannot open LSASS.EXE!., xrefs: 001628AA
lsass.exe, xrefs: 00162857

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$OpenProcess__ftbuf__output_l__stbuf_doexit_free_malloc_strcat
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll$Cannot alloc wceparams!.$Cannot delete NTLM credentials$Cannot get PID of LSASS.EXE!$Error in InjectDllAndCallFunction$Error: Cannot open LSASS.EXE!.$NTLM credentials successfully deleted!$WCEDelNTLMCredentials$lsass.exe
API String ID: 2494054735-912798575
Opcode ID: 5a947a949fd89435b7206a52700b94800eee5b0bffe96f67c5a3a655b0dadad0
Instruction ID: a1635158dd7263735f0880516b2c62ee826b6f3eaff85cdd0ad6bdb1ae9366b1
Opcode Fuzzy Hash: 5a947a949fd89435b7206a52700b94800eee5b0bffe96f67c5a3a655b0dadad0
Instruction Fuzzy Hash: A7319574D442149BEB24AF60DC46B9973B0AF64705F1482F8F40D66282EF74AED4CF92

Function 001678D0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 136filepipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeA.KERNEL32(\\.\pipe\WCEServicePipe,00004E20), ref: 001678E3
CreateFileA.KERNEL32(\\.\pipe\WCEServicePipe,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00167908
_wprintf.LIBCMT ref: 0016791C

Strings

\\.\pipe\WCEServicePipe, xrefs: 00167903
Cannot allocate memory!, xrefs: 001679F8
Error: INVALID_HANDLE_VALUE, xrefs: 00167917
\\.\pipe\WCEServicePipe, xrefs: 001678DE

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CreateFileNamedPipeWait_wprintf
String ID: Cannot allocate memory!$Error: INVALID_HANDLE_VALUE$\\.\pipe\WCEServicePipe$\\.\pipe\WCEServicePipe
API String ID: 276255076-1223086826
Opcode ID: 4f340e187c161c1b82d9998a737a1f444f993ed12dc599b5a1185363f501048f
Instruction ID: 51d5738778077af0c68446870fe0294763fef52c06396f40febad9f781ae7437
Opcode Fuzzy Hash: 4f340e187c161c1b82d9998a737a1f444f993ed12dc599b5a1185363f501048f
Instruction Fuzzy Hash: 8C515171E04219EFDB24EBA4DC49BAEB7B4FF48304F248998E519A7280D7745A90CF50

Function 00161360 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 136COMMON

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 001613C7
_fprintf.LIBCMT ref: 001613E5
_fprintf.LIBCMT ref: 0016141C
_fprintf.LIBCMT ref: 0016142F
_fprintf.LIBCMT ref: 00161466

Strings

%s:%s:, xrefs: 001613DC
%.2X, xrefs: 001614E1
%.8X:, xrefs: 00161494
%s:%s:, xrefs: 001614AE
%.2X, xrefs: 00161413
%.2X, xrefs: 00161523
%.2X, xrefs: 0016145D
%.8X:, xrefs: 001613BE

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _fprintf
String ID: %.2X$%.2X$%.2X$%.2X$%.8X:$%.8X:$%s:%s:$%s:%s:
API String ID: 1654120334-637162346
Opcode ID: b4dcf80f696e6f1d5f2c756f072718e9313e8b19bdd3d25232ec4bf45c973bfd
Instruction ID: b64b59573a3fd3371f828a34fa77614a5c3bb7a92b3f95b9029dd8bff470b84a
Opcode Fuzzy Hash: b4dcf80f696e6f1d5f2c756f072718e9313e8b19bdd3d25232ec4bf45c973bfd
Instruction Fuzzy Hash: F5516EB1940104FBDB04DB94CC46BAE77B5FF51305F2885A8F80A6B242D7719FA1EB92

Function 00167AC0 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 134filepipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeA.KERNEL32(\\.\pipe\WCEServicePipe,00004E20), ref: 00167ADD
CreateFileA.KERNEL32(\\.\pipe\WCEServicePipe,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00167B02
_wprintf.LIBCMT ref: 00167B16

Strings

\\.\pipe\WCEServicePipe, xrefs: 00167AFD
Error: INVALID_HANDLE_VALUE, xrefs: 00167B11
\\.\pipe\WCEServicePipe, xrefs: 00167AD8

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CreateFileNamedPipeWait_wprintf
String ID: Error: INVALID_HANDLE_VALUE$\\.\pipe\WCEServicePipe$\\.\pipe\WCEServicePipe
API String ID: 276255076-2998164799
Opcode ID: aaf7bc6d3a3bdf1c1729f250f15f17fe31abd7a836044f50814e0326ab100dde
Instruction ID: 60aaf01c580a411b371076e0fff3204764765f405a9ca982b80662239deed754
Opcode Fuzzy Hash: aaf7bc6d3a3bdf1c1729f250f15f17fe31abd7a836044f50814e0326ab100dde
Instruction Fuzzy Hash: 7B517171A40209FBDB10EBB0DC4AFED7778AB08704F504598B609A61C1EB749BD4CF50

Function 00168550 Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NTDLL.DLL,?,0016A338), ref: 00168558
LoadLibraryA.KERNEL32(SECUR32.DLL,?,0016A338), ref: 00168568
FreeLibrary.KERNEL32(00000000,?,0016A338), ref: 00168592

Strings

LsaFreeReturnBuffer, xrefs: 00168611
RtlInitString, xrefs: 0016859F
LsaLookupAuthenticationPackage, xrefs: 001685CD
LsaDeregisterLogonProcess, xrefs: 001685FA
SECUR32.DLL, xrefs: 00168563
LsaConnectUntrusted, xrefs: 001685B6
LsaCallAuthenticationPackage, xrefs: 001685E3
NTDLL.DLL, xrefs: 00168553

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Library$Load$Free
String ID: LsaCallAuthenticationPackage$LsaConnectUntrusted$LsaDeregisterLogonProcess$LsaFreeReturnBuffer$LsaLookupAuthenticationPackage$NTDLL.DLL$RtlInitString$SECUR32.DLL
API String ID: 2872008576-4260052665
Opcode ID: 14917991cb3ca9de59ff653fd7dda8c9d7bce5094897ccc6066df23a43dc3046
Instruction ID: c3bd0c858a324c7a99ef4d4b0452d4cd3650058aba96cf37431eeb0508805916
Opcode Fuzzy Hash: 14917991cb3ca9de59ff653fd7dda8c9d7bce5094897ccc6066df23a43dc3046
Instruction Fuzzy Hash: 431196B9950353FFC300AFB0FC4992537B8F70A726B204619F91692AA0FB7096C18F94

Function 00167E30 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00167E48

Part of subcall function 001647A0: GetCurrentProcess.KERNEL32(00000020,00000000), ref: 001647C4
Part of subcall function 001647A0: OpenProcessToken.ADVAPI32(00000000), ref: 001647CB
Part of subcall function 001647A0: CloseHandle.KERNELBASE(00000000), ref: 00164829

GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00167E61

Part of subcall function 00164DC0: FindResourceA.KERNEL32(0016126C,?,BINARY), ref: 00164DD4

_wprintf.LIBCMT ref: 00167E79

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00167E92
WriteFile.KERNEL32(0016832A,00000000,00000008,?,00000000), ref: 00167ED6

Strings

C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 00167E55, 00167E8D
Call GetNTLMCredentials() function, xrefs: 00167E43
Error: Cannot extract auxiliary DLL!, xrefs: 00167E74

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: FileHandleProcess_wprintf$CloseCurrentDeleteFindModuleOpenResourceTokenWrite__ftbuf__output_l__stbuf
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll$Call GetNTLMCredentials() function$Error: Cannot extract auxiliary DLL!
API String ID: 1365154622-1970172050
Opcode ID: 45b86a5510a5af0f7fa38e5ff6343e5fccb2b370411be33f34e0297d312ac4e3
Instruction ID: 7681ca842ab0b64d811640dddf3863d29de7fb306aca1097fbd4b9b7ffd1e58a
Opcode Fuzzy Hash: 45b86a5510a5af0f7fa38e5ff6343e5fccb2b370411be33f34e0297d312ac4e3
Instruction Fuzzy Hash: F0518075A00209EFDB04EF94EC99FAE77B4EF54304F144568F909A7281DB70AA94CF91

Function 00161000 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 134COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016102C
__snprintf.LIBCMT ref: 00161049
_wprintf.LIBCMT ref: 0016105D
_wprintf.LIBCMT ref: 00161081

Strings

Error: cannot generate LM Hash., xrefs: 0016107C
%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X, xrefs: 001611B1
Password: %s, xrefs: 00161058
%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X, xrefs: 00161117
Hashes: , xrefs: 001610BA
Error: cannot generate NT Hash., xrefs: 001610A8

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__snprintf_memset
String ID: Password: %s$%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X$%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X$Error: cannot generate LM Hash.$Error: cannot generate NT Hash.$Hashes:
API String ID: 3072940087-2501730538
Opcode ID: 7e25b44646040fb499d228e7da6103aa5abcfe3219d7660bac06e221cc470052
Instruction ID: 524cdaca9433ffe6845996614b717c9a76a61035aaf4ecd5abab2a88744aa28b
Opcode Fuzzy Hash: 7e25b44646040fb499d228e7da6103aa5abcfe3219d7660bac06e221cc470052
Instruction Fuzzy Hash: 724144E29081E875CB2597E65C22AFEBAF90F5E701F4880D9B6D960182E63C87509F71

Function 001636E0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 111sleepCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 001636F4
_wprintf.LIBCMT ref: 0016370A
Sleep.KERNEL32(000007D0,?,?,?,?,?,?,001612B4), ref: 0016371E
_wprintf.LIBCMT ref: 00163742
_wprintf.LIBCMT ref: 00163764
_malloc.LIBCMT ref: 001637AB
_memmove.LIBCMT ref: 001637E6
_memmove.LIBCMT ref: 00163803
__snprintf.LIBCMT ref: 00163818
__snprintf.LIBCMT ref: 00163839
_free.LIBCMT ref: 00163856

Strings

Error: cannot start & run WCE service, xrefs: 00163705
Install & Run Windows WCE Service.., xrefs: 001636EF
Error: cannot get credentials from WCE Service, xrefs: 0016373D
Stop & Uninstall Windows WCE Service.., xrefs: 0016375F

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__snprintf_memmove$Sleep_free_malloc
String ID: Error: cannot get credentials from WCE Service$Error: cannot start & run WCE service$Install & Run Windows WCE Service..$Stop & Uninstall Windows WCE Service..
API String ID: 1585808594-2717280290
Opcode ID: fa0e38ac8dd5934f6d47c63efea8d3ff14325c14a10f3f0fa2618a332a511c2a
Instruction ID: bf88d49a485cfcd75229f40d814e78a2cec6d0a8e3143973569789ac0aba7cb9
Opcode Fuzzy Hash: fa0e38ac8dd5934f6d47c63efea8d3ff14325c14a10f3f0fa2618a332a511c2a
Instruction Fuzzy Hash: D041D4F0D00209ABDB04EB94DC47BBF7770AF60308F144128E51567282E7759BA48B92

Function 00167190 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(bcrypt.dll,?,?,001672A5), ref: 001671AF

Strings

BCryptEncrypt, xrefs: 00167215
BCryptGetProperty, xrefs: 001671ED
bcrypt.dll, xrefs: 001671AA
BCryptDecrypt, xrefs: 00167229
BCryptOpenAlgorithmProvider, xrefs: 001671C5
BCryptSetProperty, xrefs: 001671D9
BCryptGenerateSymmetricKey, xrefs: 00167201

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: LibraryLoad
String ID: BCryptDecrypt$BCryptEncrypt$BCryptGenerateSymmetricKey$BCryptGetProperty$BCryptOpenAlgorithmProvider$BCryptSetProperty$bcrypt.dll
API String ID: 1029625771-645198769
Opcode ID: 2d210d76f39778ca750b6c13fc9594488d5a525a6fc08f0e293ce74ca6d565a0
Instruction ID: a5d2f513029ef11cd9c1e2ea317e562d4ceb5ada46362bd00a94d7115330bc21
Opcode Fuzzy Hash: 2d210d76f39778ca750b6c13fc9594488d5a525a6fc08f0e293ce74ca6d565a0
Instruction Fuzzy Hash: D8213AB9904246EFEB10DBA0ED0876977B9F746309F210659F40192AA0F7758BC1DF90

Function 001615F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00161689
_memcmp.LIBCMT ref: 001616AA

Strings

something terrible happened! could not allocate memory for new list!, xrefs: 001616FE

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _memcmp
String ID: something terrible happened! could not allocate memory for new list!
API String ID: 2931989736-2067920347
Opcode ID: 4c8197fcbb072fde2709202efc7a64746e46252fd72051639bc2a9f5783ca411
Instruction ID: 95fef42586c01f1dd638bcaa5a9a3665bcb50436295fe3e037ccb34a16459b33
Opcode Fuzzy Hash: 4c8197fcbb072fde2709202efc7a64746e46252fd72051639bc2a9f5783ca411
Instruction Fuzzy Hash: B3718FB4E00209EBDB04DF58DD85BBE73B5FF54304F188628E905A7381D774AAA0CB94

Function 0016A080 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 168COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 0016A0B6
_memset.LIBCMT ref: 0016A0CD
_wprintf.LIBCMT ref: 0016A104

Strings

%d kerberos tickets saved to file 'wce_ccache'., xrefs: 0016A269
%d kerberos tickets saved to file 'wce_krbtkts'., xrefs: 0016A27A
Error: cannot access LSA, xrefs: 0016A0B1
wce_krbtkts, xrefs: 0016A23E
Ticket #%d, xrefs: 0016A1B8
Error: cannot find Kerberos auth package, xrefs: 0016A0FF
Kerberos, xrefs: 0016A0D5

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$_memset
String ID: %d kerberos tickets saved to file 'wce_ccache'.$%d kerberos tickets saved to file 'wce_krbtkts'.$Error: cannot access LSA$Error: cannot find Kerberos auth package$Kerberos$Ticket #%d$wce_krbtkts
API String ID: 4245733127-468912919
Opcode ID: a14817490c128ca6781d538a23bea83fb4652b4e6677ce0325bed0ed923aa3f0
Instruction ID: f50f3294252fd446176dbb51a6453b6ea82b6d2e39a65256f8c52842b6c6010c
Opcode Fuzzy Hash: a14817490c128ca6781d538a23bea83fb4652b4e6677ce0325bed0ed923aa3f0
Instruction Fuzzy Hash: 4E613BB1D00109AFCB04EFE4DC95AEEB7B9BF19304F604519E501B7241EB35AA94CFA2

Function 00167C90 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 98filepipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeA.KERNEL32(\\.\pipe\WCEServicePipe,00004E20), ref: 00167CAD
CreateFileA.KERNEL32(\\.\pipe\WCEServicePipe,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00167CD2
_wprintf.LIBCMT ref: 00167CE6

Strings

Error: INVALID_HANDLE_VALUE, xrefs: 00167CE1
\\.\pipe\WCEServicePipe, xrefs: 00167CCD
\\.\pipe\WCEServicePipe, xrefs: 00167CA8

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CreateFileNamedPipeWait_wprintf
String ID: Error: INVALID_HANDLE_VALUE$\\.\pipe\WCEServicePipe$\\.\pipe\WCEServicePipe
API String ID: 276255076-2998164799
Opcode ID: 75c52050d2902c077f799b585a09a61bc359c9a413ae11778e787095bc85aac2
Instruction ID: 7a1236f2fe1ea012d7939b8c8649b47f4ffa25584b42731d9e6d7e8423c9f8b8
Opcode Fuzzy Hash: 75c52050d2902c077f799b585a09a61bc359c9a413ae11778e787095bc85aac2
Instruction Fuzzy Hash: 2631EC75A54219EFDB20DBA4DC89BADB7B8EF08704F5049A8B50AE61C0D7745BC4CF60

Function 001653A0 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 001653C4

Part of subcall function 0016B63E: __FF_MSGBANNER.LIBCMT ref: 0016B657
Part of subcall function 0016B63E: __NMSG_WRITE.LIBCMT ref: 0016B65E
Part of subcall function 0016B63E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B683

ReadEventLogA.ADVAPI32(00000038,00000000,00000000,00000000,00000038,00000000,00000000), ref: 001653EF
GetLastError.KERNEL32 ref: 001653FD
_wprintf.LIBCMT ref: 001654A5

Part of subcall function 0016D9D6: _malloc.LIBCMT ref: 0016D9E4

_wprintf.LIBCMT ref: 00165434
ReadEventLogA.ADVAPI32(00000038,00000000,0000007A,00000000,00000038,00000000,00000000), ref: 0016546C
GetLastError.KERNEL32 ref: 00165476
_wprintf.LIBCMT ref: 00165488

Strings

Second ReadEventLog failed with %lu., xrefs: 00165483
&, xrefs: 00165496
Failed to reallocate memory for the record buffer (%d bytes)., xrefs: 0016542F
8, xrefs: 001653A6
ReadEventLog failed with %lu., xrefs: 001654A0

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$ErrorEventLastRead_malloc$AllocHeap
String ID: &$8$Failed to reallocate memory for the record buffer (%d bytes).$ReadEventLog failed with %lu.$Second ReadEventLog failed with %lu.
API String ID: 3506726304-2216783070
Opcode ID: a09f8dd075556b843dda20bc3786c48377edbf5d2dfb9c52aff3860688a12382
Instruction ID: 8937e90e96f4ca636a328d936e5b34589766a36817e69ffe9d8a2759d5cb7576
Opcode Fuzzy Hash: a09f8dd075556b843dda20bc3786c48377edbf5d2dfb9c52aff3860688a12382
Instruction Fuzzy Hash: 59310DB5E00109EFCB04DF94DC85AAEB7B9FF58301F108599F91597240EB74AA94CFA1

Function 00166F50 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

BlockLength, xrefs: 00167020
ChainingModeCBC, xrefs: 00166FA7
3DES, xrefs: 00166F7B
ObjectLength, xrefs: 00166FE6
ChainingMode, xrefs: 00166FAC

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: 3DES$BlockLength$ChainingMode$ChainingModeCBC$ObjectLength
API String ID: 0-2391730222
Opcode ID: 7b43c438774956f8e3a4cd69472c6c8aca4b19bb323904b19f3aff660b81d566
Instruction ID: ce46403d1c93d0c6f83d1a73d410a34cbb3a1a3273e180b7c65d1b6d080f104a
Opcode Fuzzy Hash: 7b43c438774956f8e3a4cd69472c6c8aca4b19bb323904b19f3aff660b81d566
Instruction Fuzzy Hash: E25183B190421AABDB34DB60DC55FFAB378AB08300F1085E9B10AA6580EB709FD4DF60

Function 001611E0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 0016123C
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00161260
_wprintf.LIBCMT ref: 00161278
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00161291
_wprintf.LIBCMT ref: 001612A7
_wprintf.LIBCMT ref: 00161311
_fprintf.LIBCMT ref: 00161339

Part of subcall function 00165DD0: _memset.LIBCMT ref: 00165E1C
Part of subcall function 00165DD0: _wprintf.LIBCMT ref: 00165E3B
Part of subcall function 00165DD0: _wprintf.LIBCMT ref: 00165E94

Strings

Using WCE Windows Service..., xrefs: 001612A2
Forced Safe Mode Error: cannot read credentials using 'safe mode'., xrefs: 00161237
Error: Cannot extract auxiliary DLL!, xrefs: 00161273
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 00161254, 0016128C

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$DeleteFileHandleModule_fprintf_memset
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll$Error: Cannot extract auxiliary DLL!$Forced Safe Mode Error: cannot read credentials using 'safe mode'.$Using WCE Windows Service...
API String ID: 3876512577-3791912217
Opcode ID: 217ad25fd70dadb583828425f1e683cf7431e2bc3cbe614d558f71ad555e7aff
Instruction ID: 4052120fcb005dca9917e6f45801bd2701b73e9cdbb12990e2433d8c5faee01e
Opcode Fuzzy Hash: 217ad25fd70dadb583828425f1e683cf7431e2bc3cbe614d558f71ad555e7aff
Instruction Fuzzy Hash: B03192B5D44204FBD704EB90EC46B2D33B1AB22705F6C822CF819A6651E7319BA4CB52

Function 00167730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(WCE SERVICE,Function_000076B0), ref: 00167783
SetServiceStatus.ADVAPI32(00000000,00184660), ref: 001677B0
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001677BE
SetServiceStatus.ADVAPI32(00000000,00184660), ref: 001677EE
CreateThread.KERNEL32(00000000,00000000,Function_000076A0,00000000,00000000,00000000), ref: 00167803
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00167814
SetServiceStatus.ADVAPI32(00000000,00184660), ref: 00167837
CloseHandle.KERNEL32(00000000), ref: 00167844
SetServiceStatus.ADVAPI32(00000000,00184660), ref: 00167877

Strings

WCE SERVICE, xrefs: 0016777E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$Status$Create$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: WCE SERVICE
API String ID: 535409839-1632131648
Opcode ID: ed1f10b7c51211152c936edb686c0b89b75ebe4676f2bb50abfda3b2bf93d83f
Instruction ID: e1bcd69c0d33f8f730a509515590b5fcd9f7ee184677b623034540ec8c4bf71d
Opcode Fuzzy Hash: ed1f10b7c51211152c936edb686c0b89b75ebe4676f2bb50abfda3b2bf93d83f
Instruction Fuzzy Hash: F631A3B5241302EBE3109F64FC5AF153BB4B786B04F244218F1159AAE0EBB497C5CBA4

Function 00167290 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

Strings

3DES, xrefs: 001672BB
K, xrefs: 00167364
I, xrefs: 0016736C
ObjectLength, xrefs: 0016730E
ChainingMode, xrefs: 001672E3
ChainingModeCBC, xrefs: 001672DE

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: 3DES$ChainingMode$ChainingModeCBC$I$K$ObjectLength
API String ID: 0-3285708808
Opcode ID: 81e6a478cc2ee7297f1554c8de0e8809b2bf793c1fccc1a9aa391bb4d1f3c128
Instruction ID: 5c1bf91cce13c9dc53c1a26dd8b78bde940cb5576b536742b56f65ff40e319aa
Opcode Fuzzy Hash: 81e6a478cc2ee7297f1554c8de0e8809b2bf793c1fccc1a9aa391bb4d1f3c128
Instruction Fuzzy Hash: BB41FAB1E04209EFDB04DFE4DD85BEDBBB5BB48318F244419E902B7280E774A994DB64

Function 00168180 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00168308,?,00000004,?,00000000,?,?,?,?,?,?,00168308,?,?,?), ref: 00168196
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001681CA
_wprintf.LIBCMT ref: 001681E2
WriteFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 00168209

Strings

C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 001681BE, 00168226
Error: Cannot extract auxiliary DLL!, xrefs: 001681DD

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: File$HandleModuleReadWrite_wprintf
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll$Error: Cannot extract auxiliary DLL!
API String ID: 1724720484-1674787540
Opcode ID: 8e32c27c17f5f73d077d035bd214fd97a1a1b0aa23057290907a9ed6f122912d
Instruction ID: 3f07aa0f9ae816a74c24b1416e6f5472e420223a2ba9777fc161bf6ae3f1b1b0
Opcode Fuzzy Hash: 8e32c27c17f5f73d077d035bd214fd97a1a1b0aa23057290907a9ed6f122912d
Instruction Fuzzy Hash: 433123B5D40209EFEB00DFE4DC49BEE7BB8AB18705F108558FA05A6281DB749794CBE1

Function 001693D0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 001693EE
_wprintf.LIBCMT ref: 00169409

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 00169416
_wprintf.LIBCMT ref: 0016944E
_wprintf.LIBCMT ref: 0016945D

Strings

Value: , xrefs: 00169411
%.2x , xrefs: 00169449
Length: (%d) (%xh), xrefs: 00169404
KeyType: (%s) (%xh), xrefs: 001693E9

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__ftbuf__output_l__stbuf
String ID: KeyType: (%s) (%xh)$Length: (%d) (%xh)$Value: $%.2x
API String ID: 2991887721-2535179509
Opcode ID: 11062f84fe279af56e9de4e6fe0c324837470d4c70bdfca05f48cd4c2e06f117
Instruction ID: 15c1d2b245c8b43df82df1b83ea2584464f13bf13d0ea16a641b914b105d34a5
Opcode Fuzzy Hash: 11062f84fe279af56e9de4e6fe0c324837470d4c70bdfca05f48cd4c2e06f117
Instruction Fuzzy Hash: 131130B5A40204BBCB04EF84DD42C697779AFA4314F15C194F8495B342E731EE61CF92

Function 00168050 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000224,?,00000000), ref: 0016807C
GetModuleHandleA.KERNEL32(00000000,00008A8A,C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001680A9
_wprintf.LIBCMT ref: 001680C1

Strings

Error: Cannot extract auxiliary DLL!, xrefs: 001680BC
C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 0016809D, 00168113

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: FileHandleModuleRead_wprintf
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll$Error: Cannot extract auxiliary DLL!
API String ID: 2601644046-1674787540
Opcode ID: 088d9e5b7d71491f7f207b42dc717e31beebb1892ba5ff846302ae54ac2bdef2
Instruction ID: 71eb2b5ec73c7c613d6f41b79558676a772554d336d94ad9bbdeccc26febf982
Opcode Fuzzy Hash: 088d9e5b7d71491f7f207b42dc717e31beebb1892ba5ff846302ae54ac2bdef2
Instruction Fuzzy Hash: 7A316471D00218EFDB14DFA4DC49BEE77B8EB18704F104598F60DA6181EB74AA94CFA1

Function 00165960 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

SystemFunction007, xrefs: 001659A8
advapi32.dll, xrefs: 0016598D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: SystemFunction007$advapi32.dll
API String ID: 0-3703967615
Opcode ID: 547696176731eebd45f3179a0fb3adef3ce425c171b21420484998411a30ac50
Instruction ID: efd54985172aa611401e95664185f2f2dd972415b9eafcbbf16227fd522557aa
Opcode Fuzzy Hash: 547696176731eebd45f3179a0fb3adef3ce425c171b21420484998411a30ac50
Instruction Fuzzy Hash: 80213975D0020CEFDB14DFE0CC89BEE77B5AB18314F408569A416A7280EB749694CF91

Function 00166E70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(LSASRV.DLL), ref: 00166E94
_malloc.LIBCMT ref: 00166EAE
_memmove.LIBCMT ref: 00166EDA
_memmove.LIBCMT ref: 00166EF9
_memmove.LIBCMT ref: 00166F1F
_free.LIBCMT ref: 00166F2B

Part of subcall function 0016B604: HeapFree.KERNEL32(00000000,00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B61A
Part of subcall function 0016B604: GetLastError.KERNEL32(00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7,?), ref: 0016B62C

FreeLibrary.KERNEL32(000000FF), ref: 00166F37

Strings

LSASRV.DLL, xrefs: 00166E8F

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _memmove$FreeLibrary$ErrorHeapLastLoad_free_malloc
String ID: LSASRV.DLL
API String ID: 2360547179-957653126
Opcode ID: 59a4a29da392afe7492cf4c6dc39c02e5e765f2d984ff34adbd71f40c1e98c9c
Instruction ID: 910acaf6777e0417851b86d265f22d63daca47a1418086af921b2b8bb88fefdb
Opcode Fuzzy Hash: 59a4a29da392afe7492cf4c6dc39c02e5e765f2d984ff34adbd71f40c1e98c9c
Instruction Fuzzy Hash: 652162B5D04209FBCB04DFA4EC89AAE73B4AB58300F108568F915D7241E7359AA0CF95

Function 00165870 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

SystemFunction006, xrefs: 001658B8
advapi32.dll, xrefs: 0016589D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: SystemFunction006$advapi32.dll
API String ID: 0-1103752713
Opcode ID: 8cb80407ac28b7c3d178e8ce99adae2a4a97bee1de3cb4f41e7e2a5b88ade170
Instruction ID: 2b91e05346b1dacfedd519be2fce88ab9ccc3aa962868500fd24a5f90b872991
Opcode Fuzzy Hash: 8cb80407ac28b7c3d178e8ce99adae2a4a97bee1de3cb4f41e7e2a5b88ade170
Instruction Fuzzy Hash: 3F217F74900209EBDB14DB60CC49BED73B9AF18318F5085A8E54AA7181EBB49FD4DF90

Function 001692F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00169312
_wprintf.LIBCMT ref: 00169327

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 00169334
_wprintf.LIBCMT ref: 0016935F
_wprintf.LIBCMT ref: 001693B3

Strings

NameCount: %u, xrefs: 00169322
Names, xrefs: 0016932F
NameType: (%s) %d, xrefs: 0016930D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__ftbuf__output_l__stbuf
String ID: NameCount: %u$NameType: (%s) %d$Names
API String ID: 2991887721-1433487181
Opcode ID: 248f9bf6449e618b56161ea4f4a67f357702b181f58460372947bdbe5c56afe9
Instruction ID: 7b8a2ad77ede21eb4cc7b382d1f2032bfa2b6a0cfc1049757865719f04059668
Opcode Fuzzy Hash: 248f9bf6449e618b56161ea4f4a67f357702b181f58460372947bdbe5c56afe9
Instruction Fuzzy Hash: 332150B1D00209EBCB04EFA4CC4297D77B5BFA4705F1580A9E8055B381F775AA61DB92

Function 00163590 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001635B1
_memset.LIBCMT ref: 001635C7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001635DD
__snprintf.LIBCMT ref: 001635FF
Sleep.KERNEL32(00000064), ref: 0016362C

Part of subcall function 00167590: OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 001675A3
Part of subcall function 00167590: OpenServiceA.ADVAPI32(00000000,00000001,00000014), ref: 001675BC
Part of subcall function 00167590: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 001675D3
Part of subcall function 00167590: CloseServiceHandle.ADVAPI32(00000000), ref: 001675E0
Part of subcall function 00167590: CloseServiceHandle.ADVAPI32(00000000), ref: 001675F3

Strings

WCE SERVICE, xrefs: 00163632
%s -S, xrefs: 001635EE
WCE SERVICE, xrefs: 0016360E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$CloseHandleOpen_memset$FileManagerModuleNameSleepStart__snprintf
String ID: %s -S$WCE SERVICE$WCE SERVICE
API String ID: 66998917-898484323
Opcode ID: 3a483db7ec593af3562d54dc72a4b94ad2cc934b2a7efe1388963504f199d9d7
Instruction ID: de8673911a95fe2c4c2869af9e815beb7b2e69abe58815e3878435e165c9293d
Opcode Fuzzy Hash: 3a483db7ec593af3562d54dc72a4b94ad2cc934b2a7efe1388963504f199d9d7
Instruction Fuzzy Hash: F0118671E4021CABD714EB90DC4BBE97775AF18B04F400499F71D66182F7B15B988FA2

Function 00165300 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetOldestEventLogRecord.ADVAPI32(00000000,00000000), ref: 0016531C
GetLastError.KERNEL32 ref: 00165326
_wprintf.LIBCMT ref: 00165332
GetNumberOfEventLogRecords.ADVAPI32(00000000,00000000), ref: 00165346
GetLastError.KERNEL32 ref: 00165350
_wprintf.LIBCMT ref: 0016535C

Strings

GetOldestEventLogRecord failed with %lu., xrefs: 0016532D
GetOldestEventLogRecord failed with %lu., xrefs: 00165357

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: ErrorEventLast_wprintf$NumberOldestRecordRecords
String ID: GetOldestEventLogRecord failed with %lu.$GetOldestEventLogRecord failed with %lu.
API String ID: 1871152013-377973058
Opcode ID: 1ab379d73e96e429aa544fdb7be266ff8e5e139c12170c2b04e21697cb939ccc
Instruction ID: b4f888d4197b7b5ebaca4c1a85ed20ca80760571fe131e95220bef31966c64ba
Opcode Fuzzy Hash: 1ab379d73e96e429aa544fdb7be266ff8e5e139c12170c2b04e21697cb939ccc
Instruction Fuzzy Hash: 7A113574A00208EFCB04EFA8CC44A9DBBB9EF49744F518158E9098B340E771DA94CBA1

Function 0016A2A0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(wce_ccache,?,00162C33), ref: 0016A2AB
DeleteFileA.KERNEL32(wce_krbtkts,?,00162C33), ref: 0016A2B6

Part of subcall function 00169550: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Lsa\Kerberos\Parameters,00000000,00000001,?,?,?,?,?,0016A2D2), ref: 00169568

_wprintf.LIBCMT ref: 0016A30D

Part of subcall function 00169470: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Lsa\Kerberos\Parameters,00000000,00000002,?,?,?,?,?,0016A2DB), ref: 00169488

_wprintf.LIBCMT ref: 0016A2E4

Strings

Done!, xrefs: 0016A308
wce_ccache, xrefs: 0016A2A6
Warning: I will not be able to extract the TGT session key, xrefs: 0016A2DF
wce_krbtkts, xrefs: 0016A2B1

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: DeleteFileOpen_wprintf
String ID: Done!$Warning: I will not be able to extract the TGT session key$wce_ccache$wce_krbtkts
API String ID: 427953825-4233650052
Opcode ID: b2d20972d53865a4c76976bbdb43ff1ab4dcb843a420da1a2791bdae2a5a9216
Instruction ID: 921e7e0b1e012ec60e334147e03cc6ca259f9bb1522e4a13134cef13947f436c
Opcode Fuzzy Hash: b2d20972d53865a4c76976bbdb43ff1ab4dcb843a420da1a2791bdae2a5a9216
Instruction Fuzzy Hash: 62F05E709C0204DBD7017BB49D0A75D76686F21309F508098FD0962282FB764AA4CFE3

Function 00163960 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 235COMMON

Download Yara Rule

APIs

__wgetenv.LIBCMT ref: 00163A99
_fprintf.LIBCMT ref: 00163B65

Strings

%s: option requires an argument -- %c, xrefs: 00163CA2
POSIXLY_CORRECT, xrefs: 00163A94
?, xrefs: 00163C85
%s: invalid option -- %c, xrefs: 00163B57

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: __wgetenv_fprintf
String ID: %s: invalid option -- %c$%s: option requires an argument -- %c$?$POSIXLY_CORRECT
API String ID: 699729447-850619729
Opcode ID: 7fe148f2c3a4e112c4885549a0a3f916c6c9b7647fa03e92138e8150aa6ecf7b
Instruction ID: 0309fc412075002a20bd94f7d6979fec783a47707e50856dd72a172c50e5aceb
Opcode Fuzzy Hash: 7fe148f2c3a4e112c4885549a0a3f916c6c9b7647fa03e92138e8150aa6ecf7b
Instruction Fuzzy Hash: 4FB157B4A00245DFDB18EF58EC90A6977F2FB46704F288249F8259B791C731ABA5CF41

Function 001654C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 001653A0: _malloc.LIBCMT ref: 001653C4
Part of subcall function 001653A0: ReadEventLogA.ADVAPI32(00000038,00000000,00000000,00000000,00000038,00000000,00000000), ref: 001653EF
Part of subcall function 001653A0: GetLastError.KERNEL32 ref: 001653FD
Part of subcall function 001653A0: _wprintf.LIBCMT ref: 00165434

_wprintf.LIBCMT ref: 0016550B
_free.LIBCMT ref: 0016551D

Part of subcall function 0016B604: HeapFree.KERNEL32(00000000,00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B61A
Part of subcall function 0016B604: GetLastError.KERNEL32(00000000,?,00170C54,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7,?), ref: 0016B62C

Part of subcall function 001653A0: ReadEventLogA.ADVAPI32(00000038,00000000,0000007A,00000000,00000038,00000000,00000000), ref: 0016546C
Part of subcall function 001653A0: GetLastError.KERNEL32 ref: 00165476
Part of subcall function 001653A0: _wprintf.LIBCMT ref: 00165488

_free.LIBCMT ref: 0016558F
_wprintf.LIBCMT ref: 001655C0
_free.LIBCMT ref: 001655D2

Strings

ReadRecord sequential failed., xrefs: 001655BB
ReadRecord (priming read) failed., xrefs: 00165506

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$ErrorLast_free$EventRead$FreeHeap_malloc
String ID: ReadRecord (priming read) failed.$ReadRecord sequential failed.
API String ID: 2215106706-2447787395
Opcode ID: c879f2da7b41acd0c9187ffa59687935e43780945ff1e195426807d786d65c99
Instruction ID: 0d9ef108abab11fd20ee4afa6eb196856b476681ff16e55e4d5d48f3c38600ad
Opcode Fuzzy Hash: c879f2da7b41acd0c9187ffa59687935e43780945ff1e195426807d786d65c99
Instruction Fuzzy Hash: 81313CB1D0060AABEB14DF94DC4E7AF7B73AB10304F510518E1066B281D7B5DAA4CBD2

Function 00169550 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Lsa\Kerberos\Parameters,00000000,00000001,?,?,?,?,?,0016A2D2), ref: 00169568
RegQueryValueExA.ADVAPI32(?,allowtgtsessionkey,00000000,?,00000000,00000004), ref: 001695A0
RegCloseKey.ADVAPI32(?), ref: 001695AD

Strings

allowtgtsessionkey, xrefs: 00169597
System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, xrefs: 0016955E
AllowTGTSessionKey: %d, xrefs: 001695CA

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: AllowTGTSessionKey: %d$System\CurrentControlSet\Control\Lsa\Kerberos\Parameters$allowtgtsessionkey
API String ID: 3677997916-1596152800
Opcode ID: 65fc1c7ad1e9eb4442057d88339a36936080b05508f165711e124f6159f388bb
Instruction ID: 7ca83752d137c10afc09c1ca7d8213fd45012822e479f76f15a083a9b0c07077
Opcode Fuzzy Hash: 65fc1c7ad1e9eb4442057d88339a36936080b05508f165711e124f6159f388bb
Instruction Fuzzy Hash: 1911A175940209FFDB15DFA0CC49BFE73BCBB04304F20465AE606A2180E3B18B98CBA1

Function 00169F10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

wce_ccache, xrefs: 0016A046
Error: could not convert and save Ticket, xrefs: 0016A05B

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: Error: could not convert and save Ticket$wce_ccache
API String ID: 0-3496376632
Opcode ID: e19e1377b7535cb9f4dcce05c770cee1271a96f720869216abcdf6d8d2239afb
Instruction ID: 60a65a3594fe760c09b695217fbd62604267d8973a4adfa1ed8a615a8d409865
Opcode Fuzzy Hash: e19e1377b7535cb9f4dcce05c770cee1271a96f720869216abcdf6d8d2239afb
Instruction Fuzzy Hash: DC413BB590020AEFCB04DF94D985BAFB7B4BF48304F208558E905AB391D775DA91CFA2

Function 00169DC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

wce_krbtkts, xrefs: 00169EE0
Error: cannot save ticket in WCE Windows format, xrefs: 00169EF5

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: Error: cannot save ticket in WCE Windows format$wce_krbtkts
API String ID: 0-751244346
Opcode ID: 8552621cf4d75072456407c77dc8739529eb06c4f9b5e2e26e425ccf6abc380f
Instruction ID: 549fbbdb8c8e7bf47fdca2baea78d4a2b4b8ee34bc611f27840c9199088c3990
Opcode Fuzzy Hash: 8552621cf4d75072456407c77dc8739529eb06c4f9b5e2e26e425ccf6abc380f
Instruction Fuzzy Hash: D9414CB590020AEFCB04DF94D994BAFB7B8BF48305F208558E905AB341E735DA95CFA1

Function 0016D1EC Relevance: 10.6, APIs: 7, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,0016D2F0,00162B45,0017DC80,0000000C,0016D31C,00162B45,?,00162B45), ref: 0016D201
DecodePointer.KERNEL32(?,?,?,?,?,0016D2F0,00162B45,0017DC80,0000000C,0016D31C,00162B45,?,00162B45), ref: 0016D20E
__realloc_crt.LIBCMT ref: 0016D24B
__realloc_crt.LIBCMT ref: 0016D261
EncodePointer.KERNEL32(00000000,?,?,?,?,?,0016D2F0,00162B45,0017DC80,0000000C,0016D31C,00162B45,?,00162B45), ref: 0016D273
EncodePointer.KERNEL32(00162B45,?,?,?,?,?,0016D2F0,00162B45,0017DC80,0000000C,0016D31C,00162B45,?,00162B45), ref: 0016D287
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,0016D2F0,00162B45,0017DC80,0000000C,0016D31C,00162B45,?,00162B45), ref: 0016D28F

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: f02dfab30213200fd521806d94502075b3261fa52b6d02bd7a8bad8869a8ca8a
Instruction ID: 790b2ee2de6b82339cb02161149b6e93e317cf4558ddc00dc907c8dddbe48451
Opcode Fuzzy Hash: f02dfab30213200fd521806d94502075b3261fa52b6d02bd7a8bad8869a8ca8a
Instruction Fuzzy Hash: 0511D332A04215AFDB105F75ECE089A7BE9EB40360321443EF809E7520EB71ED948B94

Function 00165260 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00165300: GetOldestEventLogRecord.ADVAPI32(00000000,00000000), ref: 0016531C
Part of subcall function 00165300: GetLastError.KERNEL32 ref: 00165326
Part of subcall function 00165300: _wprintf.LIBCMT ref: 00165332

_wprintf.LIBCMT ref: 00165292
_wprintf.LIBCMT ref: 001652C6
_free.LIBCMT ref: 001652D8

Strings

ReadRecord failed seeking to record %lu., xrefs: 001652C1
GetLastRecordNumber failed., xrefs: 0016528D

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$ErrorEventLastOldestRecord_free
String ID: GetLastRecordNumber failed.$ReadRecord failed seeking to record %lu.
API String ID: 3573976781-2818593916
Opcode ID: fdb9a0384905364435e1ed78872882afb17f5a86a78ae7fbe22d18bd09d0a26f
Instruction ID: 563baa99eeb40970b38a5754ec80336842cf0225b43d16d19b24c14bfb77c5dd
Opcode Fuzzy Hash: fdb9a0384905364435e1ed78872882afb17f5a86a78ae7fbe22d18bd09d0a26f
Instruction Fuzzy Hash: 25118EB5D0020CFBDB10EBE4DC46B9E7779AB24304F1084A8E905A7241E775ABA4CF92

Function 001629C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001629DF
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001629EE
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 001629FD
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00162A0C
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\wceaux.dll), ref: 00162A1B

Strings

C:\Users\user\AppData\Local\Temp\wceaux.dll, xrefs: 001629DA, 001629E9, 001629F8, 00162A07, 00162A16

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: DeleteFile
String ID: C:\Users\user\AppData\Local\Temp\wceaux.dll
API String ID: 4033686569-3091589033
Opcode ID: cdd5cbc53207faf20c0034574912c63859d66d10cc9a3f77a975acd68607dcca
Instruction ID: cebfca258de19ae06b42c9b5320e5d159a2ae649e7aafda2d0db6d3fadeb605e
Opcode Fuzzy Hash: cdd5cbc53207faf20c0034574912c63859d66d10cc9a3f77a975acd68607dcca
Instruction Fuzzy Hash: FEF03630A35525EBC315ABF0AC155A97BB0DB0D743F568454F00AD6850EBB087909FA1

Function 00165B70 Relevance: 9.2, APIs: 6, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00165B98
_strncpy.LIBCMT ref: 00165BAA

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _memset_strncpy
String ID:
API String ID: 3140232205-0
Opcode ID: aa5a17baead55dae8e5e9509481a2ff16e1e5181bf3767bec869037eb8480d79
Instruction ID: 3b17210738719fd139d1c9c5c7f392975c93c94737db8f5f2c1ffd5f1fafa4ca
Opcode Fuzzy Hash: aa5a17baead55dae8e5e9509481a2ff16e1e5181bf3767bec869037eb8480d79
Instruction Fuzzy Hash: 01711970D0461ADFCF18CFD4CC886AEB7B2FB54304F21856AE8166B281D7719AA4DF91

Function 00167F05 Relevance: 9.1, APIs: 6, Instructions: 83fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00167F2B
__snprintf.LIBCMT ref: 00167F71
__snprintf.LIBCMT ref: 00167FA3
_memmove.LIBCMT ref: 00167FC9
_memmove.LIBCMT ref: 00167FEF
WriteFile.KERNEL32(00000000,?,00000224,?,00000000), ref: 0016800D
FlushFileBuffers.KERNEL32(00000000), ref: 0016802A

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: File__snprintf_memmove$BuffersFlushWrite_memset
String ID:
API String ID: 3037722120-0
Opcode ID: 4b903717b8b84c4049c56785673735442c0d5023e219b2a6b1bd246799f7c73a
Instruction ID: 4b80a034bc0ed9db88c6180e66a0480c8d409c7d027c8a7a4d78a98ca943f994
Opcode Fuzzy Hash: 4b903717b8b84c4049c56785673735442c0d5023e219b2a6b1bd246799f7c73a
Instruction Fuzzy Hash: 38316E75A00108EBD714DF44EC95FBD73B5EF48309F048698EA0967782DB31AA95CF80

Function 0017163E Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0017164A

Part of subcall function 00170C63: __getptd_noexit.LIBCMT ref: 00170C66
Part of subcall function 00170C63: __amsg_exit.LIBCMT ref: 00170C73

__amsg_exit.LIBCMT ref: 0017166A
__lock.LIBCMT ref: 0017167A
InterlockedDecrement.KERNEL32(?), ref: 00171697
_free.LIBCMT ref: 001716AA
InterlockedIncrement.KERNEL32(014B1670), ref: 001716C2

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c8edeec441a189e79b8596109b99bcc7726e1230f0b72720381ed7696c1e19b4
Instruction ID: 4e72164759b96e1e799b176f6524862ee51f9164df23ce09a3639a69a076bb31
Opcode Fuzzy Hash: c8edeec441a189e79b8596109b99bcc7726e1230f0b72720381ed7696c1e19b4
Instruction Fuzzy Hash: F6016132901711BBCB32AF289846B5D7770BF15720F188119F808A7691DBB469C1CFD5

Function 00169470 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Lsa\Kerberos\Parameters,00000000,00000002,?,?,?,?,?,0016A2DB), ref: 00169488
RegSetValueExA.ADVAPI32(?,allowtgtsessionkey,00000000,00000004,00000001,00000004), ref: 001694C7
RegCloseKey.ADVAPI32(?), ref: 001694D4

Strings

allowtgtsessionkey, xrefs: 001694BE
System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, xrefs: 0016947E

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CloseOpenValue
String ID: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters$allowtgtsessionkey
API String ID: 779948276-1352724389
Opcode ID: c6affb6990e5cd8a05ab76dadc742b15c8b39df0bab45eae69353187ad0e741d
Instruction ID: e878c2b4dfffb5f9bddd0d96372e21c946bbe191c530c038e8c51eb23f9f42dd
Opcode Fuzzy Hash: c6affb6990e5cd8a05ab76dadc742b15c8b39df0bab45eae69353187ad0e741d
Instruction Fuzzy Hash: 2F014BB5900209FBDB14DFE4CD09BAEB7B8BB04704F204659EA05B6280D7B55A85CBA0

Function 001638E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00163590: _memset.LIBCMT ref: 001635B1
Part of subcall function 00163590: _memset.LIBCMT ref: 001635C7
Part of subcall function 00163590: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001635DD
Part of subcall function 00163590: __snprintf.LIBCMT ref: 001635FF
Part of subcall function 00163590: Sleep.KERNEL32(00000064), ref: 0016362C

_wprintf.LIBCMT ref: 001638F2

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

Sleep.KERNEL32(000007D0,?,?,00162834,?,?,?,?,?,?,?), ref: 00163906
_wprintf.LIBCMT ref: 00163936

Strings

Error: cannot start & run WCE service, xrefs: 001638ED
Error: cannot delete credentials using WCE Service, xrefs: 00163931

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Sleep_memset_wprintf$FileModuleName__snprintf_doexit
String ID: Error: cannot delete credentials using WCE Service$Error: cannot start & run WCE service
API String ID: 326890480-3275841638
Opcode ID: 6bca16689f0748879bc2a1aa446f2e45f0fd3c9a9585fc84021f76931df7fe9e
Instruction ID: 23fa31c374ae4a6472033c936a2e2f8591d64ee97b7b24c88a42caa7f9854a83
Opcode Fuzzy Hash: 6bca16689f0748879bc2a1aa446f2e45f0fd3c9a9585fc84021f76931df7fe9e
Instruction Fuzzy Hash: E6F062B1A44208BBCB50FFA49C42B5F36786F28718F104158F91D93282EB75DB608BA2

Function 001694F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Lsa\Kerberos\Parameters,00000000,00000002,?,?,0016A308), ref: 00169508
RegDeleteValueA.ADVAPI32(?,allowtgtsessionkey), ref: 00169524
RegCloseKey.ADVAPI32(?), ref: 00169531

Strings

System\CurrentControlSet\Control\Lsa\Kerberos\Parameters, xrefs: 001694FE
allowtgtsessionkey, xrefs: 0016951B

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: System\CurrentControlSet\Control\Lsa\Kerberos\Parameters$allowtgtsessionkey
API String ID: 849931509-1352724389
Opcode ID: 2eacd790ad083dc2dc66e3336fec0d7a60825a4de200fc2ec7744644cc2776c0
Instruction ID: 94506e545eae480a3b0dbf319f62994e645b20bc7aa31d1c7c77f7c3fd91f7dc
Opcode Fuzzy Hash: 2eacd790ad083dc2dc66e3336fec0d7a60825a4de200fc2ec7744644cc2776c0
Instruction Fuzzy Hash: F6F08234A01208FBDB14DFB4DD09BAD777CA704701F1046A9B906A3280E7705AD1DB90

Function 00163870 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00163590: _memset.LIBCMT ref: 001635B1
Part of subcall function 00163590: _memset.LIBCMT ref: 001635C7
Part of subcall function 00163590: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001635DD
Part of subcall function 00163590: __snprintf.LIBCMT ref: 001635FF
Part of subcall function 00163590: Sleep.KERNEL32(00000064), ref: 0016362C

_wprintf.LIBCMT ref: 00163882

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

Sleep.KERNEL32(000007D0,?,?,0016343A,?), ref: 00163896
_wprintf.LIBCMT ref: 001638B6

Strings

Error: cannot start & run WCE service, xrefs: 0016387D
Error: cannot delete credentials using WCE Service, xrefs: 001638B1

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Sleep_memset_wprintf$FileModuleName__snprintf_doexit
String ID: Error: cannot delete credentials using WCE Service$Error: cannot start & run WCE service
API String ID: 326890480-3275841638
Opcode ID: 4bb340a5521738c59a01a919e721392e15c48f245d827a0cfd4c5f0a66f57566
Instruction ID: 13c6661b402a9c80f3a73b7e94e8d8e31754b3c768b8975181ad5a8a47436261
Opcode Fuzzy Hash: 4bb340a5521738c59a01a919e721392e15c48f245d827a0cfd4c5f0a66f57566
Instruction Fuzzy Hash: 54E06DA1D48308BBDA507BB09C0BB5E36785F34715F500160FD1DAA282FB769BB44AE3

Function 00167DF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 18pipeCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00167DF8
FlushFileBuffers.KERNEL32(?,00000000), ref: 00167E04
DisconnectNamedPipe.KERNEL32(?), ref: 00167E0E
CloseHandle.KERNEL32(?), ref: 00167E18

Part of subcall function 0016B06C: _doexit.LIBCMT ref: 0016B078

Strings

Shutdown, xrefs: 00167DF3

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: BuffersCloseDisconnectFileFlushHandleNamedPipe_doexit_wprintf
String ID: Shutdown
API String ID: 505104530-3319367026
Opcode ID: 7c30fe85df421341e7c6cc956f912f5059001eaf01b496401c86b26bae429007
Instruction ID: 9a2fa4537f8077cd08cae52db8a95f9dbe56b7ffa9a4d6a0d7c37b626d5bd8bf
Opcode Fuzzy Hash: 7c30fe85df421341e7c6cc956f912f5059001eaf01b496401c86b26bae429007
Instruction Fuzzy Hash: C2D0127A140204F7CB10AFE0EC4A98A3B38AB64741F508418F90D46651DB35D5D48BE1

Function 0016E34B Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016E3A6
_memcpy_s.LIBCMT ref: 0016E417
__read.LIBCMT ref: 0016E47A
__filbuf.LIBCMT ref: 0016E496

Part of subcall function 0016F645: __getptd_noexit.LIBCMT ref: 0016F645

_memset.LIBCMT ref: 0016E4D7

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: d49e911a3980906cf1a1a38c0045879ff791fbb5355fc9613c5dc1b7dc8bb88f
Instruction ID: ed3c93f0874a565cb737744e032b89e762dd306264b1af4429a6d2497a3228c4
Opcode Fuzzy Hash: d49e911a3980906cf1a1a38c0045879ff791fbb5355fc9613c5dc1b7dc8bb88f
Instruction Fuzzy Hash: 9B51D139A00205EBDF249FB9CC446AEBBF1BF50324F258329E82597290DB719E71DB51

Function 0016D9D6 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0016D9E4

Part of subcall function 0016B63E: __FF_MSGBANNER.LIBCMT ref: 0016B657
Part of subcall function 0016B63E: __NMSG_WRITE.LIBCMT ref: 0016B65E
Part of subcall function 0016B63E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00171F01,?,00000001,?,?,00170767,00000018,0017DDA8,0000000C,001707F7), ref: 0016B683

_free.LIBCMT ref: 0016D9F7

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 993a2c52ff561b7df271ac9ee65ab28a795847b08a58de2446bda6da78ee92e7
Instruction ID: 4ccc9b33d421c747918a574ae55404800c12fed15a9e01bc9afea32556e2b9bb
Opcode Fuzzy Hash: 993a2c52ff561b7df271ac9ee65ab28a795847b08a58de2446bda6da78ee92e7
Instruction Fuzzy Hash: AB11A332A0D211ABCB267FB4FD056593BA59FA4374B218539F848D7161DF30CDA1C790

Function 00167610 Relevance: 7.5, APIs: 5, Instructions: 47serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,?,?,?,?,?,?,0016367E,WCE SERVICE), ref: 0016762D
OpenServiceA.ADVAPI32(00000000,00000001,00000024,?,?,?,?,?,?,0016367E,WCE SERVICE), ref: 00167646
ControlService.ADVAPI32(00000000,00000001,?), ref: 0016765F
CloseServiceHandle.ADVAPI32(00000000), ref: 0016766C
CloseServiceHandle.ADVAPI32(00000000), ref: 0016767F

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$CloseHandleOpen$ControlManager
String ID:
API String ID: 2705437689-0
Opcode ID: 33b5b7c4df7353972eb88d2d69dc31350b2848c37d26cd21d08911a43c34c99c
Instruction ID: 0f94fa59b7574391c46c7bc4c2c91155f8d8dac853df595361d7d6bcf4e7c553
Opcode Fuzzy Hash: 33b5b7c4df7353972eb88d2d69dc31350b2848c37d26cd21d08911a43c34c99c
Instruction Fuzzy Hash: 0C11C974E04208EFDB14DFA8D889BDDBBB4AB48705F108558F509AB290D7759A84CFA0

Function 00167590 Relevance: 7.5, APIs: 5, Instructions: 41serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 001675A3
OpenServiceA.ADVAPI32(00000000,00000001,00000014), ref: 001675BC
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 001675D3
CloseServiceHandle.ADVAPI32(00000000), ref: 001675E0
CloseServiceHandle.ADVAPI32(00000000), ref: 001675F3

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID:
API String ID: 1485051382-0
Opcode ID: af7971bdec2c2196fb53a1dae0527daeb1bba81ae4e419e41185acbc27256f83
Instruction ID: d1d1c7418d0da2483f35e36453de8d9537b5ef0a3fd7b7a9fa72784b65d479d1
Opcode Fuzzy Hash: af7971bdec2c2196fb53a1dae0527daeb1bba81ae4e419e41185acbc27256f83
Instruction Fuzzy Hash: B6014F78904208FFDB14DFE4DC49B9DBBB4AB04305F208498F606AB2C0D7759A84DF90

Function 00171DBF Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00171DCB

Part of subcall function 00170C63: __getptd_noexit.LIBCMT ref: 00170C66
Part of subcall function 00170C63: __amsg_exit.LIBCMT ref: 00170C73

__getptd.LIBCMT ref: 00171DE2
__amsg_exit.LIBCMT ref: 00171DF0
__lock.LIBCMT ref: 00171E00
__updatetlocinfoEx_nolock.LIBCMT ref: 00171E14

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 58d537cc064559a47d7ed942da52960ef1e21b416aa9d70bfc02489d4fd0f54a
Instruction ID: c5a6c99e3654881a604708ff7161ae7e77a975de46d47e14d4f202cbaf6e345f
Opcode Fuzzy Hash: 58d537cc064559a47d7ed942da52960ef1e21b416aa9d70bfc02489d4fd0f54a
Instruction Fuzzy Hash: 7CF06D32904711BBD636BBBCE84AB4E76B0AF14B20F11C149F418AA6E2CB645A818F55

Function 00169A36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00169A5A
_wprintf.LIBCMT ref: 00169A67

Part of subcall function 0016A932: __stbuf.LIBCMT ref: 0016A980
Part of subcall function 0016A932: __output_l.LIBCMT ref: 0016A998
Part of subcall function 0016A932: __ftbuf.LIBCMT ref: 0016A9A9

_wprintf.LIBCMT ref: 00169ABD
_wprintf.LIBCMT ref: 00169ACA
_wprintf.LIBCMT ref: 00169B20
_wprintf.LIBCMT ref: 00169B2D
_wprintf.LIBCMT ref: 00169B83
_wprintf.LIBCMT ref: 00169B90
_wprintf.LIBCMT ref: 00169BE6

Part of subcall function 0016DE35: _fputc.LIBCMT ref: 0016DE2C

Strings

Ticket #%d, xrefs: 00169A55
ClientName: , xrefs: 00169A62

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$__ftbuf__output_l__stbuf_fputc
String ID: ClientName: $Ticket #%d
API String ID: 1210932002-1352260334
Opcode ID: 6d775224bbbb0cb96bd41ef80881f1ea624df839e9c4ec47b04f9d76eeaa80c2
Instruction ID: d8d3084da037962221af25970b3b8b36b39eceed6ef69dc2c89c6bfdc9be4d9d
Opcode Fuzzy Hash: 6d775224bbbb0cb96bd41ef80881f1ea624df839e9c4ec47b04f9d76eeaa80c2
Instruction Fuzzy Hash: EB014CB1E001059BCB08DF98C8929BDBBB6EFA4304F16C019E9056B345D731A8A1CFD5

Function 00166509 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(000000FF,?,?,0000004C,00000004), ref: 0016656B
_wprintf.LIBCMT ref: 0016658E
_wprintf.LIBCMT ref: 001665C0
ReadProcessMemory.KERNEL32(000000FF,?,?,0000008C,00000004), ref: 001665FC
_wprintf.LIBCMT ref: 00166622
_wprintf.LIBCMT ref: 0016668F
_wprintf.LIBCMT ref: 001666A6
_wprintf.LIBCMT ref: 001666BD
_wprintf.LIBCMT ref: 001666D4
_wprintf.LIBCMT ref: 001666EB
ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000000C,0000008C), ref: 001667E4
_wprintf.LIBCMT ref: 00166807

Strings

Error: cannot List Session List Entry!., xrefs: 00166589
L, xrefs: 00166580

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf$MemoryProcessRead
String ID: Error: cannot List Session List Entry!.$L
API String ID: 1336411900-1589785453
Opcode ID: 15ce87e20305d21cdf9d306861baf11f5e4e7481b3159f2611bbb410397df2af
Instruction ID: d290d5d9d5afcfbc8dda53057bd137226781175ee1d487c1a33567209f95581a
Opcode Fuzzy Hash: 15ce87e20305d21cdf9d306861baf11f5e4e7481b3159f2611bbb410397df2af
Instruction Fuzzy Hash: FC015AB4A08268CBCB24DF14CC91BE9B3B1EB48305F4082DCE20EA7140DB755ED08F95

Function 0016DEB9 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0016DF54
__flush.LIBCMT ref: 0016DF72
__write.LIBCMT ref: 0016DF99
__flsbuf.LIBCMT ref: 0016DFC4

Part of subcall function 0016F645: __getptd_noexit.LIBCMT ref: 0016F645

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 83ba5fab60c30f126f66c6f4e3d954d1715329a561fb13c6423154274ee2cb55
Instruction ID: bc509d455900a1699f57345f8de4b6b22fa0d7932c69d8ea7fccf4aab626d6bc
Opcode Fuzzy Hash: 83ba5fab60c30f126f66c6f4e3d954d1715329a561fb13c6423154274ee2cb55
Instruction Fuzzy Hash: B241CA31F00705EBDB24DF69EC84AAEBBB5AF90320F2585ADE41697180D771DD62CB40

Function 001785F0 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00178624
__isleadbyte_l.LIBCMT ref: 00178657
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000), ref: 00178688
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000000), ref: 001786F6

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 88239dfb63e0520eff897786dbabb8ddbb05992dedce7c229397a34cec8aa785
Instruction ID: 86d042fdc1baee7b0c8cc7b4500e0c1f33247ac478ba2542aa5dbf28823bb313
Opcode Fuzzy Hash: 88239dfb63e0520eff897786dbabb8ddbb05992dedce7c229397a34cec8aa785
Instruction Fuzzy Hash: 94319E31A40246FFDB20DF64C8989BE7BB5BF01311B15C5A9F4698B1A2DB30DD90DBA1

Function 00172E65 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00172E8B

Part of subcall function 00172CB7: __fltout2.LIBCMT ref: 00172CE2

__cftog_l.LIBCMT ref: 00172EB1
__cftoe_l.LIBCMT ref: 00172EE3

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5deb5f9055b00a00f68b4e03f1888fda515970a01ca1e3a5bfb7fd6ba3f4791d
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 9C11253244018ABBCF169E88CC028AE3F72BB28350F598515FA1C59131DB36C9B2AB81

Function 00163670 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00167610: OpenSCManagerA.ADVAPI32(00000000,00000000,00000001,?,?,?,?,?,?,0016367E,WCE SERVICE), ref: 0016762D
Part of subcall function 00167610: OpenServiceA.ADVAPI32(00000000,00000001,00000024,?,?,?,?,?,?,0016367E,WCE SERVICE), ref: 00167646
Part of subcall function 00167610: ControlService.ADVAPI32(00000000,00000001,?), ref: 0016765F
Part of subcall function 00167610: CloseServiceHandle.ADVAPI32(00000000), ref: 0016766C
Part of subcall function 00167610: CloseServiceHandle.ADVAPI32(00000000), ref: 0016767F

Sleep.KERNEL32(000007D0,00163771), ref: 00163689
Sleep.KERNEL32(000007D0), ref: 001636A7

Strings

WCE SERVICE, xrefs: 00163674
WCE SERVICE, xrefs: 00163695

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: Service$CloseHandleOpenSleep$ControlManager
String ID: WCE SERVICE$WCE SERVICE
API String ID: 2881204338-103427495
Opcode ID: 75396ea15cbbda5dde84f1127a5bab2908a21f5c6df9742b15bbf8e248881a31
Instruction ID: a012adfd276ed415616667d7e208f744d416e3dd65cb9e10e19a37f31a125192
Opcode Fuzzy Hash: 75396ea15cbbda5dde84f1127a5bab2908a21f5c6df9742b15bbf8e248881a31
Instruction Fuzzy Hash: EFE0E675D45208FFDA00AB95ED0F52D76749B15729F000155F80D61681E7B16F684BD2

Function 00168280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Error Reading from pipe!, xrefs: 001682BF

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID:
String ID: Error Reading from pipe!
API String ID: 0-1652627068
Opcode ID: a078b3c99ee78cc9dbdbd20da46c5a63489cf788525c9e6354667d03d5156acd
Instruction ID: 3e5070061b2a94f9741c036039594da0b4208a73946596ea23e8d75ab4c907a6
Opcode Fuzzy Hash: a078b3c99ee78cc9dbdbd20da46c5a63489cf788525c9e6354667d03d5156acd
Instruction Fuzzy Hash: 6E21C3B4C04248EBCF00DFA0DC456AE7B74BB14784F204669E90697341DB30DA65DBA1

Function 001684B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 001684E3
_wprintf.LIBCMT ref: 001684FA

Strings

%.2x , xrefs: 001684F5

Memory Dump Source

Source File: 00000000.00000002.3263694311.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3263664859.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263736707.000000000017C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263761210.000000000017F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263791159.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000187000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263820104.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_wce.jbxd

Similarity

API ID: _wprintf
String ID: %.2x
API String ID: 2738768116-1955163564
Opcode ID: 06018109646e7ed5396b563043e76e737450226b8c7e9b586c24efc89c6edf0d
Instruction ID: 0ceed09fca19ca7986ab769998618bad830da8cc801b17921c4701acd11dd8b7
Opcode Fuzzy Hash: 06018109646e7ed5396b563043e76e737450226b8c7e9b586c24efc89c6edf0d
Instruction Fuzzy Hash: A3F08970904109E7CB04DF44CD52B6D73B5DF61304F24C198E80967241EF30AF20AF91

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wce.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\Local\Temp\wceaux.dll

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

\Device\ConDrv

Static File Info

General

File Icon

Windows Analysis Report
wce.exe

Function 00163FA0 Relevance: 103.7, APIs: 47, Strings: 12, Instructions: 463
libraryinjectionloaderCOMMON

Function 00164DC0 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 144
COMMON

Function 00165610 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 192
encryptionfileCOMMON

Function 00163E30 Relevance: 15.1, APIs: 10, Instructions: 97
processCOMMON

Function 001647A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52
COMMON

Function 001634D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Function 00162190 Relevance: 57.9, APIs: 21, Strings: 12, Instructions: 197
COMMON

Function 00164840 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 73
libraryloaderCOMMON

Function 00161880 Relevance: 18.2, APIs: 12, Instructions: 246
COMMON

Function 001622DD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53
COMMON

Function 00165A60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Function 00161C50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
COMMON