Play interactive tour

Edit tour

Windows Analysis Report capa.exe

Overview

General Information

Sample Name:	capa.exe
Analysis ID:	457941
MD5:	9ca015deaade0b450465c158b3d6d478
SHA1:	4e0db7ee62856ddbf7f1ade4b86540d315614bab
SHA256:	e54f0acc46db1c5541a0d98922e2dc9112b4fec47ecfd378187448a4e9f11671
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Xmrig cryptocurrency miner

Tries to harvest and steal ftp login credentials

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

capa.exe (PID: 784 cmdline: 'C:\Users\user\Desktop\capa.exe' MD5: 9CA015DEAADE0B450465C158B3D6D478)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

capa.exe (PID: 1092 cmdline: 'C:\Users\user\Desktop\capa.exe' MD5: 9CA015DEAADE0B450465C158B3D6D478)

cmd.exe (PID: 5556 cmdline: C:\Windows\system32\cmd.exe /c 'ver' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x155:$s1: stratum+tcp://
C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml, type: DROPPED

Source: C:\Users\user\Desktop\capa.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\LICENSE.txt

Jump to behavior

Source: capa.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: capa.exe, 00000000.00000003.234678405.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: capa.exe, 00000000.00000003.240187861.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292771024.00007FFB53083000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: capa.exe, 00000000.00000003.234728498.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: capa.exe, 00000000.00000003.240314271.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: capa.exe, 00000000.00000003.234134753.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: capa.exe, 00000000.00000003.234293481.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: capa.exe, 00000000.00000003.234060265.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: capa.exe, 00000000.00000003.234475523.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: capa.exe, 00000000.00000003.234638061.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python38.pdb source: capa.exe, 00000005.00000002.287521436.00007FFB4E6DC000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: capa.exe, 00000000.00000003.234751294.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_decimal.pdb source: capa.exe, 00000000.00000003.233270555.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: capa.exe, 00000000.00000003.234198994.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: capa.exe, 00000000.00000003.234515071.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: capa.exe, 00000000.00000003.234436096.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: capa.exe, 00000000.00000003.234607708.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\pyexpat.pdb source: capa.exe, 00000000.00000003.239834900.000002967D257000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292560481.00007FFB53012000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: capa.exe, 00000000.00000003.233912958.000002967D254000.00000004.00000001.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: capa.exe, 00000000.00000003.232864942.000002967D247000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.293545008.00007FFB54341000.00000002.00020000.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: capa.exe, 00000000.00000003.234086660.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_overlapped.pdb source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, _overlapped.pyd.0.dr
Source:	Binary string: D:\a\lancelot\lancelot\target\release\deps\flirt.pdb source: capa.exe, 00000000.00000003.236266732.000002967D3E1000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: capa.exe, 00000000.00000003.234353373.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: capa.exe, 00000000.00000003.234019845.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: capa.exe, 00000000.00000003.234111569.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_multiprocessing.pdb source: capa.exe, 00000000.00000003.233629714.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: capa.exe, 00000000.00000003.234575992.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: smda.common.labelprovider.PdbSymbolProvider source: capa.exe, 00000005.00000002.280121682.00000208DA410000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: capa.exe, 00000000.00000003.234387208.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: capa.exe, 00000000.00000003.240314271.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: capa.exe, 00000005.00000002.288605108.00007FFB4F0E5000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: capa.exe, 00000000.00000003.234783589.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: capa.exe, 00000000.00000003.233529390.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292659169.00007FFB53049000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: capa.exe, 00000000.00000003.232967878.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292726064.00007FFB5306F000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: capa.exe, 00000000.00000003.234178346.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: capa.exe, 00000000.00000003.233478000.000002967D236000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292467306.00007FFB52FE6000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: capa.exe, 00000000.00000003.234458018.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: capa.exe, 00000000.00000003.234333639.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: capa.exe, 00000005.00000002.290029631.00007FFB527D8000.00000002.00020000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: capa.exe, 00000000.00000003.234039849.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: +smda.common.labelprovider.PdbSymbolProvider) source: capa.exe, 00000005.00000003.267322142.00000208D85AB000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: capa.exe, 00000000.00000003.234545063.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: capa.exe, 00000000.00000003.233894754.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292960742.00007FFB53099000.00000002.00020000.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_decimal.pdb## source: capa.exe, 00000000.00000003.233270555.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: capa.exe, 00000000.00000003.234261974.000002967D232000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: capa.exe, 00000000.00000003.234697134.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: capa.exe, 00000000.00000003.233167519.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.293158556.00007FFB531D2000.00000002.00020000.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: capa.exe, 00000000.00000003.233529390.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292659169.00007FFB53049000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_asyncio.pdb source: capa.exe, 00000000.00000003.232915314.000002967D230000.00000004.00000001.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: capa.exe, 00000000.00000003.234371754.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: capa.exe, 00000000.00000003.234314180.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: capa.exe, 00000000.00000003.234804226.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: capa.exe, 00000000.00000003.234403504.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: capa.exe, 00000000.00000003.234493096.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: capa.exe, 00000000.00000003.234421334.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: capa.exe, 00000000.00000003.234156164.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: capa.exe, 00000000.00000003.234712571.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: capa.exe, 00000000.00000003.234242058.000002967D232000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: string: "Z:\\Dev\\dropper\\dropper.pdb" source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: capa.exe, 00000005.00000002.290029631.00007FFB527D8000.00000002.00020000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: capa.exe, 00000000.00000003.234225953.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: capa.exe, 00000000.00000003.233701099.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_elementtree.pdb source: capa.exe, 00000000.00000003.233429406.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: capa.exe, 00000000.00000003.234659853.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: capa.exe, 00000000.00000003.234767553.000002967D232000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530A020 FindFirstFileExW,	0_2_00007FF77530A020
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530A020 FindFirstFileExW,	5_2_00007FF77530A020
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E88301C FindFirstFileExW,FindNextFileW,FindClose,	5_2_00007FFB4E88301C

Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: capa.exe, 00000005.00000003.272860904.00000208DAA19000.00000004.00000001.sdmp	String found in binary or memory: http://docs.python.org/3/library/pprint.html#pprint.pprint
Source: capa.exe, 00000005.00000002.281916122.00000208DAC30000.00000004.00000001.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: capa.exe, 00000005.00000002.283341384.00000208DAE86000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.271622686.00000208DAE84000.00000004.00000001.sdmp	String found in binary or memory: http://json.org
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: capa.exe, 00000005.00000002.281127681.00000208DA840000.00000004.00000001.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: capa.exe, 00000005.00000003.273158663.00000208DA609000.00000004.00000001.sdmp	String found in binary or memory: http://pyparsing.wikispaces.com
Source: capa.exe, 00000005.00000002.287521436.00007FFB4E6DC000.00000002.00020000.sdmp	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: capa.exe, 00000005.00000002.284776285.00000208DB3F0000.00000004.00000001.sdmp	String found in binary or memory: http://pyyaml.org/wiki/YAMLColonInFlowContext
Source: capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	String found in binary or memory: http://slackinvite.vertex.link/)
Source: capa.exe, 00000005.00000003.272238466.00000208DA8C5000.00000004.00000001.sdmp	String found in binary or memory: http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular-
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: capa.exe, 00000000.00000003.247835875.000002967D248000.00000004.00000001.sdmp, LICENSE.txt0.0.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: capa.exe, 00000000.00000003.247835875.000002967D248000.00000004.00000001.sdmp, LICENSE.txt0.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: capa.exe, 00000005.00000002.281550906.00000208DAAC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: capa.exe, 00000005.00000003.273719484.00000208DA6C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link
Source: capa.exe, 00000005.00000003.271569961.00000208DAEFE000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntcore.com/files/richsign.htm
Source: capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	String found in binary or memory: http://www.opengroup.org/onlinepubs/007904975/functions/wcswidth.html
Source: capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	String found in binary or memory: http://www.opengroup.org/onlinepubs/007904975/functions/wcwidth.html
Source: capa.exe, 00000000.00000003.241065333.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.281072568.00000208DA800000.00000004.00000001.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: capa.exe, 00000000.00000003.241065333.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.280473196.00000208DA5C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/unicode/reports/tr11/
Source: capa.exe, 00000005.00000002.281162685.00000208DA880000.00000004.00000001.sdmp	String found in binary or memory: http://yaml.org/type/float.html
Source: capa.exe, 00000005.00000002.284650150.00000208DB390000.00000004.00000001.sdmp	String found in binary or memory: http://yaml.org/type/merge.html
Source: capa.exe, 00000005.00000002.284650150.00000208DB390000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.283341384.00000208DAE86000.00000004.00000001.sdmp	String found in binary or memory: http://yaml.readthedocs.io/en/latest/api.html#duplicate-keys
Source: inject-dll-reflectively.yml.0.dr	String found in binary or memory: https://0x00sec.org/t/reflective-dll-injection/3080
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://adblock.mydns.network/dns-query.
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org/)
Source: capa.exe, 00000005.00000002.285227247.00000208DB470000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/davidfraser/pyyaml/commits/d81df6eb95f20cac4a79eed95ae553b5c6f77b8c
Source: spoof-parent-pid.yml.0.dr	String found in binary or memory: https://blog.f-secure.com/detecting-parent-pid-spoofing/
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://bravedns.com/configure.
Source: migrate-process-to-active-window-station.yml.0.dr	String found in binary or memory: https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and
Source: migrate-process-to-active-window-station.yml.0.dr	String found in binary or memory: https://cboard.cprogramming.com/windows-programming/144588-
Source: enumerate-domain-computers-via-ldap.yml.0.dr	String found in binary or memory: https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
Source: capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	String found in binary or memory: https://circleci.com/gh/vivisect/vivisect/tree/master)
Source: capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	String found in binary or memory: https://circleci.com/gh/vivisect/vivisect/tree/master.svg?style=svg)
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://commons.host.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns-asia.wugui.zone/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.aa.net.uk/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.alidns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.containerpi.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.containerpi.com/doh/family-filter/.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.containerpi.com/doh/secure-filter/.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.digitale-gesellschaft.ch/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.dns-over-https.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.dnshome.de/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.dnsoverhttps.net/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.flatuslifir.is/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.google.com/resolve?name=
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.google/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.nextdns.io/
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.rubyfish.cn/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.switch.ch/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.twnic.tw/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dns.wugui.zone/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dnsforge.de/dns-query.
Source: run-in-container.yml.0.dr	String found in binary or memory: https://docs.docker.com/engine/api/v1.24/
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh-2.seby.io/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh-de.blahdns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh-jp.blahdns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.42l.fr/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.applied-privacy.net/query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.armadillodns.net/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.captnemo.in/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.centraleu.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter/.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.crypto.sx/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.dns.sb/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.dnslify.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.eastas.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.eastau.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.eastus.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.familyshield.opendns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.ffmuc.net/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.li/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.libredns.gr/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.northeu.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.powerdns.org.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.seby.io:8443/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.tiar.app/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.tiarap.org/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.westus.pi-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://doh.xfinity.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://dohdot.coxlab.net/dns-query.
Source: 64-bit-execution-via-heavens-gate.yml.0.dr	String found in binary or memory: https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepap
Source: bypass-uac-via-scheduled-task-environment-variable.yml.0.dr	String found in binary or memory: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://example.doh.blockerdns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://family.cloudflare-dns.com/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://fi.doh.dns.snopyta.org/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://free.bravedns.com/dns-query.
Source: compiled-with-autoit.yml.0.dr	String found in binary or memory: https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/
Source: connect-tcp-socket.yml.0.dr	String found in binary or memory: https://gist.github.com/joeyadams/4158972
Source: peb-access.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp
Source: peb-access.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41
Source: peb-access.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L45
Source: check-processdebugflags.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProces
Source: check-process-job-object.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp
Source: check-for-protected-handle-exception.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API
Source: check-for-software-breakpoints.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp
Source: reference-anti-vm-strings.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
Source: reference-anti-vm-strings.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
Source: enumerate-disk-properties.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L518
Source: reference-anti-vm-strings.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
Source: reference-anti-vm-strings.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
Source: get-system-firmware-table.yml.0.dr	String found in binary or memory: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/MBCProject/mbc-markdown)
Source: linked-against-go-wmi-library.yml.0.dr	String found in binary or memory: https://github.com/StackExchange/wmi
Source: linked-against-xzip.yml.0.dr	String found in binary or memory: https://github.com/ValveSoftware/source-sdk-2013/blob/master/sp/src/public/XZip.cpp
Source: capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/astanin/python-tabulate
Source: reference-anti-vm-strings.yml.0.dr	String found in binary or memory: https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/curl/curl/wiki/DNS-over-HTTPS
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://github.com/fireeye/capa)
Source: capa.exe, 00000005.00000003.276151644.00000208DA6B6000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276715575.00000208DAF4E000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.282343526.00000208DAD70000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://github.com/fireeye/capa-rules/actions?query=workflow%3A%22CI%22)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/anti-analysis/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/c2/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/collection/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/communication/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/compiler/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/data-manipulation/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/executable/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/host-interaction/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/impact/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/linking/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/load-code/)
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/nursery)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/persistence/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/runtime/)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-rules/tree/master/targeting/)
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://github.com/fireeye/capa-rules/workflows/CI/badge.svg)
Source: capa.exe, 00000005.00000003.271348290.00000208DAA42000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-ruleszJdefault
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa-testfiles)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa/blob/master/scripts/capafmt.py)
Source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/capa/blob/master/scripts/lint.py)
Source: enumerate-files-via-ntdll-functions.yml.0.dr	String found in binary or memory: https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b5/Source/Furutaka/sup.c#
Source: capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp, __init__.cpython-38.pyc.0.dr	String found in binary or memory: https://github.com/jquast/wcwidth
Source: capa.exe, 00000005.00000002.281916122.00000208DAC30000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: capa.exe, 00000005.00000002.281916122.00000208DAC30000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/pypa/packagingEI7842_
Source: capa.exe, 00000005.00000003.272238466.00000208DA8C5000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/python/mypy/issues/3216
Source: encrypt-data-using-hc-128.yml.0.dr	String found in binary or memory: https://github.com/rost1993/hc128/blob/master/hc128.c
Source: capa.exe, 00000005.00000002.284448912.00000208DB2C0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/tqdm/tqdm#contributions
Source: capa.exe, 00000005.00000002.284331994.00000208DB280000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/tqdm/tqdm/issues/481)
Source: capa.exe, 00000005.00000002.284331994.00000208DB280000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/tqdm/tqdm/issues/481)0
Source: capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/vivisect/vivisect
Source: capa.exe, 00000005.00000002.283721793.00000208DAF15000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/vivisect/vivisect/blob/7be4037b1cecc4551b397f840405a1fc606f9b53/PE/carve.py#L19
Source: capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/vivisect/vivisect/issues)
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://ibksturm.synology.me/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://ibuki.cgnat.net/dns-query.
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://img.shields.io/badge/license-Apache--2.0-green.svg)
Source: capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	String found in binary or memory: https://img.shields.io/badge/rules-579-blue.svg)
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://jcdns.fun/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://jp.tiar.app/dns-query.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://jp.tiarap.org/dns-query.
Source: capa.exe, 00000000.00000003.243475811.000002967D23D000.00000004.00000001.sdmp, encrypt-data-using-sosemanuk.yml.0.dr	String found in binary or memory: https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
Source: capa.exe, 00000005.00000002.284526546.00000208DB300000.00000004.00000001.sdmp	String found in binary or memory: https://msg.pyyaml.org/load
Source: packaged-as-a-nsis-installer.yml.0.dr	String found in binary or memory: https://nsis.sourceforge.io/Main_Page
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://odvr.nic.cz/doh.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://ordns.he.net/dns-query.
Source: resolve-function-by-hash.yml.0.dr	String found in binary or memory: https://pastebin.com/ci5XYW4P
Source: capa.exe, 00000005.00000002.285316675.00000208DB4B0000.00000004.00000001.sdmp	String found in binary or memory: https://pythex.org
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://rdns.faelix.net/.
Source: capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	String found in binary or memory: https://resolver-eu.lelux.fi/dns-query.
Source: capa.exe, 00000005.00000003.272294884.00000208D857F000.00000004.00000001.sdmp	String found in binary or memory: https://setuptools.readthedocs.io/en/latest/pkg_resources.html#basic-resource-access
Source: capa.exe, 00000005.00000002.284151923.00000208DB240000.00000004.00000001.sdmp	String found in binary or memory: https://stackoverflow.com/a/10455937/2692667
Source: capa.exe, 00000005.00000002.285583782.00000208DB5B0000.00000004.00000001.sdmp	String found in binary or memory: https://stackoverflow.com/a/9147327/87207
Source: capa.exe, 00000005.00000003.272167219.00000208DAA2A000.00000004.00000001.sdmp	String found in binary or memory: https://stackoverflow.com/questions/18603270/
Source: capa.exe, 00000005.00000003.273270781.00000208DA625000.00000004.00000001.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: reference-114dns-dns-server.yml.0.dr	String found in binary or memory: https://www.114dns.com/
Source: reference-114dns-dns-server.yml.0.dr	String found in binary or memory: https://www.amazon.com/ask/questions/Tx27CUHKMM403NP
Source: impersonate-file-version-information.yml.0.dr	String found in binary or memory: https://www.carbonblack.com/blog/threat-analysis-dont-forget-about-kangaroo-ransomware/
Source: capa.exe, 00000000.00000003.236730009.000002967D235000.00000004.00000001.sdmp, libffi-7.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: inject-pe.yml.0.dr	String found in binary or memory: https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending
Source: resolve-function-by-hash.yml.0.dr	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering
Source: persist-via-active-setup-registry-key.yml.0.dr	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html
Source: hook-routines-via-microsoft-detours.yml.0.dr	String found in binary or memory: https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Chall
Source: gather-ftpgetter-information.yml.0.dr	String found in binary or memory: https://www.ftpgetter.com/
Source: check-for-peb-ntglobalflag-flag.yml.0.dr	String found in binary or memory: https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm
Source: gather-total-commander-information.yml.0.dr	String found in binary or memory: https://www.ghisler.com/
Source: packed-with-mew.yml.0.dr	String found in binary or memory: https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
Source: migrate-process-to-active-window-station.yml.0.dr	String found in binary or memory: https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html
Source: inject-dll-reflectively.yml.0.dr	String found in binary or memory: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
Source: check-for-unmoving-mouse-cursor.yml.0.dr	String found in binary or memory: https://www.joesecurity.org/blog/5852460122427342172
Source: 64-bit-execution-via-heavens-gate.yml.0.dr	String found in binary or memory: https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html
Source: gather-fling-ftp-information.yml.0.dr	String found in binary or memory: https://www.nchsoftware.com/fling/index.html
Source: gather-netdrive-information.yml.0.dr	String found in binary or memory: https://www.netdrive.net/
Source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.291457468.00007FFB528CF000.00000002.00020000.sdmp, libssl-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: reference-ncr-atm-library-routines.yml.0.dr	String found in binary or memory: https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-at
Source: encrypt-data-using-rc4-with-custom-key-via-winapi.yml.0.dr	String found in binary or memory: https://www.phdcc.com/cryptorc4.htm
Source: gather-smart-ftp-information.yml.0.dr	String found in binary or memory: https://www.smartftp.com/en-us/
Source: bypass-uac-via-scheduled-task-environment-variable.yml.0.dr	String found in binary or memory: https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html
Source: compiled-with-autohotkey.yml.0.dr	String found in binary or memory: https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-c
Source: enumerate-domain-computers-via-ldap.yml.0.dr	String found in binary or memory: https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
Source: gather-wise-ftp-information.yml.0.dr	String found in binary or memory: https://www.wise-ftp.de/en/

Source: log-keystrokes-via-raw-input-data.yml.0.dr

Binary or memory string: - api: user32.GetRawInputData

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd, type: DROPPED

Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530E2F8	0_2_00007FF77530E2F8
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775308ECC	0_2_00007FF775308ECC
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F4150	0_2_00007FF7752F4150
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775308138	0_2_00007FF775308138
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775311588	0_2_00007FF775311588
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775309DF0	0_2_00007FF775309DF0
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752FCDA4	0_2_00007FF7752FCDA4
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775308ECC	0_2_00007FF775308ECC
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752FF050	0_2_00007FF7752FF050
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F7850	0_2_00007FF7752F7850
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752FD020	0_2_00007FF7752FD020
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775301078	0_2_00007FF775301078
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775302874	0_2_00007FF775302874
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530C850	0_2_00007FF77530C850
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F80A0	0_2_00007FF7752F80A0
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530EC98	0_2_00007FF77530EC98
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530C380	0_2_00007FF77530C380
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752FCB28	0_2_00007FF7752FCB28
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530E2F8	5_2_00007FF77530E2F8
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775308ECC	5_2_00007FF775308ECC
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775308138	5_2_00007FF775308138
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F4150	5_2_00007FF7752F4150
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775311588	5_2_00007FF775311588
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775309DF0	5_2_00007FF775309DF0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752FCDA4	5_2_00007FF7752FCDA4
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775308ECC	5_2_00007FF775308ECC
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752FF050	5_2_00007FF7752FF050
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F7850	5_2_00007FF7752F7850
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752FD020	5_2_00007FF7752FD020
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775301078	5_2_00007FF775301078
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775302874	5_2_00007FF775302874
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530C850	5_2_00007FF77530C850
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F80A0	5_2_00007FF7752F80A0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530EC98	5_2_00007FF77530EC98
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530C380	5_2_00007FF77530C380
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752FCB28	5_2_00007FF7752FCB28
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E851F30	5_2_00007FFB4E851F30
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81EED0	5_2_00007FFB4E81EED0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E821080	5_2_00007FFB4E821080
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E812FA0	5_2_00007FFB4E812FA0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E82EFC4	5_2_00007FFB4E82EFC4
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81FCB0	5_2_00007FFB4E81FCB0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E817CC0	5_2_00007FFB4E817CC0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81BD10	5_2_00007FFB4E81BD10
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E831D14	5_2_00007FFB4E831D14
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E8B5E44	5_2_00007FFB4E8B5E44
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E815E48	5_2_00007FFB4E815E48
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E8B8DD8	5_2_00007FFB4E8B8DD8
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E82CB30	5_2_00007FFB4E82CB30
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E830B90	5_2_00007FFB4E830B90
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E835AC0	5_2_00007FFB4E835AC0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E83BC1C	5_2_00007FFB4E83BC1C
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E882C28	5_2_00007FFB4E882C28
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E877BFC	5_2_00007FFB4E877BFC
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81F910	5_2_00007FFB4E81F910
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E882A48	5_2_00007FFB4E882A48
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81C9E0	5_2_00007FFB4E81C9E0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E8126F8	5_2_00007FFB4E8126F8
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E83E7F0	5_2_00007FFB4E83E7F0
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E81F590	5_2_00007FFB4E81F590

Source: C:\Users\user\Desktop\capa.exe	Code function: String function: 00007FF7752F19F0 appears 80 times
Source: C:\Users\user\Desktop\capa.exe	Code function: String function: 00007FF7752F1A50 appears 142 times

Source: capa.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: capa.exe, 00000000.00000003.234387208.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs capa.exe
Source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233529390.000002967D254000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.239834900.000002967D257000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233478000.000002967D236000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233894754.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.232915314.000002967D230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233270555.000002967D257000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233701099.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233912958.000002967D254000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.232967878.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.232864942.000002967D247000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs capa.exe
Source: capa.exe, 00000000.00000003.233629714.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.233429406.000002967D257000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_elementtree.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.240314271.000002967D561000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs capa.exe
Source: capa.exe, 00000000.00000003.233167519.000002967D254000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.240187861.000002967D232000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs capa.exe
Source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelibsslH vs capa.exe
Source: capa.exe	Binary or memory string: OriginalFilename vs capa.exe
Source: capa.exe, 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs capa.exe
Source: capa.exe, 00000005.00000002.292792849.00007FFB53086000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.277790442.00000208D86A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs capa.exe
Source: capa.exe, 00000005.00000002.292584438.00007FFB5301D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.287866619.00007FFB4E7E7000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs capa.exe
Source: capa.exe, 00000005.00000002.292499172.00007FFB52FEB000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.293249116.00007FFB531DE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.292999552.00007FFB530A3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.292746212.00007FFB53075000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.291457468.00007FFB528CF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs capa.exe
Source: capa.exe, 00000005.00000002.280315636.00000208DA4D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs capa.exe
Source: capa.exe, 00000005.00000002.293564707.00007FFB54346000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs capa.exe
Source: capa.exe, 00000005.00000002.292683021.00007FFB53056000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs capa.exe
Source: capa.exe, 00000005.00000002.288637817.00007FFB4F0EB000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs capa.exe

Source: C:\Users\user\Desktop\capa.exe

Section loaded: python3.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml, type: DROPPED

Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address

Source: classification engine

Classification label: mal52.spyw.mine.winEXE@6/685@0/0

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7752F4F30 GetLastError,FormatMessageW,

0_2_00007FF7752F4F30

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01

Source: C:\Users\user\Desktop\capa.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI7842

Jump to behavior

Source: capa.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\capa.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\capa.exe

File read: C:\Users\user\Desktop\capa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\capa.exe 'C:\Users\user\Desktop\capa.exe'
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Users\user\Desktop\capa.exe 'C:\Users\user\Desktop\capa.exe'
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'ver'
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Users\user\Desktop\capa.exe 'C:\Users\user\Desktop\capa.exe'	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'ver'	Jump to behavior

Source: C:\Users\user\Desktop\capa.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: capa.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: capa.exe

Static file information: File size 33262761 > 1048576

Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: capa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: capa.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: capa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: capa.exe, 00000000.00000003.234678405.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: capa.exe, 00000000.00000003.240187861.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292771024.00007FFB53083000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: capa.exe, 00000000.00000003.234728498.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: capa.exe, 00000000.00000003.240314271.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: capa.exe, 00000000.00000003.234134753.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: capa.exe, 00000000.00000003.234293481.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: capa.exe, 00000000.00000003.234060265.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: capa.exe, 00000000.00000003.234475523.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: capa.exe, 00000000.00000003.234638061.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python38.pdb source: capa.exe, 00000005.00000002.287521436.00007FFB4E6DC000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: capa.exe, 00000000.00000003.234751294.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_decimal.pdb source: capa.exe, 00000000.00000003.233270555.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: capa.exe, 00000000.00000003.234198994.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: capa.exe, 00000000.00000003.234515071.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: capa.exe, 00000000.00000003.234436096.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: capa.exe, 00000000.00000003.234607708.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\pyexpat.pdb source: capa.exe, 00000000.00000003.239834900.000002967D257000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292560481.00007FFB53012000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: capa.exe, 00000000.00000003.233912958.000002967D254000.00000004.00000001.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: capa.exe, 00000000.00000003.232864942.000002967D247000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.293545008.00007FFB54341000.00000002.00020000.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: capa.exe, 00000000.00000003.234086660.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_overlapped.pdb source: capa.exe, 00000000.00000003.233679949.000002967D236000.00000004.00000001.sdmp, _overlapped.pyd.0.dr
Source:	Binary string: D:\a\lancelot\lancelot\target\release\deps\flirt.pdb source: capa.exe, 00000000.00000003.236266732.000002967D3E1000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: capa.exe, 00000000.00000003.234353373.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: capa.exe, 00000000.00000003.234019845.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: capa.exe, 00000000.00000003.234111569.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_multiprocessing.pdb source: capa.exe, 00000000.00000003.233629714.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: capa.exe, 00000000.00000003.234575992.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: smda.common.labelprovider.PdbSymbolProvider source: capa.exe, 00000005.00000002.280121682.00000208DA410000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: capa.exe, 00000000.00000003.234387208.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: capa.exe, 00000000.00000003.240314271.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: capa.exe, 00000005.00000002.288605108.00007FFB4F0E5000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: capa.exe, 00000000.00000003.234783589.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: capa.exe, 00000000.00000003.233529390.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292659169.00007FFB53049000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: capa.exe, 00000000.00000003.232967878.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292726064.00007FFB5306F000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: capa.exe, 00000000.00000003.234178346.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: capa.exe, 00000000.00000003.233478000.000002967D236000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292467306.00007FFB52FE6000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: capa.exe, 00000000.00000003.234458018.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: capa.exe, 00000000.00000003.237382972.000002967D453000.00000004.00000001.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: capa.exe, 00000000.00000003.234333639.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: capa.exe, 00000005.00000002.290029631.00007FFB527D8000.00000002.00020000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: capa.exe, 00000000.00000003.234039849.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: +smda.common.labelprovider.PdbSymbolProvider) source: capa.exe, 00000005.00000003.267322142.00000208D85AB000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: capa.exe, 00000000.00000003.234545063.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: capa.exe, 00000000.00000003.233894754.000002967D232000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292960742.00007FFB53099000.00000002.00020000.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_decimal.pdb## source: capa.exe, 00000000.00000003.233270555.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: capa.exe, 00000000.00000003.234261974.000002967D232000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: capa.exe, 00000000.00000003.234697134.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: capa.exe, 00000000.00000003.233167519.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.293158556.00007FFB531D2000.00000002.00020000.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: capa.exe, 00000000.00000003.233529390.000002967D254000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.292659169.00007FFB53049000.00000002.00020000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_asyncio.pdb source: capa.exe, 00000000.00000003.232915314.000002967D230000.00000004.00000001.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: capa.exe, 00000000.00000003.234371754.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: capa.exe, 00000000.00000003.234314180.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: capa.exe, 00000000.00000003.234804226.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: capa.exe, 00000000.00000003.234403504.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: capa.exe, 00000000.00000003.234493096.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: capa.exe, 00000000.00000003.234421334.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: capa.exe, 00000000.00000003.234156164.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: capa.exe, 00000000.00000003.234712571.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: capa.exe, 00000000.00000003.234242058.000002967D232000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: string: "Z:\\Dev\\dropper\\dropper.pdb" source: capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: capa.exe, 00000005.00000002.290029631.00007FFB527D8000.00000002.00020000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: capa.exe, 00000000.00000003.234225953.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: capa.exe, 00000000.00000003.233701099.000002967D232000.00000004.00000001.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_elementtree.pdb source: capa.exe, 00000000.00000003.233429406.000002967D257000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: capa.exe, 00000000.00000003.234659853.000002967D232000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: capa.exe, 00000000.00000003.234767553.000002967D232000.00000004.00000001.sdmp

Source: capa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: capa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: capa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: capa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: capa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7752F4DA0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF7752F4DA0

Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E839DA5 push rdi; ret		5_2_00007FFB4E839DAB
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E839887 push rdi; ret		5_2_00007FFB4E839892

Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\capstone\lib\capstone.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\flirt.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml\_yaml.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\msgpack\_cmsgpack.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI7842\_ruamel_yaml.cp38-win_amd64.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\capa.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7752F2B20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7752F2B20

Source: C:\Users\user\Desktop\capa.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-vmware.yml

Jump to behavior

Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\capstone\lib\capstone.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\flirt.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\msgpack\_cmsgpack.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\capa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI7842\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\capa.exe

API coverage: 9.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF77530A020 FindFirstFileExW,	0_2_00007FF77530A020
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF77530A020 FindFirstFileExW,	5_2_00007FF77530A020
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775300208 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF775300208
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E88301C FindFirstFileExW,FindNextFileW,FindClose,	5_2_00007FFB4E88301C

Source: capa.exe, 00000000.00000003.294938385.000002967D223000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-qemu.ymlp
Source: capa.exe, 00000000.00000003.294938385.000002967D223000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-qemu.yml
Source: capa.exe, 00000005.00000002.277790442.00000208D86A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: capa.exe, 00000005.00000002.280182716.00000208DA450000.00000004.00000001.sdmp	Binary or memory string: vtrace.platforms.vmware
Source: capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\nursery\reference-the-vmware-io-port.yml
Source: capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-vmware.ymlp
Source: capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\nursery\reference-the-vmware-io-port.ymlP
Source: capa.exe, 00000005.00000003.275343781.00000208DA626000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: capa.exe, 00000005.00000002.280646349.00000208DA638000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW'
Source: capa.exe, 00000000.00000003.249109633.000002967D257000.00000004.00000001.sdmp	Binary or memory string: vtrace/platforms/__pycache__/vmware.cpython-38.pyc,,
Source: capa.exe, 00000000.00000003.249109633.000002967D257000.00000004.00000001.sdmp	Binary or memory string: vtrace/platforms/vmware.py,sha256=fLSCFr2_9t4dVUwDbDC7I2CQ8H1c4Prg8LfrRtukHfY,4023
Source: capa.exe, 00000005.00000003.267322142.00000208D85AB000.00000004.00000001.sdmp	Binary or memory string: vtrace.platforms.vmware)
Source: capa.exe, 00000005.00000002.277399202.00000208D84E3000.00000004.00000020.sdmp	Binary or memory string: xrules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-vmware.yml
Source: capa.exe, 00000000.00000003.294845310.000002967D24A000.00000004.00000001.sdmp	Binary or memory string: RE53D5~1.YMLreference-anti-vm-strings-targeting-vmware.yml-in
Source: capa.exe, 00000005.00000002.277790442.00000208D86A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reference-anti-vm-strings.yml.0.dr	Binary or memory string: description: Microsoft Hyper-V or Windows Virtual PC
Source: capa.exe, 00000005.00000002.277790442.00000208D86A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: capa.exe, 00000005.00000002.280524196.00000208DA600000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: reference-the-vmware-io-port.yml.0.dr	Binary or memory string: name: reference the VMWare IO port
Source: capa.exe, 00000005.00000002.277790442.00000208D86A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: reference-anti-vm-strings.yml.0.dr	Binary or memory string: - string: /Hyper-V/i

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF775303964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF775303964

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7752F4DA0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF7752F4DA0

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF77530B9A0 GetProcessHeap,

0_2_00007FF77530B9A0

Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F8780 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_00007FF7752F8780
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F8928 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7752F8928
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F9120 SetUnhandledExceptionFilter,	0_2_00007FF7752F9120
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF775303964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF775303964
Source: C:\Users\user\Desktop\capa.exe	Code function: 0_2_00007FF7752F8F84 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7752F8F84
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F8780 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	5_2_00007FF7752F8780
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F8928 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF7752F8928
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F9120 SetUnhandledExceptionFilter,	5_2_00007FF7752F9120
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF775303964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF775303964
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FF7752F8F84 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF7752F8F84
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E880F00 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFB4E880F00
Source: C:\Users\user\Desktop\capa.exe	Code function: 5_2_00007FFB4E859974 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFB4E859974

Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Users\user\Desktop\capa.exe 'C:\Users\user\Desktop\capa.exe'			Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 'ver'			Jump to behavior

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7753113D0 cpuid

0_2_00007FF7753113D0

Source: C:\Users\user\Desktop\capa.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		5_2_00007FFB4E87F8A0
Source: C:\Users\user\Desktop\capa.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		5_2_00007FFB4E87FA28

Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml\_yaml.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\yaml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842\_ruamel_yaml.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\Desktop\capa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI7842 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF7752F8E6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7752F8E6C

Source: C:\Users\user\Desktop\capa.exe

Code function: 0_2_00007FF77530E2F8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00007FF77530E2F8

Source: C:\Users\user\Desktop\capa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-bitkinex-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-3d-ftp-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-alftp-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-frigate3-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-blazeftp-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpgetter-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-cuteftp-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftprush-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpinfo-information.yml	Jump to behavior
Source: C:\Users\user\Desktop\capa.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-leapftp-information.yml	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping1	System Time Discovery2	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Application Shimming1	DLL Side-Loading1	Process Injection11	Input Capture11	Security Software Discovery31	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	System Information Discovery33	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
capa.exe	6%	Virustotal		Browse
capa.exe	9%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://doh.captnemo.in/dns-query.	0%	Avira URL Cloud	safe
https://free.bravedns.com/dns-query.	0%	Avira URL Cloud	safe
https://doh.seby.io:8443/dns-query.	0%	Avira URL Cloud	safe
https://doh.eastau.pi-dns.com/dns-query.	0%	Avira URL Cloud	safe
https://jp.tiarap.org/dns-query.	0%	Avira URL Cloud	safe
https://dns.google/dns-query.	0%	Avira URL Cloud	safe
https://doh-2.seby.io/dns-query.	0%	Avira URL Cloud	safe
https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=	0%	Avira URL Cloud	safe
https://ibksturm.synology.me/dns-query.	0%	Avira URL Cloud	safe
https://dnsforge.de/dns-query.	0%	Avira URL Cloud	safe
https://doh.libredns.gr/dns-query.	0%	Avira URL Cloud	safe
https://doh.applied-privacy.net/query.	0%	Avira URL Cloud	safe
https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection	0%	Avira URL Cloud	safe
https://doh.centraleu.pi-dns.com/dns-query.	0%	Avira URL Cloud	safe
https://doh.westus.pi-dns.com/dns-query.	0%	Avira URL Cloud	safe
https://doh.tiar.app/dns-query.	0%	Avira URL Cloud	safe
https://resolver-eu.lelux.fi/dns-query.	0%	Avira URL Cloud	safe
https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/	0%	Avira URL Cloud	safe
https://jp.tiar.app/dns-query.	0%	Avira URL Cloud	safe
https://dns.wugui.zone/dns-query.	0%	Avira URL Cloud	safe
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup	0%	Avira URL Cloud	safe
https://doh.42l.fr/dns-query.	0%	Avira URL Cloud	safe
https://doh.eastas.pi-dns.com/dns-query.	0%	Avira URL Cloud	safe
https://doh.pi-dns.com/dns-query.	0%	Avira URL Cloud	safe
https://www.phdcc.com/cryptorc4.htm	0%	Avira URL Cloud	safe
https://dns.containerpi.com/doh/secure-filter/.	0%	Avira URL Cloud	safe
http://slackinvite.vertex.link/)	0%	Avira URL Cloud	safe
https://cloudflare-dns.com/dns-query.	0%	Avira URL Cloud	safe
http://pyyaml.org/wiki/YAMLColonInFlowContext	0%	Avira URL Cloud	safe
https://www.netdrive.net/	0%	Avira URL Cloud	safe
https://dns.digitale-gesellschaft.ch/dns-query.	0%	Avira URL Cloud	safe
https://dns.containerpi.com/doh/family-filter/.	0%	Avira URL Cloud	safe
https://adblock.mydns.network/dns-query.	0%	Avira URL Cloud	safe
https://dohdot.coxlab.net/dns-query.	0%	Avira URL Cloud	safe
https://dns.rubyfish.cn/dns-query.	0%	Avira URL Cloud	safe
https://www.joesecurity.org/blog/5852460122427342172	0%	Avira URL Cloud	safe
https://dns.twnic.tw/dns-query.	0%	Avira URL Cloud	safe
https://doh.tiarap.org/dns-query.	0%	Avira URL Cloud	safe
https://www.ftpgetter.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doh.captnemo.in/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://free.bravedns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doh.seby.io:8443/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.opengroup.org/onlinepubs/007904975/functions/wcswidth.html	capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	false		high
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API	check-for-protected-handle-exception.yml.0.dr	false		high
https://github.com/fireeye/capa-rules	capa.exe, 00000005.00000003.276151644.00000208DA6B6000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276715575.00000208DAF4E000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.282343526.00000208DAD70000.00000004.00000001.sdmp	false		high
https://doh.eastau.pi-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41	peb-access.yml.0.dr	false		high
https://jp.tiarap.org/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp	reference-anti-vm-strings.yml.0.dr	false		high
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProces	check-processdebugflags.yml.0.dr	false		high
https://github.com/fireeye/capa-rules/tree/master/runtime/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://bitbucket.org/davidfraser/pyyaml/commits/d81df6eb95f20cac4a79eed95ae553b5c6f77b8c	capa.exe, 00000005.00000002.285227247.00000208DB470000.00000004.00000001.sdmp	false		high
https://dns.google/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doh-2.seby.io/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/	capa.exe, 00000000.00000003.243475811.000002967D23D000.00000004.00000001.sdmp, encrypt-data-using-sosemanuk.yml.0.dr	false		high
https://github.com/fireeye/capa/blob/master/scripts/lint.py)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepap	64-bit-execution-via-heavens-gate.yml.0.dr	false		high
http://www.python.org/download/releases/2.3/mro/.	capa.exe, 00000000.00000003.241065333.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.280473196.00000208DA5C0000.00000004.00000001.sdmp	false		high
https://github.com/fireeye/capa-rules/tree/master/targeting/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular-	capa.exe, 00000005.00000003.272238466.00000208DA8C5000.00000004.00000001.sdmp	false		high
https://github.com/pypa/packaging	capa.exe, 00000005.00000002.281916122.00000208DAC30000.00000004.00000001.sdmp	false		high
https://nsis.sourceforge.io/Main_Page	packaged-as-a-nsis-installer.yml.0.dr	false		high
https://github.com/curl/curl/wiki/DNS-over-HTTPS	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false		high
https://ibksturm.synology.me/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp	peb-access.yml.0.dr	false		high
https://dnsforge.de/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Chall	hook-routines-via-microsoft-detours.yml.0.dr	false		high
https://github.com/vivisect/vivisect/issues)	capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	false		high
https://pastebin.com/ci5XYW4P	resolve-function-by-hash.yml.0.dr	false		high
https://doh.libredns.gr/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L45	peb-access.yml.0.dr	false		high
https://doh.applied-privacy.net/query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection	inject-dll-reflectively.yml.0.dr	false	Avira URL Cloud: safe	unknown
http://www.python.org/dev/peps/pep-0205/	capa.exe, 00000000.00000003.241065333.000002967D561000.00000004.00000001.sdmp, capa.exe, 00000005.00000002.281072568.00000208DA800000.00000004.00000001.sdmp	false		high
https://github.com/fireeye/capa-rules/tree/master/data-manipulation/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://doh.centraleu.pi-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/badge/license-Apache--2.0-green.svg)	capa.exe, 00000000.00000003.241263624.000002967D234000.00000004.00000001.sdmp, README.md.0.dr	false		high
https://doh.westus.pi-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://json.org	capa.exe, 00000005.00000002.283341384.00000208DAE86000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.271622686.00000208DAE84000.00000004.00000001.sdmp	false		high
https://doh.tiar.app/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://resolver-eu.lelux.fi/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://yaml.org/type/merge.html	capa.exe, 00000005.00000002.284650150.00000208DB390000.00000004.00000001.sdmp	false		high
https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/	enumerate-domain-computers-via-ldap.yml.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/fireeye/capa-ruleszJdefault	capa.exe, 00000005.00000003.271348290.00000208DAA42000.00000004.00000001.sdmp	false		high
https://www.carbonblack.com/blog/threat-analysis-dont-forget-about-kangaroo-ransomware/	impersonate-file-version-information.yml.0.dr	false		high
https://jp.tiar.app/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/fireeye/capa-rules/tree/master/persistence/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://github.com/tqdm/tqdm/issues/481)0	capa.exe, 00000005.00000002.284331994.00000208DB280000.00000004.00000001.sdmp	false		high
https://dns.switch.ch/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false		high
https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending	inject-pe.yml.0.dr	false		high
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699	reference-anti-vm-strings.yml.0.dr	false		high
https://dns.wugui.zone/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup	bypass-uac-via-scheduled-task-environment-variable.yml.0.dr	false	Avira URL Cloud: safe	unknown
https://circleci.com/gh/vivisect/vivisect/tree/master)	capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	false		high
https://circleci.com/gh/vivisect/vivisect/tree/master.svg?style=svg)	capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	false		high
https://www.smartftp.com/en-us/	gather-smart-ftp-information.yml.0.dr	false		high
https://stackoverflow.com/a/9147327/87207	capa.exe, 00000005.00000002.285583782.00000208DB5B0000.00000004.00000001.sdmp	false		high
https://github.com/tqdm/tqdm#contributions	capa.exe, 00000005.00000002.284448912.00000208DB2C0000.00000004.00000001.sdmp	false		high
https://odvr.nic.cz/doh.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false		high
https://github.com/vivisect/vivisect/blob/7be4037b1cecc4551b397f840405a1fc606f9b53/PE/carve.py#L19	capa.exe, 00000005.00000002.283721793.00000208DAF15000.00000004.00000001.sdmp	false		high
https://doh.42l.fr/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nchsoftware.com/fling/index.html	gather-fling-ftp-information.yml.0.dr	false		high
https://setuptools.readthedocs.io/en/latest/pkg_resources.html#basic-resource-access	capa.exe, 00000005.00000003.272294884.00000208D857F000.00000004.00000001.sdmp	false		high
http://github.com/ActiveState/appdirs	capa.exe, 00000005.00000002.281916122.00000208DAC30000.00000004.00000001.sdmp	false		high
https://doh.eastas.pi-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doh.pi-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#state	capa.exe, 00000005.00000003.273270781.00000208DA625000.00000004.00000001.sdmp	false		high
https://www.amazon.com/ask/questions/Tx27CUHKMM403NP	reference-114dns-dns-server.yml.0.dr	false		high
https://github.com/fireeye/capa-rules/tree/master/linking/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://www.phdcc.com/cryptorc4.htm	encrypt-data-using-rc4-with-custom-key-via-winapi.yml.0.dr	false	Avira URL Cloud: safe	unknown
https://dns.containerpi.com/doh/secure-filter/.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/fireeye/capa-rules/tree/master/communication/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
http://slackinvite.vertex.link/)	capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/fireeye/capa-rules/tree/master/collection/)	capa.exe, 00000000.00000003.243622845.000002967D23D000.00000004.00000001.sdmp	false		high
https://www.wise-ftp.de/en/	gather-wise-ftp-information.yml.0.dr	false		high
https://cloudflare-dns.com/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8	reference-anti-vm-strings.yml.0.dr	false		high
http://pyyaml.org/wiki/YAMLColonInFlowContext	capa.exe, 00000005.00000002.284776285.00000208DB3F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/StackExchange/wmi	linked-against-go-wmi-library.yml.0.dr	false		high
https://www.netdrive.net/	gather-netdrive-information.yml.0.dr	false	Avira URL Cloud: safe	unknown
https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm	check-for-peb-ntglobalflag-flag.yml.0.dr	false		high
https://gist.github.com/joeyadams/4158972	connect-tcp-socket.yml.0.dr	false		high
https://dns.digitale-gesellschaft.ch/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp	check-process-job-object.yml.0.dr	false		high
https://blog.f-secure.com/detecting-parent-pid-spoofing/	spoof-parent-pid.yml.0.dr	false		high
https://github.com/astanin/python-tabulate	capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp	false		high
https://github.com/jquast/wcwidth	capa.exe, 00000000.00000003.249744276.000002967D248000.00000004.00000001.sdmp, capa.exe, 00000005.00000003.276863134.00000208DAA77000.00000004.00000001.sdmp, __init__.cpython-38.pyc.0.dr	false		high
https://dns.containerpi.com/doh/family-filter/.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://adblock.mydns.network/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dohdot.coxlab.net/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46	reference-anti-vm-strings.yml.0.dr	false		high
https://dns.rubyfish.cn/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.joesecurity.org/blog/5852460122427342172	check-for-unmoving-mouse-cursor.yml.0.dr	false	Avira URL Cloud: safe	unknown
https://dns.twnic.tw/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doh.tiarap.org/dns-query.	capa.exe, 00000000.00000003.242697187.000002967D239000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854	get-system-firmware-table.yml.0.dr	false		high
https://github.com/vivisect/vivisect	capa.exe, 00000000.00000003.247863129.000002967D248000.00000004.00000001.sdmp	false		high
https://www.ftpgetter.com/	gather-ftpgetter-information.yml.0.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457941
Start date:	02.08.2021
Start time:	15:21:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	capa.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.spyw.mine.winEXE@6/685@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 66.7% (good quality ratio 60%) Quality average: 61.4% Quality standard deviation: 32.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI7842\Include\pyconfig.h Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	21096
Entropy (8bit):	5.30196060437062
Encrypted:	false
SSDEEP:	384:rG3tApdkHRMYURIn1/8BsRV4ig8as8Ji2MgsdgTaXgDV:rG3tApWySE+aPfZXvV
MD5:	31FEF4BD7506D25D27BF596F949A2066
SHA1:	41F1D3A07B331220DAEA0B106D29D2A2DB74B45E
SHA-256:	12347EF4F8CA786D33CAC569DDF61ACBDC506F986D1AA34F3BAAD8C062543DD3
SHA-512:	062A1EF84DB04D91810CF81604A23E5226326E0BAD0B66077A22D05AC3EF6A06B36EFEBC0552FE2C0FAA17221275E95E77D11B952A29B6D3C3DB144622336B77
Malicious:	false
Reputation:	low
Preview:	#ifndef Py_CONFIG_H..#define Py_CONFIG_H..../* pyconfig.h. NOT Generated automatically by configure.....This is a manually maintained version used for the Watcom,..Borland and Microsoft Visual C++ compilers. It is a..standard part of the Python distribution.....WINDOWS DEFINES:..The code specific to Windows should be wrapped around one of..the following #defines....MS_WIN64 - Code specific to the MS Win64 API..MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs)..MS_WINDOWS - Code specific to Windows, but all versions...Py_ENABLE_SHARED - Code if the Python core is built as a DLL.....Also note that neither "_M_IX86" or "_MSC_VER" should be used for..any purpose other than "Windows Intel x86 specific" and "Microsoft..compiler specific". Therefore, these should be very rare.......NOTE: The following symbols are deprecated:..NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT..MS_CORE_DLL.....WIN32 is still required for the locale modul

C:\Users\user\AppData\Local\Temp\_MEI7842\VCRUNTIME140.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	96120
Entropy (8bit):	6.440691568981583
Encrypted:	false
SSDEEP:	1536:dkb0wrlWxdV4tyfa/PUFSAM/HQUucN2f0MFOqH+F3fecbTUEuvw:dWD4eUp+HQpcNg0MFnH+F3fecbTUED
MD5:	4A365FFDBDE27954E768358F4A4CE82E
SHA1:	A1B31102EEE1D2A4ED1290DA2038B7B9F6A104A3
SHA-256:	6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C
SHA-512:	54E4B6287C4D5A165509047262873085F50953AF63CA0DCB7649C22ABA5B439AB117A7E0D6E7F0A3E51A23E28A255FFD1CA1DDCE4B2EA7F87BCA1C9B0DBE2722
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~.[...[...[.......Y...R...P...[...w.......V.......K.......D.......Z......Z.......Z...Rich[...................PE..d....R^`.........." .........^......`.....................................................`A.........................................A..4....I...............`..L....T..x#..........H,..T............................,..8............................................text............................... ..`.rdata...?.......@..................@..@.data...@....P.......<..............@....pdata..L....`.......@..............@..@_RDATA.......p.......L..............@..@.rsrc................N..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_asyncio.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	64688
Entropy (8bit):	5.9117195037149735
Encrypted:	false
SSDEEP:	768:YVtJbo/5NQQQ2cA27ZKky1qSwr2ysMqBOf/nLeuK1P/dIIYn8sKDG4yMhb:YFborVdW7s1qx737K1P/dIIYndOyQ
MD5:	0400B1958D0F7AA0D2AD409EA12FFEC7
SHA1:	CE1A5C61192FFE489A53F029AC0A95D4ABB3D2B9
SHA-256:	6E25AA5931F175B971DFD05AAB7A24CEF29EDD8F4B524341C414D0577C07A200
SHA-512:	8790F3F9C69823D55350EA63A1B8EBB3DAD64942B6E6752109D2932B3BB848A5101E2A9A4645E93A476A8C4E5C8B27E15EB39B33FCC772A876B0E8AB9FD5EEFA
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%e.ZD..ZD..ZD..S<..XD..60..XD..60..QD..60..RD..60..YD..0..YD...,..XD..ZD...D..0..[D..0..[D..0..[D..0..[D..RichZD..................PE..d...k.`.........." .....\................................................... ......Tk....`.........................................0...P.......d...............................\|....v..T............................v..8............p..0............................text....[.......\.................. ..`.rdata..hJ...p...L...`..............@..@.data...8 ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_bz2.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	87216
Entropy (8bit):	6.403867997493897
Encrypted:	false
SSDEEP:	1536:eKpLuz7t0fjOUSKdvOKJbdV/qj1M9D8WAPpP3JuFIIMVRy7:VizTTmbJJV/qj1M6WAPpP3JuFIIMVI
MD5:	A49C5F406456B79254EB65D015B81088
SHA1:	CFC2A2A89C63DF52947AF3610E4D9B8999399C91
SHA-256:	CE4EF8ED1E72C1D3A6082D500A17A009EB6E8ED15022BF3B68A22291858FECED
SHA-512:	BBAFEFF8C101C7425DC9B8789117FE4C5E516D217181D3574D9D81B8FEC4B0BD34F1E1FE6E406AE95584DC671F788CD7B05C8D700BAF59FBF21DE9C902EDF7AE
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..>...m...m...m...m...ms..l...my.bm...ms..l...ms..l...ms..l...m..l...mD..l...m...m~..m..l...m..l...m.`m...m..l...mRich...m........................PE..d.....`.........." .........h......D................................................=....`..........................................&..H....'.......`.......P..4....8.......p..........T...............................8...............H............................text............................... ..`.rdata...C.......D..................@..@.data........@......................@....pdata..4....P....... ..............@..@.rsrc........`.......*..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_ctypes.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	127152
Entropy (8bit):	5.922573045872942
Encrypted:	false
SSDEEP:	3072:psrzScwzPzuoUxXVxQXKIAqoFQufLTA/1mj9AItH5IIBPmQl:a//wWX8XKIABfLTcmXlyk
MD5:	291A0A9B63BAE00A4222A6DF71A22023
SHA1:	7A6A2AAD634EC30E8EDB2D2D8D0895C708D84551
SHA-256:	820E840759EED12E19F3C485FD819B065B49D9DC704AE3599A63077416D63324
SHA-512:	D43EF6FC2595936B17B0A689A00BE04968F11D7C28945AF4C3A74589BD05F415BF4CB3B4E22AC496490DAFF533755999A69D5962CCFFD12E09C16130ED57FD09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t....x...x...x..m...x..ay...x..a}...x..a\|...x..a{...x..ay...x..}\|...x..}y...x.@\|y...x...y.?.x..au...x..ax...x..a....x..az...x.Rich..x.................PE..d...\|.`.........." ................h_....................................... .......-....`.........................................`t.......t......................................t-..T............................-..8............ ..p............................text............................... ..`.rdata..0p... ...r..................@..@.data....?.......:...x..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_decimal.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	268976
Entropy (8bit):	6.513233394587999
Encrypted:	false
SSDEEP:	6144:OLYg4UlD9GwglHVbM+J3OFBwsgW8w9NoL+Tv9qWMa3pLW1AHGZJXOSRQOGONHPj1:O3lD9GwUVZowsgWP/oL+dAZBR1vjYM
MD5:	A2B554D61E6CF63C6E5BBAFB20AE3359
SHA1:	26E043EFDAAA52E9034602CEBEB564D4F9714A7F
SHA-256:	30EEA56A4D1DD78F9D65FCB6168AB189CFA8098C38AAD47EE770756A056749CA
SHA-512:	5EA99FA23E7657E9F01DC155741D5F93945A2E6C90F1494873AA7C35A8DA0001815B31B387B239EF7DE1695B8F416028166DD94DB259D246D8DC10A37E20DA97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q..H0.H0.H0.AH@.F0.$D.J0.$D.D0.$D.@0.$D.L0..D.K0..X.J0.H0..0..D.I0..D.G0..D.I0..D,.I0..D.I0.RichH0.........................PE..d...q.`.........." .........H...............................................0............`.............................................P........................+........... ..`.......T...........................0...8...............(............................text...Z........................... ..`.rdata..............................@..@.data...X*.......$..................@....pdata...+.......,..................@..@.rsrc...............................@..@.reloc..`.... ......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_elementtree.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179888
Entropy (8bit):	6.344951581234927
Encrypted:	false
SSDEEP:	3072:RYsocTfzwonX/c4J2nK7pz4Km+lT/9IO00FOlekUhkt6D98m+8o190vn1IIkfTG:RYgTLLvhYnK7pz40bIOpMPC+um90vn3
MD5:	8216378D8E15D65DBFCB7BA68BBD923A
SHA1:	91E3A9A89C236D7018854F7F163BC291A46397C2
SHA-256:	00D68D3879AB410601E7E8FB2348D4995CEC2EE78B3A07EA59520D35F9953BB4
SHA-512:	2610324AE9510B68745C5500E7A99366E5EAA0A935A43EB951DD78789772DED6CFE9581B6108540A5CAC9F848173C9375EE6FD91E40CB6A982114905F7CFD578
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aG.M%&..%&..%&..,^d.)&..IR..'&..IR...&..IR..-&..IR..&&...R..'&..~N..&&..%&...&...R..!&...R..$&...R..$&...R..$&..Rich%&..................PE..d...n.`.........." .................................................................&....`..........................................g..X....g.......... .......x...............d.......T...............................8...............H............................text............................... ..`.rdata...{.......\|..................@..@.data................h..............@....pdata..x............z..............@..@.rsrc... ...........................@..@.reloc..d...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_hashlib.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	47280
Entropy (8bit):	6.001614750733328
Encrypted:	false
SSDEEP:	768:E0mbG0HUxzB7992zIyYsw3jYXjV4h6HgevWASdIIYIASDG4ybhMD:Tma00xVMn08x4EBvAdIIYIA2ymD
MD5:	5E5AF52F42EAF007E3AC73FD2211F048
SHA1:	1A981E66AB5B03F4A74A6BAC6227CD45DF78010B
SHA-256:	A30CF1A40E0B09610E34BE187F1396AC5A44DCFB27BC7FF9B450D1318B694C1B
SHA-512:	BC37625005C3DAD1129B158A2F1E91628D5C973961E0EFD61513BB6C7B97D77922809AFCA8039D08C11903734450BC098C6E7B63655FF1E9881323E5CFD739FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^..^..^..&e.^.....^.....^.....^.....^..U..^...6..^..)7..^..^...^..U..^..U..^..U..^..U*..^..Rich.^..........................PE..d.....`.........." .....B...\.......1....................................................`.........................................@...P...........................................4h..T............................h..8............`...............................text...6@.......B.................. ..`.rdata...5...`...6...F..............@..@.data...x............\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_lzma.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	163504
Entropy (8bit):	6.7646371024623475
Encrypted:	false
SSDEEP:	3072:LIVa3V86CLON9lUm+/3i4p9qZqznfY9mNovvFOhYIlLvyFIID15x:LIVa3V81LwlC//q+gYOvPIBvy7
MD5:	CF9FD17B1706F3044A8F74F6D398D5F1
SHA1:	C5CD0DEBBDE042445B9722A676FF36A0AC3959AD
SHA-256:	9209CCC60115727B192BF7771551040CA6FDD50F9BF8C3D2EACBFD424E8245E4
SHA-512:	5FE922C00C6F7FD3CD9BC56FC51DE1F44ADFFBDB0AFC0583F1BB08008BE628B9AC16F8560B0C3BA16138E1CDCAF1C525EF24241BED804804CDEB5961AED6385A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0.C.0.C.0.C.HOC.0.C.D.B.0.C.D.B.0.C.D.B.0.C.D.B.0.C>D.B.0.C.X.B.0.C.0.C.0.C>D.B.0.C>D.B.0.C>D#C.0.C>D.B.0.CRich.0.C........................PE..d.....`.........." .....\|...........3..............................................F.....`.........................................P7..L....7..x............`.......b..........4.......T...........................p...8...............0............................text...i{.......\|.................. ..`.rdata..v...........................@..@.data........P.......4..............@....pdata.......`.......<..............@..@.rsrc................T..............@..@.reloc..4............`..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_multiprocessing.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	30384
Entropy (8bit):	6.046255166198458
Encrypted:	false
SSDEEP:	768:JyJ9dDNuElddhJDueNIIAtWSDG4yBvWLhq:Jg3bJDueNIIAtW2yNB
MD5:	5CADB7186DF07CA4CA5A8654CB00C9F1
SHA1:	513B9160A849A3D7D510F59FFA5E201809D0161B
SHA-256:	54C28DCF2F2A72FC854F49C76FB021BBF2B53675FE5B5ED021C61EFE9467197B
SHA-512:	F853C618CA243B5DA04E53079D3E6A0C6A9E4E358BB5020196B49638F28BF4171A487DB7CE0E5E2C46DF6A643C04434F967F1C614086121D1EDDDCF891F5A409
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-...C...C...C.......C..B...C..F...C..G...C..@...C.e.B...C..B...C...B...C.e.N...C.e.C...C.e.....C.e.A...C.Rich..C.................PE..d...n.`.........." ....."...:......X...............................................m.....`.........................................0Q..`....Q..x.......(....p.......Z...............C..T........................... D..8............@...............................text...w .......".................. ..`.rdata.......@.......&..............@..@.data...x....`.......B..............@....pdata.......p.......H..............@..@.rsrc...(............L..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_overlapped.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	46768
Entropy (8bit):	6.073078500813003
Encrypted:	false
SSDEEP:	768:4ALlM4CwMgcpx3F3O6FNnZoYWEpNQ0vnIzRIIttyFDG4ycD7hQ:4CM4a3F3hrJQ0vnIzRIIttyPyr
MD5:	7D5BB2A3E4FBCEADDFEEF929A21E610C
SHA1:	942B69E716EE522EF01BDE792434C638E3D5497A
SHA-256:	5F92C163B9FE6ABB0F8B106A972F6A86F84271B2E32C67F95737387C85719837
SHA-512:	8C44F1683FDEA0D8121FF2FE36F2582313980EF20EE1985AF7FF36ACB022ACBB7617E85D2DD3B8E75715444DC0CFC4487C81B43D0222BD832AAC867875AFBE30
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X-q..L...L...L...4...L..p8...L..p8...L..p8...L..p8...L...8...L..G$...L..G$...L...L..hL...8...L...8...L...8...L...8...L..Rich.L..................PE..d...o.`.........." .....B...Z......h.....................................................`.............................................X...X.......................................`g..T............................g..8............`...............................text...*A.......B.................. ..`.rdata...5...`...6...F..............@..@.data...p............\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_queue.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	29360
Entropy (8bit):	6.095688203137414
Encrypted:	false
SSDEEP:	768:UbErqQu06rhuOUrRm4MH5IImUVDG4yaC97hP:wuqXhuOC84a5IImUfydL
MD5:	DD146E2FA08302496B15118BF47703CF
SHA1:	D06813E2FCB30CBB00BB3893F30C2661686CF4B7
SHA-256:	67E4E888559EA2C62FF267B58D7A7E95C2EC361703B5AA232AA8B2A1F96A2051
SHA-512:	5B93A782C9562370FC5B3F289CA422B4D1A1C532E81BD6C95A0063F2E3889ECF828003E42B674439FC7CD0FA72F64AD607BAB6910ABE9D959A4FB9FB08DF263C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%a.ZD..ZD..ZD..S<..XD..60..XD..60..QD..60..RD..60..YD..0..YD...,..XD..ZD...D..0..[D..0..[D..0..[D..0..[D..RichZD..........PE..d...o.`.........." ..... ...8.......................................................U....`..........................................B..L...<C..d....p.......`..0....V..........x...L3..T............................3..8............0..8............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......@..............@....pdata..0....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..x............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_ruamel_yaml.cp38-win_amd64.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	6.187946632071743
Encrypted:	false
SSDEEP:	3072:mqryJ7DTZ8n+tHWAcfUnWSIJvy199W5KjYN9MKENb/5jpsFU2YZUs+RSl4ArT:jWJvTZ8ns+cnWby199W92b/DsFU/UsX
MD5:	C8358CA316D2012D668D5AB0D7E8C25E
SHA1:	F0971D597430D5AAFBE3DC83C0A4A6C36549FF6B
SHA-256:	CC4C3BC6889D60DEC78CBD7031A73ADD070B8251BFDA28349CBB2C2C48D9C857
SHA-512:	718B230D113AD5173EF88A8EB1634AD4B92FC3EE164D4C3E9ABB3E1A45E15159295FD820CFA3ECDDCF6F9699B40E5AB8082335CE5AA0F258D6CBF70A797EDF3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ij....}...}...}.p.}...}.}.\|...}.c.\|...}.g.}...}.}.\|...}.}.\|...}.}.\|...}cf.\|...}...}O..}.}.\|...}.}.\|...}.}.}...}.}.\|...}Rich...}........................PE..d......`.........." .....x..........<.....................................................`.............................................h............p.......P.. ...............P......................................8............................................text....w.......x.................. ..`.rdata...I.......J...\|..............@..@.data....c.......R..................@....pdata.. ....P......................@..@.rsrc........p.......0..............@..@.reloc..P............2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_socket.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	80048
Entropy (8bit):	6.104103948567744
Encrypted:	false
SSDEEP:	1536:OnzkyYf2r+ciQG5fF3/1NmaA189/s+7+pMXFxRjD3mh5IIBwlyin:Zy62r+P7VnfA189/se+pYxRPK5IIBw7
MD5:	4827652DE133C83FA1CAE839B361856C
SHA1:	182F9A04BDC42766CFD5FB352F2CB22E5C26665E
SHA-256:	87832A3B89E2ADA8F704A8F066013660D591D9CE01CE901CC57A3B973F0858BA
SHA-512:	8D66D68613FDBA0820257550DE3C39B308B1DCE659DCA953D10A95FF2CF89C31AFE512D30ED44422B31117058DC9FA15279E5AC84694DA89B47F99B0AD7E338A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<.......<...=...<...9...<...8...<...?...<.'.=...<...=...<...=.I.<.'.1...<.'.<...<.'....<.'.>...<.Rich..<.................PE..d.....`.........." .....z..........(........................................`............`.........................................@...P............@.......0..8............P......,...T...............................8............................................text...Dx.......z.................. ..`.rdata...w.......x...~..............@..@.data...............................@....pdata..8....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\_ssl.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	155824
Entropy (8bit):	5.904431204688982
Encrypted:	false
SSDEEP:	3072:PBgil+Nig7FXVxb/8lwiaibUixhk980VUuOazbAOXLkdWXxZIIkjVD6XFIIM7y:PBgi8iWXVxbI/Xhk9gazbRqo3
MD5:	D4DFD8C2894670E9F8D6302C09997300
SHA1:	C3A6CC8D8079A06A4CAC8950E0BABA2B43FB1F8E
SHA-256:	0A721FC230ECA278A69A2006E13DFA00E698274281378D4DF35227E1F68EA3E0
SHA-512:	1422BF45D233E2E3F77DCE30BA0123625F2A511F73DFDF42EE093B1755963D9ABC371935111C28F0D2C02308C5E82867DE2546D871C35E657DA32A7182026048
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4b{.p...p...p...y{..v....w..r....w..\|....w..x....w..s....w..r....j..t...+k..w...p........w..r....w..q....w.q....w..q...Richp...........PE..d.....`.........." .........................................................p......W.....`.............................................d...t........P.......@.......D.......`..........T...............................8............................................text...]........................... ..`.rdata..............................@..@.data... n.......h..................@....pdata.......@....... ..............@..@.rsrc........P.......*..............@..@.reloc.......`.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-console-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.593400064300514
Encrypted:	false
SSDEEP:	192:gYtWphWvWSawTyihVWQ4eWwueSquXqnajZasdyI:gkWphWgwGyVS1lNNx
MD5:	8C1EA3DE9B06DCA5A17ECC851C46FB07
SHA1:	1A85BBD40DB8BDF972834F288542157AA8CA9D63
SHA-256:	3909FB4F509418EE6AACC708340BDC386F58F395B985689960FA02C497B7014A
SHA-512:	B8A75B6099255A67AD5D24515E86FE14E3A34FA02390E44ADC019EFF478F405B6D3F715376F0C6D475A02D575DC06078403B31CBCA9C9695D219AB093F8FBAED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................" .........................................................0............`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-datetime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.616418214858396
Encrypted:	false
SSDEEP:	192:Pn3WphWPWSawTyihVWQ4WWomRd7T0q11qnajVtPxu:vWphWAwGy6Rd7Tplxbu
MD5:	6EA580C3387B6F526D311B8755B8B535
SHA1:	902718609A63FB0439B62C2367DC0CCBD3A71D53
SHA-256:	275AF628666478FABA0442CB4F2227F6F3D43561EA52ECDEC47E4CBDF5F2ABAC
SHA-512:	4146F0FAA09E2B23EE7F970829664031FA4B7B7ACBDB6F27D075EB1DA0D63B2D41AC50E386AC0668157532DB69499CE0588563A9E891D6DD74479788D56494D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d......P.........." .........................................................0......y.....`.........................................`................ ..................."..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-debug-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.606191850818759
Encrypted:	false
SSDEEP:	192:tWphWCcWSawTyihVWQ4eWapfkwqnaj0hFoHg:tWphWGwGyv7lIna
MD5:	B826AC6E0225DB2CFB753D12B527EED3
SHA1:	3EC659EB846B8216A5F769B8109B521B1DAEFDDE
SHA-256:	40F595ADE9F60CA8630870D9122BF5EFC85C1A52AADAD4E4E5ABA3156FA868D5
SHA-512:	00CE60BDF31A687DE63939ECF0F4D5123BAB4DE80B4798712769CD8A0B49B764F8B6E0D7AFDF749B8B574FC447DBA9B78BA59E430C1FE9CF4F8008D9BE5B897D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....m..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-errorhandling-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.6809296260677185
Encrypted:	false
SSDEEP:	192:imxD3TzWphWWWSawTyihVWQ4WWXpaED2D8KN3qnajV2MVornuFaw:iczWphWLwGy/EDt2lxnorn8
MD5:	E6506F25A2D7E47E02ECF4F96395BB38
SHA1:	BBB7D458F619DE7FDEF55583198BFEAB1E8E01FB
SHA-256:	F040D06FAC81AEB3CBDAE559785C58F39532F92307E1BCEF4AFDE4114195EDF7
SHA-512:	CA50727A68F6E58AA803FA251934F93D8A607AB12FD8CF149F68457A685660E422B530F5BCDB7086AE3B71F8578CE77B6B347888A510BF7AE094E42623EFB905
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...}............" .........................................................0...........`.........................................`................ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	15512
Entropy (8bit):	6.568348091811147
Encrypted:	false
SSDEEP:	192:YIAuVYPvVX8rFTsRWphWiWSawTyihVWQ4WWYIStJqnajjqP6G8rgUr:cBPvVX7WphW/wGyxtJlvCz8rgC
MD5:	DE967E2D473D8E55C095DB1094695708
SHA1:	A7C3278F2E84AD8F2148776E611A0B8481AF7670
SHA-256:	318975CC9090747AAEF2D7FEA2B0CEADDB5F8347D01A90F94E7130ED1AD0BD5A
SHA-512:	DB937D171D31E82D26C146254F8A88B7948C9E90B53BA805B5D5DCD56B9273BE02C1B500105FB3C2B42435F7863D023CA7F0B8060FD4DCA5B04B2966219E9F14
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...V4E@.........." .........................................................@............`.........................................`................0..................."..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.6392158841399125
Encrypted:	false
SSDEEP:	192:B+WphWN8WSawTyihVWQ4SWxQz52D8KN3qnajV2MVorWHLm:sWphWNFwGyD5t2lxnorWHLm
MD5:	CC44206C303277D7ADDB98D821C91914
SHA1:	9C50D5FAC0F640D9B54CD73D70063667F0388221
SHA-256:	9B7895C39EE69F22A3ADC24FE787CBA664AD1213CEA8BC3184ED937D5121E075
SHA-512:	E79DF82D7B2281987D6F67780C1C2104E0135C9CFBCB825055F69835B125DEDB58DCD1D5C08CD4E8666F598D49602B36289B077E3A528DB88F02EE603A6E8819
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...b..-.........." .........................................................0.......7....`.........................................`...L............ ..................."..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.7335547816165295
Encrypted:	false
SSDEEP:	192:QVPlWphWYWSawTyihVWQ4eWINt9tCNxXeRqnajRWBs:QVdWphWpwGyZ3t4JeRlF
MD5:	7816039FC35232C815B933C47D864C88
SHA1:	E68FB109A6921F64AE05104BA1AFC1952B868B9A
SHA-256:	9C8F443B3A42E9E1AAA110B12C85F99B3D42CE22849CC3072CF56E29CCDD8401
SHA-512:	943B5EAE98337652B3EE8C0AD88172D5CC22BBEE14E517A91C0D67B89CFBBC68CB854A3F53BADCB49D355EC6E748DE5579E8BF6A0F8EE28F85BA11808FB79E25
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....j............" .........................................................0......;.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.641210440202195
Encrypted:	false
SSDEEP:	192:UWphWZmWSawTyihVWQ4WWYg7T0q11qnajVtPx/e:UWphWZ7wGy87Tplxbm
MD5:	4ABBE981F41D2DE2ABAF96AB760FAB83
SHA1:	09A40758A7C280D08ACBB98320A3902933DDC207
SHA-256:	6BA4E1AC6E8AB26879298D4951FBA25352B6076B346AEC220892454220410875
SHA-512:	C63727B2FEC31FD3B302301E0E7CD6FD7F028A5B7F4C713B0D4763047A5B7918539A0207A1D8D2E10716B10684884682C565630AFE562CC0DC9C34185E6191E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....]............" .........................................................0............`.........................................`...`............ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12440
Entropy (8bit):	6.6020677191345625
Encrypted:	false
SSDEEP:	192:1ZlBVWphW2WSawTyihVWQ4WWa+jrc2D8KN3qnajV2MVornxu:HljWphWrwGygct2lxnorxu
MD5:	605275C17E1CF88B83BE9EF4C330F86B
SHA1:	4A43EA1171BA60F0EA55BD825173E0B113D3C3DA
SHA-256:	3BBBE0FDF572EB5BF3A800D625FAA1FE0D864B126C95425D529870F719DF7315
SHA-512:	CC59F53AA07C4FC6FF5EEF13A9A09CAC8B38BA38226461AD63AB53213D9934430CA297714CBACF36688573C2A867181D36330AE35D525416EE505789F945C115
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....<..........." .........................................................0.......L....`.........................................`................ ..................."..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.688798103865209
Encrypted:	false
SSDEEP:	192:gWphWOWSawTyihVWQ4WWE3SUAOT2XNfqnajVAilG835FH:gWphWTwGy/k9flx6S
MD5:	1763AC0AF41B1BBC75D576A4D86F1BC2
SHA1:	92BBE9320592FBD46AB3875AF4FC4304B16A973A
SHA-256:	F57902B8877ADE936A37448317A01CD79B36CDA8159A17D3CD86A08D53BA7240
SHA-512:	C1BA2D2420CC53377863964D353689FB67E4F8D4821CC337880858486C8909FB7ACF77CB6591E29EE46C20429D479C44820E63F04C16645A6E458F3CC2A9A2CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........................................................0.......d....`.........................................`................ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	6.607919598680885
Encrypted:	false
SSDEEP:	192:nvuBL3B5LGWphWLWSawTyihVWQ4WW1VB7T0q11qnajVtPxm:nvuBL3BsWphWEwGy67Tplxbm
MD5:	83E0D47925476B83941B11A0813A8851
SHA1:	B4EC57FF7B20F2915B80152DD13C580AC7220D36
SHA-256:	A085103240813E53FE1EC04A9676B3A983BA8958786D3F90E34A59733E614357
SHA-512:	AB9683B708EBB1F7C37FC62BB106E7B7626138C3333774338BE1A10D2F21A9CC97246F7F9220F9FABC6EB88B3FD109749F42649CEF1536811E2AABB521324747
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...{!H..........." .........................................................0.......2....`.........................................`................ ..................."..............T............................................................................rdata..D...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	14488
Entropy (8bit):	6.680202388702566
Encrypted:	false
SSDEEP:	384:FOMw3zdp3bwjGfue9/0jCRrndbpWphWywGyc1rhKtklxtW:FOMwBprwjGfue9/0jCRrndbUV3W
MD5:	BCEB3A4FD70578A2BB1E5138EDEEEEB3
SHA1:	9796AFC837C53A83A8E77D4C2BC88C26B31FF525
SHA-256:	8A4B5A175D575D1037A046156630DF4CA5389B4919A9746E1A2F5D456CA50BD8
SHA-512:	7FCC7C22032A22E79B6438F86E491A179F74A9A33CE64D8A6EBC3FB6F9FF1F2E2ECE15CBA19FE756A90B104C6BEEA8F892A98193770B478FECB9DEDB1B66CD25
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...C............." .........................................................0......>.....`.........................................`................ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.652287122511192
Encrypted:	false
SSDEEP:	192:itfZa/GG3m3WphWBWSawTyihVWQ4eWvEcuXqnajZK:z3qWphWWwGyFPlN
MD5:	329FE3E93CFF33D04AF93BEB7AAFB90A
SHA1:	516F6455B2076B9388C8C1E214ECB9A1D7BC86CB
SHA-256:	1541B5811A7AF089ECE0C781F934DA011F0C5667A83F3D1234B4EE5403EB334F
SHA-512:	62C4FA04CF84B81B303E166F6F7C1E90165C67F2EE60CF8A5CFA7719F42C2D793A2DE10F55B3CD270287D91E3F309E5AD1742990092F26BBE2AAE193A4AD4662
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...G..[.........." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11920
Entropy (8bit):	6.746045829861457
Encrypted:	false
SSDEEP:	192:KWphWD2WSawTyihVWQ4SWm01usUDR0qnajVXj9ISv:KWphWvwGyu1uQlxze+
MD5:	5FDED5599461319595639569B49E7E53
SHA1:	71B9F74BAF50D7DB3335806FA25891ACC5943198
SHA-256:	D5E2F838A5BA030BB9ACE8F179E78409B32E0CA0C47839A49A265046B6B73888
SHA-512:	8F8DB3DBE90F7366269A5D27A6E5776E01CFD4931DA34C678642D6AC370741316CB95B5344E27154F539DB2EACBCC1BE872F1E0A7B82E025848F266BCE93AF4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d......D.........." .........................................................0.......N....`.........................................`................ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	6.610758515135146
Encrypted:	false
SSDEEP:	192:VVqWphWbcWSawTyihVWQ4WWhBWz9blDJ5iqnajVss1xos:VVqWphWblwGydz95DKlxT1xos
MD5:	9A9D6258A5AB98BB10B3D36233EADDE9
SHA1:	1053730D49A03CF72EC129E6B6047062F6D8212E
SHA-256:	713CCEA0E9E6F7EA39F88AED12812B16911C38BA0A9234F6D0770C29ED5A3E1F
SHA-512:	187B0C18D12348BB32940B22F6DB37DAF1A18638DEC2CB8A9A0D5A230E430490E732256ACB5AD52E23BD24F2F18310FF9255C96F4A706B02C66029D172219CC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...w............." .........................................................0............`.........................................`...H............ ..................."..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	14488
Entropy (8bit):	6.533005363293854
Encrypted:	false
SSDEEP:	384:MmGJC8k1JzBcKcIvVWphW+wGy+95DKlxT1xg/Q:vcKc1h15Dmg/Q
MD5:	F00887195128EBD4B8F7E95436E86A98
SHA1:	E121114DF338F20666FFADBB86043B0695F0D0CA
SHA-256:	ADB851F8DE3154F32D74B3E65577E2DA195ACE2F78701EB52E09313B271D7544
SHA-512:	799D5D2FE101DB17C0E0EEFED83BA9D1FD003480AAB55CFF6169586A2F771D89532E3798635CB5915DB74953ACA425F55EEE09AA0394285FB374CBA431F595AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....5............" .........................................................0.......4....`.........................................`................ ..................."..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.65874861166986
Encrypted:	false
SSDEEP:	192:QvtxDfIeSHWphW/WSawTyihVWQ4eWuAdVNCNxXeRqnajR:itxDfIeSHWphWQwGyGDN4JeRlF
MD5:	C58E2F3828248F84280F0719FDA08FD2
SHA1:	9679C51B4035DA139A1CC9B689CB2EA1C2E7CDEC
SHA-256:	A1B79943CDF8DED063CDAEC144F8A170DE8BBE97B696445885709573C5E0FAEB
SHA-512:	57CCC658870E9D446F9C9D130ADDE6B96428999697B007E844B7714998D2A23EABED92460C1275A92F1CECA29BE232D5D97E29F0D4D07CC749CDE41BCB5F8729
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...k............." .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11416
Entropy (8bit):	6.785349571526316
Encrypted:	false
SSDEEP:	192:jG+WphWkWSawTyihVWQ4WW8EHAOT2XNfqnajVAilG83lrl:j/WphW9wGycHk9flx6Erl
MD5:	29611D3442A5096FFC8EAF94D0AEFE1A
SHA1:	FBB3510D6E3974A69242FB743B8B15B6BDE0EE33
SHA-256:	775C77F0C4D2A87B207C9678DFDBFF3496559561A95086DCC6ADA33C47082A4C
SHA-512:	925F430B8FC079776AF9388BFB6B741B7C580A6E226EE88E1817BBEE0A1584703B83A5195CC3C24AD3373C8E30789BE4847B07B68FABB13925DB1CE8C3CED726
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0......x.....`.........................................`................ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12440
Entropy (8bit):	6.607179155749351
Encrypted:	false
SSDEEP:	192:dGeV6WphWeWSawTyihVWQ4WWcsa9blDJ5iqnajVss1xPyo:dGeV6WphWDwGyJ95DKlxT1xPyo
MD5:	9F434A6837E8771D461F4000A52AB643
SHA1:	46994247C06B055F5CE5AAECDCD69E00A680F1E5
SHA-256:	8A6B6C7731F6922E6E125FECEACA919E4D26A96349C7B0C90E469396B34B29C7
SHA-512:	31A0A88672406A047DA8C06BE7AA7E3356D2108D0EF507665409D8D38ECAD285DE5BA29763F26BFE27F502F2171697CED2884A6542E4BE4F39E94572FAFA0A4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0......<.....`.........................................`................ ..................."..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.680987524368224
Encrypted:	false
SSDEEP:	192:jyMvqWphWkWSawTyihVWQ4eWjfykwqnaj0ZNF:jyMvqWphW9wGyxlIZn
MD5:	32E739B5F838DCFB8C1AF0D3FF93EEA0
SHA1:	98BD2CA3C6BB7E5E750A7245A254906F38A70C05
SHA-256:	B250B0E69FD96F5F398FC6A0E16DF54F632BC9D575D568E885CF25082BD80A8A
SHA-512:	818EB27E6B0B1D5E9487B588BDF492BF3EF176D43A83A039F651AACD8EC748BF8225966D6957489383D05E1AC63F69E98E91E557719C41BAB690C1A2FF4C780E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....(..........." .........................................................0......A.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.57490566503125
Encrypted:	false
SSDEEP:	384:0dv3V0dfpkXc0vVaTWphWXpwGyF4JeRlF:0dv3VqpkXc0vVaCG1
MD5:	1E5D2D2D6BA5379DB875E46665E05D8E
SHA1:	2B6BD4815C6CC44C3F7B18471849961146C60D03
SHA-256:	F64FABCE8AED2F16D65D8533AFE11EA814E7C01DC7A839F370C7505EACC556AC
SHA-512:	A996BB2F83C5961E9C5D415DFFD630D4798968DEC4F99CEB00C6A32B96ED48CD5F93D6975C28530AB2AB666A074D4C9C7ED5CE32BD57418B94BA84E29B2E8E0A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....u!..........." .........................................................0......qW....`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12432
Entropy (8bit):	6.722419738952607
Encrypted:	false
SSDEEP:	192:ontZ39hcWphWD5WSawTyihVWQ4SWEZK1usUDR0qnajVXj92:utZ39hcWphWSwGyY1uQlxz4
MD5:	5FD759382CEC7F4C280BDC5F3215D22A
SHA1:	7FA466C8482BED4A4AB4745275DB357C9A84CF3C
SHA-256:	36F418F9EEB0C3366BB3F6FBC3F91F37117632C0A5ECA697D76792AA5C2165FA
SHA-512:	101FF9F83F704EEAF38EA20428FA5501F63AEDD69AD808498564B43F37F7059FC9CAA484C4A878819881508309F1082C72809D3E704384EF159BBD512DC24F3D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...;.?A.........." .........................................................0......?.....`.........................................`...x............ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	6.608967943815084
Encrypted:	false
SSDEEP:	192:/KIMFUXWphW1WSawTyihVWQ4WWeeFhPv7T0q11qnajVtPxY2:/BXWphWywGye37TplxbY2
MD5:	33791965A25F3F37D87AF734AADE8BDC
SHA1:	6BD02E05BAB12A636A7DE002F48760B74EDD28BC
SHA-256:	162A0D97D99794A5B7D686ED8AB27BD09D083AD3C02C2721104C19CF68164FDB
SHA-512:	E1C79E606D4887C0E5F7EF582D2AC2E3D767C24636A3FFA35032A0C4D46DE40EB660F71127FB75ECFF6105D9A1EA2C5C0F891C589A4CA5AD8EA9431097F6A412
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....Ak6.........." .........................................................0......J.....`.........................................`...H............ ..................."..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12440
Entropy (8bit):	6.7165053983195415
Encrypted:	false
SSDEEP:	192:tSWphWCWSawTyihVWQ4WWKzUeghKEwkqnajVkL23:tSWphWfwGyP1ghKtklxt3
MD5:	842D23AF3A6A12B10C9A4EE4D79EC1C1
SHA1:	2CD46EBDD418B12444DC351C0073DAFC5B9EABD5
SHA-256:	33ADAC3484118F56F3D8D8745431CEF241D643B46956E08FBB62A63A6F2236DA
SHA-512:	45A8238862B6AD157D261E5120D1BFD3925FA7E429025D7470CE82F64E51C209F4231F37B3445A4CD3F6649C4B0222BFBD845A16C0E5E022685B081B39CD9296
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....8..........." .........................................................0.......#....`.........................................`...P............ ..................."..............T............................................................................rdata..t...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11928
Entropy (8bit):	6.628780928175106
Encrypted:	false
SSDEEP:	192:qoIeWphWnWSawTyihVWQ4WWuB9blDJ5iqnajVss1xHDFi5:qo9WphWowGyT95DKlxT1xHRi5
MD5:	9966AA5043C9B7BBB1B710A882E88D4C
SHA1:	A66BA8F5813A1C573CFCBAF91677323745BDEA91
SHA-256:	514BE125E573F7D0E92F36F9DC3A2DEBB39A8CAE840CBD6C7876296E6D4529B7
SHA-512:	3FBBECEF13E3C8BAF13072BD14348DAA5F824C58D7B04BCB65246A6B03C9D7B6EC97A78645F1A0DFB6347DB4A698E770ED33F1F9FE1378292C3DFA1040FA71C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...D............." .........................................................0............`.........................................`...<............ ..................."..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	6.635659329072802
Encrypted:	false
SSDEEP:	192:aEWphWbWSawTyihVWQ4WWiHJqnajjqP6G8rg50Lp:aEWphW0wGyRJlvCz8rgcp
MD5:	D3D084A56D8CBE2F410DB77CE5A79CDB
SHA1:	0DD30E1F1FEB93A58B8C47CD26F951388D1F867C
SHA-256:	B009AD33C5ECC934791565E8B38C55B4712F79D53A257A04295561D12B4A122A
SHA-512:	23C954818BA45A7AB777042A44A0ABC5712217D2CFCD3714FE043DA1AC22132E0F69B9C795B712A84C21CAEDC405C59AB43DA9B58F86407085609723C44BC881
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....(C~.........." .........................................................0.......j....`.........................................0................ ..................."..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.4300870012171805
Encrypted:	false
SSDEEP:	192:089M0wd8dc9cy1WphWGWSawTyihVWQ4eWMAkwqnaj0:0t0wd8xy1WphWbwGyKlI
MD5:	A50F84E5BDF067A7E67A5417818E1130
SHA1:	EE707C7F537F7E5CD75E575A6244139E017589A5
SHA-256:	47CD1BF8DED816D84200DAC308AA8D937188BDDBB2B427145B54D4CD46D266F4
SHA-512:	892DB3BE7CB4C7F700A9DBE1B56331B2F6C6CE98A63F56AB6810EC1E51B362CA6577271AEFA70CF4FBE867F5762044965B0B81DA1F43D65120B4A860AA0454B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...b.&..........." .........................................................@............`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.589979077155519
Encrypted:	false
SSDEEP:	192:9KNcWphW6WSawTyihVWQ4eW19NuXqnajZMVw:9KNcWphWnwGyU0lN9
MD5:	252077D2DF92B6AD8B9CFEAAA78AD447
SHA1:	1C3E8B683F1B4CD5555A26FE0BAD692C2E8F9FD9
SHA-256:	7BD17163AA56783867B42A267A3805B342DF6D7E832E6AE8F0045D80D73543C6
SHA-512:	7FF85C1ADBE350247B49F8698B5D7706806BC14C488D8D9E6CAF14E4E678DC340A76CEBE858B96365309616AEAAB443791CCFF7A6CA62DDEB0A28F1EEECFF822
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...X.&..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.644112079500101
Encrypted:	false
SSDEEP:	192:zt/PGnWlC0i5C9WphW6WSawTyihVWQ4eWEsbtkwqnaj0nOa:VunWm5C9WphWnwGyy5lInOa
MD5:	0B1C38C9BABECBE7664C80E0DC2C0E68
SHA1:	EBA69FFB10487780C1B5E35430DBEF0E43B8CBD0
SHA-256:	CAD6471E8393046FF3C623454FC904B33E6166E58ED05F98DC36C122309DB618
SHA-512:	3FCA96585F4F6F3968B9D76757B5428531C7AA3B72D0390CD552F567E47B7937B522BB417AF06326ED04E45F83F228312774AE64C438BDD628F1EEFB057ADCB0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...M%I..........." .........................................................0............`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12952
Entropy (8bit):	6.584779333540128
Encrypted:	false
SSDEEP:	192:LaY17aFBRQWphWr+uWSawTyihVWQ4WWR2Gw4ZLqnajVxo+twGdi:TVWphWmwGyHGw6lx2+tLdi
MD5:	EFBC21D545D6C4C57C6A66E836E33A32
SHA1:	4A4C267E2D6181F2AA71F6B3BB6904BE47E06A07
SHA-256:	48A564E05E98D10A327FDD41B1051C7407EADA1530802EFB470B7425AD07742C
SHA-512:	2D9842B3BD1A8E8883202D3B0BFF79440D01086D9B464F893C113EACC57171F74C7D2E003C1A15696B411FB054CDFD24CF539612DEB0BC594815A7442FF1D52C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...+..<.........." .........................................................0......[.....`.........................................0................ ..................."..............T............................................................................rdata..F...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12464
Entropy (8bit):	6.705059986408883
Encrypted:	false
SSDEEP:	192:NWphWfpWSawTyihVWQ4PGWcQV0hbdiqnajBCI:NWphWmwGyrphsl9n
MD5:	C0EFC253C1CFF5778CD23E62060AF6A8
SHA1:	EA760A8BC2248F2066938E16DE849A2D1CC5C539
SHA-256:	525C9A51B70233BDCA0FD0DFD61D7051615616698374CEA0B3CA55B8EF5792A7
SHA-512:	92BADE19F0140A851CB9B5E6C6B1ECAAA84484D4B47DDBB91D99FD6C332A42D50ABD2CD58F5DE3B28851BB0910C5215A340FD4A3082B184DACC4A6B05AD6494C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....u.).........." .........................................................0............`.........................................0...e............ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	21144
Entropy (8bit):	6.218550846690576
Encrypted:	false
SSDEEP:	384:gJI2M4Oe59Ckb1hgmLZWphWdwGyKXeGw6lx2+tE:gi2Mq59Bb1jE+F/ptE
MD5:	DCD968FB42D0FF67E82FE0CE6FF312DD
SHA1:	920E52AB298274FAE942C5CBB478780566CE183E
SHA-256:	A2F7FB5D09670E2D785720D07D2541D064D939F3265DE725D79DBEC07A953B63
SHA-512:	BC518EF9C2C640BCAD1F8D9009C4961307754ECBC4455BD543D80057D1D5707FC7F87A001539CD5F21387A69640F73B9B4B5C3E1FCC5B15CD5E0B0314A98C9CD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........,...............................................P............`.........................................0....%...........@...............0..."..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12976
Entropy (8bit):	6.6076799883738735
Encrypted:	false
SSDEEP:	192:wnqjd71WphW5WSawTyihVWQ4CW8CnbdiqnajBCIej:wn8WphW+wGyEsl9nej
MD5:	4142A4627D4D537389B641545DCDA4CE
SHA1:	D05DAEFC74C4C089F5DF7F3D2E333B2F0D2889D5
SHA-256:	C8D3C40EA5C4EE9167C79AFF577BA9598C1C95B649CB363F980FE72EB3641F56
SHA-512:	11FFF083D8E64EAD33AD980C459D3661DBE3AEC34EA40AD1A4D54EA996985D964C09773F027932BB544C168C3A1E37D50ED82739ABBB66D1C67D809BAD0FBB89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....k............" .........................................................0......@.....`.........................................0...x............ ..................."..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	16536
Entropy (8bit):	6.456296069225527
Encrypted:	false
SSDEEP:	192:zaajPrpJhhf4AN5/KipWphW6WSawTyihVWQ4SW1tJqnajjqP6G8rgvM3:zlbr7fWphWnwGyCJlvCz8rgU3
MD5:	9886BA5285EF26AA6FB093B284BE99AF
SHA1:	BDB8B82F95CE7B309D7CBE0AEA4501455C2F435B
SHA-256:	44FC35755A1865D293E8F9B61D35127474717C03CB8D5C8E400BB288D6624D0B
SHA-512:	C1E172CC0F59DA04CC5CCB44A33851F86CE47BCF308AFA6521B64E5132BAF52245F46A9A376DD5B922E3CF18D0339EC8B9424FF59A0B3695771C5F0E5AC59FD7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...J.E..........." .........................................................@............`.........................................0...4............0..................."..............T............................................................................rdata..d...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	17864
Entropy (8bit):	6.393264759906024
Encrypted:	false
SSDEEP:	192:GpPLNPjFuWYFxEpah7WphWJWSawTyihVWQ4eWyellCNxXeRqnajRyGdFP:G19OFVh7WphWuwGyg34JeRlFyGPP
MD5:	6424969D1330DE668F119587744A77DC
SHA1:	161D63E1B491B673F617843B66AEFA506860C333
SHA-256:	1EA135CDE9495900F7D1339384F4A93DD00053796209F8D625F49C3A3D191AE4
SHA-512:	430EF56DC7D19F2B3565FB03BFAD39D7F9ED67E676FA42337021131E908F93B8442D5D231A259EB43AE08F59E19D726C55E51C2CD684FC71C3A8A30657B608B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...&8............" ......... ...............................................@......n.....`.........................................0...a............0...............$...!..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	18376
Entropy (8bit):	6.271794979288617
Encrypted:	false
SSDEEP:	384:JFvU4x0C5yguNvZ5VQgx3SbwA7yMVIkFGl3WphW/wGyxOilNH:35yguNvZ5VQgx3SbwA71IkFxc7
MD5:	E849ABBFCA44C1A5489E92E6307AA9DC
SHA1:	9E97D3744989F8EE8284AECCA29BFD235B4EDB24
SHA-256:	11311E78B47CE86CBCE9D3FBA59A8CABAD36874F3FE58B4BE6EFAAF40A5E318B
SHA-512:	B2BF9D892DB8C8B779D3C50EAD5D2B275A2EEAC9B9C5592E1159F6D2C04D287DD77D243AF2B9BA1E507D5B1C8C21B742A85E0E2EB17F8E852176D4D31D224422
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...W.>4.........." ........."...............................................@............`.........................................0................0...............&...!..............T............................................................................rdata..............................@..@.rsrc........0......."..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	14280
Entropy (8bit):	6.535643188678725
Encrypted:	false
SSDEEP:	192:iy5NDSWphWuWSawTyihVWQ4eWfguCNxXeRqnajRAQN:iUEWphWzwGyHu4JeRlFA
MD5:	57B9F090AF61F408BBCF4D6A30F80C89
SHA1:	6EBB3353FEB3885846CC68F163B903AA3D58BDFB
SHA-256:	C2C826953847A616B59EAAA261A0C7712037691DD92DF01D9B339C2BA752EF1C
SHA-512:	4DE6EC03B25C5577A8CF8809F38891C9DBEA104FC3001F0A7A16E9000533426D4C65F6704816449B2A6234ABB00F78462149C0A77F662A65100534A25E1C10CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....y.?.........." .........................................................0......a^....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.678177184128737
Encrypted:	false
SSDEEP:	192:DI6fHQduHWphWm4WSawTyihVWQ4eWtEyRpqCNxXeRqnajRMqXMxbh:xfxWphWuwGydy/q4JeRlF2xbh
MD5:	0FC56003FFA56CCBB9E7B4E361F8675F
SHA1:	D3B6C0EFC553D058D115A20ECE9B28A29DD97B6A
SHA-256:	E85F92BAB9228A9F68ED1DD45F10FD08A6E69CEB476CB2A62A2A4B43BF572C3D
SHA-512:	DBE5CF5CE11A797E13A0628AB737D85DAF67005634A5168558FD683AAC8DD90962742C5F071E1BE746B0BDAA5179399F49835CC5CEAD525A683713E3948CBAE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0.......d....`.........................................0...^............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\base_library.zip Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	786502
Entropy (8bit):	5.450051645724445
Encrypted:	false
SSDEEP:	12288:om7QfluqmvPyVRKnyV8h9rfsEND1Jykmrdbbco/:H7QflgvVnyV8h9rfsENxibbd/
MD5:	FE4EEBC2920EAE722B8256BA01C0E088
SHA1:	A5028099F845473AAD6D2EB24BC0FB55E52B97F6
SHA-256:	79A0A02E0133E5939E037C3425DC2E05B1F59AB372501558B86081DFE0861F74
SHA-512:	821133F66FFD0BDB0ACC7292D2198E8576D2F6CC1C64CAD2B0CECC1A0AB0620B6CD152BC762EEA1AB6D8AF2B63A2B37918396098ED6F675A2BC1B6311ACC3222
Malicious:	false
Preview:	PK..........!..............._bootlocale.pycU............e.....................@...sz...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.).z.A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C...s....t.j.j.r.d.S.t.....d...S.).N..UTF-8.....)...sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r.....?c:\hostedtoolcache\windows\python\3.8.10\x64\lib\_bootlocale.py..getpreferredencoding....s..........r......getandroidapilevelc....................C...s....d.S.).Nr....r....r....r....r....r....r........s......c....................C...s....t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r....).r....r....r......localer....).r....r....r....r....r....r........s............c....................C...s6...\|.r.t...t.j.j.r.d.S.t...t.

C:\Users\user\AppData\Local\Temp\_MEI7842\capa.exe.manifest Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1499
Entropy (8bit):	5.273007428939795
Encrypted:	false
SSDEEP:	24:2dt4+iNP4igOMPgi0iiNK+bkgxIme7cb3jgMkb4+GE:cSFP4igOSEK+bkgxImeMcn3GE
MD5:	16BD2E5CDBEC4537604A99573E781C17
SHA1:	053B66C00BC940F0F1CB4F5D601FEA266D9685B9
SHA-256:	90E016D15725B913E55EB939976CAA1CD64EB48B22D4DFC6776F67E8B6CD27D5
SHA-512:	E042D3D8FCABD72FABBECC5695C0B29F439922B63FEAACAEF27D5748EA27D775067834008455DDCCCFEE12397560DD6D098628A2EDE4FCD88A095EEBCDFDC07C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity type="win32" name="pyinstaller" processorArchitecture="amd64" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="" processorArchitecture="" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8

C:\Users\user\AppData\Local\Temp\_MEI7842\capstone\lib\capstone.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5031424
Entropy (8bit):	3.684641871644132
Encrypted:	false
SSDEEP:	24576:MchrWQMZVUrUnvx+zFUQWR1jEbWT1BII8q4Gir1p2:jhrWQMZVUr2x+zERZEiTh4G
MD5:	1C0A3D7DEC9513CD4C742A7038C73445
SHA1:	8A7DCF7371B8C6711B6F49D85CEC25196A885C03
SHA-256:	F59984896A7F3F35B5F169E3D0CC6F4429A363B0F2BF779FFF8EF4CCDCC6B26A
SHA-512:	35182912D37265170B2AB3B2C417E26E49211EB5006B7FE8EAE90F3C1C806DB2477C5652065173E35F5BA7BE4155A89286A6831DDBFFCCD82D526839BB54A596
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n,Y...Y...Y...<..~S...<..~_...<..~......~G......~V......~Q...<..~Z...Y..........~a......~X......~X...RichY...........PE..d.....^.........." .........*@...............................................M.......L...`...........................................3.......3.(.....J......@J..H............J..n....2............................. .2..............................................text...@........................... ..`.rdata..2o&......p&.................@..@.data...h.... 3.......3.............@....pdata...H...@J..J....J.............@..@.rsrc.........J......TJ.............@..@.reloc...n....J..p...VJ.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\flirt.cp38-win_amd64.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	426496
Entropy (8bit):	6.261919091059479
Encrypted:	false
SSDEEP:	6144:HN6/+OKFoinXgER72JMXSGYlu1JhI/7QeCfgNadOSiDDsMitJzV:H5voidlgMmgJ27TCfuadOSL
MD5:	A48DC93AAD0B22C1807B2819C927CD56
SHA1:	50D2E45F9B51F70FC0409C5C25BDB84A13CB6D83
SHA-256:	F3C937A8320B6AF5728BC631366CE244992946C551223FD93DC6F34B5C4BEEAA
SHA-512:	A51A595C2913EC1E5E052F05D11B28DFD4C8B3D3F5C64F843D2DB953B126D0D87F73153E0A48B4F74869D16E31ECB76ECC9E2ED1B627B147B7F1BC2540297FB3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............D..D..D.....D.k.A..D.k.@..D.k.G..D..E..D.k.E..D..E.4.D..D..D.h.D..D.h.F..D.Rich..D.........................PE..d....K.`.........." .....D...<......0I....................................................`..........................................U..h....U...................(..............8...`...T.......................(.......8............`..0............................text....B.......D.................. ..`.rdata.......`.......H..............@..@.data...x....p.......N..............@....pdata...(..........R..............@..@.reloc..8............\|..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\libcrypto-1_1.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3406016
Entropy (8bit):	6.095119740432485
Encrypted:	false
SSDEEP:	98304:ZX+SicVMcqx5q6ypQ821CPwDv3uFfJwwzS:1FicVMcqx5q6yX21CPwDv3uFfJwwz
MD5:	89511DF61678BEFA2F62F5025C8C8448
SHA1:	DF3961F833B4964F70FCF1C002D9FD7309F53EF8
SHA-256:	296426E7CE11BC3D1CFA9F2AEB42F60C974DA4AF3B3EFBEB0BA40E92E5299FDF
SHA-512:	9AF069EA13551A4672FDD4635D3242E017837B76AB2815788148DD4C44B4CF3A650D43AC79CD2122E1E51E01FB5164E71FF81A829395BDB8E50BB50A33F0A668
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<.<.<.5.;...n...>.n...7.n...4.n...?.g...7.<.......!.....E.....=...W.=.....=.Rich<.................PE..d....El`.........." .....f$..........s........................................4......F4...`..............................................h...3.@.....3.\|.....1.......3.......4..O...~,.8........................... .,...............3..............................text....d$......f$................. ..`.rdata........$......j$.............@..@.data....z...p1..,...L1.............@....pdata..d.....1......x1.............@..@.idata...#....3..$...43.............@..@.00cfg........3......X3.............@..@.rsrc...\|.....3......Z3.............@..@.reloc...x....4..z...b3.............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\libffi-7.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\libssl-1_1.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	690368
Entropy (8bit):	5.529996741069741
Encrypted:	false
SSDEEP:	12288:XXnznrSRNaJkxbpdM2QJCCMHxtfz8Irj0R6wQHPRv8Fl4tekY2U2lvz:vSTxbpd/Rrj0R6nd+SJnU2lvz
MD5:	50BCFB04328FEC1A22C31C0E39286470
SHA1:	3A1B78FAF34125C7B8D684419FA715C367DB3DAA
SHA-256:	FDDD0DA02DCD41786E9AA04BA17BA391CE39DAE6B1F54CFA1E2BB55BC753FCE9
SHA-512:	370E6DFD318D905B79BAF1808EFBF6DA58590F00006513BDAAED0C313F6FA6C36F634EA3B05F916CEE59F4DB25A23DD9E6F64CAF3C04A200E78C193027F57685
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...BkT.BkT.BkT.:.T.BkT.jU.BkT.jU.BkT.nU.BkT.oU.BkT.hU.BkT(+jU.BkT.BjThCkT(+oU.BkT(+kU.BkT(+.T.BkT(+iU.BkTRich.BkT........................PE..d....El`.........." ........H.......%...................................................`..............................................N..05..........s........K...l..........L.......8........................... ................ ..0............................text....(.......*.................. ..`.rdata...%...@...&..................@..@.data...!M...p...D...T..............@....pdata..`T.......V..................@..@.idata...V... ...X..................@..@.00cfg...............F..............@..@.rsrc...s............H..............@..@.reloc..5............P..............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	21789696
Entropy (8bit):	5.78613887630946
Encrypted:	false
SSDEEP:	98304:1jCclTCdK0bHP5cOAVs9JiLyFKnkFs2SG:lz0LhWiiGFKnkFxS
MD5:	BF3A415A52ABD0FD721BF19F3D294F1E
SHA1:	399D67A346C357D2790648345AD28044F3610E65
SHA-256:	FC5A096FB7FC4625FAF4FF7CFC8DBBB2D308872E38A45F11BA536CEDC0024628
SHA-512:	B835FCBDC5D8A6438872773E84DAF541A3C371737A0F59682C03C20AD06CC9B39641705DB5FAD04EBCF3B6DDC1EF489E1790046608B353703CAE18D609853BFF
Malicious:	false
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\_MEI7842\lief.cp38-win_amd64.pyd, Author: Joe Security
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........9.uij.uij.uij..mk.uij..jk.uij..lkiuijK.j.uijk.mk.uijk.jk.uijk.lkEuij..hk.uijC.hk.uij.uhj.tijM.mk.uijM.lkCtijM.ik.uijM.kk.uijRich.uij........................PE..d...u..`.........." ..........>.....$.........................................M.......L...`.........................................0.;.H...x.;.<.....L.......A..S............M.4q....5.......................5.(.....5.8............................................text............................... ..`.rdata..$.-.......-.................@..@.data........;.......;.............@....pdata...S....A..T....@.............@..@_RDATA........L.......L.............@..@.rsrc.........L.......L.............@..@.reloc..4q....M..r....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\msgpack\_cmsgpack.cp38-win_amd64.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.150448515402666
Encrypted:	false
SSDEEP:	1536:hXXKj5CbtO1Lmimn/PXUdvq/dMpY+inIAnL4s8mG/UUFMf0E3sHjsj6wdsyXPJm/:hHKYPFHWvQMpsjnER7i8rwds4P+h
MD5:	04646100FD3CE31362411B61FD105108
SHA1:	C2E9884AD47CA3FF17C8421B52545CF4815D4E7D
SHA-256:	1528DD357E3F48CB48DEBC451557C19A1C976EDA25D238DBBD34BA643006A93D
SHA-512:	65DE19DEAEA2BC0EE929F99944C2E67C444FE269792429FC74296FBD9C815DF8C56459AFDD2775E2FF5B9BC1EAE2D421307BE063C632E0378B4C5F2E76017838
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C.c...c...c.......c..P....c.......c..P....c..P....c..P....c..Y....c...c..'c..y....c..y....c..y.o..c..y....c..Rich.c..........PE..d...@^._.........." .....0..........T........................................0............`.............................................`... ...d............................ ......................................@...8............@...............................text...8/.......0.................. ..`.rdata.......@.......4..............@..@.data....1.......&..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\pyexpat.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	192176
Entropy (8bit):	6.31703230082655
Encrypted:	false
SSDEEP:	3072:s/aC72KSgM/ehOrwkSW8chDNcKNOxywSXaFUAKLnVzPOvNRyfIvfTZvZ3OFVnVvU:QaQX/UehaTSW8chOFTiLndkyfiTJ0VvU
MD5:	2AE23047648257AFA90D0CA96811979F
SHA1:	0833CF7CCAE477FAA4656C74D593D0F59844CADD
SHA-256:	5CAF51F12406BDB980DB1361FAB79C51BE8CAC0A2A0071A083ADF4D84F423E95
SHA-512:	13052EB183BB7EB8BB2740FF39F63805B69E920F2E21B482657A9995AA002579A88296B81EC415942511D2ED146689D1868B446F7E698E72DA22F5C182706030
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.;f..U5..U5..U5...5..U5s.T4..U5s.P4..U5s.Q4..U5s.V4..U5..T4..U5D.T4..U5..T5o.U5..X4..U5..U4..U5..5..U5..W4..U5Rich..U5........PE..d...u.`.........." ................8...............................................M.....`............................................P... ........................................5..T............................6..8............ ...............................text...c........................... ..`.rdata..F.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\python38.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4211376
Entropy (8bit):	6.417768211607164
Encrypted:	false
SSDEEP:	49152:7szv0pyfz43jjWo2tAfHkhPAXCZT8nyhhA2i2hLX5CSwkINazHO+MJnjPabxTdOF:7P/kuARjoNYH5MJubFiH
MD5:	26BA25D468A778D37F1A24F4514D9814
SHA1:	B64FE169690557656EDE3AE50D3C5A197FEA6013
SHA-256:	2F3E368F5BCC1DDA5E951682008A509751E6395F7328FD0F02C4E1A11F67C128
SHA-512:	80471BFEEAB279CE4ADFB9EE1962597FB8E1886B861E31BDFF1E3AA0DF06D93AFEB3A3398E9519BAB7152D4BD7D88FA9B328A2D7EB50A91EB60FEAD268912080
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`....................................................................j...q...j.......j.....j.......Rich............................PE..d...a.`.........." ..........".....$.........................................C.....4.@...`.........................................`.8.......9.\|....pB......p@......&@.......B.\t...q!.T...........................0r!.8............. .h............................text............................... ..`.rdata........ .....................@..@.data...l.....9.......9.............@....pdata.......p@.......=.............@..@.rsrc........pB.......?.............@..@.reloc..\t....B..v....?.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.git Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.898068512058838
Encrypted:	false
SSDEEP:	3:vW5ctmK:vZtP
MD5:	74697666F2CD75FC9979F2E85DE15086
SHA1:	9222282710ADC9BF797728D45A5A9B81164CDD5B
SHA-256:	A59DD52B5FF1EDA2D29F3DCEE29C615E833D68D30DB82D08DF5B3D192A6A164E
SHA-512:	1CCF9E063BF6AD60FAF95E70178B41F187619F12911DEC0E1FA7EF08162BC82DE4A2B969950CABC138D4D10B5B76CC7A151F37E9B4A3C51CE637336CB020AF20
Malicious:	false
Preview:	gitdir: ../.git/modules/rules.

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.gitattributes Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	243
Entropy (8bit):	4.481824890447673
Encrypted:	false
SSDEEP:	6:SRZgC1oED9dSkAjFNcFqragyEfF72OW5Jexo4pIFGDBuRcXjrSiKydA:kX98jTGlEf92Odvp8czrHFA
MD5:	DCFDDC36C5D9A5AC9A3F361A3B723202
SHA1:	7ACFD48A680B475D1D40DABB5C125ABEADCAD754
SHA-256:	331BA68BA5A42BB8E0383E8B3687F6BA6C42C6D474873E0757DED1824E21A061
SHA-512:	A871F6AB9A4CF90A73D429854D52F0D28F4EEA7A430806E3B61E36C34B084E4D5C8F637F11010351BC156E5B964FD0DB3B97650712D5462D5689A0CC9C01DB0F
Malicious:	false
Preview:	# Set the default behavior, in case people don't have core.autocrlf set...* text=auto....# Explicitly declare text files you want to always be normalized and converted..# to native line endings on checkout....yml text...md text..*.txt text..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\ISSUE_TEMPLATE\false_negative.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	839
Entropy (8bit):	4.894787761405779
Encrypted:	false
SSDEEP:	24:A74OywRazEGbSr/cGYPCRX0rctN17GaOJ5r:YyUazwVYm0Q97GaWR
MD5:	017D8A8ED0B50423A743E5A521033B30
SHA1:	27CAC13F3EFA8E4C7DAEDB85B241408E0B0C2313
SHA-256:	D195539D68720B75B51AE19725276E286AB6DAF69972A68B7FAFC9642B3B85EA
SHA-512:	57FB69FBCC679E65AA504DAE5A331AF0EBB7559FA18F81833BDBB2349263B19A523C7A50A39DD7460C98AC621BCAF9FC759F6A2DE71289DCBE81BC1763CDD9C3
Malicious:	false
Preview:	---..name: False negative..about: Report a sample that should have matched but didn't (false negative)..title: "[RULE NAME]"..labels: false negative....---.... ....Have you read capa's Code of Conduct? By filing an Issue, you are expected to comply with it, including treating everyone with respect: https://github.com/fireeye/capa/blob/master/CODE_OF_CONDUCT.md..-->....## Summary.... Rule name and one paragraph explanation of the false negative. -->....## Examples.... If you can, please include a hash for the sample you'd expect capa to match. If you've reverse engineered the sample please also include offsets or any additional information. -->....## Possible improvements.... How can the rule be improved? -->....## Additional context.... Add any other context or screenshots about the false negative here. -->..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\ISSUE_TEMPLATE\false_positive.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	797
Entropy (8bit):	4.88907117055268
Encrypted:	false
SSDEEP:	24:AfhBERazEGbSr/cGYPMBIRX0rctN17GaOJ5r:GUazwJYYc0Q97GaW5
MD5:	ADC0584CAC0009468096C222B914A7E3
SHA1:	8EDEF1C465DAEC8DF9EE357F194E923C46809851
SHA-256:	95664F4E33F85BD54E2400F7C672436D7489F638483C33C3E020532F85C75F7D
SHA-512:	BE8689A8EB35C015A44015A8D59EAF987EC0467AF7573D79ED9195AB868A20DAC664DAB4D04B746963FF3FC291E57A7FE7796A0A41D8F1874DD2A87675870C65
Malicious:	false
Preview:	---..name: False positive..about: Report a false positive rule match..title: "[RULE NAME]"..labels: false positive....---.... ....Have you read capa's Code of Conduct? By filing an Issue, you are expected to comply with it, including treating everyone with respect: https://github.com/fireeye/capa/blob/master/CODE_OF_CONDUCT.md..-->....## Summary.... Rule name and one paragraph explanation of the false positive. -->....## Examples.... If you can, please include a hash for the false positive rule match. If you've reverse engineered the sample please also include offsets or any additional information. -->....## Possible improvements.... How can the rule be improved? -->....## Additional context.... Add any other context or screenshots about the false positive here. -->..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\ISSUE_TEMPLATE\rule_idea.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2027
Entropy (8bit):	4.882102368290966
Encrypted:	false
SSDEEP:	48:b9EXe7+tFazyBZAHhD0Yf810LcX7GaWLr/Noqll:hZ7+tFIyB+BD0AL+Gp/Noqll
MD5:	C6AA6E9535407C522C4861CB23B04A6E
SHA1:	DA915A7D8EDA0A7DD7AD306CFD926B1F4BB40A10
SHA-256:	13C8BCB4113128E281FF7CD8F1284E4D6C83E4BDE1735E860BB6686B1B9C65CA
SHA-512:	0CFEF53D69C572F78436D588C8631CE5BBF4F5B5CED8C59079C8661FFB64EAA625306221AC34A52B51EBB6462F8346F01690C328D40E71DB64FFE157B1E6CCEF
Malicious:	false
Preview:	---..name: Rule idea..about: Suggest a new rule for capa..title: "[RULE NAME]"..labels: rule idea....---.... ..Please use your proposed rule name as issue title. See convention at https://github.com/fireeye/capa-rules/blob/master/doc/format.md#rule-name.....The more information you can provide the better. However, we would rather collect more ideas than miss an interesting rule because of the amount of required data. So in that case you submit whatever you can. ....Have you read capa's Code of Conduct? By filing an Issue, you are expected to comply with it, including treating everyone with respect: https://github.com/fireeye/capa/blob/master/CODE_OF_CONDUCT.md..-->....## Prerequisites....* [ ] Put an X between the brackets on this line if you have done all of the following:.. * Checked that your rule idea isn't already filed: [search](https://github.com/fireeye/capa-rules/issues?q=is%3Aissue+is%3Aopen+)....## Summary.... Rule name and/or one paragraph explanation of the ca

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\scripts\changelog_author.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	318
Entropy (8bit):	4.687895987477412
Encrypted:	false
SSDEEP:	6:IbAYPQi5WL+QEoGORx9a9wO66Z0ewf43h9KncyloE7jmyFyrJitAwr52:9UBWLxiIaqt6ifMfJitCWAitAi2
MD5:	165BC1C2BF9060E5D795C13871021231
SHA1:	538147801CDD658CB4F6AC809A33A9900CCF2FAE
SHA-256:	18550BFCBD13640A9DC3A0115E4DD2835D6984B67377C8A2024D79D2363137E8
SHA-512:	171ADC7283B0A472E2B60150FC4527E1A2713D80290473F2BD226933F2C53FA55F1DCE2B663CFEB8DC123ACE234FA7AFBAEC4E7C8AA702A2C83C73D44C073F47
Malicious:	false
Preview:	import yaml..import sys....rule_file = sys.argv[1]..with open(rule_file, 'r') as stream:.. rule_yaml = yaml.safe_load(stream)....author_value = rule_yaml["rule"]["meta"]["author"]..if isinstance(author_value, list): # list of authors.. print(" ".join(author_value))..else: # one author.. print(author_value)..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\workflows\sync.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3334
Entropy (8bit):	4.814231995228557
Encrypted:	false
SSDEEP:	48:a1kaw6Bf1GWMTfs8rBFeQ1v7nfjwBnCyBs5NOm71GWMrf6Ocq/l8i6Bqu1leLYAP:u+TprXbmCyOorx/eDBqglIYnm6rMMw
MD5:	68BDAAC4581EED953CD48959DB408925
SHA1:	E36602B2D0FA36C792E4532820A32B5630C5246D
SHA-256:	24D19E52A956E3834EC10B5232EB5948729DBCCA5FC45B9CEC5FF74AFE576BA0
SHA-512:	28C76C430E911F244C9ADB06A08C6B9F29823BFE3537063BDAD5E4EF6ACD162EF4CEAEEC1601E06AF08B696CAFAD49EA1FA86E86790A269E9B8F7327B5A54357
Malicious:	false
Preview:	name: Update rules number badge and sync rules submodule in capa..on:.. push:.. branches: [ master ]..jobs:.. update_num_rules:.. runs-on: ubuntu-20.04.. steps:.. - name: Checkout capa-rules.. uses: actions/checkout@v2.. - name: Update rules number badge in README.. run: \|.. num_rules=$(find . -type f -name '.yml' -not -path './.github/' \| wc -l).. sed -i "s/rules-[0-9]*-blue\.svg/rules-$num_rules-blue.svg/" README.md.. - name: Commit changes.. run: \|.. git config user.email 'capa-dev@fireeye.com'.. git config user.name 'Capa Bot'.. # Do not fail the action if rules number doesn't change.. git add -A.. git diff-index --quiet HEAD \|\| git commit -am 'Update rules number badge'.. - name: Push changes to capa-rules.. uses: ad-m/github-push-action@master.. with:.. github_token: ${{ secrets.GITHUB_TOKEN }}.... sync_submodule_capa:.. runs-on: ubuntu-20.04.. needs: update_num_rules.

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\.github\workflows\tests.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2855
Entropy (8bit):	4.614027929043786
Encrypted:	false
SSDEEP:	48:ILa8MQ6ixB4ZvBqu1z9U8iVQMM/+btR4tFRou6B4ZaV1EG/cNpyklqS:IBk+CxBqgz9T2QW5R4tPopCoMWcNpaS
MD5:	2414272BD53AD49B54AF6E52E00F5000
SHA1:	97CC3F5DE8B694C6B95C11E3A4ACBC495BE3A02D
SHA-256:	7185A9C5606FF53B635EF8D02EF5557C1FFEE8A861A62B04B413B2983F275092
SHA-512:	16C7302217E70042514FDC5135C8CC3010B4FF75999805878EF77462D04C2966567A9355D33CDE43A7C3187BDE6CE9D2C4E73F45B62D0F6C11AEF687F364ED2B
Malicious:	false
Preview:	name: CI....on:.. push:.. branches: [ master ].. pull_request:.. branches: [ master ]....# save workspaces to speed up testing..env:.. CAPA_SAVE_WORKSPACE: "True"....jobs:.. rule_linter:.. runs-on: ubuntu-20.04.. steps:.. # We check the submodules separately as the rules submodule's reference may not be our PR/master.. - name: Checkout capa without submodules.. uses: actions/checkout@v2.. with:.. repository: fireeye/capa.. - name: Checkout capa-rules.. uses: actions/checkout@v2.. with:.. path: rules.. - name: Checkout capa-testfiles.. uses: actions/checkout@v2.. with:.. repository: fireeye/capa-testfiles.. path: tests/data.. - name: Set up Python 3.9.. uses: actions/setup-python@v2.. with:.. python-version: 3.9.. - name: Install capa.. run: pip install -e ... # Regular lint is fast, so do this first.. - name: Run regular lint on all rules.. run: python scripts/li

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\LICENSE.txt Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11560
Entropy (8bit):	4.476377058372447
Encrypted:	false
SSDEEP:	192:qf9qG4QSAVOSbwF1wOFXuFJyQtxmG3ep/7rlzKfHbxc+Xq0rhlkT8SHfH2:kOu9b01DY/rGBt+dc+aclkT8SH+
MD5:	D273D63619C9AEAF15CDAF76422C4F87
SHA1:	47B573E3824CD5E02A1A3AE99E2735B49E0256E4
SHA-256:	3DDF9BE5C28FE27DAD143A5DC76EEA25222AD1DD68934A047064E56ED2FA40C5
SHA-512:	4CC5A12BFE984C0A50BF7943E2D70A948D520EF423677C77629707AACE3A95AA378D205DE929105D644680679E70EF2449479B360AD44896B75BAFED66613272
Malicious:	false
Preview:	.. Apache License.. Version 2.0, January 2004.. http://www.apache.org/licenses/.... TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.... 1. Definitions..... "License" shall mean the terms and conditions for use, reproduction,.. and distribution as defined by Sections 1 through 9 of this document..... "Licensor" shall mean the copyright owner or entity authorized by.. the copyright owner that is granting the License..... "Legal Entity" shall mean the union of the acting entity and all.. other entities that control, are controlled by, or are under common.. control with that entity. For the purposes of this definition,.. "control" means (i) the power, direct or indirect, to cause the.. direction or management of such entity, whether by contract or.. otherwise, or (ii) ownership of fifty percent (50%) or more of the.. outstanding shares, or

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\README.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5895
Entropy (8bit):	4.802043182344783
Encrypted:	false
SSDEEP:	96:/3S8tS4dZTk8VmHs1di5HNAbs2Myw8ycZ8kBXNcz6iU015xaVgsLQSx:/zthzTk8sHs1dcuTMyw8yeBXNcz6iU0S
MD5:	F7CEE4266CCCE1B565D93F1B2E50012B
SHA1:	4F330C6E093133DA3B62567AAF2A01DB541BAB7D
SHA-256:	4C87EB69300EC3E7C6F6A2EA1DD004403F359FC04543173C2833C755636684D0
SHA-512:	F4F709821BA4D399C9C65ECAB9348C852ECD941082D0972EB8FA3AFB78DCF9E3C20FEDD25A089A82670CB55BE72A886FD70D5DAE8CFC8CC25E432FF294783159
Malicious:	false
Preview:	# capa rules....[![Rule linter status](https://github.com/fireeye/capa-rules/workflows/CI/badge.svg)](https://github.com/fireeye/capa-rules/actions?query=workflow%3A%22CI%22)..[![Number of rules](https://img.shields.io/badge/rules-579-blue.svg)](rules)..[![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)....This is the standard collection of rules for [capa](https://github.com/fireeye/capa) - the tool to automatically identify capabilities of programs.....## philosophy..Rule writing should be easy and fun! ..A large rule corpus benefits everyone in the community and we encourage all kinds of contributions.....Anytime you see something neat in malware, we want you to think of expressing it in a capa rule...Then, we'll make it as painless as possible to share your rule here and distribute it to the capa users.....## rule development....capa uses a collection of rules to identify capabilities within a program...These rules are easy to write, even for thos

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-av\check-for-sandbox-and-av-modules.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	4.531277214385309
Encrypted:	false
SSDEEP:	24:mMWbzliZKU0Enju2rblOmGYktLuEztDp7rFE2v:mMWnverxx0KMnPiS
MD5:	5FFF89F41EAF6DE4213846698D3ABB30
SHA1:	B47B80BD16830CF9E79E720EFA26D2403FEC7CBB
SHA-256:	602B8C4CAAF7CC62A710C794C3DE824E35621C49B47D3F90A78DAE7F8DB4B4DF
SHA-512:	9AF5CF91E12C83FE196F4226243BA47E0543C1FA1964649C97E2544CBF3898CA220D0246AC417CAD7BE1AC16DB0F72338DF9A34F3FC7468ED0B29426EA2FB51E
Malicious:	false
Preview:	rule:.. meta:.. name: check for sandbox and av modules.. namespace: anti-analysis/anti-av.. author: "@_re_fox".. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. - Anti-Behavioral Analysis::Sandbox Detection [B0007].. examples:.. - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0.. features:.. - and:.. - api: GetModuleHandle.. - or:.. - string: /avghook(x\|a)\.dll/i.. description: AVG.. - string: /snxhk\.dll/i.. description: Avast.. - string: /sf2\.dll/i.. description: Avast.. - string: /sbiedll\.dll/i.. description: Sandboxie.. - string: /dbghelp\.dll/i.. description: WindBG.. - string: /api_log\.dll/i.. description: iDefense Lab.. - string: /dir_watch\.dll/.. description: iDefense Lab.. - string: /pstorec\.dll/i.. description: SunBelt Sandbox.. - string: /vmcheck\.dll

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-debugger-via-api.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	795
Entropy (8bit):	4.913075850765477
Encrypted:	false
SSDEEP:	12:mdmGpil/Dp5fFftKUgYz888jycA+Y2QM5EIz/hximzrXqY8nXq4vXqMWJ:mMrlLH3KUgYA88jycA52EYj6Y86z5
MD5:	98900CE4D8636436E7C1FC4D1C5183D3
SHA1:	3BF24D5A422C2742C809D6FE653D45989494DFDB
SHA-256:	CB3145176EEC6907BECD14DA78DE63C9C042B00D8C78C3763FEF87598AB46220
SHA-512:	348E814D1FD88D5A27B4059A0AA96F309DBA20CF1E22EB804BC65C037A94E7C0597CE2D53F04321E7606DB43FF5DBD71E89D4D1CB608BF09238232137BD252DC
Malicious:	false
Preview:	rule:.. meta:.. name: check for debugger via API.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002].. - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp.. examples:.. - al-khaser_x86.exe_:0x420000.. features:.. - or:.. - api: kernel32.CheckRemoteDebuggerPresent.. - api: WUDFPlatform.WudfIsAnyDebuggerPresent.. - api: WUDFPlatform.WudfIsKernelDebuggerPresent.. - api: WUDFPlatform.WudfIsUserDebuggerPresent..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-hardware-breakpoints.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	726
Entropy (8bit):	4.93533773235236
Encrypted:	false
SSDEEP:	12:mdmGpopCl/Dp5fFftKU1cA+Y2QM5EI5hxiIX9FM43+M/qGwIFsv:mM7ClLH3KU1cA52EIrI43TqvIFsv
MD5:	1EAEBCE0EDAC89FF2F9DD1F79CF32350
SHA1:	D509EC2C32E582B3BC4A03B92B0E037DA1B43D15
SHA-256:	2B82363CAE34F1C2A0DBF1542661F2B67572617249097D5F10CC9ED13584BB25
SHA-512:	12A3E49D3B95E0995F66AA66A9DB3C41856E0C3EA805BDA17110F5107F530E142DC62D9AB75464C906D1E9A092A4D15BD35607A0968305DB0571548AE95D7100
Malicious:	false
Preview:	rule:.. meta:.. name: check for hardware breakpoints.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp.. examples:.. - al-khaser_x86.exe_:0x42035D.. features:.. - and:.. - api: kernel32.GetThreadContext.. - number: 0x10010 = CONTEXT_DEBUG_REGISTERS.. - offset: 0x4 = DR0.. - offset: 0x8 = DR1.. - offset: 0xC = DR2.. - offset: 0x10 = DR3.. - count(mnemonic(cmp)): 4 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-kernel-debugger-via-shared-user-data-structure.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.720415822192775
Encrypted:	false
SSDEEP:	12:mdmGpJxgl/Dp5fFftKUwoycA+Y2QM5EIvQmw8PG45hxiZkNXZmCzBM:mMsmlLH3KUwoycA52Efj8Iqy
MD5:	AF9B8A68F8BA5F91502ED08551946D0F
SHA1:	EA55A1DCB6D2494EB825E9FF5BA322FBCDD3CB6C
SHA-256:	B4C933769821EA85D6DB503F63496D75C3EDB8F9676B0B393884AE424D7CEA2D
SHA-512:	442CB04B275D345E6401B30AD74FEBCE84A68221D13C39371D2E36427C0CFD06C37BC080F4909A085B1CE1145C286F673E643663779590A42814F4E47C84B8B2
Malicious:	false
Preview:	rule:.. meta:.. name: check for kernel debugger via shared user data structure.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection [B0001].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SharedUserData_KernelDebugger.cpp.. - http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data.htm.. examples:.. - al-khaser_x86.exe_:0x430E60.. features:.. - and:.. - number: 0x7FFE02D4 = UserSharedData->KdDebuggerEnabled.. - basic block:.. - and:.. - mnemonic: and.. - number: 0x2 = KdDebuggerNotPresent.. - basic block:.. - and:.. - mnemonic: and.. - number: 0x1 = KdDebuggerEnabled..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-outputdebugstring-error.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	498
Entropy (8bit):	4.786323768855046
Encrypted:	false
SSDEEP:	6:hAvlmGsWVxtq5lmUiqImGKJClESgyZlKUCZGVZTHv5owdnvcCh38GG7/bv/b7Zl:mdmGpNq5l/Dp5/wKUrVPbnvcChwLj
MD5:	90F32AB5DC3C69FAD3478D065A4B27BE
SHA1:	8D442A3B96AAF86CEDB092526AD5EE986F02BF3E
SHA-256:	C28094FC4D4FDB1540257D4E914EDA70B69502D0DF59C172B9035F4BF0589997
SHA-512:	75D33F6255F2825B8C16C8C9C4395BF6E3F1AD9146D5B06DB9247BFE6CCB581B233143A6C990E6DB6363C12C8258C2D07F6462EA5B03E216C8AF6BF245C12D2D
Malicious:	false
Preview:	rule:.. meta:.. name: check for OutputDebugString error.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016].. examples:.. - Practical Malware Analysis Lab 16-02.exe_:0x401020.. features:.. - and:.. - api: kernel32.SetLastError.. - api: kernel32.GetLastError.. - api: kernel32.OutputDebugString..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-peb-beingdebugged-flag.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.771029254691361
Encrypted:	false
SSDEEP:	12:mdmGp4l/Dp3C/wKUSGWrfeXcAdnvhX4nbnvwXz+:mMJlLZC4KUSGWrWXcAhhXYzwXK
MD5:	82CFAF8CDE42D02554F959462833C2BB
SHA1:	A2ACEB263D0B2D3BDBBD2198F331383C4FB32D6B
SHA-256:	D391A358F57D7B81B01CC6778F5DE8EAAAACA61B37F9D2E6C1AE2F823519C694
SHA-512:	E4538E04A9FEF3A20DB43982B6C3763F46C886AD48496F020EA9F9F786E83A18968A2E5E941317CA6F00770415372F601FB68A56E5E52C464272115E6FA40221
Malicious:	false
Preview:	rule:.. meta:.. name: check for PEB BeingDebugged flag.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: moritz.raabe@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035].. references:.. - Practical Malware Analysis, Chapter 16, p. 353.. examples:.. - Practical Malware Analysis Lab 16-01.exe_:0x403530.. features:.. - and:.. - match: PEB access.. - offset: 2 = PEB.BeingDebugged..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-peb-ntglobalflag-flag.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	4.845719201071461
Encrypted:	false
SSDEEP:	24:mMszDlLZC3KUSGWr6LcAhhXnSfQ3hzw11ACnApAUnA2hSiV:mM8Dx0apWcKBnQYhz6pnSDnrhhV
MD5:	897CE601592AC687887593F1CBC1289D
SHA1:	CB935CF45D686049BEE289AE432BEF20DD7C4AA5
SHA-256:	EDEE6F34447658129BDCBF427A478385730AA5076FAD7122CC224593E0C5FD60
SHA-512:	F38F1B292CA276263C836EBFDFED2DE9594297729683AD5E376E3727D376CDE6B1564653E5E40AFCBF94667C9D497A8301D8DABF34B56748A0A64D284014E761
Malicious:	false
Preview:	rule:.. meta:.. name: check for PEB NtGlobalFlag flag.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036].. references:.. - Practical Malware Analysis, Chapter 16, p. 355.. - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm.. examples:.. - Practical Malware Analysis Lab 16-01.exe_:0x403530.. features:.. - and:.. - basic block:.. - and:.. - match: PEB access.. - or:.. - or:.. - offset/x32: 0x68 = PEB.NtGlobalFlag.. - offset/x64: 0xBC = PEB.NtGlobalFlag.. - and:.. - mnemonic: add.. - or:.. - number/x32: 0x68 = PEB.NtGlobalFlag.. - number/x64: 0xBC = PEB.NtGlobalFlag.. - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CH

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-protected-handle-exception.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	640
Entropy (8bit):	4.74050471689074
Encrypted:	false
SSDEEP:	12:mdmGp07Ewl/Dp5fFftKUtqAsKu7cA+Y2QM5EIrMAsKLFwhxi9YLAsKcfNv:mMhlLH3KUMj7cA52EFaw9Lpv
MD5:	70872AFE346DFB0D8A4A38657478C2DB
SHA1:	F49BB6B0D5C35C265C64D84EEB1EFBC9E759AAAD
SHA-256:	A1DACEAE13188E3FAEC104DEDD7E5074987BDA843EF6FAB2E4E309840727A657
SHA-512:	D0D8CE82303B48CD4DAA544FC3F57694645C7B3A5C5AAF07F00B02AF961E272EDAB41691EFFE1B4C8243CD89A7998D38282838CDE15CB39146A6A98DB61043D8
Malicious:	false
Preview:	rule:.. meta:.. name: check for protected handle exception.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp.. examples:.. - al-khaser_x86.exe_:0x430D20.. features:.. - and:.. - basic block:.. - and:.. - count(number(2)): 2 or more.. - api: SetHandleInformation.. - api: CloseHandle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-software-breakpoints.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	703
Entropy (8bit):	4.507777271942169
Encrypted:	false
SSDEEP:	12:mdmGprpCl/Dp5fFftKUKJcA+Y2QM5EIChxii5FF/xLv+:mM2ClLH3KUKJcA52Ebd5XxLm
MD5:	86913CD31CD2B47F203F2EC268F540FF
SHA1:	0C592D4DA81124A0424BB61493CAF9F1C9A9A630
SHA-256:	1C79C5DC48FBE7828AA5C537BAAB3E7F534952C8F5282E49B51DF6101DBDE54C
SHA-512:	B412396E654DA0B5E41CB4DD5D5202BB2312668CD374B9D2688CD66929A59F774FE966575B6E1EEA70A6DB9E6393CBC21FECA9D2D8C5BBB56D7B4B2B220C322E
Malicious:	false
Preview:	rule:.. meta:.. name: check for software breakpoints.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp.. examples:.. - al-khaser_x86.exe_:0x431020.. features:.. - and:.. - basic block:.. - and:.. - mnemonic: cmp.. - or:.. - number: 0xCC.. - and:.. - number: 0xCD.. - number: 0x3.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-time-delay-via-gettickcount.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	454
Entropy (8bit):	4.841554556756799
Encrypted:	false
SSDEEP:	6:hAvlmGsWVRzZVOd6lmUiqImGKJClES4FftKUCZ4V4/Bowdnv+kAhC8Gt/c21qrv:mdmGp/Ztl/Dp5fFftKUFCbnv+JcBgv
MD5:	C31326CCE4DB1EF0525E77A928C12967
SHA1:	69D43C89AF848463C55CDA018343A114AFADE6BC
SHA-256:	D3A93B51CCDCBE59B1CD49AF9488C9EDC84872B792AF6B73AF8E34C5E2083BBC
SHA-512:	ABC87BE59ED31FFBD49114FABECEBDF16DA576E4205D72FC07DF452FAC1BB3C508A4D4F691ECAC6BE17041C869AFEFEF6A15A3AD8201D9DE12C310EE49AA0E14
Malicious:	false
Preview:	rule:.. meta:.. name: check for time delay via GetTickCount.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032].. examples:.. - Practical Malware Analysis Lab 16-03.exe_:0x4013d0.. features:.. - and:.. - count(api(kernel32.GetTickCount)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-time-delay-via-queryperformancecounter.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	487
Entropy (8bit):	4.807127839587724
Encrypted:	false
SSDEEP:	6:hAvlmGsWVRzJxmylmUiqImGKJClES4FftKUCZgxmr3Cowdnv+kAh+FzGt/cFYxmx:mdmGp/nrl/Dp5fFftKUz6Cbnv+JrzAv
MD5:	2C5F115F0FE3BD13ECDE5914CAADBB6D
SHA1:	AE03F5671F9B539F98D780BCED8D17F4B1BF543D
SHA-256:	566EF0C6F504C663BA5F5BDEC8046CE2B090DFA868245517EB7DAC1F8336B658
SHA-512:	92E125D1E6E743A9D1B8EA3F9191D55A475098143F13278469B2F17F7581634CC834AB50190C5A9C759BFD129499E49EB73E1B6369E5B6A708143C982D962EDB
Malicious:	false
Preview:	rule:.. meta:.. name: check for time delay via QueryPerformanceCounter.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033].. examples:.. - Practical Malware Analysis Lab 16-03.exe_:0x4011e0.. features:.. - and:.. - count(api(kernel32.QueryPerformanceCounter)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-trap-flag-exception.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	965
Entropy (8bit):	4.371986174147642
Encrypted:	false
SSDEEP:	24:mMfonlLH4KUwoycA52Et0C6+of8L40NxNav:mMfonxHLQyc3Eth6+U8L4cmv
MD5:	C8AEC7BD80A50643494F2DFE85DA1A7C
SHA1:	F824E9E408E3AFBE8DC8157D325E48214191D75F
SHA-256:	DC9822EBA817AD740ED43C31ADFB4168927F185169B68F6E25118EB34AF66D73
SHA-512:	D5B0885EE8BF30193E766DD380775CAADD9ED84D1A1F123A2A1F1D96108CE111BEB003533AEA7C95D1F8206B3AFC0A83AABE10155C0CA01C47B502D692360DD7
Malicious:	false
Preview:	rule:.. meta:.. name: check for trap flag exception.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection [B0001].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp.. examples:.. - al-khaser_x86.exe_:0x431680.. - al-khaser_x64.exe_:0x140030CB0.. features:.. - and:.. - or:.. - description: read/write EFLAGS register.. - and:.. - mnemonic: pushf.. - mnemonic: popf.. - and:.. - mnemonic: pushfd.. - mnemonic: popfd.. - and:.. - mnemonic: pushfq.. - mnemonic: popfq.. - or:.. - description: set trap flag.. - and:.. - mnemonic: or.. - number: 0x100.. - and:.. - mnemonic: bts.. - number: 0x8..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-for-unexpected-memory-writes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.798587606652986
Encrypted:	false
SSDEEP:	12:mdmGpuEkVwl/Dp5/wKU/OcA+Y2QM5EITZhxikv:mMVTVwlLH4KU/OcA52Euhv
MD5:	5E025B6C20D30072ED39103C9443E2F4
SHA1:	6F61947482F46AB8ECAACCCC084D5B48E97B98F9
SHA-256:	80B9EB1F70771C371679C46195FE69A5D6D4EBB3303CB920099DEFC17639071C
SHA-512:	BD6B8E4F61393C2A7C70CD50874C509B492663AC39101AC2B5D31F794899BA7CE8B5C277047A1E32641465411C570AA27AF51DC8499F5D701445B2CB1FECF2BF
Malicious:	false
Preview:	rule:.. meta:.. name: check for unexpected memory writes.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/WriteWatch.cpp.. examples:.. - al-khaser_x86.exe_:0x431EBC.. features:.. - and:.. - api: kernel32.GetWriteWatch.. - number: 0x0..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-process-job-object.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	751
Entropy (8bit):	4.806682429175652
Encrypted:	false
SSDEEP:	12:mdmG5Pl/Dp5fFftKUwoycA+Y2QM5EI40yVs5hxihLvZoUBBg6D2+N:mMWPlLH3KUwoycA52EX075ALrg6q+N
MD5:	9A64149392051604F9FA9449A116F1E1
SHA1:	069AB401AB25B870A40747746ECF2568FE6C1CC8
SHA-256:	DBE73C79E8DB775E9554472E194AF143E4F8450FDF636416576CD5B0D24ECB14
SHA-512:	A595B54F1B78CBB9F16D1B73E298836DD72B3AA9D65874F03F1E16B6E58DA6E291599CDC8F574AA80C888FFC5AF57868BCE0F304B525EDDE8F612B04A7433D64
Malicious:	false
Preview:	rule:.. meta:.. name: check process job object.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection [B0001].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp.. examples:.. - al-khaser_x86.exe_:0x426730.. features:.. - and:.. - match: contain loop.. - basic block:.. - and:.. - api: kernel32.QueryInformationJobObject.. - number: 0x3 = JobObjectBasicProcessIdList.. - basic block:.. - and:.. - api: kernel32.OpenProcess.. - number: 0x400 = PROCESS_QUERY_INFORMATION..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\check-processdebugport.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	546
Entropy (8bit):	4.774964768519088
Encrypted:	false
SSDEEP:	12:mdmGc6Ro4l/Dp5/wKUcQcA+Y2QM5EIzBqRRtPqVRov:mMb6O4lLH4KU3cA52EWcRnyVOv
MD5:	AAD7263DDA967BAAAE35A2479BF35B05
SHA1:	173B92ABD7E328DE13B7279A08ED9B69F8F4173C
SHA-256:	3B4203C2C07A25712D8F0BC61687650B065CF71822963CA88EA3F000DDB42838
SHA-512:	BDE908B1A2906EE8DC15B18920886259457CFA369960334D71C40863FCFE941F8F3DFF7F3DA544CBA1E6404C29077B1BE1A993496881DABE746649AB1E70683F
Malicious:	false
Preview:	rule:.. meta:.. name: check ProcessDebugPort.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugPort.cpp.. examples:.. - kernel32.dll_:0x7DD97899.. features:.. - and:.. - api: NtQueryInformationProcess.. - number: 0x7 = ProcessDebugPort..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-debugging\debugger-detection\execute-anti-debugging-instructions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	458
Entropy (8bit):	4.683593625809857
Encrypted:	false
SSDEEP:	6:hAvlmAYHKWolmUiqImGK3CS4FftKUCZzqWDPBowdnv+kAh1WSinQ27Fv:mdmltol/Dp3CfFftKUaDBbnv+JcQY
MD5:	71748DA4B95AA66386713A55CC80A9A0
SHA1:	9CDC07486548755A90F1978AE54A7DCD082244D9
SHA-256:	C03255ECFA2ECAFB14BC86DBBD6C2EC47A6695BE37FDBE9A13F3C503A11BA1B0
SHA-512:	19556D0896CD060CA04EBE1E615011DA4646076D6D18C5ECCC4414AF6E6BAA7156116A456FD40983E90891A87A728A56BBE6F0151AD1832FB910C379B363C2AA
Malicious:	false
Preview:	rule:.. meta:.. name: execute anti-debugging instructions.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034].. examples:.. - Practical Malware Analysis Lab 16-03.exe_:0x401300.. features:.. - or:.. - count(mnemonic(rdtsc)): 2 or more.. - mnemonic: icebp..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-disasm\64-bit-execution-via-heavens-gate.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1260
Entropy (8bit):	4.840939943853885
Encrypted:	false
SSDEEP:	24:mM/S6HYlerTWorKMDmNjcAIYbTX29fJYPHid/3D4JcShWYqfj0TB:mMakYQoMDm1cXMyhUHiVDC3iqB
MD5:	239EB2D0C2021C190C7C18B0C44C02F5
SHA1:	4E8F3E0CAF1A379C2F056F0E33A57A53BC3F55BD
SHA-256:	6F2D069137724FF211A3F816AEAE0C5AF2B4F5587C8CBCEA1E9A75DFFE59A523
SHA-512:	E22103670AC0C4C661266A3A879620975500A5D27EAC85BD75C1A0C036270164D020239C8B742FEC5683A6B5C24AAAF498BD87395F6577D64C8BC20465B3020F
Malicious:	false
Preview:	rule:.. meta:.. name: 64-bit execution via heavens gate.. namespace: anti-analysis/anti-disasm.. author: awillia2@cisco.com.. description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate).. scope: function.. mbc:.. - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008].. references:.. - https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf.. - https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html.. examples:.. - 79abd17391adc6251ecdc58d13d76baf:0x10002385.. features:.. - and:.. - and:.. - or:.. - mnemonic: push = 'push 33h'.. - mnemonic: mov = cover any mov ESP / EBP equivalents.. - number: 0x33 = set up retf to push 0x33 to CS indicating 64-bit mode.. - mnemonic: call = 'call $+5' pushes the current EIP onto the stack, +

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-disasm\contain-anti-disasm-techniques.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	369
Entropy (8bit):	4.638941429580134
Encrypted:	false
SSDEEP:	6:hAvlmG+j9WyglmUiqIeS3CSkOy/lK5e1R/C+tBowcHEzG89WYGGv:mdmG+AJl/iCDnlK5CR/C+TYN8wGv
MD5:	15AC13554F118EE212F9E21C4BDC4EB0
SHA1:	035C4AB9891B62C7E5C8F88D8583DB63DE7F0F82
SHA-256:	1BD6F289B500C6A2D0F530BF311DC8B5AF2B0E751CD9686719B77AC570674CD7
SHA-512:	5996A511F7C85B83E12BC5FB8100FBFE72FB00185703DA793813E85F9B5BEAF9FDE4442728E282E0D21ABF892FA8E0ABB54A7310DB7392B526D060B8E5B8E376
Malicious:	false
Preview:	rule:.. meta:.. name: contain anti-disasm techniques.. namespace: anti-analysis/anti-disasm.. author: moritz.raabe@fireeye.com.. scope: file.. mbc:.. - Anti-Static Analysis::Disassembler Evasion [B0012].. examples:.. - a5c70086b3bc4fe64f4e7a0aa452e620.. features:.. - or:.. - count(match(contain pusha popa sequence)): 10 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-emulation\wine\check-if-process-is-running-under-wine.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	769
Entropy (8bit):	4.84106158094707
Encrypted:	false
SSDEEP:	12:mdmGDgNl/DAi6Ffy+Wc8AJGfKUkgcA+Y2QM5EIerH7zkL2Aem0tJWaxGou:mMmylfV7/AofKUkgcA52ELrbzeh0E
MD5:	3F2A56466FD65039095B40F031D233AF
SHA1:	19DC32B24B20ED616D157C1E1F38D61D01CBC835
SHA-256:	FB9222090CF32649D78A575903FD86EA6ABA463326169230AFE47FAC1240F693
SHA-512:	A3C0FF21705116B80A5B18E772F625AE7533082BD4D5823D0BBA2D6D04BFE944545455A6BB18552248987A6C0BCD92E6E3209CE66709A769B656AA52E0949F77
Malicious:	false
Preview:	rule:.. meta:.. name: check if process is running under wine.. namespace: anti-analysis/anti-emulation/wine.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Emulator Detection [B0004].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Wine.cpp.. examples:.. - ccbf7cba35bab56563c0fbe4237fdc41:0x40d750.. features:.. - or:.. - string: /SOFTWARE\\Wine/i.. - and:.. - api: GetModuleHandle.. - api: GetProcAddress.. - string: "wine_get_unix_file_name".. - or:.. - string: "kernel32.dll".. - string: "ntdll.dll"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\clear-logs\clear-the-windows-event-log.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	608
Entropy (8bit):	4.879251966226067
Encrypted:	false
SSDEEP:	12:mdmGr72jil/qfFfyOrLTf3yVjmgXiS2w3fAe/aIHe+3sNA7v:mMtGlSUOfT3yVjmgXP2wPAe/aI++3sNs
MD5:	A799587CF0D2B4FD7AB69F8744FBBD43
SHA1:	F66A27B906A0241215CE6A5ADB52C6CAEFEAFBD5
SHA-256:	DBBCFCF01FF7E0B71623808AE4313EFFA021F6ABB185E57F690A5D9E96D4DFDB
SHA-512:	03DC5AF4A51D8C4ACC1BBBA1DC14977BAD77834B2F49A6B6F63B392CD93B42AE20301D898F75222FAEE68C3DB252FFA2E0B214F1D47EF432B5F77911CC7E55A1
Malicious:	false
Preview:	rule:.. meta:.. name: clear the Windows event log.. namespace: anti-analysis/anti-forensic/clear-logs.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001].. examples:.. - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0.. - mimikatz.exe_:0x45228B.. features:.. - and:.. - or:.. - api: advapi32.ElfClearEventLogFile.. - api: advapi32.ClearEventLog.. - optional:.. - api: advapi32.OpenEventLog.. - api: advapi32.GetNumberOfEventLogRecords..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\crash-the-windows-event-logging-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.0083105885131936
Encrypted:	false
SSDEEP:	12:mdmGjaxQl/i/hqoUNV0cA+Y29lDmgXiSdWeBW1WecWWv:mMcrlKJqNqcAClDmgXPVW4WWv
MD5:	1F2DDB8BA60AF62B4662C09B57C5204B
SHA1:	3B4B155E2B5258578D6F889BF76AB5ADCBDF6513
SHA-256:	C1AE23795BAD4365099006006DA6B8A8BDB5ACA74254D69733CACB84A25FCCA8
SHA-512:	AE2802FBAC4D64EE77CAEF086EE6BAC6322662FCA3078DBBE8A3F8F84235EF4EDFE9034497CA8967C08EF3B126E805C662E77954D3958A91C433CCFAE1B882F6
Malicious:	false
Preview:	rule:.. meta:.. name: crash the Windows event logging service.. namespace: anti-analysis/anti-forensic.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002].. references:.. - https://github.com/limbenjamin/LogServiceCrash.. examples:.. - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0.. features:.. - and:.. - count(api(advapi32.ElfClearEventLogFileW)): 3 or more.. - count(api(advapi32.OpenEventLogA)): 1 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\impersonate-file-version-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1029
Entropy (8bit):	4.696108204854605
Encrypted:	false
SSDEEP:	24:mMwl4rxp7SXIV2PMot4LiG6odihOfaocAwjtaAfNg9Kx:mMwW7SXIV2T4LiG6oAhOiocT8AfWKx
MD5:	63E187D8DBA01C21BAD974EA7B59FAA9
SHA1:	DED132A5C7E09AF933DD07181BA23A016FC4262B
SHA-256:	F726CB8FBAED79441C7B2C9F541B95237E232A294E07D09D3499277ACD6B3A10
SHA-512:	6EC0A8D1DA4AC4768B98A16A97F013A6FF8153D8B29FDC51BA44622E94A26C318A316B04CFC9664EF5E4C4CE0F61DE7708EC717AF041541312FDE35396572DB5
Malicious:	false
Preview:	rule:.. meta:.. name: impersonate file version information.. namespace: anti-analysis/anti-forensic.. author: awillia2@cisco.com.. description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application... scope: function.. att&ck:.. - Defense Evasion::Indicator Removal on Host [T1070].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-updateresourcea.. - https://www.carbonblack.com/blog/threat-analysis-dont-forget-about-kangaroo-ransomware/.. examples:.. - e5369ac309f1be6d77afeeb3edab0ed8:0x4025A0.. features:.. - and:.. - match: get file version info.. - api: kernel32.BeginUpdateResource.. - api: kernel32.UpdateResource.. - api:

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\patch-process-command-line.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	4.467393369616456
Encrypted:	false
SSDEEP:	48:mMx/dzecz2ZA7Uq3mMFRNVUbB+BiQUhHolcBiBihB+Bi9:JtdSOR13mGNGbsWRT4is8
MD5:	67B417064394E0CE77E79C7ED00A5FFD
SHA1:	4C5D4CB8F140578BA75538A8C543EFAE011A270E
SHA-256:	7B2699F3CE97D48EB6D4518E2937328B5C503273CCBD88C655D4522F904B199B
SHA-512:	96AB341766AB4C3B9BBF1AEC5DA0398EB35F383A040237C2C4F9E0BA83158380D6B2B5FF1325D6CAE843E5F4E7F1E80B027864D1A65ABE91848BB3627148181D
Malicious:	false
Preview:	rule:.. meta:.. name: patch process command line.. namespace: anti-analysis/anti-forensic.. author:.. - william.ballenthin@fireeye.com.. - "@_re_fox".. scope: function.. references:.. - https://stackoverflow.com/q/24754844/87207.. - https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/.. examples:.. - e353d3fbfb5c3738a77a622adff9a416:0x401626.. features:.. - or:.. - and:.. - basic block:.. # example:.. # mov rbx, gs:60h.. # lea r9, [rsp+4A0h+flOldProtect] ; lpflOldProtect.. # mov edx, 8 ; dwSize.. # mov rcx, [rbx+20h].. # add rcx, 70h ; 'p' ; lpAddress.. # lea r8d, [rdx-4] ; flNewProtect.. # call cs:VirtualProtect.. # test eax, eax.. - and:.. - characteristic: gs access.. - offset/x64: 0x60 = PEB.. - offset/x64: 0x20 = PEB->ProcessParameters..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\self-deletion\self-delete-via-comspec-environment-variable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	705
Entropy (8bit):	4.739538969333784
Encrypted:	false
SSDEEP:	12:mdmWmuiKoeYl/plS5fFfyOrLTfxM4y9KPyojbnvH3FlUJGIVdz32zIRIHsV5RNn:mMcDYlhkUOfT24aK6ojzXHMG8UMRIAvN
MD5:	59864E7A36CDCE5E1C45F4EF905C4396
SHA1:	8246E60C6A25AB2D062F64E9018FE7DF089C9E1E
SHA-256:	1DD7237E5FCEF39FD52600BB2E2ED7D697B73D0B06E203807BBCD95FD8F41EFC
SHA-512:	6CB90E3F8E430B85FA309FE2591CE27FB6E3B50F1F57C871CF6B1A6FBEC30BDD5541E388ADB82AC2625BB5CEC48C15272FD3355BDC01DAB6B68307AC90C236DC
Malicious:	false
Preview:	rule:.. meta:.. name: self delete via COMSPEC environment variable.. namespace: anti-analysis/anti-forensic/self-deletion.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004].. mbc:.. - Defense Evasion::Self Deletion::COMSPEC Environment Variable [F0007.001].. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x401880.. features:.. - and:.. - match: get COMSPEC environment variable.. - match: create process.. - string: /\/c\sdel\s/.. description: "/c del".. - optional:.. - string: /\s>\snul\s*/.. description: "> nul"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-forensic\timestomp\timestomp-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	611
Entropy (8bit):	4.590523088000078
Encrypted:	false
SSDEEP:	12:mdmKYl/BCfFfyOrLTfubnvLSqNg8MvIV1qr:mMKYlpCUOfTuzLS1Oo
MD5:	26A93098EC884A680105B67892A25DC9
SHA1:	0C053AD89B27DB216F5E52B00D88ADBCFB411072
SHA-256:	DC648011227CC6E0114B73BF7BC531D33BE432602664809229C4E877D8754118
SHA-512:	C47B56E289F5E0CB6B099AE3C0E893D9D8E9B37625887412590763D28B3D2C5DFBE088A5C14523A25EB9CE44F8C4466E0F1B1EA62A062DFBED3D50AD5303258C
Malicious:	false
Preview:	rule:.. meta:.. name: timestomp file.. namespace: anti-analysis/anti-forensic/timestomp.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Indicator Removal on Host::Timestomp [T1070.006].. examples:.. - Practical Malware Analysis Lab 03-04.exe_:0x4014e0.. features:.. - and:.. - or:.. - api: kernel32.GetSystemTime.. - api: kernel32.FileTimeToLocalFileTime.. - api: kernel32.GetSystemTimeAsFileTime.. - api: kernel32.SystemTimeToFileTime.. - api: kernel32.GetFileTime.. - api: kernel32.SetFileTime..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-microsoft-office-emulation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	645
Entropy (8bit):	4.950862395338932
Encrypted:	false
SSDEEP:	12:mdmGphHv/Swl/yEgh6Ffy+Wc8AJGfKUGlWocA+Y2dca5JkRReVkSmCVtIHln:mMwPRlsV7/AofKU0WocAq3OeVIiIFn
MD5:	E5F20CBB6C9C62D09A27DF2341434237
SHA1:	392E1B4C254BB3CA9291047A8F3C5A050B02539E
SHA-256:	3EEE1DA924745CF02171E65F46D3355A2A0D094705EA040B654D95B7DC20A89D
SHA-512:	B18784C31D2F9B5DB2C2443EF8B65F1A5A7F7D568E4C6E16ADFFFCA452CA54E534999F4388D19849FE1A8BDF7AFDEBF460BBAF57431EF2D91D1DB3CBD4FF33F1
Malicious:	false
Preview:	rule:.. meta:.. name: check for microsoft office emulation.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection::Product Key/ID Testing [B0007.005].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - string: /OfficePackagesForWDAG/.. - api: GetWindowsDirectory.. - optional:.. - api: CreateFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-sandbox-username.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2635
Entropy (8bit):	4.581588121027297
Encrypted:	false
SSDEEP:	24:mMWwlsV7QKU0EDcAq3rbz/M4Omnt8BQap8G6psumsiZiKhOp:mMWw2XEc53rX/n3t8KvpDWZdUp
MD5:	833B079D499DF546351EC4AA34E878B2
SHA1:	8AEA2A4D81AA8981D1A471DCA5BCC3953BA3F864
SHA-256:	B7C4D6691190481C440D90D0B77E1E539E7E6CE08C7E7271ADB819D4EA1EA0A1
SHA-512:	147A8C78070B40D622920A527D220441C8ACE8E5EFEBCBDD404B0502F86247942899E57E995696DAF73FED0AD44442EBE9307A4C8600632EF335EA6C96647FB6
Malicious:	false
Preview:	rule:.. meta:.. name: check for sandbox username.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion [T1497].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90.. features:.. - and:.. - api: GetUserName.. - or:.. - string: /MALTEST/i.. description: Betabot Username Check.. - string: /TEQUILABOOMBOOM/i.. description: VirusTotal Sandbox.. - string: /SANDBOX/i.. description: Gookit Username Check.. - string: /^VIRUS/i.. description: Satan Username Check.. - string: /MALWARE/i.. description: Betabot Username Check.. - string: /SAND\sBOX/i.. description: Betabot Username Check.. - string: /Test\sUser/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-unmoving-mouse-cursor.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	622
Entropy (8bit):	5.06404516285361
Encrypted:	false
SSDEEP:	12:mdmGp0K5l/yEgtxqFfy+WcwcDaAffKUGlDm8cA+Y1dYJVg/S0VI3C3nnrv:mMa5l6l7lcWAffKU01cAtcd0VIy7v
MD5:	F635BDF79BDF8D19B29C7F23F8E8F802
SHA1:	CEBFF90C22D9B0EA1A34E884BFFA883FCD3B23DC
SHA-256:	1FFEF7CF7600332660AC5A6DBE3E58204ED5F9E23871DE84E648EED3E075074D
SHA-512:	155DDE6D901C86F7967BA211BC3885AEC8AEEB172345609D19BC34A99B5B51BB87D5D7E1188A777921A9ED35EDC0992DED69CF2B63C2D61BFC2585ABF566EE08
Malicious:	false
Preview:	rule:.. meta:.. name: check for unmoving mouse cursor.. namespace: anti-analysis/anti-vm/vm-detection.. author: BitsOfBinary.. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012].. references:.. - https://www.joesecurity.org/blog/5852460122427342172.. examples:.. - d7ff81ff775d4ab50d31ac1e962c8c4dea7ff9f280aa2b42ddd06760a5665002:0x401118.. features:.. - and:.. - count(api(user32.GetCursorPos)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-windows-sandbox-via-device.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.024434956484312
Encrypted:	false
SSDEEP:	12:mdmGpjXl/yEghih+Wc8AJGfKUGlEDcA+Y2dca5JkRReVkSmCo/UQ5gv:mMmlsm7/AofKU0EDcAq3OeVIB/1gv
MD5:	E5563600E40C0C605D3F328A7322AADD
SHA1:	DB1251D307454176A93108EA3B60844D9176C0B9
SHA-256:	56689AE78FCC7C15866D07F182E949EF999BD21078F27B9C7009FE6A6DFF8B12
SHA-512:	E09E876E483B24D369D745F68B1AD7CAB910686D91C043E9B110CDC85E1BB34EC232A640DA42130220BEC90C08116752A193DCE4F3ADBC4B49264F4C5318FF89
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via device.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - api: CreateFile.. - string: "\\\\.\\GLOBALROOT\\device\\vmsmb"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-windows-sandbox-via-dns-suffix.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	628
Entropy (8bit):	4.883424452324377
Encrypted:	false
SSDEEP:	12:mdmGpjOwl/yEgh6Ffy+Wc8AJGfKUGlEDcA+Y2dca5JkRReVkSmCWRcOCOhfLv+:mMvwlsV7/AofKU0EDcAq3OeVIRRdfLm
MD5:	D25DE0E92687C6D7DEAD68535E82335B
SHA1:	4C52BC4190DB137B2402590A8E56BF7ECC8E34CD
SHA-256:	00F567C6B7EFE50FECF79665129CD3CD97EA4DFDCCF2A11CE64371E4FB15FD6C
SHA-512:	F89E8713E749ACCF27C80C5F430EA6E7EA952AE4360BCA371F46503F8491770BFA946D426C58C1707E4355CAB0ABF6C0C1419F73F52714F56B516C2E31FCE7DC
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via dns suffix.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - api: GetAdaptersAddresses.. - string: "mshome.net".. - offset: 0x38 = DnsSuffix.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-windows-sandbox-via-genuine-state.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	707
Entropy (8bit):	4.840056932414173
Encrypted:	false
SSDEEP:	12:mdmGpj92Yl/yEgh6Ffy+Wc8AJGfKUGlEDcA+Y2dca5JkRReVkSmC/VXzMpfls:mM22YlsV7/AofKU0EDcAq3OeVIEEfls
MD5:	422BC66CAA96CF23850D3AF1CF2FF679
SHA1:	A34244CCDEE94B0C6A0517BED56B80AA181AA96F
SHA-256:	1C8716AA4E9DB8EB173E1BBC08AD4AEDB733DD02D4C7F65A9A5B2AC0060DDD2A
SHA-512:	4AD15A676FC04B7D51C8E90C799FA452AF51CB4498C51A2CEA8A2DF76396B01A9EAA11981BB29122D55F97888A0F55E34793A8E2AFF5E899552B49F2E696F42E
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via genuine state.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - basic block:.. - and:.. - api: SLIsGenuineLocal.. - basic block:.. - and:.. - api: UuidFromString.. - string: "55c92734-d682-4d71-983e-d6ec3f16059f"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-windows-sandbox-via-process-name.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	570
Entropy (8bit):	4.9058339666873865
Encrypted:	false
SSDEEP:	12:mdmGpjF9Jl/yEgh6Ffy+Wc8AJGfKUGlEDcA+Y2dca5JkRReVkSmCJB/GwZgMr:mM0lsV7/AofKU0EDcAq3OeVIsGRMr
MD5:	D00E91A7163BA57657D07F34AB45AE3B
SHA1:	DD18A87A1BE1EBB02917D8EA86C71C80B9A0B9DE
SHA-256:	FA19992CE5D0EF7E59EEC5FBDDCA769ED76887FE78028076A2665CE7BC01395B
SHA-512:	7A516B200D473EC33D8E1DE31811322DCDC9A58D8CB612A1EE086A03EFF21D2F229C44E13D2C9022569E97434FDB6EEEB76B8215823A5352E028B10B0D1F40B8
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via process name.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - match: enumerate processes.. - string: "CExecSvc.exe"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\check-for-windows-sandbox-via-registry.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.036766104549098
Encrypted:	false
SSDEEP:	12:mdmGpj4WUl/yEgh6Ffy+Wc8AJGfKUGlEDcA+Y2dca5JkRReVkSmCwim97/SV5zXq:mMBWUlsV7/AofKU0EDcAq3OeVIj1/Wl6
MD5:	04E32DBEAA158DBDF969BA73EF076522
SHA1:	150234766BCA09F6FD391A5FD1902A091CAEC57E
SHA-256:	17C6A1A604175BE4E87DAB72C0699E132287CF1CEC7E2074E227A733A55D52A0
SHA-512:	6E9266F4B255DF67DC6FD9A77FEF1C73310FDD2963D5DF373D73655DBA0AB7EC4008819978DA868F27206CA2DD158BF65E5A776A03D477E01D9A5456717B3911
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via registry.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. examples:.. - 773290480d5445f11d3dc1b800728966:0x140001140.. features:.. - and:.. - api: RegOpenKeyEx.. - api: RegEnumValue.. - string: /\\Microsoft\\Windows\\CurrentVersion\\RunOnce/.. - string: /wmic useraccount where \"name='WDAGUtilityAccount'\"/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\execute-anti-vm-instructions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	719
Entropy (8bit):	4.601641050718202
Encrypted:	false
SSDEEP:	12:mdml1l/yEg3C/h+Wc8AJGfKUGldELbnvLpYXWCFyzEo2rW+LW4WYG:mMDloCJ7/AofKU0GLzL2xFAurW1F/
MD5:	ADDEF748E0C04CB36415B5DACE68B63C
SHA1:	91AB647E4C0C43063A8B30B735C875F8738EABC9
SHA-256:	FEE471F24B41F04845A33559EA5DE9FC31AAABD2285EE989A181C2214C4D5200
SHA-512:	BFD384D7AB3998ACE250328D7C9C2E4774E98FB6FAA4B88CE9AC608020732AD4E147FA2FDF9063573E09720868851DA0C8BAA0BC6333AC93AD48041A44BCEE92
Malicious:	false
Preview:	rule:.. meta:.. name: execute anti-VM instructions.. namespace: anti-analysis/anti-vm/vm-detection.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029].. examples:.. - Practical Malware Analysis Lab 17-03.exe_:0x401A80.. features:.. - or:.. - mnemonic: sidt.. - mnemonic: sgdt.. - mnemonic: sldt.. - mnemonic: smsw.. - mnemonic: str.. - mnemonic: in.. # many misleading hits in runtime code, see #194.. # - mnemonic: cpuid.. - mnemonic: vpcext..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-parallels.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	664
Entropy (8bit):	4.740466234396274
Encrypted:	false
SSDEEP:	12:mdmH6fQ4+O4l/yEg5Dnq+Wc8AJGfKUGlEDcA+Y2QM5EImahxRFZjNbWV3Xw:mMH6h+O4l6Dnq7/AofKU0EDcA52EWH6w
MD5:	90D167922EB1859B9CD1F63D56E737C2
SHA1:	B797E2490FF0A8E9692FA15BBD09E242698A72D7
SHA-256:	16A758D78F019FF12113912D184FA38B53A74AD390FEDDB44F783ED4F1FE66DB
SHA-512:	02026C667F939C0D5750717F64F4435689A8814EADDC99E5D92DEE1191D80AA460C15F6C4562F227423B996BF5CD6312D91AD413E55F46E35401531C5D60265F
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting Parallels.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Parallels.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /Parallels/i.. - string: /prl_cc.exe/i.. - string: /prl_tools.exe/i.. - string: /prl hyperv/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-qemu.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.801511858478378
Encrypted:	false
SSDEEP:	12:mdmH6fQ4+igl/yEg5Dnq+Wc8AJGfKUGlEDcA+Y2QM5EIpJhxRFLNmI7v:mMH6h+5l6Dnq7/AofKU0EDcA52EW1J
MD5:	0EE27627026E665293A5C8FE6A5535AC
SHA1:	48FBE49B13862250B623385FD6974E2FB5259673
SHA-256:	FD310606F3A921269565F3E710DD939B5EC5BFC1A6A2259E4D4E9277868399A3
SHA-512:	17BA2D4B1BECCF1156230F5F11EFD0D131877663DD2927FD8B8D4F82F5D93BBC768C3C6A42F675F542DCC155518596F250B7788B83E721454E998D8E70A8721E
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting Qemu.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Qemu.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /Qemu/i.. - string: /qemu-ga.exe/i.. - string: /BOCHS/i.. - string: /BXPC/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-virtualbox.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2942
Entropy (8bit):	4.866637242534475
Encrypted:	false
SSDEEP:	48:mMa8CwADq8oCEc3EagouRlKWDnTnfen3nAnuCN9OKcu:JhCwADqpXIAouRzTfe3Aj9lcu
MD5:	8A5758C53C4D0F7B9F766266C93B09CB
SHA1:	B66DC1A7216ABD5316FE1FD7DD5737A970CA2290
SHA-256:	D9CE5C3ABB87C16F67EB31EB4D840FB05C9C544A9932C03FBE342FF519B7FDE0
SHA-512:	8BD3C634B63AAE4DB259B35C617051CC556FC171FF7E595A925938B749C78FF37A0490A3EE3DB96D0D058A7EE37ADA623477D0D3D6B6C587FA2BD5C06694A950
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting VirtualBox.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VirtualBox.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /VBOX/i.. - string: /VEN_VBOX/i.. - string: /VirtualBox/i.. - string: /06/23/99/i.. - string: /HARDWARE\\ACPI\\DSDT\\VBOX__/i.. - string: /HARDWARE\\ACPI\\FADT\\VBOX__/i.. - string: /HARDWARE\\ACPI\\RSDT\\VBOX__/i.. - string: /SOFTWARE\\Oracle\\VirtualBox Guest Additions/i.. - string: /SYSTEM\\ControlSet001\\Services\\VBoxGuest/i.. - string: /SYSTEM\\ControlSet001\\Services\\VBoxMouse/i.. -

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-virtualpc.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	707
Entropy (8bit):	4.888116249535538
Encrypted:	false
SSDEEP:	12:mdmH6fQ4+stCl/yEg5Dnq+Wc8AJGfKUGlEDcA+Y2QM5EICKhxRFI06p2o+2lcO:mMH6h+mCl6Dnq7/AofKU0EDcA52EQE++
MD5:	1410A01718AC32EE8B3E850BFABC3AD9
SHA1:	C3CFA8C31E56F2AE5F7548130DA60308E0D2D034
SHA-256:	39FA5CD0D898818797E3DCEB3FD6D60ED523A2EF00A56E8A348336EAFD8BC511
SHA-512:	B36C06E5E659AFD93AA7992BFE728C51D87FAEC5AB5524DEBEA3668D9BED3AD738D12881C9B1960701BFF8630016B5EE531082A578D2ED7CFB062954776C29F1
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting VirtualPC.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VirtualPC.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /VirtualPC/i.. - string: /VMSrvc.exe/i.. - string: /VMUSrvc.exe/i.. - string: /SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-vmware.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1780
Entropy (8bit):	4.621072315231717
Encrypted:	false
SSDEEP:	24:mMH6h+Vl6Dnq7/AofKU0EDcA52EaCXN3ebFAnBn210tV25B:mMa8VADq8oCEc3EaCX4bFAnBnZ32L
MD5:	990B812AB1111A60BDD34D3F5372D4DC
SHA1:	0A23883F24A61B354476CFD0D182AFE106161120
SHA-256:	AA560363D089C43C74F1BAA42F66EE6ED3618A97117FC0B1345F2AAA84DBB9AA
SHA-512:	D11F6217188ED26B52DD09EBF68FD0C8DEEDD2A81051D44C4DE636989FB023336AE9DD0C22CC738B02C1B48C21755C0575B5939A378524C3F811692839725E25
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting VMWare.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /VMWare/i.. - string: /VMTools/i.. - string: /SOFTWARE\\VMware, Inc\.\\VMware Tools/i.. - string: /vmnet.sys/i.. - string: /vmmouse.sys/i.. - string: /vmusb.sys/i.. - string: /vm3dmp.sys/i.. - string: /vmci.sys/i.. - string: /vmhgfs.sys/i.. - string: /vmmemctl.sys/i.. - string: /vmx86.sys/i.. - string: /vmrawdsk.sys/i.. - string: /vmusbmouse.sys/i.. - string: /vmkdb.sys/i.. - str

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings-targeting-xen.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	681
Entropy (8bit):	4.763331258068179
Encrypted:	false
SSDEEP:	12:mdmH6fQ4+i+wl/yEg5Dnq+Wc8AJGfKUGlEDcA+Y2QM5EIPy5hxRFMHRhyWRhBs3:mMH6h+yl6Dnq7/AofKU0EDcA52EWy5IS
MD5:	E318FBD18ECDBF13853E2650D0F68CD7
SHA1:	3C148C857EC343C7DA8E17802A2742F0679C3431
SHA-256:	680B2BF012985EE75DA86D7B213FFE0B2662179CB04A5E72F507A34102B243BC
SHA-512:	09ED614B7DE222667B928C69089A807970DCFB045D45FDB212E4D09B9B42E41D1288590F6AB0F6F626320A31830D204D5BDF1D788DFE9FCCD0F3281C631B0EDB
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings targeting Xen.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Xen.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /^Xen/i.. - string: /XenVMMXenVMM/i.. - string: /xenservice.exe/i.. - string: /XenVMMXenVMM/i.. - string: /HVM domU/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\anti-vm\vm-detection\reference-anti-vm-strings.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2510
Entropy (8bit):	4.974964473566236
Encrypted:	false
SSDEEP:	48:mMabZDq8oCEceExCazYwiZ8PHCfcZuExC6+oUySExC4+5NyUHExCEKC:JwZDqpXj6CwUypZu6Aok6af6h1
MD5:	C8D9C8A921D3A4F1184FC6848002F13D
SHA1:	CC7CF226FE13735E8F786ECF3AF351D0F6FBFC6D
SHA-256:	FEBE8109B29A62F19D5D2FACA40BD1F6F34C11DC2026CC78B3A35C39ADBD08E7
SHA-512:	303B65273D3BCB9CE020E0F15D2DFA3EB4E7C91723E6D50E30B354BD78A71865738FE8DD818D39E29DA9ACB605850151334A88AA85DF2DF1DDE6E394BEB84CAD
Malicious:	false
Preview:	rule:.. meta:.. name: reference anti-VM strings.. namespace: anti-analysis/anti-vm/vm-detection.. author: moritz.raabe@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp.. examples:.. - Practical Malware Analysis Lab 17-02.dll_.. features:.. - or:.. - string: /HARDWARE\\ACPI\\(DSDT\|FADT\|RSDT)\\BOCHS/i.. - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion\|VideoBiosVersion)/i.. - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor/i.. - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i.. - string: /SYSTEM\\(CurrentControlSet\|ControlSet001)\\Enum\\

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\obfuscation\obfuscated-with-callobfuscator.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	341
Entropy (8bit):	4.958217460938871
Encrypted:	false
SSDEEP:	6:hAvlmKSnTJJyaCglmUKA1Oy/qhu1y5wVsLQPMKGowBjBMLUrGjRvW:mdmKSTJMol/KA1nqSimsKGtUQ
MD5:	D2D095FC8B2CD6E7E770AAC0A11A1AC6
SHA1:	F6D375480E7B524B079462F90B11A4323C14202D
SHA-256:	D977DF4B74892558E76EB2E5DA6D300C185186ED24DCBDD2539DA6F8EDAD785F
SHA-512:	2A6373822FAA0674C29D5714B116E468C23F1EE8FC79CE219432C9CB876E52AF0EDC16F64A06552BDD2C3DE38B1EF34104C4BD6CF98BF395CA004E4902DA5F01
Malicious:	false
Preview:	rule:.. meta:.. name: obfuscated with callobfuscator.. namespace: anti-analysis/obfuscation.. author: johnk3r.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. examples:.. - 71A4F9B800D81FF6632B9892A6A502C412C141341E46D697A8C004E2F460913B.. features:.. - section: .cobf..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\obfuscation\string\stackstring\contain-obfuscated-stackstrings.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	515
Entropy (8bit):	4.786185440376516
Encrypted:	false
SSDEEP:	12:mdmG+vAQW6l/KWC/hSimsKJTK5CR/y+Ejbnv+JEMoXEhc67:mMSQJlLCJmTK5CR/yzjz+JEMoXUc67
MD5:	281CE20B816B3058F101587E09DDBF50
SHA1:	8008C140CB72066A1DBB2E5C51E8D23850E0B73C
SHA-256:	6C3E89DDAAE503C59864B21BACCAF784188EBC8136FAFFBDE393467B27B0A293
SHA-512:	A967AE0AF276B0B076ABB2304459CBF64E852E925688CB80AC9F49E345CFFB288FAB10DE58FD40915BC1EF917E62E1995D0D4ED9DCADAEBF81F206B62C0709E5
Malicious:	false
Preview:	rule:.. meta:.. name: contain obfuscated stackstrings.. namespace: anti-analysis/obfuscation/string/stackstring.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005].. mbc:.. - Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation [B0012.001].. examples:.. - Practical Malware Analysis Lab 16-03.exe_:0x4013D0.. features:.. - characteristic: stack string..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\amber\packed-with-amber.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	500
Entropy (8bit):	4.849174787329842
Encrypted:	false
SSDEEP:	12:mdmJcl//Z2HrjnqSimsKkYuKR2MycA+Y218sHOD/5yN4r:mMWlH0LjnqzYuKR2MycAzsHcr
MD5:	B246DFD1F998F7E44F6D33C60D14290F
SHA1:	B2FAE34AADE83501B619F65F919626239D3D28EE
SHA-256:	1EA581A0B34F87F097BC8E12517F176F1F426317EEE27760E0E07EDE25DDA58E
SHA-512:	8013EDFC8761A8348BA1E27C189B0BCF5D4042D8E14CF393AD0A7A35F65B367C81BA3D3DC8537FA3882F1C493D8CB395218CCE52CBFD5B06FCABEDD8B0A34232
Malicious:	false
Preview:	rule:.. meta:.. name: packed with amber.. namespace: anti-analysis/packer/amber.. author: "john.gorman@fireeye.com".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://github.com/EgeBalci/amber.. examples:.. - bb7922d368a9a9c8d981837b5ad988f1.. features:.. - or:.. - string: "Amber - Reflective PE Packer"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\aspack\packed-with-aspack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	815
Entropy (8bit):	4.767048385431013
Encrypted:	false
SSDEEP:	12:mdmJZal/YwRDnqSimsKkYuKR2MycA+LY+Uyi+GFj0tnFivt8jVp6F6BB3djFZ3Y:mMGlvDnqzYuKR2MycAJyQB0t84Is3x3Y
MD5:	BE582B25E7CCEA777237A5449B20D04B
SHA1:	897E9CE21A897C0AA191849541D04B4DCC71F8EF
SHA-256:	E2DA9C4931600157F6E337086AD3CF979DAB960BEE243BDE37345D6903825927
SHA-512:	C3E038868F7FA572EFAC51F0008506204323B2B1C6172564DA20F6A4B2EBD5819B1FE75493727FDE1FD87C1E0B7E74140E65A4A9078559092B93073DDF08E518
Malicious:	false
Preview:	rule:.. meta:.. name: packed with ASPack.. namespace: anti-analysis/packer/aspack.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - http://www.aspack.com/.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 2055994ff75b4309eee3a49c5749d306.. features:.. - or:.. - section: .aspack.. - section: .adata.. - section: .ASPack.. - section: ASPack.. - string: "The procedure entry point %s could not be located in the dynamic link library %s".. - string: "The ordinal %u could not be located in the dynamic link library %s"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\confuser\packed-with-confuser.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.864481858961871
Encrypted:	false
SSDEEP:	12:mdmJEl/egWkRDnqSimsKkYuKR22Dp0ZqE:mMSlHDnqzYuKR22DpnE
MD5:	A9E21395A60A0CDB0F1165C10E324E39
SHA1:	BC71FBCF4E432EEC811BBFB13C319EB0D99F8617
SHA-256:	5C33587C0BB968B0ED3F1991CB980B13F5B9696A0DB023EF5499E519AF73AC0E
SHA-512:	282F4B3457B9C0079603BECD590FFFC7BD9C153D7F705E0E767B8EC18F8D561892DF661AE6866A0C13259B0F6FE8D8A8BC1A958F5C7365D6E85ED8145F9FF9F2
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Confuser.. namespace: anti-analysis/packer/confuser.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing::Confuser [F0001.009].. examples:.. - b9f5bd514485fb06da39beff051b9fdc.. features:.. - or:.. - string: "ConfusedByAttribute"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\generic\packed-with-generic-packer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	719
Entropy (8bit):	4.5376614207604415
Encrypted:	false
SSDEEP:	12:mdmJdt4l/FRfFfySimsKkYuKR2rB5OVSbnvLKNvZov4CvyXEhEPFvLvW:mM3t4lDUzYuKR2rPzGNRy4CKXUiFvLO
MD5:	84D9E104F5867C53CDB73E1F1A6EE1AA
SHA1:	D09074F3C8FF68B026B66BEE21A0C44A7D496F14
SHA-256:	18EB381E7DD11F38E2A1C48593BFFE8D85EB230DED40D961F12495367B31CE83
SHA-512:	9FD602FFACEAE3601AF9925FFAA5ED0BFF15719BF0C88A9D2FAE9206D055CB4E8DDDFCD6FA413C56052CD2BD2476B6402C5E56B58E283D21F2BDD8795ED3E9A0
Malicious:	false
Preview:	rule:.. meta:.. name: packed with generic packer.. namespace: anti-analysis/packer/generic.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing::Standard Compression [F0001.002].. examples:.. - Practical Malware Analysis Lab 18-01.exe_:0x409dc0.. features:.. - and:.. - or:.. - mnemonic: pusha.. - mnemonic: pushad # vivisect.. - or:.. - mnemonic: popa.. - mnemonic: popad # vivisect.. - characteristic: cross section flow.. - not:.. - match: contain pusha popa sequence..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\kkrunchy\packed-with-kkrunchy.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	554
Entropy (8bit):	4.909123654330015
Encrypted:	false
SSDEEP:	12:mdmJ31Yl/yFZmnqSimsKkYuKR2MycA+LKEY+Uyi+GFjp+:mMd1Yl6FZmnqzYuKR2MycAsqyQB4
MD5:	077933BE8F90E33E0C43BF39798A2167
SHA1:	01F6F53B2FC53C1F0D638DA7E57EC305742BC414
SHA-256:	E87250B47721EF36F59386DCA65363DADE6CC7AACF138023F935B961D9A5A3D3
SHA-512:	52D05423BB1D13BE27FCB7479D86A741F10D7078749EDDFD9049544FE78C680DC4EA9FBA84D64EB540E8228A02A6B954A7818A10174D5D3900255F228DB350AE
Malicious:	false
Preview:	rule:.. meta:.. name: packed with kkrunchy.. namespace: anti-analysis/packer/kkrunchy.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - http://www.farbrausch.de/~fg/kkrunchy/.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - f9ac6b16273556b3a57bf2c6d7e7db97.. features:.. - or:.. - section: kkrunchy..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\nspack\packed-with-nspack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	547
Entropy (8bit):	4.802650014112988
Encrypted:	false
SSDEEP:	12:mdmJdl/NmnqSimsKkYuKR2MycA+Y+Uyi+GFjrdTyTXMXaZ:mMLlVmnqzYuKR2MycAlyQB1yTXMXaZ
MD5:	64782C1E3AB85EF1D6D8BC0B997AE51E
SHA1:	FCB5E6961D82AA96ABF24218BD4E32D58D5BCD1B
SHA-256:	F57680006FB1D41FFF825BB9B45ACEC6CD17DA8E0536347E9EDDCED39FE5A7E2
SHA-512:	2605E12196D139FB32FB5937E8B03D79751DD393C41C5A24413205541C6B286250367CBAA9AA0BE0450FBCF0410F9D4B57035BDC5D00ACF497929915AB657F2F
Malicious:	false
Preview:	rule:.. meta:.. name: packed with nspack.. namespace: anti-analysis/packer/nspack.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 02179f3ba93663074740b5c0d283bae2.. features:.. - or:.. - section: .nsp0.. - section: .nsp1.. - section: .nsp2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\pebundle\packed-with-pebundle.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	533
Entropy (8bit):	4.841006099157159
Encrypted:	false
SSDEEP:	12:mdmJ9vgl/SvRmnqSimsKkYuKR2MycA+Y+Uyi+GFjnBo0Zvjn:mMn4l65mnqzYuKR2MycAlyQBrr
MD5:	8887AEE1FC6F046FC58386D6B5BED592
SHA1:	18B286A276D4A826C6A01841A93479E256A71192
SHA-256:	24E1243A18A10205A34A22CC78C663019DA47D5B42A3AF15FC3C48501CFDCD7F
SHA-512:	512C06995BDCFF843B3F411F0E633BD72EB5449F8BA295434B63A66FF0CF33A2235BDA45CA2CE684272EA78F2991DC540301E52A654A2A5C0939C64FAD2737B9
Malicious:	false
Preview:	rule:.. meta:.. name: packed with pebundle.. namespace: anti-analysis/packer/pebundle.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - db9fe790b4e18abf55df31aa0b81e558.. features:.. - or:.. - section: pebundle.. - section: PEBundle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\pelocknt\packed-with-pelocknt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	506
Entropy (8bit):	4.905437882103343
Encrypted:	false
SSDEEP:	12:mdmJBLl/uumnqSimsKkYuKR2MycA+Y+Uyi+GFjV0GHGDCA1A:mMTLlmumnqzYuKR2MycAlyQBO3A
MD5:	B608BE2AAF4453D4FD07CD5EDFD12B77
SHA1:	8BF906267C38833BC94085F0FD8CA6A456736602
SHA-256:	9F50473214219F84BEBA265B6CD15172DB01D1996BDB5B1EE4BB36A55C7605D3
SHA-512:	1AB5915624D9F7D4C7C0E8693F2F9E867D425037A242C00391F8E33A1CB57A59A59ED2D6DC6A867D27FF2455314E74EFCE3189055DA2C114FAC85856B30FA069
Malicious:	false
Preview:	rule:.. meta:.. name: packed with pelocknt.. namespace: anti-analysis/packer/pelocknt.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - f0a6a1bd6d760497623611e8297a81df.. features:.. - or:.. - section: PELOCKnt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\peshield\packed-with-peshield.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	579
Entropy (8bit):	4.936563266069383
Encrypted:	false
SSDEEP:	12:mdmJtl/kmmnqSimsKkYuKR2MycA+Y+Uyi+GFjAs+40ZhSv:mM/lcmmnqzYuKR2MycAlyQBj+pS
MD5:	0055852232AB4F52695C9012BA6FEAAD
SHA1:	5F047CE6BE3BA59DBDFE769459BE27D58BC53096
SHA-256:	2E2175A5B53AED7BE2234F0BF3D1F4D06544D679C90AD5A45737D7BA46A1A7B1
SHA-512:	167E8E2B2CF5ABB64535B1180727B09A43EF66B810955821679DD27A832EF864F303FF055A753889202A45ADAA4F774E8AEE539A654DFE4347EFA3EA050FEC11
Malicious:	false
Preview:	rule:.. meta:.. name: packed with peshield.. namespace: anti-analysis/packer/peshield.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - a3c0a2425ea84103adde03a92176424c.. features:.. - or:.. - section: PESHiELD.. - section: PESHiELD_1.. - string: / PE-SHiELD v[0-9]\.[0-9]/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\petite\packed-with-petite.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	501
Entropy (8bit):	4.82851624043613
Encrypted:	false
SSDEEP:	12:mdmJ8Jl/QxmnqSimsKkYuKR2MycA+Y+Uyi+GFj4JZas:mMKJlIxmnqzYuKR2MycAlyQB4JZas
MD5:	18F5FF0F1C7CD98EE47C5107C14402B3
SHA1:	22433EF9BCFB8FEC7D941011E40D72B6B279C824
SHA-256:	22B22711569BFBF496CB70EABB7BB634316A83EF862997F030D7373351C94D22
SHA-512:	1A4C175AA7072620722331D89111A2A155DF876B79E464771EDC083937FAE4FB7A5A144DCC6316C2FEBBBD865AFAC4C0FF3D0A9D577F506D2FC21CE145ED4C32
Malicious:	false
Preview:	rule:.. meta:.. name: packed with petite.. namespace: anti-analysis/packer/petite.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 2a7429d60040465f9bd27bbae2beef88.. features:.. - or:.. - section: .petite..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\rlpack\packed-with-rlpack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	527
Entropy (8bit):	4.88070058306466
Encrypted:	false
SSDEEP:	12:mdmJ+l/jGZmnqSimsKkYuKR2MycA+Y+Uyi+GFjkAh:mMol7GZmnqzYuKR2MycAlyQBkAh
MD5:	09AF0B1CD075DD127D155D014393B60E
SHA1:	F96632F92425D9CE505DC59031087FDE2677C842
SHA-256:	80F5E124C9531411078D28916781515D24F0A79D4CBE8593E5DC661BF5895DBD
SHA-512:	70B8344209E1FC8B6409C32A45373D4D8D74222FE401B33D7595DFE95E495D4E3B4EF25FEC0184A14DC181D8D6ECA7341BE039935F049C666D2A4A873186F479
Malicious:	false
Preview:	rule:.. meta:.. name: packed with rlpack.. namespace: anti-analysis/packer/rlpack.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 068a76d4823419b376d418cf03215d5c.. features:.. - or:.. - section: .RLPack.. - section: .packed..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\upack\packed-with-upack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	558
Entropy (8bit):	4.859610424001799
Encrypted:	false
SSDEEP:	12:mdmJCYl/RmnqSimsKkYuKR2MycA+Y+Uyi+GFjktn:mMRl5mnqzYuKR2MycAlyQBkp
MD5:	0492D78226A67179BB670ABDF77DE564
SHA1:	9685CF93AFAADB63B4BD760C1B03C8C32557A170
SHA-256:	224CE949CA5A39D2C7D18742AC9D09ACB12302E6EA7ABEBD3342AFA7236DEDAD
SHA-512:	488D6D1687AE62A11B00FAA22415A5D9BD7FA51DFE2E933C140E360E77100514BC33F56BE660B8FCD224EF47CE21B65B505C9738DB5ECBA66FD9B62FCA262F3B
Malicious:	false
Preview:	rule:.. meta:.. name: packed with upack.. namespace: anti-analysis/packer/upack.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 9d98f8519d9fee8219caca5b31eef0bd.. features:.. - or:.. - section: .Upack.. - section: .ByDwing.. - string: "UpackByDwing@"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\upx\packed-with-upx.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	509
Entropy (8bit):	4.934674472869577
Encrypted:	false
SSDEEP:	12:mdmJzYl/kwRDnqSimsKkYuKR2DFVnnvLRz3Y:mM5YlsyDnqzYuKR2x5LR7Y
MD5:	C2C9183EFD90F5395C3E4D3C6B0FC443
SHA1:	24627336466B8AA03E86E21A3EC6DF7D7D1DA625
SHA-256:	AB1D2A7C0AB784892FABC33D9C6FAAB7C8343EC42485E0C1C7D84B90D333351E
SHA-512:	442D34A51FD0848289F6BCDCAC72EF59075B07FB612C4AD66B21688C1A483DECC09E04A13A39FC9E3A8EEE5C32A1832DA58065BB53E5A2F6512B19EA81534C71
Malicious:	false
Preview:	rule:.. meta:.. name: packed with UPX.. namespace: anti-analysis/packer/upx.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing::UPX [F0001.008].. examples:.. - CD2CBA9E6313E8DF2C1273593E649682.. - Practical Malware Analysis Lab 01-02.exe_:0x0401000.. features:.. - or:.. - section: UPX0.. - section: UPX1..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\vmprotect\packed-with-vmprotect.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1022
Entropy (8bit):	4.849845885327943
Encrypted:	false
SSDEEP:	24:mMnHlteDnqzYuKR2IcA5TqU78lRfLyQBHub00z1fZyVLnzAlSQcvN/8:mMnH6DqzIMIcsuU7QTyQBOJyCjcvV8
MD5:	D5721419800D1D6B21C1873024797956
SHA1:	A6EAD2FBB98B96F13477673BCFFEA152AFD386B7
SHA-256:	760125EF89A0FF77AED900337A6FDCCB0E3B9FB02DC856811DCC6BBAEA6A29EB
SHA-512:	ED5794640D17C55B25698D562A881E5CE92F5E0009123DAA3F6C6BC3E9A58DD9B46C655838110485077E0DF9FBAC84AFFE39DDAF9758B899736B705C3F359006
Malicious:	false
Preview:	rule:.. meta:.. name: packed with VMProtect.. namespace: anti-analysis/packer/vmprotect.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing::VMProtect [F0001.010].. references:.. - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 971e599e6e707349eccea2fd4c8e5f67.. features:.. - or:.. - string: "A debugger has been found running in your system.".. - string: "Please, unload it from memory and restart your program.".. - string: "File corrupted!. This program has been manipulated and maybe".. - string: "it's infected by a Virus or cracked. This file won't work anymore.".. - section: .vmp0.. - section: .vmp1..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\packer\y0da\packed-with-y0da-crypter.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	551
Entropy (8bit):	4.807143873615207
Encrypted:	false
SSDEEP:	12:mdmJ1Gl/1fmnqSimsKkYuKR2MycA+Y+Uyi+GFj+WoFHV79y:mMul5mnqzYuKR2MycAlyQBtqHm
MD5:	B3E94931CDDADCE91FD7DD5A241A75AB
SHA1:	3F688B6BEAB4E9DD389820B4AEB4FDE36A15CC7D
SHA-256:	5A71FD57E9D44786A7FA55DBB133D91A70324B0E32CC6586E70639AD86DFBD44
SHA-512:	CDD5E342913924818B0C8BEA0C83F033F3E012465079A6CA1996FE0AC51E6214849CAAC5814A6A0359EBC4CE433AD524183AC500DE5899E8C07B76834E10B49E
Malicious:	false
Preview:	rule:.. meta:.. name: packed with y0da crypter.. namespace: anti-analysis/packer/y0da.. author: "@_re_fox".. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. - 0cd2b334aede270b14868db28211cde3.. features:.. - or:.. - section: .y0da.. - section: .y0da_1.. - section: .yP..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\anti-analysis\reference-analysis-tools-strings.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	4.4958827410166435
Encrypted:	false
SSDEEP:	24:mMH6SJl7DnlKNSWzPGycA52Ewbr3bNOk/QsDVgrsrXZ7:mMa8FDcPbGyc3EwbVz/jBggrV
MD5:	9A53760A7D0957C1F59489F6CE42B5DE
SHA1:	26840170DB20C4834B92C8E5B6AA9AA5B783B7CB
SHA-256:	D19B597864CBED8EC979F4B321312DE5BD2A021A169C7986DC7399873022988A
SHA-512:	B4F006AD7C9E8011A8A48A4B282FB357848E767CB4DB5D2DD8CDE1592072D9FBBDD4ED307F229E08A5CB74357FEA8494AF6B18C1EB302D1C1E79D023B3A5F6B4
Malicious:	false
Preview:	rule:.. meta:.. name: reference analysis tools strings.. namespace: anti-analysis.. author: michael.hunhoff@fireeye.com.. scope: file.. mbc:.. - Discovery::Analysis Tool Discovery::Process Detection [B0013.001].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp.. examples:.. - al-khaser_x86.exe_.. features:.. - or:.. - string: /ollydbg.exe/i.. - string: /ProcessHacker.exe/i.. - string: /tcpview.exe/i.. - string: /autoruns.exe/i.. - string: /autorunsc.exe/i.. - string: /filemon.exe/i.. - string: /procmon.exe/i.. - string: /regmon.exe/i.. - string: /procexp.exe/i.. - string: /idaq.exe/i.. - string: /idaq64.exe/i.. - string: /ImmunityDebugger.exe/i.. - string: /Wireshark.exe/i.. - string: /dumpcap.exe/i.. - string: /HookExplorer.exe/i.. - string: /ImportREC.exe/i.. - string: /PETools.exe/i.. - string: /

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\c2\file-transfer\download-and-write-a-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	505
Entropy (8bit):	4.745760084316482
Encrypted:	false
SSDEEP:	12:mdmM1SnYlkxaCfFfylYUi6NeKqYTswvljvjW7ZHv:mMDnYlkxaCUe6NeK/swvljvjodv
MD5:	22DEB7EFF17AF9A6141CC21CD39A2354
SHA1:	B3EC112C39F9717808D1D2BD995FCB943A2FBC6E
SHA-256:	5216022486DD76ABDF8C11B989ECA768C5BFB7A70ED48ADB816AC42B94440382
SHA-512:	60611E02FF8671107C249814A3EC4FBA505AA5D15D6ACDA8AE80F94DB72D3DFB1E94CCBCF58DD010964257C9F2C74790A148EEC1BDF7E4FC9DF7164D2BFBE5C6
Malicious:	false
Preview:	rule:.. meta:.. name: download and write a file.. namespace: c2/file-transfer.. maec/malware-category: downloader.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Command and Control::Ingress Tool Transfer [T1105].. mbc:.. - Command and Control::C2 Communication::Server to Client File Transfer [B0030.003].. examples:.. - 5D7C34B6854D48D3DA4F96B71550A221:0x401346.. features:.. - and:.. - match: receive data.. - match: write file..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\c2\file-transfer\write-and-execute-a-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.754888085901597
Encrypted:	false
SSDEEP:	12:mdmSMsLnYlkxmLQCfFftKTehAGPMnnvLR7muZHHUJGz:mMStLnYlkxJC3KahApvLRKudHMGz
MD5:	76A7DDFEEABE64CBADEF5EC2756711C9
SHA1:	76069D99C1252A231D5C4799563F3B8401D4E049
SHA-256:	9BBAF4578A276FFBCF8B0E9E0EDF8BA2CEB5473EDB3E79877960D732FD1E9322
SHA-512:	936447E70E26908B65128EE2D56E36FB2410C1FE20DDE3BEB93EEA1DD6F24B267FAEA2F667B2B4089942F5013CECC577E9B1B5D9838E47847539A980BF989D2D
Malicious:	false
Preview:	rule:.. meta:.. name: write and execute a file.. namespace: c2/file-transfer.. maec/malware-category: launcher.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Execution::Install Additional Program [B0023].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x403A40.. - Practical Malware Analysis Lab 01-04.exe_:0x4011FC.. features:.. - and:.. - match: write file.. - match: create process..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\c2\shell\create-reverse-shell.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	912
Entropy (8bit):	4.56019571454566
Encrypted:	false
SSDEEP:	24:mM2NwlkHN3CU5uZaK+jlmt1aS9/TGJoHYGcHcWkC:mM26CHwU5uH+jk5JDC
MD5:	00FEDC00D48EA6086F413F2FF71BE70E
SHA1:	96F294DE29D0B551392ADBD6EA046EA93BD6CBFC
SHA-256:	A82D9980D4D0754F481BAA7B2C240F0C390728F5C629EE8192D24DCB77FA71E8
SHA-512:	0E00EE0665846F6A1BE3017B5F7C22A2E565D76C5A9AC479AFD9861CA741DCF919CC5BDA2DBC2092A94B24700992E7136AF6CF4D64007F0ACB0DD9918F58E679
Malicious:	false
Preview:	rule:.. meta:.. name: create reverse shell.. namespace: c2/shell.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003].. mbc:.. - Impact::Remote Access::Reverse Shell [B0022.001].. examples:.. - C91887D861D9BD4A5872249B641BC9F9:0x401A77.. features:.. - or:.. - and:.. - match: create pipe.. - api: kernel32.PeekNamedPipe.. - api: kernel32.CreateProcess.. - api: kernel32.ReadFile.. - api: kernel32.WriteFile.. - and:.. - match: create process.. - match: read pipe.. - match: write pipe.. - and:.. - match: create pipe.. - match: create process.. - basic block:.. - and:.. - count(api(SetHandleInformation)): 2 or more.. - number: 1 = HANDLE_FLAG_INHERIT..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\c2\shell\execute-shell-command-and-capture-output.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	962
Entropy (8bit):	4.622770034968123
Encrypted:	false
SSDEEP:	24:mM3JlkHNGuEU5uZJcAwjtV+WihzDosaHaKwIWo:mM3JCH41U5ubcTeWQzDKaxI3
MD5:	CA7C820C1A71B80B49C803976AEB45AB
SHA1:	361A6862883C8D82793C0968D80183EA50B13E4B
SHA-256:	51C66B3069918302703FE448C62B67DA0F6819A82F8F36ADB63F7698CBC1D435
SHA-512:	D5FCD1449FFA4627E9FE96722BBE676F91D208D18641194907A7B0DF27010CFC86EF6A152C2FC6FED055A026DD51FD85D62AED53B093F29498460AEE6EB24FAA
Malicious:	false
Preview:	rule:.. meta:.. name: execute shell command and capture output.. namespace: c2/shell.. author: matthew.williams@fireeye.com.. scope: function.. att&ck:.. - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa.. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x4011C0.. features:.. - and:.. - match: create a process with modified I/O handles and window.. - match: create pipe.. - or:.. - match: get COMSPEC environment variable.. - string: "\\cmd.exe".. - string: "cmd.exe".. - string: "cmd.exe /c ".. - string: "C:\\Windows\\system32\\cmd.exe".. - optional:.. - api: kernel32.GetSystemDirectory.. - api: kernel32.SetCurrentDirectory.. - match: create thread.. - match: read pipe..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\acquire-credentials-from-windows-credential-manager.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	796
Entropy (8bit):	4.67858696563046
Encrypted:	false
SSDEEP:	24:NVQw6clkFCUvPdl2am+IXxoyXYFI8GlICa:MGC4Unb2am+qxoyXYFI1Ip
MD5:	DAAFBCB6F0639C0EF0A480F608ACA106
SHA1:	D6956A32AD10E3073EE2F48780E9CA07338A3D70
SHA-256:	4599A3294C3669E6877D9B302C55EDE2A23C694B3E5633E821EA2EE2B4530220
SHA-512:	7050F3EB1A02C1B1052D069F3BC49EA02CB4D71EFF8592525CB69E7ED69D5D1A137348E830EF5BB5881DFE5D89B98B67F07679BB12CF183A6D4152F8A388D288
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: acquire credentials from Windows Credential Manager.. namespace: collection.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004].. examples:.. - c56af5561e3f20bed435fb4355cffc29:0x411A41.. features:.. - or:.. - string: ".vcrd".. - string: "*.vcrd".. - string: "Policy.vpol".. - string: /AppData\\Local\\Microsoft\\(Vault\|Credentials)/.. - api: CredEnumerate.. - and:.. - optional:.. - match: create process.. - or:.. - string: /vaultcmd(\.exe)?/.. - string: /\/listcreds:/.. - string: /"Windows Credentials"/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\browser\gather-firefox-profile-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1018
Entropy (8bit):	4.752927874175906
Encrypted:	false
SSDEEP:	24:mMCyzO2KlkXKVvSDXoIKD9/gXVwR8IZQ5FzaTMQS:mMDz3KCXKeYIYhgXVvIZKzxL
MD5:	E32A3387862305836A177523AC3D36EC
SHA1:	B436C38F84661E8A2134D128DA6FBAA265C2276D
SHA-256:	B2D520D97591F5548A6B98372E80A405435972A0B22B3862F798C628183A1F57
SHA-512:	5D7EA70C7908BBBFFB71A391C719AF5A48AC5121C1AFBF644A0A7AE7B7A612CFDD3B604BF313FC34066F02EE250C2C31B4B7E5C5B3FF8DA4419B57EE704DA33A
Malicious:	false
Preview:	rule:.. meta:.. name: gather firefox profile information.. namespace: collection/browser.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003].. examples:.. - 7204e3efc2434012e13ca939db0d0b02:0x4073c0.. features:.. - 2 or more:.. - string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i.. - string: /\\signons\.sqlite/i.. - string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins\|cookies)/i.. - string: /FROM moz_(logins\|cookies)/i.. - string: /WHERE moz_cookies.host LIKE/.. - optional:.. - or:.. - string: "encryptedUsername".. - string: "encryptedPassword".. - string: "usernameField".. - string: "formSubmitURL".. - string: "httpRealm".. - string: "passwordField".. - string: "timeCreated".. - string: "timeLastUsed".. - string: "timePasswordChanged".. - str

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\credit-card\parse-credit-card-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1774
Entropy (8bit):	3.904562810769636
Encrypted:	false
SSDEEP:	24:mMblko8Kd3KehZUd8Pr8yq8k58taKF0E0IdzLwVCc3:mMbCad3ZhZUqPwMk2t1F0E0IdzLwEc3
MD5:	985B9389D170B226ABCD003C9CB6687C
SHA1:	62095887FF20994994DB93169B0C3FE038EE8018
SHA-256:	4079F14AE2BF9494B0BA761A4327460DE4556939DC7CAFB1BAFDB81322D62DDD
SHA-512:	FA05A1E65D00A1D43B8C679FAE048146C81F433754F9A8077E26359A9728CB3ADF87A4927BAE6F9B00139053BE96305A6240F59D21C14D5EABBA6830EF03544F
Malicious:	false
Preview:	rule:.. meta:.. name: parse credit card information.. namespace: collection/credit-card.. author: "@_re_fox".. scope: function.. mbc:.. - Data::Check String [C0019].. examples:.. - 1d8fd13c890060464019c0f07b928b1a:0x402860.. features:.. - and:.. - 4 or more:.. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x5E = '^' (Track 1 separator).. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x3D = '=' (Track 2 separator).. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x25 = '%' (Track 1 start sentinel).. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x42 = 'B' (Format code).. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x44 = 'D' (Format code).. - basic block:.. - and:.. - mnemonic: cmp.. -

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\database\sql\reference-sql-statements.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	364
Entropy (8bit):	4.989751539939851
Encrypted:	false
SSDEEP:	6:hAvlmHeGg6Rvd/ClkiEkv0JFBO2S4FfyhrlMKxdMVuowWAm7Pm9GeLnj3qBDn:mdmH66R1/ClknkvwRfFfylNxd2uwJ7eE
MD5:	C8DBD85D15EF872D93E200D35534854C
SHA1:	70536287CC37D5EBE9F16D54850BB19848027357
SHA-256:	FB96D74F3B5DBB0B6CFFE3C7DCB60F4B8CF0A174E7A2A0E63508098E3D06CCA4
SHA-512:	322DA1A1A30881D168623D786A8F9DF4B43DD8253BBDD1C5B5FCC382435AE278E51E894307471088F2B672C00A39181DA04FCCD63B4B0C902C07A5FF575552BE
Malicious:	false
Preview:	rule:.. meta:.. name: reference SQL statements.. namespace: collection/database/sql.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Collection::Data from Information Repositories [T1213].. examples:.. - 5F66B82558CA92E54E77F216EF4C066C:0x42B1DF.. features:.. - and:.. - string: /SELECT.FROM.WHERE/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\database\wmi\reference-wmi-statements.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	450
Entropy (8bit):	4.989429640338362
Encrypted:	false
SSDEEP:	12:mdmH6ow/R1/ClknkOpfFfylNxd2uhxi9v6PHBYey:mMH6owZ1/ClkkOpUltrPS
MD5:	776987C3B9D5383F2E2498616CF7C0B6
SHA1:	17EEFF56DF9AA5C18509B0C576C1343EE4BD7486
SHA-256:	9D294EC4B77EC29FCCC58DF61285E492A4B4CF0BA2917F1D5A8DE1712411BABE
SHA-512:	010A3924DF948AFB3EBE797E3818BA4F5D98863E70B1E6085531C85EA550645E046671B86C6E0D340E2749115791CBE1D9E6556D06B59A989B416C3338935F48
Malicious:	false
Preview:	rule:.. meta:.. name: reference WMI statements.. namespace: collection/database/wmi.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Data from Information Repositories [T1213].. examples:.. - al-khaser_x86.exe_:0x433490.. features:.. - or:.. - string: /SELECT\s+\\s+FROM\s+CIM_./.. - string: /SELECT\s+\\s+FROM\s+Win32_./.. - string: /SELECT\s+\*\s+FROM\s+MSAcpi_./..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-3d-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	471
Entropy (8bit):	4.718408657692609
Encrypted:	false
SSDEEP:	12:mdmCdcfwlkjN36FfybzXmkJcA+YBS5OvTy2pQ44IHsV5F:mMCzlkjRVvncAHoO7WIA/
MD5:	14A3676D5E97ADFD5F41E495B3F9ED8F
SHA1:	D722375CA7693411B1B52882DD324DD161E169A0
SHA-256:	FD329FEAB5C9C6385C01A86F5F60C8D9F4D02DDB5CE32E19D079DF3425E2282C
SHA-512:	49D3A381D80E015806B32A4ECB8C20C39CE0C378C24DE9F7A499D0DC3E72871E88E3A3DA9B7514B5AC012B63ED46C1A407AA870B85F975E9C5CA7D4784260219
Malicious:	true
Preview:	rule:.. meta:.. name: gather 3d-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.3dftp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40CA59.. features:.. - and:.. - string: "3D-FTP".. - string: "sites.ini".. - optional:.. - string: /\\SiteDesigner/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-alftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	521
Entropy (8bit):	4.879556312790892
Encrypted:	false
SSDEEP:	12:mdmCWRLcfwlkjN36FfybzXmkJcA+YdMqGYNKNnJOvTIG/dVOV5O:mMCWflkjRVvncAnZMnJO77oQ
MD5:	30103D7C9006991F612B818D2CD713AA
SHA1:	6180B99F3B948CD96730E03D50D8196347DD4F34
SHA-256:	D4FE7CA18AAF5F9569F85E69B4DF55E5714CF4FEF3CB5D9C2EBFF3F3BF8372AD
SHA-512:	BECC9178BB43BE17A17A5EA642874E70D31D2B61301F6FA54160FCF8A30D70419283C9276AE1BCDA75D79E2EC0AAA42D367E25C4CF73817C3DE790A3A45D8701
Malicious:	true
Preview:	rule:.. meta:.. name: gather alftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://en.wikipedia.org/wiki/ALFTP.. - https://www.altools.co.kr/Main/Default.aspx.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40A257.. features:.. - and:.. - string: "ESTdb2.dat".. - string: "QData.dat".. - string: /\\Estsoft\\ALFTP/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-bitkinex-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	431
Entropy (8bit):	4.778337897446475
Encrypted:	false
SSDEEP:	12:mdmCLXcfwlkjN36FfybzXmkJcA+rWjOvTD1CaV5IWn:mMCLNlkjRVvncAQyO7/eWn
MD5:	FDB1BEBA9BCDECB397EBB2D771BF812F
SHA1:	55C5D2E18519A91660778336E6AB4962A900A2AA
SHA-256:	BDE12290A97E4B5722A15D99047EDFCD123F72D34F4BB62135C2EC35A7DA11D8
SHA-512:	C8E38B298F1417FFAF4EEC33016CECB5358693C3C2983C4A6B340C95ACBF2BA8BE5938046F7199AC7E0A8AD050DE5E73B06C33EABC711959A0D6FA3752D93A90
Malicious:	true
Preview:	rule:.. meta:.. name: gather bitkinex information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.bitkinex.com/ftp/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x406D14.. features:.. - and:.. - string: /bitkinex\.ds/.. - string: /\\BitKinex/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-blazeftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	631
Entropy (8bit):	4.694076871527979
Encrypted:	false
SSDEEP:	12:mdmC3cfwlkjN36FfybzXmkJcA+YRWNjOvTsknpQ9aVeEMTBNWmnyD:mMCtlkjRVvncA/GO73kRNE
MD5:	64658C5EB5C42CCB2B348AF5D7A253FE
SHA1:	E5EDACCC06646CA43B5247613EB4D76130BF884C
SHA-256:	380D306AC022C3F876ED13952C4F663AB42FDE8FCB14A6AE8088551BD45F5919
SHA-512:	4092EEA256792399CA90AD5A8F9A6CB98F54FDF9554F49EC7F0B07B063B9E58C6CE0CF3B22227B6695AD6802791DFCB2C7F927DB915C646EA6013F0EC9986BE7
Malicious:	true
Preview:	rule:.. meta:.. name: gather blazeftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.slimjet.com/blazeftp/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40C823.. features:.. - and:.. - string: "BlazeFtp".. - string: "site.dat".. - or:.. - string: "LastPassword".. - string: "LastAddress".. - string: "LastUser".. - string: "LastPort".. - string: /Software\\FlashPeak\\BlazeFtp\\Settings/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-bulletproof-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	885
Entropy (8bit):	4.62644012172401
Encrypted:	false
SSDEEP:	24:mMCWlkjRVvncA+O78IN9ebtNPaNPnN9ebqNe:mMFCjrPcxO7xne505ne+0
MD5:	6EC0BA14EC3CEAE866D25ABC5AF4BF0F
SHA1:	E7531287249D40C928A5D24D8CB816B1B268768F
SHA-256:	AE8B8D359A6117747331B57001EC960B0E32A6C4AD0C91A5098C3B9054008425
SHA-512:	272479D73962B0DB77F2FD048E81242302C98F943D1310729F7734F4C728B78AF456A808ACB517C6D8995B46E54790A4620D630073D09D281DC3D07FB65A8405
Malicious:	false
Preview:	rule:.. meta:.. name: gather bulletproof-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://bpftp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x405CCA.. features:.. - or:.. - and:.. - string: ".dat".. - string: ".bps".. - and:.. - or:.. - string: /Software\\BPFTP\\Bullet Proof FTP\\Main/.. - string: /Software\\BulletProof Software\\BulletProof FTP Client\\Main/.. - string: /Software\\BulletProof Software\\BulletProof FTP Client\\Options/.. - string: /Software\\BPFTP\\Bullet Proof FTP\\Options/.. - string: /Software\\BPFTP/.. - or:.. - string: "LastSessionFile".. - string: "SitesDir"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-classicftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.87590707441873
Encrypted:	false
SSDEEP:	12:mdmCFZcfwlkjN36FfybzXmkJcA+Yt/pXJOvTmBNQ6sp:mMCFflkjRVvncARXJO7wNQF
MD5:	88065549B14720AB75AAE6A18837DD90
SHA1:	375C183F3A8ADE3EB1C0B6C9260DE66F99394F66
SHA-256:	E6D8BD5474D771673627F3415EA2C4266FAD266623AED17A1197F73939312620
SHA-512:	E6FB8DAB1876DCB2C0697911B7C400B02222C19100432DDFE9BDF91160F7EEBE5C4C405410DA33CE000785A9A9D3D9CA7191597AF0A8231A1829D897AA96990B
Malicious:	false
Preview:	rule:.. meta:.. name: gather classicftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.nchsoftware.com/classic/index.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40735E.. features:.. - or:.. - string: /Software\\NCH Software\\ClassicFTP\\FTPAccounts/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-coreftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	533
Entropy (8bit):	4.704813946753935
Encrypted:	false
SSDEEP:	12:mdmCIcfwlkjN36FfybzXmkJcA+jqOvTbBN6XcokfXH7vn:mMCQlkjRVvncAUqO7tN6C7n
MD5:	F98A567B9BAD1C225806E3EC777FD622
SHA1:	7838E94AC36EAAD43AC8BD03A1CD4C92FBE33155
SHA-256:	3D5A48C0464A0B60C8101F24F23EA7559B21167ECDFDBC1877886526CD046913
SHA-512:	1C0CC31C1C4358B7DB9CD67230E929A10CDAFA482E2110BCA9F187717E5242639C6F551DA9E549EEF21F8A15592DBA500BEDE83BB2A4CE1B7D5AB116CE6FE3E5
Malicious:	false
Preview:	rule:.. meta:.. name: gather coreftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.coreftp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4063FD.. features:.. - or:.. - string: /Software\\FTPWare\\COREFTP\\Sites/.. - and:.. - string: "Host".. - string: "User".. - string: "Port".. - string: "PthR"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-cuteftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	589
Entropy (8bit):	4.827555849834812
Encrypted:	false
SSDEEP:	12:mdmCEcfwlkjN36FfybzXmkJcA+YdMqwNbY5bqwOvT83V5jHCPV5aWV5aogV5i:mMCMlkjRVvncAnZTO78FBidAaAPU
MD5:	164E41E361CAF3E49944C777AD750851
SHA1:	CD3C86906EAB77E4D325E30C73B5BDB9C149FE1C
SHA-256:	6024A34C6B6100FB2F9E2D67EF8CB471BC12CAC1674C7A0750B0C81F8BC834D1
SHA-512:	3201D63277D32EF947D3C62BADE096075DCF02F04A0E5B6C72C9A981CDEDB6F420A5B2B7D7F1406FA471C01DBE8A5FCBB192C4ED53372068CB40FB64B9155F27
Malicious:	true
Preview:	rule:.. meta:.. name: gather cuteftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://en.wikipedia.org/wiki/CuteFTP.. - https://www.globalscape.com/cuteftp.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40531A.. features:.. - and:.. - string: /\\sm\.dat/.. - or:.. - string: /\\GlobalSCAPE\\CuteFTP/i.. - string: /\\GlobalSCAPE\\CuteFTP Pro/i.. - string: /\\CuteFTP/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-cyberduck-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	471
Entropy (8bit):	4.693943798345135
Encrypted:	false
SSDEEP:	12:mdmCW2cfwlkjN36FfybzXmkJcA+YofjOvT2hV5dtS:mMCWWlkjRVvncA6rO72nY
MD5:	8F621E37D6C35F5150C9CE78B021594A
SHA1:	1633ED8CFE5F87D05C0F022BCF997D761F61D64B
SHA-256:	B003534C26D97446E796DA28E0A13EF8443470DC02575281C448897103CE3259
SHA-512:	0541AA560FD4AEF284EAF16F8688F8520D8B6899CB1D30FF430A6BE6CABD6CBD78680AAF0CD6C0A802C21C135892F3865270DDFB9F9042C7F84FD4E8C68B4E34
Malicious:	false
Preview:	rule:.. meta:.. name: gather cyberduck information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://cyberduck.io/ftp/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40D965.. features:.. - and:.. - string: /\\Cyberduck/.. - or:.. - string: "user.config".. - string: ".duck"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-direct-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1139
Entropy (8bit):	4.630393519948161
Encrypted:	false
SSDEEP:	24:mMC7RlkjRVvncA6qO70KdNcZw9CIKy4MZY4Z4Ft3R/U9:mMcRCjrPcuO70E6Zw9CIKy4Mu4eFt3Ri
MD5:	652A12A208AB8E022DEEA98E47C87AC4
SHA1:	F41E4979614F4DA7ADC5251C79FA2AE07865375B
SHA-256:	7A626122D6CC8686F9F8581B302D06D6B5E7C2BCC3208571FBF0BE68399F8D46
SHA-512:	0522CC699D0DABB35157A6229E2350FF505DA8DB8266A5CC0DBDFD49DC0A93F90A592DAF429A979BC5312E088367396A8460CC0C35EC719BB96DBDF023D4A714
Malicious:	false
Preview:	rule:.. meta:.. name: gather direct-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.coffeecup.com/software/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40DC62.. features:.. - or:.. - string: /Software\\CoffeeCup Software\\Internet\\Profiles/.. - string: /\\CoffeeCup Software/.. - and:.. - string: "Password".. - string: "HostName".. - string: "Port".. - string: "Username".. - string: "HostDirName".. - 2 or more:.. - string: /\\SharedSettings\.ccs/.. - string: /\\SharedSettings\.sqlite/.. - string: /\\SharedSettings[0-9_\.]{2,7}\.ccs/.. - string: /\\SharedSettings[0-9_\.]{2,7}\.sqlite/.. - and:.. - string: "FTP destination server".. - string: "FTP destination user".. - string: "FTP desti

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-directory-opus-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	500
Entropy (8bit):	4.774998859814839
Encrypted:	false
SSDEEP:	12:mdmCQgKcfwlkjN36FfybzXmkJcA+YpIOvTMVV5vb8L0zAHg:mMCIlkjRVvncAcO7M7y4
MD5:	CE85FDB510DE9481069064ABCD2CD56A
SHA1:	89510D5C0DD499F14442783DDB10DAF8A63F13AE
SHA-256:	2F68D2C70FBF04341762268A0F8111E70368A022AC7F1FC05BB318F10839D261
SHA-512:	F944259021BFC8BE45525D91D7E0BBEC2AB47A5863BEF0868D7366C9859CDB3503B2E8F051D3F30B64DEBC917302BAE14B18D135B368F09E16DEFBB3420E7151
Malicious:	false
Preview:	rule:.. meta:.. name: gather directory-opus information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.gpsoft.com.au/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4076F3.. features:.. - and:.. - string: /\\GPSoftware\\Directory Opus/.. - string: ".oxc".. - string: ".oll".. - string: "ftplast.osd"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-expandrive-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	561
Entropy (8bit):	4.7115857745649095
Encrypted:	false
SSDEEP:	12:mdmCLjVcfwlkjN36FfybzXmkJcA+YwahOvTWBNdpzxiBNdYijV5Bt:mMCrlkjRVvncAnhO7gNHz2Nrhft
MD5:	2E29C94FE69897605AAAF12C75D595ED
SHA1:	3B8B8CD70F732F8EE8A20728263E5C67DF6C38CD
SHA-256:	7B3609B58BF60945036B837E444F145C2D84240208091911FA1C26F06D1ED832
SHA-512:	C891B2822BCEA32F3E4BA9A7B884AC6BA92E3F8378579C28578C8C59D3BD7063A22A980706F6F6F28E270E3C05DEACDD25F54AFA018C31C8997D67D4CB6BB99A
Malicious:	false
Preview:	rule:.. meta:.. name: gather expandrive information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.expandrive.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407086.. features:.. - and:.. - or:.. - string: /Software\\ExpanDrive\\Sessions/.. - string: /Software\\ExpanDrive/.. - or:.. - string: /ExpanDrive_Home/.. - string: /\\drives\.js/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-faststone-browser-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	443
Entropy (8bit):	4.746344974361532
Encrypted:	false
SSDEEP:	12:mdmCc6dlcfwlkjN36FfybzXmkJcA+YVNOvTMwwdSAK:mMCZdLlkjRVvncA1O7Mzk
MD5:	1868C1D76D8444A4F7F81A1FBCFB5A0B
SHA1:	4F15EA3CA44574F5D95EAE94D9C8B697A08F033D
SHA-256:	F9A4940E3910B5795D1EAD1DD5A4D0F79BC3C6F99C4AAA82F7888DD6FD854E8B
SHA-512:	C03925B699BA8CBFAC01EBEBBFF9412CFBD3F0A2D3F301B723E83325CFA5952A6786586D1644BED974607F2EFA73A655CAD725A8709812EF391799C5CD80E66E
Malicious:	false
Preview:	rule:.. meta:.. name: gather faststone-browser information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.faststone.org/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40E04F.. features:.. - and:.. - string: /FastStone Browser/.. - string: "FTPList.db"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-fasttrack-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	452
Entropy (8bit):	4.655852370812459
Encrypted:	false
SSDEEP:	12:mdmCDdcfwlkjN36FfybzXmkJcA+eyDCOvTkV9hAtw:mMC3lkjRVvncATVO70
MD5:	AFF8DA61A742CB8B9109CA7702C0AF89
SHA1:	93E03E3CE4819C8F13BF4D70177FFA664FE7931B
SHA-256:	CCEA52C476454F480CCE1130CB59249FDD8588283C40A0B0F336C41C57D81833
SHA-512:	31741381AE584E3D37C6C041A9B2F13E4E9017763C6AD937FB4E5CAC51B4E56726927717AA388686784EC32A76C92A9DA8D35340EF81B1C39B42A7AC1325C9C0
Malicious:	false
Preview:	rule:.. meta:.. name: gather fasttrack-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.fasttracksoft.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40F906.. features:.. - or:.. - and:.. - string: "FastTrack".. - string: "ftplist.txt"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ffftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	761
Entropy (8bit):	4.5763578258823046
Encrypted:	false
SSDEEP:	12:mdmCUucfwlkjN36FfybzXmkJcA+fqfJOvTcwxBNrhqBNrDzYRGWSMi:mMCzlkjRVvncA0qfJO7jNrONrJ
MD5:	2DF756EA22A2D8A89E7D29FDB2F05ED2
SHA1:	FD2AA2BEBDE250B872F05C55E38F4C939A8D95A0
SHA-256:	05A0B19ED15FB88DE13D0EAB4D5B42C0AB40CEE8E7D021655A21976FE4FC6E8D
SHA-512:	76C6380127CEC235ABE583D218ED2422D354CB917B794657EC7AC2B1D85DC341A5B49C6BD7101C47BE70121467A06677D26A502E3567EB5236AF5A2AA15B6736
Malicious:	false
Preview:	rule:.. meta:.. name: gather ffftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www2.biglobe.ne.jp/sota/ffftp-e.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40614B.. features:.. - or:.. - and:.. - or:.. - string: /Software\\Sota\\FFFTP\\Options/.. - string: /Software\\Sota\\FFFTP/.. - or:.. - string: /CredentialSalt/.. - string: /CredentialCheck/.. - and:.. - string: "Password".. - string: "UserName".. - string: "HostAdrs".. - string: "RemoteDir".. - string: "Port"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-filezilla-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.508341128310773
Encrypted:	false
SSDEEP:	24:mMC1ZlkjRVvncAt3O78CT6SNVJOuRNVJvllocbLzn:mM4CjrPciO7fT6SD0QDhn
MD5:	A9DD4A6DCC5859B40849AAA3863899CC
SHA1:	D4B7168AB771DD8929DFA7301718C4E2D8F5565F
SHA-256:	A63DF4514CEEAB67BE2EE0C3DF4FB1FCE9B4568A801541C758AE5005E81C2A98
SHA-512:	A33F464DC5BCCE9359FF961FCFE0C042CC47CFF5BCF4EA18C5B7E3BBB4F889D87E3B65316207E4FD405B0CB3B4852873B7C69B03F37B50ECB3D9462963895D6C
Malicious:	false
Preview:	rule:.. meta:.. name: gather filezilla information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://filezilla-project.org/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4057A7.. features:.. - or:.. - and:.. - string: /\\sitemanager\.xml/.. - string: /\\recentservers\.xml/.. - string: /\\filezilla.xml/.. - and:.. - string: /Software\\FileZilla/.. - string: "Install_Dir".. - string: /Software\\FileZilla Client/.. - 3 or more:.. - string: "Server Type".. - string: "Remote Dir".. - string: "Server.Port".. - string: "Server.Host".. - string: "Server.User".. - string: "Last Server Type".. - string: "Last Server Port".. - string: "Last Server User".. - string: "Last Server Host".. - string: "Last

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-flashfxp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	600
Entropy (8bit):	4.653846729697011
Encrypted:	false
SSDEEP:	12:mdmCdcfwlkjN36FfybzXmkJcA+YuRbRCOvT8lBNWjXwNfahV5KsV5ZsV5tXev:mMCzlkjRVvncAMkO78DNksfMIgPgiv
MD5:	CA21FA37072BF642E2A105C1D9C78E3B
SHA1:	E694D95C119411D4EE9B7581668541BBDD5760C7
SHA-256:	34BA4BE75B2C29172F5781F69C0EBD3DADC7FFFD068FC253DCFC92838B968A51
SHA-512:	CCC893FF123EB80A3F1B58267BF163896EDE09CAA94177B5B29538017707D7AACB10A1F9E020F8EA6526D9BEA2B7A04CF0459558CCF7C8063F24D140FB4C8388
Malicious:	false
Preview:	rule:.. meta:.. name: gather flashfxp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.flashfxp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4055ED.. features:.. - or:.. - and:.. - string: /Software\\FlashFXP/.. - string: /DataFolder/.. - string: /Install Path/.. - and:.. - string: /\\Sites.dat/.. - string: /\\Quick.dat/.. - string: /\\History.dat/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-fling-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	623
Entropy (8bit):	4.7950152043644865
Encrypted:	false
SSDEEP:	12:mdmCKcfwlkjN36FfybzXmkJcA+Yt/GaXJOvTw2x+cgs0oFvogEgRg4Hy:mMCKlkjRVvncAOaXJO7hB3S
MD5:	4F68B417B785E9E4BA0967B33AC21E61
SHA1:	560D260B609FD51B90629C83F669FAC4D7E38942
SHA-256:	5B7E8AC2BBD7DDE8EB8905D769E5F0921407F42086148C3EC232045B4814EA01
SHA-512:	B10C78E0F0ACD9C2D6540C73379EECD1DB1A4CDC211F900A179103503F73065A716A80CA65595DD6A7682983F6E7461DB3A23346265245E73FBCE2328A469042
Malicious:	false
Preview:	rule:.. meta:.. name: gather fling-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.nchsoftware.com/fling/index.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4073A7.. features:.. - or:.. - string: /SOFTWARE\\NCH Software\\Fling\\Accounts/.. - and:.. - string: "FtpPassword".. - string: "_FtpPassword".. - string: "FtpServer".. - string: "FtpUserName".. - string: "FtpDirectory"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-freshftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	366
Entropy (8bit):	4.761059299725239
Encrypted:	false
SSDEEP:	6:hAvlmCvULGMKcfwlkjXPFI8BAFfyh9zzXqNDwny5owxDSP/nTKGzGeLmxHCeLd:mdmCvULucfwlkjN36FfybzXmkCOvTL0d
MD5:	89FD00CBCFB7FD37888B075545705D6D
SHA1:	5E17314DE586176D9732793266637BFC47AACBF4
SHA-256:	C07B14C1976577B23C97511A67C41D06D3F92ECDF69C21468CC91BD82BAE1387
SHA-512:	111CDAB57DEF6126031F2B14318F086C82FE39D257679EBDC33B34198D3C6880F4A77DEE593D91E8362B72019673B7742FBAFEC2D80489EFB6C04ABBA7BCE04A
Malicious:	false
Preview:	rule:.. meta:.. name: gather freshftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40C7AB.. features:.. - and:.. - string: "FreshFTP".. - string: ".SMF"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-frigate3-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.784447725413853
Encrypted:	false
SSDEEP:	12:mdmCyzcfwlkjN36FfybzXmkJcA+JbS5OvTUj/jsV5+:mMCyJlkjRVvncAeS5O7GEM
MD5:	D5ED39CBB4BBE4952159C0DF710728BD
SHA1:	A39F7E69D1A201AE0B0BEAD1EFB8AECBDD9D946F
SHA-256:	227B34951894C13FC0A1C43897453BE84DDD5A24D2D11CE03EE59753CF6FAADD
SHA-512:	48F7DB257786738FA8A4E23F693790FC2296C2FD85379C2405A689B445061ABB52D98C1CE84AE4FFB8D729B8F77320C6EF8A4CC1DE77A4B0B889A0BAFACEF380
Malicious:	true
Preview:	rule:.. meta:.. name: gather frigate3 information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.frigate3.com/index.php.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4069A0.. features:.. - and:.. - string: /FtpSite\.xml/.. - string: /\\Frigate3/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftp-commander-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	512
Entropy (8bit):	4.654118533903384
Encrypted:	false
SSDEEP:	12:mdmCXUlcfwlkjN36FfybzXmkJcA+YGPzOvT8mtGRalxpAtw:mMCXalkjRVvncAizO78mA0j
MD5:	4A5F296A89F559F4ADA6497315B77F37
SHA1:	61DBAFF99D93647C83C33FA90238F13F9F4B03F8
SHA-256:	692D46E15A5BE19C236C7BA284379D71C74AF45C2A5F0526F3383988D7B8D1A9
SHA-512:	0F87B81E2B98D5A03FAC9AFB6F78AB662E9113E56BC6452F796095666740134E4794465DBAA330969A77E2C8F199512FFD58F60E5A56BD362DA7009B8F1C55EB
Malicious:	false
Preview:	rule:.. meta:.. name: gather ftp-commander information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ftpcommander.com/free.htm.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x405BC0.. features:.. - and:.. - or:.. - string: /FTP Navigator/.. - string: /FTP Commander/.. - or:.. - string: "ftplist.txt"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftp-explorer-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	799
Entropy (8bit):	4.622479273773562
Encrypted:	false
SSDEEP:	12:mdmCXLcfwlkjN36FfybzXmkJcA+aCOvTUfeCyvBN62m9CliBN62DmV52xlRkpsqS:mMCXRlkjRVvncAKO7xVN6FN6X4hV
MD5:	457D9626CCF4A26D0977C61062D4DDB2
SHA1:	DCAD65352534A067EFBA4F4F1D3379DE19B2D78F
SHA-256:	B2CD8AB3F80FE75A351BF43AA0085D6BA0E691E56D81AE6D3F5D0D2A17F718A9
SHA-512:	8478B3D04C6885965E553552A67F174D71E9E141B898CB60C4E70E7E5CBF9D54B25B9A1460555C46F5C1E5BA7906406817AED34CC7F08F2E18FE59C5E4456CA8
Malicious:	false
Preview:	rule:.. meta:.. name: gather ftp-explorer information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.ftpx.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x406915.. features:.. - or:.. - and:.. - string: /profiles\.xml/.. - or:.. - string: /Software\\FTP Explorer\\FTP Explorer\\Workspace\\MFCToolBar-224/.. - string: /Software\\FTP Explorer\\Profiles/.. - string: /\\FTP Explorer/.. - and:.. - string: "Password".. - string: "Host".. - string: "Login".. - string: "InitialPath".. - string: "PasswordType".. - string: "Port"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftp-voyager-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	514
Entropy (8bit):	4.878064732933049
Encrypted:	false
SSDEEP:	12:mdmCXOKcfwlkjN36FfybzXmkJcA+Yi0dKyhOvTZV5l3HAUIATAUIA+:mMCXOKlkjRVvncAI0dDO7/zWAyA+
MD5:	A51E83391F167608AE9FD32CAA90C1D7
SHA1:	E3F0D8CB532097F37048E92800260B9F52E9FF17
SHA-256:	A88D20F1A1C615A3E72CF47348A2A3FE6978B097607A6C948A126D249E519EA4
SHA-512:	8EF1EBADD352B8E2B50795095A16A5883B99DC62DC6770EE571ECD3298ED081D7ADE9A789E1EFA6C56692D1432965E4CD2AA57A8751749161384D3EBB7D47086
Malicious:	false
Preview:	rule:.. meta:.. name: gather ftp-voyager information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.serv-u.com/free-tools/ftp-voyager-ftp-client-for-windows.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x408FD3.. features:.. - and:.. - string: /\\RhinoSoft.com/.. - string: "FTPVoyager.ftp".. - string: "FTPVoyager.qc"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpgetter-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	430
Entropy (8bit):	4.742265581379979
Encrypted:	false
SSDEEP:	12:mdmCXjucfwlkjN36FfybzXmkJcA+YXkOvTIPW/p3YUV5U:mMCXjelkjRVvncASO7+WlK
MD5:	5DDEEB7FB2457AE9C222E5778F17E888
SHA1:	FF3BE3CB1D2486AD93F55630391D14C8E4FA290B
SHA-256:	698E53DD23A1F559DA4B78493410944F3B8110FC3573BE84598FFCCAEBF8497D
SHA-512:	42BCB0556CB5EABBF8553B5232783747B988DB88CE4FA3FEADA64D7220E6A849B1ACCEBCA629742309A97E8FFADEB73396CAAD590B9204014E46835F09B463FA
Malicious:	true
Preview:	rule:.. meta:.. name: gather ftpgetter information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ftpgetter.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40A21C.. features:.. - and:.. - string: "servers.xml".. - string: /\\FTPGetter/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpinfo-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	522
Entropy (8bit):	4.766603510086329
Encrypted:	false
SSDEEP:	12:mdmCXFnXzcfwlkjN36FfybzXmkJcA+YNOvT09JLUOBNV/KYaX:mMCXFXJlkjRVvncAvO7kNo
MD5:	11EB1EC32837ACF5324D4A212D20DB07
SHA1:	B50E1695D4F0BBDA44C411C51F48DECD12A19099
SHA-256:	78B0AE872E795DB97FBF1A94F586CAE7C92DB62273AC47394D653EBD815F2AD0
SHA-512:	56C5533D8EBAA5BDB862240554D07FBF15B3CCC536D541712D3763622A8455E03B268142F19832AC5ABE8F0DFC5454C1767F538C5699889829D5E6F2F076FBD9
Malicious:	true
Preview:	rule:.. meta:.. name: gather ftpinfo information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ftpinfo.ru/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40DF62.. features:.. - and:.. - string: "ServerList.xml".. - string: "DataDir".. - or:.. - string: /Software\\MAS-Soft\\FTPInfo\\Setup/.. - string: /FTPInfo/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpnow-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.733025101460622
Encrypted:	false
SSDEEP:	12:mdmCXIacfwlkjN36FfybzXmkCOvTxAcLaAG0WapQJ:mMCXJlkjRVvwO7oz
MD5:	8219D5642E301049051B22E2EAB769FF
SHA1:	7EA9F885FE10B30343576DCE7A49B6F5D034AF89
SHA-256:	2C9DBF8553B29361408627DC84B37F8C0FA2C3C7239A05020B6DEF222105CEBB
SHA-512:	22C4FB41DC13A54E53B6C65BD4C9E215A882B49C682FEEAD200145712F449311200D6FB006CB708B6F76A24B9AD08A3E5B4D7C476BAB4D38E01AFD379A531046
Malicious:	false
Preview:	rule:.. meta:.. name: gather ftpnow information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40CFF0.. features:.. - and:.. - string: "FTPNow".. - string: "FTP Now".. - string: "sites.xml"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftprush-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.818557398573716
Encrypted:	false
SSDEEP:	12:mdmCXTjcfwlkjN36FfybzXmkJcA+YghOvT8V550Nn:mMCXVlkjRVvncAmO7QPe
MD5:	4C17CA18847C2EF45032C18F5A86777F
SHA1:	88BA3D36851EB7516D6B043059F898954CF6F4AC
SHA-256:	02DB93368E541AE7D30F7D4A49FB776E517E8C4DB5F303363C8F451FE0291548
SHA-512:	0DAF08BB2E82E531B9C1949897587F1B354311ECF0B0102941C772ACF2F34C82ADD26A3B66438B9357EC49CD48797C5932150DB22BFA99D09A41D25D3A27A6FF
Malicious:	true
Preview:	rule:.. meta:.. name: gather ftprush information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.wftpserver.com/ftprush.htm.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x406AE0.. features:.. - and:.. - string: /\\FTPRush/.. - string: /RushSite\.xml/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ftpshell-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	426
Entropy (8bit):	4.747594940159546
Encrypted:	false
SSDEEP:	12:mdmCX6KcfwlkjN36FfybzXmkJcA+Y7OvT+A1Ao:mMCX6KlkjRVvncARO7B
MD5:	0CCAAC431FA36D6C3554C60A34FDAE0A
SHA1:	3A399EBBC7A1BFA5F4B2D63700E98DDF83510A30
SHA-256:	A00DD8984D1ACB206845444B09C815ED6922F0243A64CFA7C5AF0647494EF707
SHA-512:	2B2A877316FF595394E889B70D3EEFC3815DA589048A8832AE7E8BEA0A962CB60487B17853AEA320CC877A4D1395C678EAF66E6B65A4DCB45FF4C9403CC798E6
Malicious:	false
Preview:	rule:.. meta:.. name: gather ftpshell information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ftpshell.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40DEE4.. features:.. - and:.. - string: "FTPShell".. - string: "ftpshell.fsi"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-global-downloader-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.789414666089731
Encrypted:	false
SSDEEP:	12:mdmC2cfwlkjN36FfybzXmkJcA+hdCOvTRV5aHGSJoi:mMCWlkjRVvncAK4O73AmTi
MD5:	4316F99EE06ECD36EAE721E47FCFDBCB
SHA1:	24266DCF4C35F5C4D8B39B3896B4BE2BF7DFDFFD
SHA-256:	5096D3A0206358C45BB9D604EB210F6DD2ADF01D991D12A71E8B773F18AFDEFA
SHA-512:	99DA9DF61D6E23B24494B574C1034425D0990AF5F0642B7A5976A6EA2015F65DBE8527B9EBBF49E56B991F0BF2123D1A9788AEE829D9D047B5E7884D9A766C89
Malicious:	false
Preview:	rule:.. meta:.. name: gather global-downloader information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.actysoft.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40C732.. features:.. - and:.. - string: /\\Global Downloader/.. - string: "SM.arch"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-goftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	420
Entropy (8bit):	4.744192931519311
Encrypted:	false
SSDEEP:	12:mdmC3cfwlkjN36FfybzXmkJcA+YHOvT19d4xJZw:mMCtlkjRVvncAFO7d4xw
MD5:	4B03503A599217215253663747CF8925
SHA1:	CB2655299AFD128AACDA2A5B8EC39944E81B3561
SHA-256:	0EDE0C565956ED7D0CDCB8A8089470CE7B91B5C432DABF5F4B477CCEDF576B87
SHA-512:	61D386F99C6CFE49018C08C60BC708A219CC4DD0299A4856F8C9072B927F8BA4A1E8297FFCA719762C6C19791DFFF82FD0923DAB422C606D17F2EF62F49D4168
Malicious:	false
Preview:	rule:.. meta:.. name: gather goftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.goftp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40C9E8.. features:.. - and:.. - string: "GoFTP".. - string: "Connections.txt"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-leapftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.471285006529558
Encrypted:	false
SSDEEP:	12:mdmC7/UKcfwlkjN36FfybzXmkCOvTLjRMrpQEXpQ4e2dV5pDaCpQEnpQ4kd:mMCAKlkjRVvwO73k34
MD5:	9CE9F7B4C992F436466992437B0DCB50
SHA1:	100624721BF28655014EDD54204D68DB97CE05DD
SHA-256:	CC5BD56A9CE5B5CD3A8DF0DEE5350B538304E6EFCABA6198DCACAC2062DF803D
SHA-512:	7E283E6296F7F4218E9A5784844ECF168BF1949992F22C6ECF0B0A37ECD273547DDA6043F0347CA770756D1AD82D874B12C0FCFD3BE0FAE7E4E1692CCAD821DC
Malicious:	true
Preview:	rule:.. meta:.. name: gather leapftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407A33.. features:.. - or:.. - and:.. - string: "InstallPath".. - string: "DataDir".. - string: "sites.dat".. - string: "sites.ini".. - and:.. - or:.. - string: /SOFTWARE\\LeapWare/.. - string: /\\LeapWare\\LeapFTP/.. - 2 or more:.. - string: "sites.dat".. - string: "sites.ini".. - string: "leapftp"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-netdrive-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	427
Entropy (8bit):	4.759046033102424
Encrypted:	false
SSDEEP:	12:mdmCccfwlkjN36FfybzXmkJcA+Y7XyOvT3h4iz0V5fy:mMC0lkjRVvncAhXyO73Ns9y
MD5:	00375532499526B610A8D66B3AF92C96
SHA1:	49601E7160FDD22AC4878AC2A1B5562DCC818D98
SHA-256:	017BE2BCADD5404E77B8D3C97E610F2803661DE00DF56E2C2BE33F106D04DF59
SHA-512:	EA801AF2A0B2B0C9B096619F822F728BAD2913E1D22CA5D5FC90037F4759CD62D8D133ED41A95DA49CFDE7446A6F34197395F95B057AF6C70E301D0EF763357F
Malicious:	false
Preview:	rule:.. meta:.. name: gather netdrive information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.netdrive.net/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407ED1.. features:.. - and:.. - string: "NDSites.ini".. - string: /\\NetDrive/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-nexusfile-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.729674688467226
Encrypted:	false
SSDEEP:	12:mdmCucfwlkjN36FfybzXmkJcA+YGjOvTpLhThAb/v:mMCelkjRVvncAwO7l6v
MD5:	CDE439CEED14960152189EF454D11181
SHA1:	AC560A314161F03636FBD762FD7C1D112C35819D
SHA-256:	44B0BD2FF0421328BE04BD5E56DB46BF762B85EF19E7876A8C00A4691A3CA3E9
SHA-512:	895F80E59CC92E767E1A90C47571AA1107397F44E328C5A64617A8F4877017CF0EA9A955B600929F88B57BED4ADFB3971B79358416FCA67514A4CE95C3E1977A
Malicious:	false
Preview:	rule:.. meta:.. name: gather nexusfile information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.xiles.app/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40DFD1.. features:.. - and:.. - string: "NexusFile".. - string: "ftpsite.ini"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-nova-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	402
Entropy (8bit):	4.79868487977468
Encrypted:	false
SSDEEP:	12:mdmC1I1cfwlkjN36FfybzXmkCOvTMksCMV54M:mMCC7lkjRVvwO7MrXOM
MD5:	3021DCD2A8EDE719B5180BE7E74C6ED9
SHA1:	16B1F262925F5F1ED3AC5FECA25E2F046F98E31F
SHA-256:	C90441866D6633DC306EB7EB95B23A73D2675F8439FD5A8952B00E8358A7FFC2
SHA-512:	FA2677C4A5256337B5F203FCDFBDCB01DC1FAD92CD82A7D394758A66F85815095C5B0D0B06B0BE5AC38665BE4896A25BFD4FB16EDCBB9B0B58F44A28E094607E
Malicious:	false
Preview:	rule:.. meta:.. name: gather nova-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40E5FF.. features:.. - or:.. - and:.. - string: "NovaFTP.db".. - string: /\\INSoftware\\NovaFTP/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-robo-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	741
Entropy (8bit):	4.589458284701882
Encrypted:	false
SSDEEP:	12:mdmCipjcfwlkjN36FfybzXmkJcA+Y98OvTS26HvV5OmJacAzRJ0bsYsqhXJk:mMCiflkjRVvncAkO7YdHalR
MD5:	0BC374425F87080AB11F2064A5623170
SHA1:	D59C67F8676899C105772A0AE415FD80FA6F16EA
SHA-256:	37E852820C5C18D0D4FA899FD59404217A2C7048363E6836446C58333A3D1750
SHA-512:	7BF4689E9BDBF9E0FBF3EB8749C89B5F364A1677C346E05D79B27F4FDCE342FFC0FD96C36F213E50FE4FEAD5CEC91D45100430297BDC6FCBE16F43C07BFC9D55
Malicious:	false
Preview:	rule:.. meta:.. name: gather robo-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.robo-ftp.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40D2CB.. features:.. - or:.. - and:.. - string: /SOFTWARE\\Robo-FTP/.. - or:.. - string: /\\FTPServers/.. - string: /FTP File/.. - string: "FTP Count".. - and:.. - string: "Password".. - string: "ServerName".. - string: "UserID".. - string: "PortNumber".. - string: "InitialDirectory".. - string: "ServerType"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-securefx-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	588
Entropy (8bit):	4.784978076995054
Encrypted:	false
SSDEEP:	12:mdmCXWDcfwlkjN36FfybzXmkJcA+Y9wFTaXJOvTUhy9V5ia6nR7CkkiBNrBl:mMCXW5lkjRVvncAv+mXJO74EW7VnNdl
MD5:	7AD13B5EBDC02570274100C40EA1B60C
SHA1:	2428DC3A568495CD88802BBD75D79D0D57707989
SHA-256:	52BD2BD3E3871AA817EB6933CA4A1CE28B5C856A4EC7777741DF8062328CA3E1
SHA-512:	41EF56B0C053FDF7EBEEEAC9F82910CFB908332C36C5EFE17DEA6DFCF3283B454498669B4DFD9AC89E030FE14CA19497D560BD53C0FC1307BB0946B1B6C6F1CA
Malicious:	false
Preview:	rule:.. meta:.. name: gather securefx information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.vandyke.com/products/securefx/index.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x4069DB.. features:.. - and:.. - string: /\\Sessions/.. - string: ".ini".. - string: /Config Path/.. - or:.. - string: /_VanDyke\\Config\\Sessions/.. - string: /Software\\VanDyke\\SecureFX/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-smart-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	516
Entropy (8bit):	4.6894850850033665
Encrypted:	false
SSDEEP:	12:mdmCv1cfwlkjN36FfybzXmkJcA+YNJOvT8hIV5HKsiEBfB:mMCv7lkjRVvncAvJO78h8p
MD5:	8C353F58061B8DDFDF930AE644C0AA22
SHA1:	E4CC9DC1A2631CC4DAC4DB622526A4EC9926CA2D
SHA-256:	12510B12BA1C25248271748A2132C7F982A0155B36CD5E71989A51C43F5507F5
SHA-512:	506D32B9ECB00918B688DA9C81F1134C5D277E3C2FC4497895D45FD2F7179D64D1CB237671AF46B57B4192374DBAF858B715AACD532403C156FA1E6B9143796D
Malicious:	false
Preview:	rule:.. meta:.. name: gather smart-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.smartftp.com/en-us/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x405DE8.. features:.. - or:.. - and:.. - string: /\\SmartFTP/.. - string: ".xml".. - string: /Favorites\.dat/i.. - string: /History\.dat/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-softx-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.833651266410501
Encrypted:	false
SSDEEP:	12:mdmCYcfwlkjN36FfybzXmkJcA+5JwYJOvToBN6CcBNYePX:mMCAlkjRVvncAWeYJO7GN6HNF
MD5:	41F326F0297F35D36F589E9877D88A68
SHA1:	C6CCF9A00F82B352FFA847B26999F0EC2B78FB8B
SHA-256:	3406719E80CB60B7FF2DEFBFB17E79804AF5F0F12C2C7DA44424320570152668
SHA-512:	41C977353ADEC3D2D7B33749C8A2FB6BB6D507BA38BE20AEA85D800C20878AD8EDFD17D4FC741871C4D6A1AB5B908D9CD05D9FECFECEEBAA4F75F984C963AD22
Malicious:	false
Preview:	rule:.. meta:.. name: gather softx-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - http://www.softx.org/ftp.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407685.. features:.. - or:.. - string: /Software\\FTPClient\\Sites/.. - string: /Software\\SoftX.org\\FTPClient\\Sites/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-southriver-webdrive-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	646
Entropy (8bit):	4.728252849784589
Encrypted:	false
SSDEEP:	12:mdmCpcfwlkjN36FfybzXmkJcA+YFw2wOvTOLBNQdZ9xGKAXHJk:mMCPlkjRVvncAHlwO7gNQdV
MD5:	406ACB3DE9E1A3FD404C80094188C5C6
SHA1:	3BABD1FB92FC7ACE723E09B57F75CD1CE9193876
SHA-256:	9E85E935EC2203328FE4CB803C2C9BE017166C5107A05AB7801B37A9B035FEA8
SHA-512:	99B2D280D8B7D3DDE28AFE8EA903B487176F6C651C12E3A5715D68B11B79B613494DE7FF46737FBFE8FCDB2F9382FF52218C1BDC86C2DE6FEE9C2B84E05B627C
Malicious:	false
Preview:	rule:.. meta:.. name: gather southriver-webdrive information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://southrivertech.com/products/webdriveclient/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407F0C.. features:.. - or:.. - string: /Software\\South River Technologies\\WebDrive\\Connections/.. - and:.. - string: "PassWord".. - string: "UserName".. - string: "RootDirectory".. - string: "Port".. - string: "ServerType"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-staff-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	443
Entropy (8bit):	4.732508917651642
Encrypted:	false
SSDEEP:	12:mdmCicfwlkjN36FfybzXmkJcA+YjQsdjOvTtJ/pQ4v:mMCylkjRVvncA1QspO75
MD5:	36C898FD4BC3986B3DFA82B6348D3555
SHA1:	6EE22180F47FCE0E2020BD381650C18C993910F6
SHA-256:	0FE0B6792FE72579828D7A0DB68CED75F530FA0F4BACCD38F61E67E7168E821D
SHA-512:	21A6620B6DC368571948A2290AC9D8220B850B22FC8F4BFEB9CC8E0161F025C520DEEA0ED8A7AF116D29D8DFA7D39C17B9B1BE329AE30AB970FB9E05A055FF55
Malicious:	false
Preview:	rule:.. meta:.. name: gather staff-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.gsa-online.de/product/staffftp/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40C516.. features:.. - and:.. - string: "Staff-FTP".. - string: "sites.ini"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-total-commander-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	640
Entropy (8bit):	4.726928440670304
Encrypted:	false
SSDEEP:	12:mdmCMlcfwlkjN36FfybzXmkJcA+YBOvTOyBN/IjxaBNcUxpg9EXt13V5qyEj3:mMCilkjRVvncAXO7OUNA1sNc0UE91FUz
MD5:	8EC6E0FE8C794FEB5087DD294B6EE6BD
SHA1:	B718BFC5CAC6FF3572276A6C8FA9507574E22F59
SHA-256:	0CA00A52A667D5BE0ED105437E21F41067E1613B0CC086E71113061B50DFE61C
SHA-512:	9F3179AB35BEB837335EBAE140330AF25837CC710AEF3E556191800338ADFCE8C70145EF7CBB9C682C6B45374A843352EBB232C36FDB497C7232E2816F624F83
Malicious:	false
Preview:	rule:.. meta:.. name: gather total-commander information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ghisler.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x404B1E.. features:.. - and:.. - or:.. - string: /Software\\Ghisler\\Total Commander/.. - string: /Software\\Ghisler\\Windows Commander/.. - or:.. - string: "FtpIniName".. - string: "wcx_ftp.ini".. - string: /\\GHISLER/.. - string: "InstallDir"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-turbo-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	582
Entropy (8bit):	4.615879838904189
Encrypted:	false
SSDEEP:	12:mdmCoFjcfwlkjN36FfybzXmkJcA+YgwOvT876TtYGBNJV5x/:mMCoblkjRVvncAGwO787uNPv/
MD5:	35AEB1C8B9F845C8595BC87057A4C672
SHA1:	F5BE2EB882E617642611A37E514A6BF9CACF2A23
SHA-256:	3E393D161A13F4C7B6ACBF4D31689E033910347EFA32A6BAD38A599C01BF0B99
SHA-512:	7530BE8C7810F79D42A41C874739297C1382D1432C00A2947A7D6CB562DB7F589ED8901D6B13AD54428A0EB777B61B61336A88A508876A7E81F5427827C17306
Malicious:	false
Preview:	rule:.. meta:.. name: gather turbo-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.tbsoftinc.com/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x405E8B.. features:.. - or:.. - and:.. - string: "addrbk.dat".. - string: "quick.dat".. - and:.. - string: /installpath/.. - or:.. - string: /Software\\TurboFTP/.. - string: /\\TurboFTP/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ultrafxp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.7752351851227655
Encrypted:	false
SSDEEP:	6:hAvlmCsYNMKcfwlkjXPFI8BAFfyh9zzXqNDwny5owxDSP/nTTGeLcXhLV5hyn:mdmCpcfwlkjN36FfybzXmkCOvTfmdV5Q
MD5:	A25F9688932E395F15E90D7807F7051F
SHA1:	965ED4E82EDFD9EF681D80ED814E0928FA7F2DF7
SHA-256:	A7D98426559ECC43EC1FA907BE54E295820DC3B7045CE20E031B305C9DF36B92
SHA-512:	8395BA8B435548DE07D3F0EB688E7D4C72F1E93A4870785AB8649040ACA4EAD5BC8329D81E0DAB160BDA8488F3FC694905C24781CEC2B6E3E4BB69FC8E9DF96E
Malicious:	false
Preview:	rule:.. meta:.. name: gather ultrafxp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x406A5C.. features:.. - and:.. - string: /UltraFXP/.. - string: /\\sites\.xml/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-winscp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	553
Entropy (8bit):	4.7127786925259185
Encrypted:	false
SSDEEP:	12:mdmCVcfwlkjN36FfybzXmkJcA+YxSDwOvT6VxFnerFHA3S:mMCblkjRVvncATpO7H
MD5:	96C98E356BD6801AB98537D0436B01CB
SHA1:	99E16BF524DC72A1759C72C6F6D782D9921BBDC7
SHA-256:	1B5CB19700F65330244EA76841E9303D3BB3A55F57B46AFB933A9A9068384ABB
SHA-512:	56EBB6B73692797A7590DAC1B0F220880F0FDBE3F3F6D36B3AF4B122E9B8545CD4FA001B9C857CF33B28290E0F599AE7E408FDFBD02EC644D8553A588FE20001
Malicious:	false
Preview:	rule:.. meta:.. name: gather winscp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://winscp.net/eng/download.php.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x407BBA.. features:.. - and:.. - string: "Password".. - string: "HostName".. - string: "UserName".. - string: "RemoteDirectory".. - string: "PortNumber".. - string: "FSProtocol"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-winzip-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	710
Entropy (8bit):	4.783091321452905
Encrypted:	false
SSDEEP:	12:mdmCscfwlkjN36FfybzXmkJcA+YEma3aXJOvTMS2BNLQuQpBNLQuQMF9JJbs7HNr:mMCklkjRVvncAU3aXJO7MSANcuQPNcuY
MD5:	35FFF640A6D87089D184B68D5A987A0E
SHA1:	F7D223954A72C3444D249024824297148B1BE3E6
SHA-256:	907C2FFB403A09358A6049C86FC9408751A8FFA16D6182E11B0087EA591EE3E3
SHA-512:	94602A7993125F69795A1A2E20EDCF6E3D0D20BE305A96052102E67145A1DE752B5E7482D925CDDA9C49CC009758862022FF6723F57506A165F894634F88A173
Malicious:	false
Preview:	rule:.. meta:.. name: gather winzip information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.winzip.com/win/en/pages/old-brands/nico-mak-computing/index.html.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40E237.. features:.. - or:.. - and:.. - string: /Software\\Nico Mak Computing\\WinZip\\FTP/.. - string: /Software\\Nico Mak Computing\\WinZip\\mru\\jobs/.. - and:.. - string: "Site".. - string: "UserID".. - string: "xflags".. - string: "Port".. - string: "Folder"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-wise-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	626
Entropy (8bit):	4.581332518742527
Encrypted:	false
SSDEEP:	12:mdmCGcfwlkjN36FfybzXmkJcA+YZDBYOvTz6tvMtu3titgV5hIBNZXQD:mMCGlkjRVvncAmO7z2Uud+UbmNZXQD
MD5:	5C29AD80DB4AABEACEB3ECED414D5C67
SHA1:	66CBE8A2B13832187BC96E08963FF330272C1399
SHA-256:	40229FFBD032C55EA89CE5376F9140BAC6E8CCE6F2F2D816057ECE0F1B82987B
SHA-512:	D66391ACD9AE52CA65ECA43090C4F8F6E5FA503F33F93A158A993C9C1719F4C6705DD3388160953E8E0410B02DF4423B5B294A9E7E7DABA0C22EBFFEC8E9327F
Malicious:	false
Preview:	rule:.. meta:.. name: gather wise-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.wise-ftp.de/en/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x408E0D.. features:.. - or:.. - and:.. - string: "wiseftpsrvs.ini".. - string: "wiseftp.ini".. - string: "wiseftpsrvs.bin".. - and:.. - string: "wiseftpsrvs.bin".. - or:.. - string: /\\AceBIT/.. - string: /Software\\AceBIT/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-ws-ftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	468
Entropy (8bit):	4.829244637262221
Encrypted:	false
SSDEEP:	12:mdmCwcfwlkjN36FfybzXmkJcA+YCOvT8U1V50ZV5raM:mMCIlkjRVvncAIO78Ub49X
MD5:	5BC93CE549889D96539C0A08AABDD8E8
SHA1:	C0A05C540D2F19FC1DEC7393B680C19406ECE0EA
SHA-256:	B5FB907F2DC585F723EE69BAA677660DBEAD7984B2C4C81225BCB43907F5F7FF
SHA-512:	3C0C0B71D67D807A91598DD71D73E9B5DE948AF6E7849914B5953EE3A879BA50D8E3094BFBA6BAB3B1A64FA5237CC1EAC25B13C3F7496432A0EE4128AA7E16C4
Malicious:	false
Preview:	rule:.. meta:.. name: gather ws-ftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.ipswitch.com/ftp-server.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40504B.. features:.. - and:.. - string: /\\Ipswitch\\WS_FTP/.. - string: /\\win\.ini/.. - string: /WS_FTP/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\file-managers\gather-xftp-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	435
Entropy (8bit):	4.766689955801597
Encrypted:	false
SSDEEP:	12:mdmC7cfwlkjN36FfybzXmkJcA+Yl8imjOvTdCV5k:mMChlkjRVvncAjriO78K
MD5:	30C4EF741C5D52DC46119C99E1434E69
SHA1:	638982DE027ED9CD9AEDA1700725CB7466A275C7
SHA-256:	79710DE9F0A07A99B28821E5E85A39186F76FBC5DECD94A4C349A9E3F784B577
SHA-512:	4F40EEFD4F6A1AD7FD58EA7BE6A970F62BE876B7A287C1D8ABA3264FEF5F4DA288256D727C6BC6D83B84F0D54315674EB0125F55F9F910DC439A5F22961206B3
Malicious:	false
Preview:	rule:.. meta:.. name: gather xftp information.. namespace: collection/file-managers.. author: "@_re_fox".. scope: function.. att&ck:.. - Credential Access::Credentials from Password Stores [T1555].. references:.. - https://www.netsarang.com/en/xftp-download/.. examples:.. - 5a2f620f29ca2f44fc22df67b674198f:0x40CBEE.. features:.. - and:.. - string: ".xfp".. - string: /\\NetSarang/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\get-geographical-location.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	957
Entropy (8bit):	4.557933879087173
Encrypted:	false
SSDEEP:	24:NVQCZlkFNTHoF/BIHGmVmJUDRl6cOldzhmK2pSEvUfu/:MwCDT2/BbmES94c8dmK2pSEvUm/
MD5:	40882CFCE004647F05B483746AB6C00F
SHA1:	50F65FD37DD060E9170CFB3793F9DD301332BAB6
SHA-256:	D5ECCA78202CF625607A92C6B1C33D87E82BB7FA4475EDBD57C695215B2905D2
SHA-512:	F805CE818C9BAECDB78EBE8BE72B350F2979D0E9EE7AA90F3B9D2995C0CE72B358F890B5C8FB1788F1C9A0CAF3093AADA7E08E3A50ED6484D14D2C46A244E340
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: get geographical location.. namespace: collection.. author: moritz.raabe.. scope: function.. att&ck:.. - Discovery::System Location Discovery [T1614].. examples:.. - 9879D201DC5ACA863F357184CD1F170E:0x10001A99.. features:.. - or:.. - api: GetLocaleInfo.. - api: GetLocaleInfoEx.. # strings part of requests or parsed from response.. # "geo" and "zip" are too short.. # "region" results in FPs mostly related to memory.. - string: /geolocation/i.. - string: /geo-location/i.. - string: /^city/i.. - string: /region_code/i.. - string: /region_name/i.. - string: /^country/i.. - string: /country_code/i.. - string: /countrycode/i.. - string: /country_name/i.. - string: /continent_code/i.. - string: /continent_name/i.. - string: /^latitude/i.. - string: /^longitude/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\keylog\log-keystrokes-via-application-hook.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	528
Entropy (8bit):	4.7978982967346635
Encrypted:	false
SSDEEP:	12:mdmRj4lkv7pfFfylNLJfKG9ZrknjbnvYzFFg3Y:mMRUlkv7pUlBJfKGfknjzYzFl
MD5:	8B89C479F8A9CCF489D5A9AA82D6FF2D
SHA1:	6FD1F54AD35E071129C60A89BA5D0935F2E67FF4
SHA-256:	579B0BF9258036616F5CAC10C0607B32DD85F7F272DE07CA1778160E366AF75F
SHA-512:	E18C759B9B1641FA236B5C8108ECFF21B70BB6CC8B72493ED229B907CFB37ECDAE804D881D0AEDF2204C879709D1D18E0C4C03501C68D0F89A065562C8343355
Malicious:	false
Preview:	rule:.. meta:.. name: log keystrokes via application hook.. namespace: collection/keylog.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Input Capture::Keylogging [T1056.001].. mbc:.. - Collection::Keylogging::Application Hook [F0002.001].. examples:.. - Practical Malware Analysis Lab 12-03.exe_:0x401000.. features:.. - and:.. - match: set application hook.. - or:.. - number: 13 = WH_KEYBOARD_LL.. - number: 2 = WH_KEYBOARD..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\keylog\log-keystrokes-via-polling.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	595
Entropy (8bit):	4.75531515770058
Encrypted:	false
SSDEEP:	12:mdmR2Dlkv7pfFfylNLJfKG95bnv+BfyFwQFw1CwbFYb6Y0m:mMR2Dlkv7pUlBJfKGrz+BfWwMw1CwymC
MD5:	1050C00AE87769EB3713E947E0DF1818
SHA1:	A4BE6129C7B5644FE5C0C8409A25F71A8DDD75B9
SHA-256:	550A2B47C8DACFFBAC7304C98A9B3D33C458B0124EF296BABABB19CF07C8E8D1
SHA-512:	0DB678F8039AC79B82F2968535D90B160D79EA7FCDDA5E2ADB49F659E28F45E0D47F2002BB363FB8D0E86310470C6D5397CB9CB523ACB1F91F25AE52539394E0
Malicious:	false
Preview:	rule:.. meta:.. name: log keystrokes via polling.. namespace: collection/keylog.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Input Capture::Keylogging [T1056.001].. mbc:.. - Collection::Keylogging::Polling [F0002.002].. examples:.. - Practical Malware Analysis Lab 11-03.dll_:0x10001030.. features:.. - or:.. - api: user32.GetAsyncKeyState.. - api: user32.GetKeyState.. - api: user32.GetKeyboardState.. - api: user32.VkKeyScan.. - api: user32.VkKeyScanEx.. - api: user32.GetKeyNameText..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\keylog\log-keystrokes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	724
Entropy (8bit):	4.715465873317648
Encrypted:	false
SSDEEP:	12:mdmR1lkv7HCfFfylNLJjKQinXtF6fX44q+P40Uw0PfyFIl7JguSKR:mMR1lkv7HCUlBJjlITkX44b4Jw0PfWIx
MD5:	6D682E4EEBCF02CD206422FE14BADF21
SHA1:	C97AE6A8DADBE712793D854F918A151E10FFB720
SHA-256:	D010527E2592EE8ED64FE5209BA594DA595B310AABC64531B9F7DF9E88962DE7
SHA-512:	A42622779FF12E77164ABF6227C66DA724B6403E1379EA6CEC5AC49115156F80A465D98945DD68C2EB28C3E64B4A592B8D904B08D0E4728AD5E27EEACECFBFA6
Malicious:	false
Preview:	rule:.. meta:.. name: log keystrokes.. namespace: collection/keylog.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Collection::Input Capture::Keylogging [T1056.001].. examples:.. - C91887D861D9BD4A5872249B641BC9F9:0x4015FD.. features:.. - or:.. - and:.. - api: SetWindowsHookEx.. - api: GetKeyState.. - and:.. - api: RegisterHotKey.. - api: user32.keybd_event.. - api: UnregisterHotKey.. - and:.. - api: CallNextHookEx.. - api: user32.GetKeyNameText.. - api: user32.GetAsyncKeyState.. - api: user32.GetForgroundWindow.. - api: user32.AttachThreadInput.. - api: user32.MapVirtualKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\microphone\capture-microphone-audio.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.631793472032109
Encrypted:	false
SSDEEP:	6:hAvlmGA2+YDfwlkLYJ/FI8BAFfyhrRuwdLowCqgGaAjzeLXu2LmXLXGtov:mdmGmm4lkU6FfylEwhDETmbAy
MD5:	83C58C0FCC3C8A0E770986E77B649EA5
SHA1:	021509E53FCC0E04963F2BBCF51C74CF33666520
SHA-256:	8F66722F1A4454B18F9294115E552D22E269E0C73C819B02A414096002AD6B97
SHA-512:	39FC339C46B5A2DE0D18E582202E926C5A2E0F389296453F19A7CAF679EB521DFAF05C2E065CDD49D91484312122991D941C9C3A237A399E4C6A03A140B1CC35
Malicious:	false
Preview:	rule:.. meta:.. name: capture microphone audio.. namespace: collection/microphone.. author: "@_re_fox".. scope: function.. att&ck:.. - Collection::Audio Capture [T1123].. examples:.. - a70052c45e907820187c7e6bcdc7ecca:0x405B40.. features:.. - and:.. - api: mciSendString.. - string: /^open/i.. - string: /waveaudio/i.. - string: /^record/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\network\capture-network-configuration-via-ipconfig.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	574
Entropy (8bit):	4.707242685417041
Encrypted:	false
SSDEEP:	12:mdmGcBglkvIihHeRod5HneLNaIH7JVUZJiyft:mMRglkgmH2od50NaIjc0y1
MD5:	D0A9D21EB0C986D02C8294432C83B71C
SHA1:	AB851DCFA25FA3DB4A90FA447467EBD7A348274A
SHA-256:	4C3748B94C559EE520E6C59FD095DC8F4EED7B0746AFF502665ABD5DDF181A4D
SHA-512:	F2D31CBE99CCFA8389DEDCDC67E818D8318DCDD31B068B5BE2EDA5A646269623053F2150BD56AE5AEAA19E8E5D9DB5D878D7D9A1F8A87587EEE6BEC8D82B6978
Malicious:	false
Preview:	rule:.. meta:.. name: capture network configuration via ipconfig.. namespace: collection/network.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. examples:.. - 7204e3efc2434012e13ca939db0d0b02:0x403028.. features:.. - and:.. - string: /ipconfig(\.exe)?/i.. - api: msvcr100.system.. - optional:.. - and:.. - string: "ipconfig.txt".. - string: /\[Windows IP Configuration\]/.. description: Arkei Stealer Filename and Banner..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\network\capture-public-ip.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	835
Entropy (8bit):	4.63340633857501
Encrypted:	false
SSDEEP:	12:mdmG98lkvI6FfyHeRod5fyXxwoxfUPduLKn2faJgwsAMu5owGnEnXDIgsn:mMjlkgVH2od5fyBwoxfUl7hW4s
MD5:	B41E689149C4B20F371AD4A060025CDB
SHA1:	80EE0C02F8A526EECEFB08B98A8B0EEAA949BFA7
SHA-256:	3FF72756615AB097287A65B7CD59AC63E9AD412B20524EA9E5F87E2F26CC9B50
SHA-512:	04DD24E31230E44BC985FA20336F5B34A83497971361CAA45CBB76D0FEF6200EA6C84294F070CB8C7D0DDE4BE8A7F7E6CCE981E1016820E1B0F76AE72EA9791A
Malicious:	false
Preview:	rule:.. meta:.. name: capture public ip.. namespace: collection/network.. author: "@_re_fox".. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. examples:.. - 84f1b049fa8962b215a77f51af6714b3:0x100061e5.. features:.. - and:.. - api: InternetOpen.. - api: InternetOpenUrl.. - api: InternetReadFile.. - or:.. - string: /bot\.whatismyipaddress\.com/.. - string: /ipinfo\.io\/ip/.. - string: /checkip\.dyndns\.org/.. - string: /ifconfig\.me/.. - string: /ipecho\.net\/plain/.. - string: /api\.ipify\.org/.. - string: /checkip\.amazonaws\.com/.. - string: /icanhazip\.com/.. - string: /wtfismyip\.com/text/.. - string: /api\.myip\.com/.. - string: /ip\-api\.com\/line/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\network\get-domain-trust-relationships.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	546
Entropy (8bit):	4.6212020180412345
Encrypted:	false
SSDEEP:	12:mdmCMEkYlkvoFfy5CcB88ZoMulm5VbQpVQzqViv:mMCMEnlkz5CcBXDfbeYOM
MD5:	E12EBF5A4B1651BE773D0401B7CA29D9
SHA1:	9DD86C61E18756B47D4BF91F6F713B43961B8C13
SHA-256:	6675C71D98C3EA2334C64BB6DE2CBA152EDF5546451B96C6AAB653E6669E6563
SHA-512:	593133958C4E1FE68898F4209533CB7C30EAD14FE6A8DB4A5302065EFCA810DB4AEF69A5EAB88A3674BDBC5A4D5F598B263976FAF505EA393C51F39ED95C2AE3
Malicious:	false
Preview:	rule:.. meta:.. name: get domain trust relationships.. namespace: collection/network.. author: johnk3r.. scope: function.. att&ck:.. - Discovery::Domain Trust Discovery [T1482].. examples:.. - 0796f1c1ea0a142fc1eb7109a44c86cb:0x40222F.. - 0731679c5f99e8ee65d8b29a3cabfc6b:0x40408E.. features:.. - or:.. - and:.. - string: /nltest/i.. - or:.. - string: /\/domain_trusts/i.. - string: /\/dclist/i.. - string: /\/all_trusts/i.. - api: DsEnumerateDomainTrusts..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\network\get-mac-address.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	725
Entropy (8bit):	4.992373146270315
Encrypted:	false
SSDEEP:	12:mdmCLlkv0CfFfyINoo/BhkNB7AypJ+pxbpzfYYpHkypzeYppfIHsX3XRXRXRXRX8:mMCLlk8CUEoo/B+37Ay3+LbaYVtMYpVk
MD5:	0AA9B51AA05B6B0C13ACBD818D3C535B
SHA1:	05BA5B05D3033ED4F81B4AD017A0821B0B198C7B
SHA-256:	2F069780C4D91CD552AE31959E4CE799CA73D450E96656E1BFE4CDB3B3C41F08
SHA-512:	47E0D7F1BE2741FB0D9665575EB77863D00942B574FC275AABCA991B375202C9F3ADF9FA83A146A70E9A2ED655E108D8D81D98FC2B498D900C5F1DD22339A25F
Malicious:	false
Preview:	rule:.. meta:.. name: get MAC address.. namespace: collection/network.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - al-khaser_x64.exe_:0x14001A1BC.. features:.. - and:.. - api: iphlpapi.GetAdaptersInfo.. - or:.. - offset: 0x194 = IP_ADAPTER_INFO.Address.. - offset: 0x195 = IP_ADAPTER_INFO.Address+1.. - offset: 0x196 = IP_ADAPTER_INFO.Address+2.. - offset: 0x197 = IP_ADAPTER_INFO.Address+3.. - offset: 0x198 = IP_ADAPTER_INFO.Address+4.. - offset: 0x199 = IP_ADAPTER_INFO.Address+5.. - optional:.. - string: "%02X-%02X-%02X-%02X-%02X-%02X"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\password-manager\steal-keepass-passwords-using-keefarce.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	587
Entropy (8bit):	4.628420158189824
Encrypted:	false
SSDEEP:	12:mdmWz0ISqlkSXzScnqbzXmz3IcA+Y2upYDtwzfJXs8fBIHs1raT:mMZIVlkQScnqvNcAEezJXs2BIF
MD5:	0C32BB1C4E9896439BB0D0E6B6026AF2
SHA1:	B1E00812790887317F82C55B65584F38E23C6871
SHA-256:	9985966647D6B0E6A02AC4925EFDD610CE93FC5EC8A1800DBD0FA90C1FA4DBFD
SHA-512:	3274EBABAC955BBBC4F7CAF24010A6D6760765DDCD825654F62419DEE073B3A726D99C7F6323D7B6C005B922D010FFE3CA3FB0D9D65B627C52F277E5F4D0F1AF
Malicious:	false
Preview:	rule:.. meta:.. name: steal KeePass passwords using KeeFarce.. namespace: collection/password-manager.. author: "@Ana06".. scope: file.. att&ck:.. - Credential Access::Credentials from Password Stores::Password Managers [T1555.005].. references:.. - https://github.com/denandz/KeeFarce.. - https://keepass.info/help/kb/sec_issues.html.. examples:.. - 1e609dffd12a59ea5d5c9b3055939b1f.. features:.. - and:.. - match: inject dll.. - string: /KeePass/i.. - optional:.. - string: /Bootstrap/.. - string: /KeeFarce/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\collection\screenshot\capture-screenshot.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.602225883585021
Encrypted:	false
SSDEEP:	24:mM/lkcCz6QYUlyKG+mjMJlutBNL4Iz6qewkr3XUm:mM/Czz6UzpmjMVImBUm
MD5:	F785FE3CC700BA4BC7EC1F683FACE0D4
SHA1:	38C13E8738B5E41CE362BB163919E095D10283F4
SHA-256:	07DAAFC52365E7E8A37626318F14EDB57E5AF5628BC4A192A3450A8FAEEE1F66
SHA-512:	D73CABCF291FA5F3266AB1CD8719988F4AE55FB6407F55FBD09450883879D89BB1D69353500816571AAD8A2913E1A9D06D53FA41C19C791D86951974063796FE
Malicious:	false
Preview:	rule:.. meta:.. name: capture screenshot.. namespace: collection/screenshot.. author:.. - moritz.raabe@fireeye.com.. - "@_re_fox".. - michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Screen Capture [T1113].. mbc:.. - Collection::Screen Capture::WinAPI [E1113.m01].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314610A.. - 7204e3efc2434012e13ca939db0d0b02:0x414070.. - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x406E07.. features:.. - or:.. - and:.. - or:.. - api: user32.GetWindowDC.. - api: user32.GetDC.. - and:.. - api: gdi32.CreateDCA.. - string: "DISPLAY".. - or:.. - api: gdi32.BitBlt.. - api: gdi32.GetDIBits.. - api: gdi32.CreateCompatibleDC.. - api: gdi32.CreateCompatibleBitmap.. - optional:.. - or:.. - api: user32.GetSystemMetrics = fetch screen dimensions.. - ap

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\dns\reference-dns-over-https-endpoints.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4115
Entropy (8bit):	4.64715389570696
Encrypted:	false
SSDEEP:	96:JzwClbo3x/DtUBhqcijVb7lvXhmnKZoxGAHfGNMm66dHRzi4n3mBJPtdYKYLUJoi:JzwCOmttN
MD5:	B9C60F2B8DC5B311F8F71B745A9A566D
SHA1:	481B76D6499795CE6F8592C3BA4745412E8FA6ED
SHA-256:	2F2B76F23C7BFD99972F2FF844FC7141166C4604FB1AC6B9174E3755C5E5D450
SHA-512:	B84C4F2D6E65780935372367ACCB0F34E352262118745B6EB76F378F54D2374C6A2067F21686F7F2C9748CDDF99989D3214A8A011C67BE7AF97101E92770F36E
Malicious:	false
Preview:	rule:.. meta:.. name: reference DNS over HTTPS endpoints.. namespace: communication/dns.. author: markus.neis@swisscom.com / @markus_neis.. scope: file.. references:.. - https://github.com/curl/curl/wiki/DNS-over-HTTPS.. examples:.. - 749e7becf00fccc6dff324a83976dc0d:0x00004589 # https://dns.google.com/resolve?name=.. - 749e7becf00fccc6dff324a83976dc0d:0x000045d6 # https://cloudflare-dns.com/dns-query?ct=application/dns-json&name= .. features:.. - or:.. - string: /https://doh.seby.io:8443/dns-query./i.. - string: /https://family.cloudflare-dns.com/dns-query./i.. - string: /https://free.bravedns.com/dns-query./i.. - string: /https://doh.familyshield.opendns.com/dns-query./i.. - string: /https://doh-de.blahdns.com/dns-query./i.. - string: /https://adblock.mydns.network/dns-query./i.. - string: /https://bravedns.com/configure./i.. - string: /https://cloudflare-dns.com/dns-query./i.. - string: /htt

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\ftp\send\send-file-using-ftp-via-wininet.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	616
Entropy (8bit):	4.564109958561538
Encrypted:	false
SSDEEP:	12:mdmWO/lkjfFftKui79kcCbnvsvauFYIHsmPYev:mMVlkj3K7DCzmvFYInYev
MD5:	E8775E064442A1477E2263C4C7750688
SHA1:	6DB5813F02EC5D62C94CD83A2A22F373C1C0F312
SHA-256:	38AF5FAE1391B61E2A71A02B98EF6C4503EDEBEFB0656BE9B2672D19705176C6
SHA-512:	DE9B939CFFB7EE9D4E5575DDC7F5E15F8959F2D94A409C9E9D5911C3D92E9CFAC00CD035903139EB32A85C220254C1E8DAA798D6CD61CE5B8B1D4429946D1851
Malicious:	false
Preview:	rule:.. meta:.. name: send file using FTP via wininet.. namespace: communication/ftp/send.. author: michael.hunhof@fireeye.com.. scope: function.. mbc:.. - Communication::FTP Communication::Send File [C0004.001].. - Communication::FTP Communication::WinINet [C0004.002].. examples:.. - Practical Malware Analysis Lab 20-02.exe_:0x401380.. features:.. - and:.. - api: wininet.FtpPutFile.. - optional:.. - or:.. - api: wininet.FtpSetCurrentDirectory.. - and:.. - api: wininet.InternetConnect.. - number: 0x15 = IPPORT_FTP..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\check-http-status-code.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	898
Entropy (8bit):	4.643484367000866
Encrypted:	false
SSDEEP:	12:mdmGLIYlkECfFftKbxC/BEEggUMtdbeIH4HPHZ7nvNFYHsSyey:mMAjlkEC3Kc/BEE8cdbeIYHvZDvWLy
MD5:	C07CFCD2BAA405B014589B121BD27FD5
SHA1:	BC3633DD709208F8EE07318EEF9B70096C35ED6F
SHA-256:	51DAE339E22EC02BB983DD46C441BC1E1806FDF7BF78A37A05E72EBBE0A1D9F8
SHA-512:	731B030455BEADA92ADBF647E1A94612390667986CEC564B057FAD2756EA1509EDE3EFE4BF312BBCC8049215B981ADDD3F8DA0592167CD6295F906BC9871BDA3
Malicious:	false
Preview:	rule:.. meta:.. name: check HTTP status code.. namespace: communication/http/client.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Read Header [C0002.014].. examples:.. - 54ac78733552a62d1d05ea4ba3fc604bb49fe000d7fc948da45335b726e64d75:0x10001a20.. features:.. - and:.. - or:.. - number: 0x20000013 = HTTP_QUERY_FLAG_NUMBER \| HTTP_QUERY_STATUS_CODE.. - number: 0x13 = HTTP_QUERY_STATUS_CODE.. - optional:.. - api: atoi.. - api: wininet.HttpQueryInfo.. - basic block:.. - and:.. - or:.. - mnemonic: cmp.. - mnemonic: test.. - or:.. - number: 200 = OK.. - number: 400 = Bad Request.. - number: 401 = Unauthorized.. - number: 403 = Forbidden.. - number: 404 = Not Found..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\connect-to-http-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.645112047042607
Encrypted:	false
SSDEEP:	12:mdmGClkWfFftKbOPXfUjSlDAcIHsgy5RkPo:mMllkW3KSsjANI+PAo
MD5:	A9D221A72BC14108D8B8AE487AE3F52D
SHA1:	CA67F784A7AC8205DAC2C312AB9E055E1DC56E18
SHA-256:	99FEB35956B45E84AAC4D579D1E196E3ADA1AEBD99D2243CA6D12BE032D3B14B
SHA-512:	A6770F82B38551C7579E2BB37C2D4EA83127198AA3FB60FB3FB98E6F08D648AC676DAF6835CDC8F75CB05F3BB4DF6AB631E929D16694ABC5273AF57A26F2BA95
Malicious:	false
Preview:	rule:.. meta:.. name: connect to HTTP server.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Connect to Server [C0002.009].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0.. features:.. - and:.. - optional:.. - match: create HTTP request.. - api: wininet.InternetConnect..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\connect-to-url.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	407
Entropy (8bit):	4.698870853982609
Encrypted:	false
SSDEEP:	12:mdmGX4lkWfFftKb/hn5SlDAcIHsgy5RkWo:mMzlkW3KvANI+PBo
MD5:	0B9C8061A11407CEC3076E2E414E04EA
SHA1:	CC33807474E462AC73F3A06471CBC094B4F8EBAC
SHA-256:	70548672D0EA0F7CB47B9BDA509E843078EC90ABC54B4744FD2C93A5D8D5DCEF
SHA-512:	E28FC154CA8ECD3C2BF9A03E0610FFA4E697C027F1204B92B8EF477756CFEA14129E9CC67D84C5618F4835E971C8D4736F77016B3BB72082EC31FD29C5E02DC6
Malicious:	false
Preview:	rule:.. meta:.. name: connect to URL.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Open URL [C0002.004].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0.. features:.. - and:.. - optional:.. - match: create HTTP request.. - api: wininet.InternetOpenUrl..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\create-bits-job.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	5.023306672729872
Encrypted:	false
SSDEEP:	24:NVQKlkEUcAgMZ1zHfJft7lltws4dtwOTeUYIFr0Bivv:MKClc3Y7hftJgNePIp0iv
MD5:	E6D160E64D3BAC351F3B90C6FC8D1F9E
SHA1:	32C80A0E8F57707BF18417F89AAA0D2BB7C1DDEE
SHA-256:	DBD0B6DD9E5BBFAF0B48EC59FC61F60F69A8092F11C3BBF66425414C4B7B2B0B
SHA-512:	C58DE9F5C0B8947C59797ABD113C3ED2C6033466B55AE1850E2ACFA60E5F7C7D5F52B9951B3DCBD0DDB82BB72B07FD181203AE77AD4BF2567F17348C16BBD4DC
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: create BITS job.. namespace: communication/http/client.. author: "@mr-tz".. description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine).. scope: function.. references:.. - https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html.. examples:.. - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78.. features:.. - and:.. - and:.. - bytes: 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C = IBackgroundCopyManager.. - bytes: 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 = BITS_ControlClass.. - offset: 0xC = IBackgroundCopyManagerVtbl.CreateJob.. - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile.. - optional:.. - description: SetNotifyCmdLine may be use to persist.. - bytes: 39 07 B5 54 6F 68 EB 45 9D FF D6 A9 A0 FA A9 AF = IBackgroundCopyJob2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\create-http-request.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	421
Entropy (8bit):	4.689860501292736
Encrypted:	false
SSDEEP:	12:mdmG3gy5RJlkWfFftKbTpASlDA5AXwIH9H+v:mMwPJlkW3KeA1gIMv
MD5:	1D028DF1F30704DEAD65C0DFC08F7F44
SHA1:	95338010870ACEC6D201E21B1AF31EEB18FAC11C
SHA-256:	84F7443B560E869B2181D96EE7EB83F0D0E5F98A712C42F3D86162EFD7C9E1C7
SHA-512:	314BA10AE3AF4C4AD0B1EE59B260F0E7ECDB3990A8D369275AFA05A2FD7F3A9EACAF9C6E915F2671DC7DB6413EEA269139A70DCDF7684265A8FCB79DFA4FA663
Malicious:	false
Preview:	rule:.. meta:.. name: create HTTP request.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Create Request [C0002.012].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0.. features:.. - and:.. - api: wininet.InternetOpen.. - optional:.. - api: wininet.InternetCloseHandle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\decompress-http-response-via-iencodingfilterfactory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	464
Entropy (8bit):	4.85062774103733
Encrypted:	false
SSDEEP:	12:mdmhuRouChlkvuEfFftKbw4VlXvjGFSf9ERC6:mMhruChlkvuE3KMMlX7GYV2C6
MD5:	500D4507D59DB01017207CFBE7B39F42
SHA1:	9377D363A9638B662429FA5C2C2B2C9C9EC27528
SHA-256:	FF00DEAF3B4304F63144E1F746C890715CEB9563438DD303D2BEE4AF7B721E96
SHA-512:	6B2A4412FBA5DF0B31C8801229AF5BDBC99189998541C0A5FB166BCED3C3C6FFFFC033137E38DDEA235A868E1CCD31DA2ED97E839BC6766E1F332B19BD681FE7
Malicious:	false
Preview:	rule:.. meta:.. name: decompress HTTP response via IEncodingFilterFactory.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Get Response [C0002.017].. examples:.. - FBBAAF569B63F6398503E4F1979CABEF:0x4067F0.. features:.. - and:.. - match: get HTTP response content encoding.. - match: decompress data via IEncodingFilterFactory..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\download-url-to-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	467
Entropy (8bit):	4.922899080807441
Encrypted:	false
SSDEEP:	12:mdmMXYlkvuEfFftKbA8ZhPmBWRHwfnnvBY/bpyn:mMMXYlkvuE3K083mBWHwfvBYbpyn
MD5:	42297B53F846B8D100E884572DFC7E69
SHA1:	1DF557500E70F63A9A267B3B73D27829EB004545
SHA-256:	D87ECB004870B4BDA4499B1A98BA9A8926DFA964F6B18A854CD75767D10122B3
SHA-512:	1451BF62E1837CF37AC27B5E06AC530CA8D730BCB0D2F480E3524A69CB5C9D9818E450DB24A50959F1ADE0465BB1044337F9829439824D1E063E75AAF1AA14EE
Malicious:	false
Preview:	rule:.. meta:.. name: download URL to file.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Download URL [C0002.006].. examples:.. - F5C93AC768C8206E87544DDD76B3277C:0x100020F0.. - Practical Malware Analysis Lab 20-01.exe_:0x401040.. features:.. - or:.. - api: urlmon.URLDownloadToFile.. - api: urlmon.URLDownloadToCacheFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\extract-http-body.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.119635968062803
Encrypted:	false
SSDEEP:	12:mdmcTlkvuEfFftKbeiLycA+YSDHJiAzZpDkrpEho5kmiedALqVbRyywb8:mMYlkvuE3KakycAwjYAPkahkkm3ALwb3
MD5:	26CEF8DB4220033251EC648D88A96E93
SHA1:	FC4797380AA4CF89BE34D46B0CC14832E34E5418
SHA-256:	798A229A0E56D068A02F86D370F58543744D99072C080A8E5D8332011EA9BE2F
SHA-512:	ABEBC5E02ADCB12267A07C1ACBB9A0224F188CDEB902DF991AF5883F3E8807967777179CA7D7F2BB10B98F841AD51374728435A5062E963AAC99981E4B6C77C5
Malicious:	false
Preview:	rule:.. meta:.. name: extract HTTP body.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Extract Body [C0002.011].. references:.. - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752574(v=vs.85).. examples:.. - 395EB0DDD99D2C9E37B6D0B73485EE9C:0x4020A9.. features:.. - and:.. - bytes: 25 44 2C 33 CB 26 D0 11 B4 83 00 C0 4F D9 01 19 = CLSID_IHTMLDocument2.. - offset: 0x24 = IHTMLDocument2Vtbl.get_body.. - offset: 0xF0 = IHTMLElementVtbl.get_innerText..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\get-http-document-via-iwebbrowser2.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	817
Entropy (8bit):	5.012932590176702
Encrypted:	false
SSDEEP:	24:mMCyHXlkvuE3KMwcAwjYAPk7ZhMUh9BB5v:mM33Cv1aMwcTcCk7PNh9BBx
MD5:	DE24864F833F711A6F2B75114C7137F3
SHA1:	D67E885B445C7039FF6C44834C4B233B87EED756
SHA-256:	036703B2EBCE2D9C6B36B88581262E176E3324001437B6893888ABC52990C79C
SHA-512:	D8DEBDB59E8F3D2DF8C7033E32656C987811EAF5764AB21013AE7AE0A2BC3BB59CE74C2707C509639F560E4061C2B6FCDB6B2A5053B6BDC58D7ADD787C976C11
Malicious:	false
Preview:	rule:.. meta:.. name: get HTTP document via IWebBrowser2.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Get Response [C0002.017].. - Communication::HTTP Communication::IWebBrowser [C0002.010].. references:.. - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752127(v%3Dvs.85).. examples:.. - 395EB0DDD99D2C9E37B6D0B73485EE9C:0x402000.. features:.. - and:.. - api: oleaut32.SysAllocString.. - api: oleaut32.VariantInit.. - offset: 0x2C = pBrowser2->Navigate.. - offset: 0x48 = pBrowser2->get_Document.. - offset: 0x80 = pBrowser2->Quit.. - count(characteristic(indirect call)): 3 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\get-http-response-content-encoding.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.0668386715613964
Encrypted:	false
SSDEEP:	6:hAvlmC0Ye1YlkEeM9FqHluESgyZlKI8EQa33Adbzhow+6XvjnzG+JePH/R4maxNo:mdmC/TlkvuE/wKbw4VlXvj0PHVGK
MD5:	A391EA0AA3830CA6AFA2012E75A14C90
SHA1:	93FBD59DC53C6FB41225EBABA56C9F3F057BBACC
SHA-256:	86FE82C6FFE66DF6087D6453507490610F0ED9FDF181942412D025B8173736DD
SHA-512:	03246F73B483AA923669ED2F5C5BD058F0F423CAE44F2B669B3C81742F05739C5B75F39D791EE85746BF05BD71DB60B0E87790F35FD75D5A9BA82546AB9D9B84
Malicious:	false
Preview:	rule:.. meta:.. name: get HTTP response content encoding.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: basic block.. mbc:.. - Communication::HTTP Communication::Get Response [C0002.017].. examples:.. - FBBAAF569B63F6398503E4F1979CABEF:0x4068D9.. features:.. - and:.. - api: wininet.HttpQueryInfo.. - number: 0x1D = HTTP_QUERY_CONTENT_ENCODING..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\prepare-http-request.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	366
Entropy (8bit):	4.8810587293370595
Encrypted:	false
SSDEEP:	6:hAvlm2Ewy5RJlkEeM9FhClES4FftKI8EQa+kEpcBowIfze/obkKjGFA:mdm2ty5RJlkWfFftKbTpA+CqFGFA
MD5:	BB62C1FFF4E1513ACE099340F604DE7A
SHA1:	566B1699BBB1BB8295CF27F72EB632BF546D77E9
SHA-256:	EE6C59C141A75FC6945A185759F0770423CFBDE164914A061662BE5C4362CFFC
SHA-512:	C902C12EF64BB97C48AC18BD64DF1D47C3957302352843AB03A55CC23F6F1C7C5EA6FABDC7047FCACEB939231298AC7D070D5874BCA5706AA2CC605595FCC30F
Malicious:	false
Preview:	rule:.. meta:.. name: prepare HTTP request.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Create Request [C0002.012].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002650.. features:.. - or:.. - api: winhttp.WinHttpOpenRequest..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\read-data-from-internet.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	534
Entropy (8bit):	4.543842406152
Encrypted:	false
SSDEEP:	12:mdm78lkWfFftKbw4VSlDSIHYLL+LLYclU9l3v:mM4lkW3KMMAmI4LL+LLFUnf
MD5:	657499A6D30DCD17467F107376A18691
SHA1:	E47CFF381E7EDE48EFA5B67FFD43AA475C176BB1
SHA-256:	A9B7BB2A138385180FA0680F4E53DE12CE26BBC2D649CF430C9593C181786CD8
SHA-512:	48B9CFB7ECE3EE3C9F9418A2641A8A82F55414F1C9E8194940AE24CA569B211716A1ACF99B010BF1A6500CC22C7386DB168B2A7A5006FDF9F2242760638FE608
Malicious:	false
Preview:	rule:.. meta:.. name: read data from Internet.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Get Response [C0002.017].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x40D590.. features:.. - and:.. - optional:.. - or:.. - match: connect to HTTP server.. - match: connect to URL.. - or:.. - api: wininet.InternetReadFile.. - api: wininet.InternetReadFileEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\receive-http-response.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	496
Entropy (8bit):	4.7812650890806045
Encrypted:	false
SSDEEP:	12:mdmtANClkWfFftKbw4V+CBF+NxFThIHEF7B9:mMtAglkW3KMMXc/9hIkFB9
MD5:	95CDDE6845EA20FBC6B1A5ADDE0767DE
SHA1:	EEE9210077E55E3A0DAB14FA49971B34017B0800
SHA-256:	C5A3E5A434169418D974787DA8E5EB1A2B0B9C2F511BE98B5E4C527170E158BB
SHA-512:	45D1B97758A065716EAA7941CBC6C34FB02128DA00D13D55BB5BCC09B47C13D473AF91A794904BAEEEF0C59156518660499A459BCF3A9D8141E07EAA06915964
Malicious:	false
Preview:	rule:.. meta:.. name: receive HTTP response.. namespace: communication/http/client.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Get Response [C0002.017].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002790.. features:.. - or:.. - api: winhttp.WinHttpReceiveResponse.. - and:.. - api: winhttp.WinHttpReadData.. - optional:.. - api: winhttp.WinHttpQueryDataAvailable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\send-file-via-http.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.681995631631727
Encrypted:	false
SSDEEP:	12:mdmWOm4lkvuE/wKb4YjkC5cIHYLL+LLY13j9n:mMxlkvuE4KJkC5cI4LL+LLoj9n
MD5:	B6D8BB7ED74773F538C7B35E104649DF
SHA1:	84CCCBE547631DECC087E327298403EEF9BF2842
SHA-256:	A5DF6FADCCFECCC7D6EF3F9999187065CEB641177D4398965CA91D9BFEA6FAA7
SHA-512:	D8C862B4AD44D64394293E6A4735812F6070012AE583F1196267A643CA35FB3B7F45A1CDC56CBAB9ED1562D66AFDB37123EEC166BCFAD7732EF503954B8446EB
Malicious:	false
Preview:	rule:.. meta:.. name: send file via HTTP.. namespace: communication/http/client.. author: matthew.williams@fireeye.com.. scope: basic block.. mbc:.. - Communication::HTTP Communication::Send Data [C0002.005].. examples:.. - EAAD7DFC78304B977D3844CC63577152:0x4500CB.. features:.. - and:.. - optional:.. - or:.. - match: connect to HTTP server.. - match: connect to URL.. - api: wininet.InternetWriteFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\client\send-http-request.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	889
Entropy (8bit):	4.573042858396554
Encrypted:	false
SSDEEP:	24:mM6PJlkEC3KaOzyYfQUvXUEPIjcFR8qtO:mMiCbaaOOYfQUvXUkIjcn8KO
MD5:	3148C9592853605C2B9393F65C5F9B2C
SHA1:	31F137C25C118517AAB544B4E1FC06773992A748
SHA-256:	5ACE1890FDE810931CEB442F1BCC12F72FFDC8BBDCC85D1AF86BF9E33ADAD215
SHA-512:	41204F29FC547CAF9D447C31CE9B81E8B506E0D93055F42EB93513B236D3283F5BCB7FD7DDD54743676A7BC7DF2FCD52BF43B531249778D8D7D7828D74161868
Malicious:	false
Preview:	rule:.. meta:.. name: send HTTP request.. namespace: communication/http/client.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Send Request [C0002.003].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x100026E0.. features:.. - or:.. - and:.. - or:.. - api: wininet.HttpOpenRequest.. - api: wininet.InternetConnect.. - or:.. - api: wininet.HttpSendRequest.. - api: wininet.HttpSendRequestEx.. - and:.. - api: winhttp.WinHttpSendRequest.. - api: winhttp.WinHttpWriteData.. - optional:.. - or:.. - api: winhttp.WinHttpOpenRequest.. - api: winhttp.WinHttpConnect.. - and:.. - match: send data on socket.. - string: /HTTP/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\initialize-iwebbrowser2.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	680
Entropy (8bit):	4.990789489735774
Encrypted:	false
SSDEEP:	12:mdmY4Nwlk3uE/wKbR0IcA+YSDHJiAzZpDkrvZh9g6eWa9+Efl:mMKlk3uE4KLcAwjYAPk7Zh9acc
MD5:	F1C376CCD774097522015DD61C962800
SHA1:	CEF0EB47FE940193EE5D49D2460C56EFDA852C86
SHA-256:	BCF7BE7472A8841A5C01EC954B2E0081F5178892EC7ED118D8F8C13FF7FFF1BC
SHA-512:	F316027C7988D39B1CF12CBA0DE005590C7DADC8BA91EF5DD79EA3489D5DB1282735A35F2930E9A4ED65FED69555578895F11205DEF36B8A02C5CB531412A557
Malicious:	false
Preview:	rule:.. meta:.. name: initialize IWebBrowser2.. namespace: communication/http.. author: matthew.williams@fireeye.com.. scope: basic block.. mbc:.. - Communication::HTTP Communication::IWebBrowser [C0002.010].. references:.. - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752127(v%3Dvs.85).. examples:.. - 395EB0DDD99D2C9E37B6D0B73485EE9C:0x402130.. features:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 01 DF 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_InternetExplorer.. - bytes: 61 16 0C D3 AF CD D0 11 8A 3E 00 C0 4F C9 E2 6E = IID_IWebBrowser2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\initialize-winhttp-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	352
Entropy (8bit):	4.9013320704308265
Encrypted:	false
SSDEEP:	6:hAvlmMky21CEvNFwlkEeMPClES4FftKI8EQaRFtjxLowIfze/osVGUkKjGt:mdm1VglkOfFftKbMj9+Cd5FGt
MD5:	E590215CB3A11361425DE67675180782
SHA1:	02A7B67C004ED72011931F52E3DD734D632ECCB7
SHA-256:	6EB67D8DF9479B3D712531146D9D3EB5EB1B6037ADCA3EE97EDB3E758A62BB33
SHA-512:	78A87CFE410AF6D978DB55F8BD1EC296942C59D90378392BF953B20B870ED8B0AA6DA1DC429290594D65E89F60F34C875A664A926A9A1239B493C2AB08B03BD1
Malicious:	false
Preview:	rule:.. meta:.. name: initialize WinHTTP library.. namespace: communication/http.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::WinHTTP [C0002.008].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E670.. features:.. - and:.. - api: winhttp.WinHttpOpen..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\read-http-header.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	354
Entropy (8bit):	4.889674873916704
Encrypted:	false
SSDEEP:	6:hAvlmX3ilkEeMPClES4FftKI8EQalSp3y/BowIfze/u8GUkKjYSXc:mdmXylkOfFftKbxC/B+CZF3s
MD5:	04875991A5D307354DBDEF18FBF9DD52
SHA1:	27019735B1D315E76644EBB0814868EDCFE8395A
SHA-256:	3C7478053F69AED57F009ADB79151A04168CC784499EFD47B0EABF11DDED7291
SHA-512:	B41585C5D76E1678A0385E53F77CDCB8F1782ABFF8C08DD9A54F1915527C1C3E6C5B49AC1154B9D9110EFA2794506204ADB1025E74DF963E8CA238CE560626C2
Malicious:	false
Preview:	rule:.. meta:.. name: read HTTP header.. namespace: communication/http.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Read Header [C0002.014].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002A30.. features:.. - and:.. - api: winhttp.WinHttpQueryHeaders..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\server\receive-http-request.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	852
Entropy (8bit):	5.060852540186892
Encrypted:	false
SSDEEP:	12:mdmt5RJlkCfFftKbEBpr+CqCvXKCeJKex0AmroDb0AdzZSJSNcrRqx0ArcnZy:mMtPJlkC3K4zwCvXYRp3dztmriGy
MD5:	349D770BC1AB05443609D7B4C2DA96C3
SHA1:	58A9ADEC61403973AF3F3910E301F37ABB404561
SHA-256:	FBE318CA07397A7057C65A8A625FA0146B5C6F7C2EF48379A2A1AF6EB6D90289
SHA-512:	7876E14A61BD31DF58C4503F9FA4EA2A032805CE0A8725B2458F5A23349D3C1EA83B25010BB51247D65B01ECD399920142BE3E0A2B11D928D7CA7AAD832DD6A5
Malicious:	false
Preview:	rule:.. meta:.. name: receive HTTP request.. namespace: communication/http/server.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Receive Request [C0002.015].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x100027D0.. features:.. - or:.. - and:.. - api: httpapi.HttpReceiveHttpRequest.. - or:.. - number: 0.. - number: 1 = HTTP_RECEIVE_REQUEST_FLAG_COPY_BODY.. - number: 2 = HTTP_RECEIVE_REQUEST_FLAG_FLUSH_BODY.. - and:.. - api: httpapi.HttpReceiveRequestEntityBody.. - or:.. - number: 0 = Must be zero on Windows Server 2003 with SP1 and Windows XP with SP2.. - number: 1 = HTTP_RECEIVE_REQUEST_ENTITY_BODY_FLAG_FILL_BUFFER..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\server\send-http-response.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.865055741949231
Encrypted:	false
SSDEEP:	6:hAvlmWOheANClkEeM9ClES4FftKI8EQaYdbo5owIfze/q9m8pNv4MLj:mdmWOYANClkCfFftKbls+Ciw4NvBLj
MD5:	1B2BCCF6AC8C45E1F185CDD77B3A8D3B
SHA1:	0E4D5037E64DC9B6D8D855B0039BF2E4502C5AB7
SHA-256:	687E8BD69360019DFEC0F301CB5AFE22B1C041F179134400FACA539C8B41C84D
SHA-512:	4176A9C9ACFD46AD3ACA4DC03EADA37BEE8FC05C15580993E5F90D30B8B9E96990DC5D46F63B3D73A0174C4FA7C9ABDB16B5B6836177AF38797FA7DB93FBE2D4
Malicious:	false
Preview:	rule:.. meta:.. name: send HTTP response.. namespace: communication/http/server.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Send Response [C0002.016].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001B20.. features:.. - or:.. - api: httpapi.HttpSendHttpResponse.. - api: httpapi.HttpSendResponseEntityBody..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\server\start-http-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	415
Entropy (8bit):	4.792766516369366
Encrypted:	false
SSDEEP:	6:hAvlmWUilkEeM9ClES4FftKI8EQa+AyBpbCowIfze/KVGBjiHodFJrIMYn:mdmWUilkCfFftKbbXf++CS0+IHJOn
MD5:	717FF6927AB9A56B8A919E75229E7F53
SHA1:	6627F246DB5162C5A5AB29A6F3A84C975E775944
SHA-256:	6642D1FE1796E8113341377DF7748BC3AD0467FC5C5622965E2289DA4338C06F
SHA-512:	EF78E9EDABCDD3FEB4ED73A90A87BD1DF08418E4BFFFEA90464166AD5822E317755733E4DDFBABA5498C391B0774930587D5F2E30353E7316A4461BFC124A625
Malicious:	false
Preview:	rule:.. meta:.. name: start HTTP server.. namespace: communication/http/server.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Start Server [C0002.018].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001970.. features:.. - and:.. - api: httpapi.HttpInitialize.. - optional:.. - api: httpapi.HttpTerminate..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\http\set-http-header.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	357
Entropy (8bit):	4.894082654912059
Encrypted:	false
SSDEEP:	6:hAvlmW0ilkEeMPClES4FftKI8EQajtIpJowIfze/gsVGUkKjIB2OW92:mdmWFlkOfFftKb8tQJ+Cl5F82OWw
MD5:	05E65BA4D2F831BF1B9AC7D2383D0D00
SHA1:	FCF112203A36E45A739FCF38045FF10634C368B3
SHA-256:	CA95BEB8CEFAFF460E433D747A4C40804BC64C953BFB8425337BE2B3382B29ED
SHA-512:	9A65291F39E1FAC6FAE4EA6A360EFAA15CF421BA75639486E2FD6DCBDBEAF214819530780E72E665B2BB2BEF59A659152FD2C98F8C5E777B1F4B726848A3883E
Malicious:	false
Preview:	rule:.. meta:.. name: set HTTP header.. namespace: communication/http.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::HTTP Communication::Set Header [C0002.013].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E230.. features:.. - and:.. - api: winhttp.WinHttpAddRequestHeaders..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\icmp\send-icmp-echo-request.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	657
Entropy (8bit):	4.509022020939324
Encrypted:	false
SSDEEP:	12:mdmWOhYRJlk8cfFftK7OkvcA+YSDHflghxiREXDwIHV/2/Sv:mMUJlkD3KrcAwjtgpEI1/2/Sv
MD5:	BC72AF97F9A738FCC51CE3BFFE1853DC
SHA1:	97416A1CA2CDE6505A29E726ABD8B211BC15AEDE
SHA-256:	64104F67A4C3FF3B5001436DEE2CDFF2A024D1C39F62F77DBB35912796AB39CC
SHA-512:	958D22E85BD820D0E1DA3030AE7B41C5186BF30346DB14720EC5F6152828EE2DDA05C00591A43AD26F37E4FAC1615A0A7F173F86A7619771B062C27C54BE8B17
Malicious:	false
Preview:	rule:.. meta:.. name: send ICMP echo request.. namespace: communication/icmp.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::ICMP Communication::Echo Request [C0014.002].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/.. examples:.. - al-khaser_x86.exe_:0x449510.. features:.. - and:.. - or:.. - api: IcmpSendEcho.. - api: IcmpSendEcho2.. - api: IcmpSendEcho2Ex.. - api: Icmp6SendEcho2.. - optional:.. - or:.. - api: IcmpCreateFile.. - api: Icmp6CreateFile.. - api: IcmpCloseHandle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\named-pipe\connect\connect-pipe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	547
Entropy (8bit):	4.619954941254655
Encrypted:	false
SSDEEP:	12:mdmGIlkSW/CGhfFftKTKT6AEKLDuka0g3:mMHlkT/CO3KuTTBU
MD5:	44838105D24BF94CF4A849DA71BB5364
SHA1:	5D41D086C373D74CD3B9054C29A75391C49CBCFF
SHA-256:	DD47596403A03F6AF9F13C2528C2104C004DCDAB2BE47E62CBE89853EDCA3E5E
SHA-512:	BB06626C22E3CFFAF92D15648579B3D15EA41D51B2D21D00FAFC6DF4C8F5E6616A59E8709BA91DAA0A5BFA3A60F383590F4CCC936F1A775F833A421723548090
Malicious:	false
Preview:	rule:.. meta:.. name: connect pipe.. namespace: communication/named-pipe/connect.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::Interprocess Communication::Connect Pipe [C0003.002].. examples:.. # Windows msdt.exe.. - 152d4c9f63efb332ccb134c6953c0104:0x42e400.. features:.. - or:.. - api: kernel32.ConnectNamedPipe.. - api: kernel32.CallNamedPipe.. description: connect, read, write from pipe in single operation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\named-pipe\create\create-pipe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	406
Entropy (8bit):	4.5547128287125025
Encrypted:	false
SSDEEP:	12:mdmG3ZklkSefCfFftKTKTN8njbnvLJ9R4:mMcklkffC3KuTNIjzL+
MD5:	52B9FB043C946D36501D802F1ED1035F
SHA1:	C54ACE6E9C3EB8B93B8DB1C2CFFC3DABD7A18466
SHA-256:	B8F18ED3C59F15019B0271405417B3D3D4BBA321BED6B38688B4803C542CC17B
SHA-512:	39B86DBA306BF71F442B2615CD5C90EA7D1E7C0D6E9B743829841528240FA5307F9C5B6ACD07BDD3569B8B6C11D708245D257A062B3D6BDBF6513AC8285631F5
Malicious:	false
Preview:	rule:.. meta:.. name: create pipe.. namespace: communication/named-pipe/create.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::Interprocess Communication::Create Pipe [C0003.001].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10003a13.. features:.. - or:.. - api: kernel32.CreatePipe.. - api: kernel32.CreateNamedPipe..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\named-pipe\create\create-two-anonymous-pipes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	386
Entropy (8bit):	4.604232540507976
Encrypted:	false
SSDEEP:	12:mdmG3ciglkSeOuEfFftKTKTN8njbnvH5uIk:mM/lkfOuE3KuTNIjzMT
MD5:	79E6912CDF51ABDB4AC0D8FA21BD06DE
SHA1:	113E5EBE400C540D5F057602AD720D11222F2B4A
SHA-256:	38B65A36413659B0AE245885EDCA0DC573C30DDC968DCCFABBA06E39BEFA1E56
SHA-512:	DC3CB79B7D0C0EC0BD4B3346B99170E7294014AC5DE198387D079518166886280FC85BD360E4C3CAEDD0894E1F0CBCA5ECB21EBA490F7A5FA8E2B13A209E3A7D
Malicious:	false
Preview:	rule:.. meta:.. name: create two anonymous pipes.. namespace: communication/named-pipe/create.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Communication::Interprocess Communication::Create Pipe [C0003.001].. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x4011C0.. features:.. - and:.. - count(api(CreatePipe)): 2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\named-pipe\read\read-pipe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	941
Entropy (8bit):	4.534149251700138
Encrypted:	false
SSDEEP:	12:mdmvDlkS8CGhHgWfJ0CXNc0YDEGq7guDAFftKTKTpCbnvHrbVPnuP3:mMvDlkFCOzJD5YIGoqKuT8zLbY
MD5:	247219DE5C492D3EC54464B19D0CEA9D
SHA1:	278801936BFA91EE57E8882F1247ACBB7041DE0A
SHA-256:	8AFAB8A1D66011B36CAAE64FDB397037837B3F08B1931771FD7BA0FB4D51901B
SHA-512:	AFF91893C9E473FB47B703551883AF4B7D48DF508CDDF94391E7F4EDA7F68D0AF669D6A345AD4F1590302A43D3BCD25EDC3EE9457F29BDBA1392B731D561284B
Malicious:	false
Preview:	rule:.. meta:.. name: read pipe.. namespace: communication/named-pipe/read.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output... scope: function.. mbc:.. - Communication::Interprocess Communication::Read Pipe [C0003.003].. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x4014C0.. features:.. - or:.. - and:.. - api: kernel32.PeekNamedPipe.. - api: kernel32.ReadFile.. - api: kernel32.TransactNamedPipe.. description: writes and reads pipe in single operation.. - api: kernel32.CallNamedPipe.. description: connects, writes, and reads pipe in single operation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\named-pipe\write\write-pipe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	711
Entropy (8bit):	4.5518205454143885
Encrypted:	false
SSDEEP:	12:mdmSdlkSXCGhfFftKTKTK5KQinIZDLL689/VPnuP3:mMSdlk8CO3KuT6lmmDLLP9/Y
MD5:	3F6C4D78BD10C71476D289132780A6AB
SHA1:	0BDB3A4746A8FC92DEBDAC1D4D4B9E2A0285545C
SHA-256:	EB6301DCDAA805F1A782DFA924CCD61BFB6C6C4FB817DF20DA203123941AB1D4
SHA-512:	49DE569E2F5ECAE087A6243612261F7E937373097E5E67D7E5E60D84F7E5AA09D1A472A4755B0D4FB8336F34297D199542EB73ECDE6C73C492FEDC0F1986A255
Malicious:	false
Preview:	rule:.. meta:.. name: write pipe.. namespace: communication/named-pipe/write.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::Interprocess Communication::Write Pipe [C0003.004].. examples:.. - C91887D861D9BD4A5872249B641BC9F9:0x401A77.. features:.. - or:.. - and:.. - or:.. - match: create pipe.. - match: connect pipe.. - api: kernel32.WriteFile.. - api: kernel32.TransactNamedPipe.. description: writes and reads pipe in single operation.. - api: kernel32.CallNamedPipe.. description: connects, writes, and reads pipe in single operation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\receive-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	511
Entropy (8bit):	4.695291773180046
Encrypted:	false
SSDEEP:	12:mdmL4lkVwRQ5luhcX4KTmFftKqYFkn8p8/:mMMlksQPusJQK5m/
MD5:	82296C53E7CB43A3D2D84C737C4287EF
SHA1:	CA8EBF24D13BA3B5CE09756B7C4D45CF79067ADA
SHA-256:	32880EF13975B105022C77A12DD8A76781FAD2CA45FE6045D7E257D895167A15
SHA-512:	9210995A193339BE86F1509647D92366A300C4FEFE6A9882072279C858A4B97CF8412F5116FC246A13490370BA450A93571F8D38B3A09F0D6C93946EA8CFAADC
Malicious:	false
Preview:	rule:.. meta:.. name: receive data.. namespace: communication.. author: william.ballenthin@fireeye.com.. description: all known techniques for receiving data from a potential C2 server.. scope: function.. mbc:.. - Command and Control::C2 Communication::Receive Data [B0030.002].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60.. features:.. - or:.. - match: receive data on socket.. - match: read data from Internet.. - match: download URL to file..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\send-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	490
Entropy (8bit):	4.721529381786447
Encrypted:	false
SSDEEP:	12:mdmWO9JlkVwRQ5luF9TmFftKqYfjkf5R8bVv:mMvJlksQPubTQKrjGP8p
MD5:	AE0A93EB92C1180517240774CE570860
SHA1:	2C89450DC894615996CDDBED622ABF5A89C9AE1E
SHA-256:	7FF9E4D0B45281B335B3C33CF114F699EC115A29C4B18582AEB4156F356CF773
SHA-512:	FF3003DB5162913903D70793F9040235CB3BFDEE688CEB7F78AEED27B4A68637F63ED5ABD0D58BBEBB7D5820281D58761306FFD257D21C1CFAE9F537FAEB5892
Malicious:	false
Preview:	rule:.. meta:.. name: send data.. namespace: communication.. author: william.ballenthin@fireeye.com.. description: all known techniques for sending data to a potential C2 server.. scope: function.. mbc:.. - Command and Control::C2 Communication::Send Data [B0030.001].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60.. features:.. - or:.. - match: send HTTP request.. - match: send data on socket.. - match: send file via HTTP..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\get-socket-status.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	431
Entropy (8bit):	4.865711063947603
Encrypted:	false
SSDEEP:	6:hAvlmCg16lkEeM3cClES4FfyhdOJzNoxVJ9KI3ARMIQa3wJBowIfze/NzG4pA:mdmCgwlkXfFfyHeRod9KQ0pi+Cy
MD5:	68B3D1306B3648405E8FDF4C8EB9276B
SHA1:	6D9AE6873792188AC27E19B735251427B7B24883
SHA-256:	210CDDA1A9F46F53CE1B142990826630058AA439D54C532C11EA9C39FE45F634
SHA-512:	D21D1BB44E5E546D67BB92F6E5758C5CEA39BC9569EC491AD1038C9E8DEA35C017A6F20A4DFC3E7F03450EF70452319346097543ECDBC5F31FD621C7A3D4408C
Malicious:	false
Preview:	rule:.. meta:.. name: get socket status.. namespace: communication/socket.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. mbc:.. - Communication::Socket Communication::Get Socket Status [C0001.012].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0.. features:.. - and:.. - api: ws2_32.select..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\initialize-winsock-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	373
Entropy (8bit):	4.911989988328557
Encrypted:	false
SSDEEP:	6:hAvlmMkyNJkvNFwlkEeM3cClES4FftKI3ARMIQa3qyyNpu4owIfze/iCvVGWiXr:mdmomglkXfFftKQ09qFu4+CqCvR0r
MD5:	F0B585F4CBA86EAC3D2E4EC4377AEBB5
SHA1:	C77010B57564B664B1FA1B16105C52F07F993E0A
SHA-256:	7B0E8D5F4E5A959839AA0CD63D2EC3967FA694AD00EBAC1786D8FDF449F3552A
SHA-512:	1DFB5C8D98D38DCC34B2AA2021754435B815AC06AAA491E0AE9841B8EBC2DF0E970112DC25499965DE26844CD93E8C4A9263A7E15DAD3FC2A0CC492ED3905469
Malicious:	false
Preview:	rule:.. meta:.. name: initialize Winsock library.. namespace: communication/socket.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Initialize Winsock Library [C0001.009].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30.. features:.. - and:.. - api: ws2_32.WSAStartup..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\receive\receive-data-on-socket.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	556
Entropy (8bit):	4.72150452698702
Encrypted:	false
SSDEEP:	12:mdmIzlkDCfFftKQ0rbnvLR4URX9BgPLT/y:mMqlkDC3KNrzLRhX9WPvy
MD5:	7C4FBF12F46156B7212B3AE6881C08B7
SHA1:	A6474D6C601232E6ABB3749DFC8F8C627E6B60E9
SHA-256:	CA88CF19D14989FC968884F684A933CBFFC48341A0C62AD0C79E9F08DE8B9841
SHA-512:	2C768B9BC1EE4283F210E6DBCEAD749BC333266CB0349674DEB301E39B0980750FFD70BD1F049A5BC0112A3B18BB2C88B5CE2109FDCCB32B2701FB77F4D64645
Malicious:	false
Preview:	rule:.. meta:.. name: receive data on socket.. namespace: communication/socket/receive.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Receive Data [C0001.006].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - or:.. - api: ws2_32.recv.. - api: ws2_32.recvfrom.. - api: ws2_32.WSARecv.. - api: ws2_32.WSARecvDisconnect.. - api: ws2_32.WSARecvEx.. - api: ws2_32.WSARecvFrom.. - api: ws2_32.WSARecvMsg..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\send\send-data-on-socket.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.669202536560799
Encrypted:	false
SSDEEP:	12:mdmWO9bzlkCCfFftKQ0BbnvLR4URxfJ2W2C/Cv:mMv/lkCC3KNBzLRhxfJSv
MD5:	B3949CD35F2E038795FF54C20C758C00
SHA1:	EB4930CA63BB84D86A88873DA45802C697A1F339
SHA-256:	851E6E49BF082F60D412F4007450814491870339D8D07D714B8B02A653727509
SHA-512:	A129C0D6755618D8E549CB3EDDD78A218C05B4AB5EED9C84D96747F2FB09BD2AA5160F229C4FC29118A3B87DFC3D127517A43347155CFFCF3A75A3379C32723D
Malicious:	false
Preview:	rule:.. meta:.. name: send data on socket.. namespace: communication/socket/send.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Send Data [C0001.007].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - or:.. - api: ws2_32.send.. - api: ws2_32.sendto.. - api: ws2_32.WSASend.. - api: ws2_32.WSASendMsg.. - api: ws2_32.WSASendTo..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\set-socket-configuration.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.791595131819134
Encrypted:	false
SSDEEP:	6:hAvlmW/QIgfwlkEeM3cClES4FftKI3ARMIQajcXjowIfze/Nzt/sOHDcOJ:mdmWJKwlkXfFftKQ0Vyj+CbsOHD/J
MD5:	9811D0D039EC989B17D177228BD98FE8
SHA1:	1A97818F5EFFAA6EACD25CE957F8E93E38A29883
SHA-256:	CF62400394800F178B0B32104003B6DB94BFE5A5480171375B07ABBF7BD40D0B
SHA-512:	3C119D9A510AF67AF822762A25A08B70DB6FCC29F0C11329DAC1DF9DC82B6F48D949018DFD2F89AD0879DD40625442C13B9386B6E4CF9E336747E294A404A781
Malicious:	false
Preview:	rule:.. meta:.. name: set socket configuration.. namespace: communication/socket.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Set Socket Config [C0001.001].. examples:.. - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0.. features:.. - or:.. - api: ws2_32.setsockopt.. - api: ws2_32.ioctlsocket..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\tcp\connect-tcp-socket.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1222
Entropy (8bit):	4.56560547022457
Encrypted:	false
SSDEEP:	24:mMrlkBC3KNaIzLRhdk8MTI55pHNFGMPO3Ezb/EXjM1PM:mMrCcaNRzNhi8MTI55pQUHsXjM1k
MD5:	2BB0F3107655633948EFF230729A96F8
SHA1:	DD81A0BF6233A87C1D1E1A3769825F4C7A647E51
SHA-256:	01C1B2894B679FEB5C117B691FA201BD12422A5B70771E6C41ED5C8D7146C2CB
SHA-512:	9C00E1A8C5D2EF1D21C2DE527C457DC59074F3D8F7F677E3013C79A64F2517BB67C3239EF21D5B32DE0CD851B45A538BE1F9D6CB61087E59B1D8353C64FD7112
Malicious:	false
Preview:	rule:.. meta:.. name: connect TCP socket.. namespace: communication/socket/tcp.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Connect Socket [C0001.004].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - and:.. - match: create TCP socket.. - or:.. - api: ws2_32.connect.. - api: ws2_32.WSAConnect.. - api: ConnectEx.. - and:.. - basic block:.. # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e.. - and:.. - number: 0x25A207B9.. - number: 0x4660DDF3.. - number: 0xE576E98E.. - number: 0x3E06748C.. - basic block:.. - and:.. - api: WSAIoctl.. - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER.. - basic block:.. - and:.. - api: setsockopt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\tcp\create-tcp-socket.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	513
Entropy (8bit):	4.721549879279693
Encrypted:	false
SSDEEP:	12:mdmG3+lkqR/wKQ0RO++jbnvLR4UR0DmFolg3Gxy:mMPlkQ4KNRO++jzLRh0Dmme3x
MD5:	F450536A2EFE82B8C8AA1BB016BF318D
SHA1:	61CEA717F4A167A94FA9B9406C73B5C55BFA4BB3
SHA-256:	5F27B042BD154593CCCF6252F3667EFC359EEC884273C04DB3CB4C9F181F3803
SHA-512:	2CEDC63F82F9DEA1F309AF97E2A0C45A5DB7085E8863ED7DBC034615ED6A1CD8E8135059C7F3B29B5FC0B47472A2913B1E59336C2FCF5F713A64A7ACF37747F5
Malicious:	false
Preview:	rule:.. meta:.. name: create TCP socket.. namespace: communication/socket/tcp.. author: william.ballenthin@fireeye.com.. scope: basic block.. mbc:.. - Communication::Socket Communication::Create TCP Socket [C0001.011].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - and:.. - number: 6 = IPPROTO_TCP.. - number: 1 = SOCK_STREAM.. - number: 2 = AF_INET.. - or:.. - api: ws2_32.socket.. - api: ws2_32.WSASocket..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\tcp\send\send-tcp-data-via-wfp-api.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	429
Entropy (8bit):	5.0391902215772495
Encrypted:	false
SSDEEP:	12:mdmWO5lkHIfFftKQ0Q/Bp6tc78jIRccLrd0M:mMDlkHI3KNQ/Bp6tfM+cLrp
MD5:	D3C5A59C586B267A0157727710B4AE43
SHA1:	636C5CFB565DE30A653E0BEFE0DBA482114D2D47
SHA-256:	6538AE97C2159AB50B08261385537F3507B17AD522139E044D435BBF446081A2
SHA-512:	2EA59069669FB73DF9C0186F69D33DF4FF88A7207D3CF3614C33A9E2B9E2A5BBBD3A4E9854BD8D8B8AC4DB84FE3065612E36966A060ABC115B5623673FE2CBE3
Malicious:	false
Preview:	rule:.. meta:.. name: send TCP data via WFP API.. namespace: communication/socket/tcp/send.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Send TCP Data [C0001.014].. examples:.. - 493167E85E45363D09495D0841C30648:0x404560.. features:.. - and:.. - api: fwpkclnt.FwpsStreamInjectAsync0.. - number: 0x10000 = FWPS_STREAM_FLAG_SEND..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\socket\udp\send\create-udp-socket.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	496
Entropy (8bit):	4.997573075748057
Encrypted:	false
SSDEEP:	6:hAvlmG3rF4lkEeM31AGCSgyZlKI3ARMIQa+dlZ+HjowL8HC9GHAfYR35dGtnvlce:mdmG3B4lkuC/wKQ0y8DmzN35acKvGxy
MD5:	9349A5485CEC4A0251AA55F772701FCF
SHA1:	C14D32A60ED7FCC1BBD5E1DC0C194099F7A287A7
SHA-256:	667F1FFDDA06421930507A64EE3CA7750E8FD1D6DFD280DAEE62BD494C2AA0BD
SHA-512:	F077BA82899BC369A0A21E70C99795C8E1056C768BD856F9717211E3C2A2F1DB211E03CF4839E56E44E1724EDDB400B1920569C39CB5BD8315E9DCFDCF963268
Malicious:	false
Preview:	rule:.. meta:.. name: create UDP socket.. namespace: communication/socket/udp/send.. author: moritz.raabe@fireeye.com.. scope: basic block.. mbc:.. - Communication::Socket Communication::Create UDP Socket [C0001.010].. examples:.. - 203BD48BCC18434314AD60F4C8BC21E3D3422EB0624B22B827410F9BC63B4082:0x401240.. features:.. - and:.. - count(number(2 = AF_INET/SOCK_DGRAM)): 2 or more.. - or:.. - api: ws2_32.socket.. - api: ws2_32.WSASocket..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\tcp\client\act-as-tcp-client.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	367
Entropy (8bit):	4.549155178691046
Encrypted:	false
SSDEEP:	6:hAvlmEmVLgFYlkEeMhMAUFMJFBO2S4FftKI3ARMIQaFpBALowdnvLR4URdGoKLLG:mdmtLlkL4RfFftKQ0VGbnvLR4URSLLG
MD5:	390EEEDFA2C852974EBFBD4881B0F54A
SHA1:	3C4DA655F934FAF617BADA3168F2281107AA8246
SHA-256:	479F41976E6EF7B12DC8705377428AE5C35F6B1B338022966B4EDF0B55E0CCA3
SHA-512:	E768BFAAE71549400E5A11B7F3DCB5BE32EAE8E1E0E85C723121329D2FAB36F4916CCCCB91DAFBE5F7E76B7465AFA5CE5473A8C3255235D5694AE84E0C2195A1
Malicious:	false
Preview:	rule:.. meta:.. name: act as TCP client.. namespace: communication/tcp/client.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::TCP Client [C0001.008].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - and:.. - match: connect TCP socket..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\communication\tcp\serve\start-tcp-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	444
Entropy (8bit):	4.647222825085977
Encrypted:	false
SSDEEP:	6:hAvlmW7clkEeMaTneJFBO2S4FftKI3ARMIQajB1LowO0Odjzg/+GoRRfPYXhqFdm:mdmW7clkPTWRfFftKQ0Rj3Om/24kdP+
MD5:	C5529BC8104BC8A176A7289D9B8F4E55
SHA1:	3178350070CB29E452331776598E1A6D0355D15A
SHA-256:	DF224405ED170DE888F373BEC5A7FC5AEDE150C7A611392B6F22E2A0C86E1D50
SHA-512:	41EF0EAFB5DD468BDC3BCF995F0493CC4B6CE76C487ADA607CD890B5986BB417F46EEDE5DAC6227C8B365CEE631E1E46749A2C147A2B0C6B449237C8D7E304A7
Malicious:	false
Preview:	rule:.. meta:.. name: start TCP server.. namespace: communication/tcp/serve.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - Communication::Socket Communication::Start TCP Server [C0001.005].. examples:.. - AF2F4142463F42548B8650A3ADF5CEB2:0x10010880.. features:.. - and:.. - match: create TCP socket.. - api: listen.. - or:.. - api: accept.. - api: WSAAccept..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\autohotkey\compiled-with-autohotkey.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	556
Entropy (8bit):	5.008014465305132
Encrypted:	false
SSDEEP:	12:mdmGNSjlkHWTnq50FacA+YB/5TmCt2tmfgYdMq0/M/gLsPhfv:mMjlk2Tnq5tcARKuZZ1/IK
MD5:	73CB26565084BEECCAAFB451D7D58422
SHA1:	A700962ED7E3C5E77FDE835593E766C254ED288E
SHA-256:	CBAAD851ADE9D5031F3E9FB7186BDD14FD7CBAD37F893D307009A930A29E7B06
SHA-512:	99A35A8C088535C02F8273F34B5A555EAC0F11837BDB917B2EB7DF98FD2EEF44B7616EC709439454B637F835DF659B712CA0109ECF18A1AD71CB99CC74C55A91
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with AutoHotKey.. namespace: compiler/autohotkey.. author: awillia2@cisco.com.. scope: file.. att&ck:.. - Execution::Command and Scripting Interpreter [T1059].. references:.. - https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html.. - https://en.wikipedia.org/wiki/AutoHotkey.. examples:.. - 92D8EA10EA30E8B534334A1C9857A455.. features:.. - and:.. - string: ">AUTOHOTKEY SCRIPT<".. - string: "AutoHotkeyGUI"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\autoit\compiled-with-autoit.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	5.001096124691619
Encrypted:	false
SSDEEP:	24:mMClkcDnq5tcAV/l94uYYPxSm3ETGfCXHy:mMCCcDq5tco/P4uYTs8S
MD5:	D0FDB156F25E9872368C77C7C7205888
SHA1:	37635B6A202934241431159936DFD062E655A610
SHA-256:	B3D0FED59C41640D7576FBD24A6F551FD4F5B18A616AFDFC8A66152954603721
SHA-512:	C38A536F709411D06121C7B88DBB9DD89D8D4E7019E8B401948D9E55717031600FE5AF2B953FA3B22DC365DA7AEE6119B27CAE2822172BD855723F0C5D34C3C7
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with AutoIt.. namespace: compiler/autoit.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Execution::Command and Scripting Interpreter [T1059].. references:.. - https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/.. examples:.. - 55D77AB16377A8A314982F723FCC6FAE.. features:.. - or:.. - string: "AutoIt has detected the stack has become corrupt.\n\nStack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments.\n\nAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.".. - string: "AutoIt Error".. - string: />>>AUTOIT SCRIPT<<</.. - string: ">>>AUTOIT NO CMDEXECUTE<<<"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\d\compiled-with-dmd.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	343
Entropy (8bit):	4.4452888942534425
Encrypted:	false
SSDEEP:	6:hAvlmGTFIlkmj8BcOy/oceGGF+Wf2oowoQBzGZgfsZchjD:mdmGWlkxmnocA+Y2o1DD
MD5:	E08F26AA88E52A98E29083B6619703DD
SHA1:	F3C1E1FAD9E26F7C4A33BD7A1649C43B926EB359
SHA-256:	7BF0C26322841994E07D5AA7E1D2F5E01D00C8A846DAA9D15AB05882FC82577B
SHA-512:	7625FBF9AC6B0E17E54ECDF65A17E480E744CA2C1EFAE131C4E662F8414DDF0A75F80B3B0F8697538AE9E28B71D509D36C4CC4542676140385C2AC234C979509
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with dmd.. namespace: compiler/d.. author: "@_re_fox".. scope: file.. references:.. - https://github.com/dlang/dmd.. examples:.. - 321338196a46b600ea330fc5d98d0699.. features:.. - and:.. - section: ._deh.. - section: .tp.. - section: .dp.. - section: .minfo..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\delphi\compiled-with-borland-delphi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	445
Entropy (8bit):	4.933053993574324
Encrypted:	false
SSDEEP:	12:mdmGS2lkboRDnBtOmXS2qOSW/SJtXrtH+IU:mMClkuDnBtR/+pJU
MD5:	7C2A3A30D2D4C84761A2FE36B63C0637
SHA1:	DBBFABD8089C6DF0FFCEA530EC105B3584703547
SHA-256:	E89EAC86BC9D953C413568B40B5BEFE9F0985342BDFBFF31F150D27E6A6CB89C
SHA-512:	F85B442A88575464F3B56FA3C810884D4D5EC7AC29EBBDAAF30CA4CEFEFBD96966D663CC235319C3486A082A085337C22896BE98C89CF92507B817139B021E57
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with Borland Delphi.. namespace: compiler/delphi.. author: william.ballenthin@fireeye.com.. scope: file.. examples:.. - 4BDD67FF852C221112337FECD0681EAC.. features:.. - or:.. - string: "Borland C++ - Copyright 2002 Borland Corporation".. - string: /SOFTWARE\\Borland\\Delphi\\RTL/.. - string: "Sysutils::Exception".. - string: "TForm1".. - import: "BORLNDMM.DLL"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\exe4j\compiled-with-exe4j.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.812465763440115
Encrypted:	false
SSDEEP:	12:mdmG/lkLnBiynWakZHWaGacU+lUOKFOKN7nj+GajpH+gy:mMmlkLnBi9h2pXZHufd0pegy
MD5:	FDEFA9A8B53B5E74AD0BED5D0D2EAAD6
SHA1:	CA2D5628C2570DC262AC756C6687DF228066613D
SHA-256:	FF3939D40AB3C879C162BC855F3303141C6CA5E40401C77CD99E49D9DB2F7523
SHA-512:	A7566BCCDB651B2864FA7E4C0CC1F84AFA28278A8166B9B5731D7538F35065A1B9CD2E8E2F3ECC97444CF58A09F4077B99894BFDD763109F166F36A89E90FB03
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with exe4j.. namespace: compiler/exe4j.. author: johnk3r.. scope: file.. examples:.. - 6b25f1e754ef486bbb28a66d46bababe:0x404EDE.. features:.. - or:.. - string: "exe4j_log".. - string: "install4j_log".. - string: "exe4j_java_home".. - string: "install4j".. - string: "exe4j.isinstall4j".. - string: /com/exe4j/runtime/exe4jcontroller/i.. - string: /com/exe4j/runtime/winlauncher/i.. - string: "EXE4J_LOG".. - string: "INSTALL4J_LOG".. - string: "EXE4J_JAVA_HOME".. - string: "INSTALL4J".. - string: "EXE4J.ISINSTALL4J"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\go\compiled-with-go.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	305
Entropy (8bit):	4.54572754998346
Encrypted:	false
SSDEEP:	6:hAvlmGTFpSwlkdJClESkOy/BowDVc7Hv/9TLl9xjLSULl9xWv:mdmGVlkbDnBdu7n5l9ZSSl9ov
MD5:	64B55C2DBB3481480BDFA6529C3D3144
SHA1:	0D9ED8E9DAF8D6C7A365E8F18EC052EA6BB3B0DA
SHA-256:	B3F09422A490FB9A44CB1CC12C4FDB6884321BC0DFD0F69F8A80CBE40053C036
SHA-512:	1479E4110CAD2BB1FEB19C0EAAE5E730D982B507D7E49FA5536499CB70EE266C11E8868A2254F923A71D032200A35BC8C5241BC91C387A30840357BB0D57981E
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with Go.. namespace: compiler/go.. author: michael.hunhoff@fireeye.com.. scope: file.. examples:.. - 49a34cfbeed733c24392c9217ef46bb6.. features:.. - or:.. - string: /Go build ID:/.. - string: /go.buildid/.. - string: /Go buildinf:/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\mingw\compiled-with-mingw-for-windows.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	345
Entropy (8bit):	4.66697609941778
Encrypted:	false
SSDEEP:	6:hAvlmGTFtRulClkjWJFBO2SkOy/Bow2crXdTGeLXgHU8LFYn2X+llu+my:mdmGM4lkiRDnBQWxYFY2Xamy
MD5:	30560AD4E9F4D33C695A0A9745BF448B
SHA1:	2482FB4C7CDCF1E3954574173FD226D221586A6A
SHA-256:	039E0E689BDC0B3F827AA114ADC35C48E06542BD3EBA0338887993096256B20C
SHA-512:	717B4655602824EFB95A25A151F11640456F6FECA91AC871D49605084B020246B4884D89E0740F9868C37DAA3AE67FCFDB488B43DFC762E8A349E2B62384E919
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with MinGW for Windows.. namespace: compiler/mingw.. author: william.ballenthin@fireeye.com.. scope: file.. examples:.. - 5b3968b47eb16a1cb88525e3b565eab1.. features:.. - and:.. - string: "Mingw runtime failure:".. - string: "_Jv_RegisterClasses".. description: from GCC..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\nim\compiled-with-nim.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	460
Entropy (8bit):	4.523530920190292
Encrypted:	false
SSDEEP:	12:mdmG26lkswDnBhzPLoAFAEActAYLcNSgQmQ7S9T:mMUlkswDnBhzzRSrp
MD5:	0BF8F7C8A4F891577410B8F8409F01FE
SHA1:	0407E85C3302822B463CBBC09CDC9F7E14603D58
SHA-256:	D3282D133510010605E9750D4CD1BF2946DC074569722D18E849B0E832C300A7
SHA-512:	11A0325C836DFB68DCAADF34D5D3E078B1547D34FD6D28FA089A9AC9B2701B37BC4640B1618C60442C1D473E7FC9325B3FC9D4468F26E50A944B91CECF5B3742
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with Nim.. namespace: compiler/nim.. author: michael.hunhoff@fireeye.com.. scope: file.. examples:.. - 580c37831fe98a254eb6c61c692c70d8.exe_.. features:.. - or:.. - string: /NimMain/.. - string: /NimMainModule/.. - string: /NimMainInner/.. - string: /io.nim$/.. - string: /fatal.nim$/.. - string: /system.nim$/.. - string: /alloc.nim$/.. - string: /osalloc.nim$/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\perl2exe\compiled-with-perl2exe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	418
Entropy (8bit):	4.6431870903589205
Encrypted:	false
SSDEEP:	6:hAvlmGTF34lkyyUy8BAFfJowuz0AcNZPojhG+dvNFNUvNFmLXih4yCKzot+XOLOY:mdmGylkbE6FfJZZQRIsY4rmHy
MD5:	D117D57A8525AC642F7241E0F24508FA
SHA1:	2B09A5DB4DE8E71F99E9029A1EFF93573B69FD39
SHA-256:	DF8A5D70621A07CF03521960BEC5794C7CE983DEBEF2D5FC30FDA6F12CFB3361
SHA-512:	E3A0343DB2A08FE95747C7121CA3536A04DCB6A1FC2C45453B109F7B0592EC1E79E9E775787E1F9BB9ABFA1A223BBCC81700C83BF5DABA3C5E9A680C49A4BF21
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with perl2exe.. namespace: compiler/perl2exe.. author: "@_re_fox".. scope: function.. examples:.. - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9.. features:.. - and:.. - api: LoadLibrary.. - api: FreeLibrary.. - string: /^p2x[a-z0-9]{1,10}\.dll/i.. - basic block:.. - and:.. - api: GetProcAddress.. - string: "RunPerl"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\ps2exe\compiled-with-ps2exe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	397
Entropy (8bit):	4.67691425342386
Encrypted:	false
SSDEEP:	6:hAvlmGTF8lkyQAdg8BcOy/oceGGF+Wf2qDWPJAtow2vO3oGoKZq0FFmLOCeLzLd9:mdmGulkOfmnocA+Y2bJo4vO3nZSUnz
MD5:	79F574A68AD5B6984D2507EB237DF6EB
SHA1:	152E1721E305D83D1633295C23AA7664EE620355
SHA-256:	324D0D9BD8CF28ECE58CE0A8A32CF11B4A9961B61CBCC7ACA174E4DE93F46778
SHA-512:	830078668B3A12F68A640BAC1101F3B604EC9948CCC63D4057D5801486267E6F02150DE95360B86BA4B7F6026E7EA85E8D522F4A92E41E605F87E99DFBE16800
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with ps2exe.. namespace: compiler/ps2exe.. author: "@_re_fox".. scope: file.. references:.. - https://github.com/ikarstein/ps2exe.. examples:.. - 8775ed26068788279726e08ff9665aab.. features:.. - and:.. - match: compiled to the .NET platform.. - string: "PS2EXEApp".. - string: "PS2EXE".. - string: "PS2EXE_Host"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\py2exe\compiled-with-py2exe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	274
Entropy (8bit):	4.761089125697639
Encrypted:	false
SSDEEP:	6:hAvlmGTFKlkymAdg8BIyZBowYUwWBjhGeLaUov:mdmGAlkvyiYGW1hBy
MD5:	8F3C4BE05EF51BC2854D7F5E4079A370
SHA1:	94A923C9992F09046EC20316F130E38088987B96
SHA-256:	5C3FA4E665CEBEF6A0FD8D72AC7F1400E4F16BAC034477376EED1FB05375DA1E
SHA-512:	864F2DDAFB963D91B560898DED09514772AB80A66D033F08F61A99A4584012BB1A60FC5FC8FA6AE323435FD2357DE90E90ED388FDB94D0DCCD63571E4CDA73C1
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with py2exe.. namespace: compiler/py2exe.. author: "@_re_fox".. scope: basic block.. examples:.. - ed888dc2f04f5eac83d6d14088d002de:0x40194A.. features:.. - and:.. - string: "PY2EXE_VERBOSE".. - api: getenv..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\pyarmor\compiled-with-pyarmor.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	621
Entropy (8bit):	5.01036604626706
Encrypted:	false
SSDEEP:	12:mdmGBJlkf9nq50FvFTNimsKkY1cA+Y9MGpUvRDPR+40cFinBE:mMGJlkf9nq5sT2Y1cAwG6vrT2E
MD5:	26A8F4C63A5E7128A331723D38C952D5
SHA1:	7859592E42ABE53EB40A544C5028C95BDD7DC475
SHA-256:	2948C461FD4525EBA42C999890987B62E89624C35A1E2F7AC18739DB33003991
SHA-512:	8C55DC206B5203446B89654478BF4C7E2F4C65C6927D4BFE167ADDA34768143620FBAF69D6E7590E1390576DA7440E6EFDAC49AA95F1E3F7938A4DFC60A3B228
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with pyarmor.. namespace: compiler/pyarmor.. author: "@stvemillertime, @itreallynick".. scope: file.. att&ck:.. - Execution::Command and Scripting Interpreter::Python [T1059.006].. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. references:.. - https://twitter.com/stvemillertime/status/1349032548580483073.. examples:.. - a0fb20bc9aa944c3a0a6c4545c195818.. features:.. - or:.. - string: "pyarmor_runtimesh".. - string: "PYARMOR".. - string: "__pyarmor__".. - string: "PYARMOR_SIGNATURE"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\rust\compiled-with-rust.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	375
Entropy (8bit):	4.81356156102525
Encrypted:	false
SSDEEP:	6:hAvlmGTF9W6lkw6dg8BAFfJowTA46cd2NGKtuL1MUtd3l7tuL4Uf:mdmG26lkwsf6FfJed424TFlu44
MD5:	5740A14EF34C21FF96CC7D95813DC6B4
SHA1:	8BE5B8AA4E47C924567933733783D5577FAE7822
SHA-256:	90E81F2CEB8C5B658D839C1A60EFD3853D144897A2FA331FE5D65A9A7B1CD64C
SHA-512:	B214BC9B2475D1C3DFF7992C4ED3C085FB1DCFE81E30CD26AFBE3336524D4E6DC635DE5657693FE53A92666ABCDDD884DEACD05F7E8E38AEFB5049D355E06E3A
Malicious:	false
Preview:	rule:.. meta:.. name: compiled with rust.. namespace: compiler/rust.. author: "@_re_fox".. scope: function.. examples:.. - c3341b7dfbb9d43bca8c812e07b4299f:0x45F490.. features:.. - and:.. - basic block:.. - string: /run with \`RUST_BACKTRACE=1\` environment variable/.. - basic block:.. - string: /thread '' panicked at '',/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\compiler\vb\compiled-from-visual-basic.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	276
Entropy (8bit):	4.698415148285535
Encrypted:	false
SSDEEP:	6:hAvlmGTJYwlk0IvXqBSuOy/BoweSsO0m4U8GeLf3sKBx3oA:mdmGtzlk0SXgnB113wPNhoA
MD5:	016D3917EEB3AE65948F2CB58A2862C7
SHA1:	4EE74400C38CE605584FA2A427CFFBB0265BB1B0
SHA-256:	6C0DAFE757F05E494C2ACDBB97797B582B0585F3B5603CE7EFAD7D3851C00DEC
SHA-512:	1DFDDE223BEC57A4A160655F679CF97BED70C7760077E6C591BA8A7DC7B0A1732EF4F9D49FFF3C7EEAEFC99C797B044830469040DC27997D5030CB008C19DE5B
Malicious:	false
Preview:	rule:.. meta:.. name: compiled from Visual Basic.. namespace: compiler/vb.. author: "@williballenthin".. scope: file.. examples:.. - 9bca6b99e7981208af4c7925b96fb9cf.. features:.. - and:.. - string: /VB5!.*/.. - import: msvbvm60.ThunRTMain..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\checksum\adler32\compute-adler32-checksum.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1984
Entropy (8bit):	4.269099263144113
Encrypted:	false
SSDEEP:	48:mMA2u1aFUcCmunF3A+9ACTDrhwWe+FAiIxss0:JA2u1MUP7FK0
MD5:	6192D51C6B9392E7361C30E38A20AD9A
SHA1:	8180CEBC8802E38E1A5A9F5147AAD337B36C4902
SHA-256:	EF2A7448B45B82D0EE8A8A04AA053EC82D434F1BDE0B770BEE77AA06D22CC42C
SHA-512:	3EB0FD9257E5F53154A83CE8EDCABDC1013646A5A47D9BEE595DACF28CC1E800F86AA0B9D720F020BCA04C3B8288361D51C61E0994C9D4462AEF7F64EADDE2F7
Malicious:	false
Preview:	rule:.. meta:.. name: compute adler32 checksum.. namespace: data-manipulation/checksum/adler32.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Data::Checksum::Adler [C0032.005].. references:.. - https://en.wikipedia.org/wiki/Adler-32.. examples:.. - 42E81CC1145BA3C1936A6CF9B8DA0CCD:0x10001000.. features:.. - and:.. - basic block:.. - and:.. - number: 0x80078071.. - number: 0xF.. - mnemonic: shr.. - mnemonic: mul.. - mnemonic: imul.. - or:.. - and:.. - number: 0xFFFF000F = -65521.. - mnemonic: add.. - and:.. - number: 0xFFF1 = 65521.. - mnemonic: sub.. # Examples:.. # The sequence below performs mod 65521 using the example 262089 % 65521 = 5:.. # mov eax, 80078071h ; ecx = 262089 (0x3FFC9).. # mul ecx ; 0x3FFC9 * 0x80078071 = 0x20002802767B9

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\checksum\crc32\hash-data-with-crc32.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	674
Entropy (8bit):	4.733166505762234
Encrypted:	false
SSDEEP:	12:mdmnVDNwlxm3CfFftKArj2lmxHc4Hv9YQwjh1FAXdXEhKYXEhuJQ:mMnVD6leC3KojImxV6zjbedXUKYXUuJQ
MD5:	4AEDBB879B0BF9AC407639519BFB41D3
SHA1:	BEBDABF804CD266E918C66520E7AE595AB12BB60
SHA-256:	C46306C8E2C0DA7C0009CEE19F4757A2A5690C19F09B6D9EFE63CBBF4D385A51
SHA-512:	A20D284967DA1A009FE59D3F2BDC200BE877A84EACCFB48A60598CFDA1F55CC6008305B40662EDC914F9035A07EEF48114B350DB8055F57C239F685E3E305EAB
Malicious:	false
Preview:	rule:.. meta:.. name: hash data with CRC32.. namespace: data-manipulation/checksum/crc32.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Data::Checksum::CRC32 [C0032.001].. examples:.. - 2D3EDC218A90F03089CC01715A9F047F:0x403CBD.. - 7D28CB106CB54876B2A5C111724A07CD:0x402350 # RtlComputeCrc32.. - 7EFF498DE13CC734262F87E6B3EF38AB:0x100084A6.. features:.. - or:.. - and:.. - mnemonic: shr.. - number: 0xEDB88320.. - number: 8.. - characteristic: nzxor.. - and:.. - number: 0x8320.. - number: 0xEDB8.. - characteristic: nzxor.. - api: RtlComputeCrc32..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\checksum\luhn\validate-payment-card-number-using-luhn-algorithm.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	534
Entropy (8bit):	4.809367441882132
Encrypted:	false
SSDEEP:	12:mdmLhRZZ4lxt+h6FftK4CoJ6u9ZhRZZKh9ZhRZZKNE:mMfQl7M8K4CK6u9NivNiNE
MD5:	E7CAC6B80D4A1EFD89E136507CA81E11
SHA1:	1A6549B146223808F44757877E8B6D92BD8A46B7
SHA-256:	D6D297637831E8479421B74104C15DF09759E66716506DFE792D72C5961D3932
SHA-512:	4BA085428E08F6C04D7B193007F3A699C09B44A6C245090483695D6D12F36E31FE2B3375CA09901540D8943ACF68CB395FDE234746B2B76E60DA96588B4DE72B
Malicious:	false
Preview:	rule:.. meta:.. name: validate payment card number using luhn algorithm.. namespace: data-manipulation/checksum/luhn.. author: "@_re_fox".. scope: function.. mbc:.. - Data::Checksum::Luhn [C0032.002].. examples:.. - 1d8fd13c890060464019c0f07b928b1a:0x401920.. - 6fcc13563aad936c7d0f3165351cb453:0x4026C0.. features:.. - or:.. - match: validate payment card number using luhn algorithm with no lookup table.. - match: validate payment card number using luhn algorithm with lookup table..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\compression\compress-data-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.835547404603945
Encrypted:	false
SSDEEP:	24:mMTTlTCUlV7kOaKc55cnAEMqEElPqTBEDHXqfRMHERRXHRoy:mMTTQUhc55cn5++c
MD5:	42DA68A71F5F07FD9F3A59DCA6490032
SHA1:	6534C98024E701223C4D079BDCB8DF2B7C4FCC14
SHA-256:	79312075D5F26BEB606090BDBC8ACC937EEA165C5394D2BF9260948A3D731459
SHA-512:	95AF68423977D935BFB177F0955C489BE1F56E6F14C6C625F8677369FF41E90C7D8999ABE6412A6D3612D6E3782251309A311E0CCF249EA1AA632091BC0120C5
Malicious:	false
Preview:	rule:.. meta:.. name: compress data via WinAPI.. namespace: data-manipulation/compression.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Collection::Archive Collected Data::Archive via Library [T1560.002].. mbc:.. - Data::Compress Data [C0024].. examples:.. - 638dcc3d37b3a574044233c9637d7288:0x401020.. features:.. - or:.. # these APIs are not typically intended for user mode programs... # they're only accessible via GetProcAddress on ntoskrnl/ntdll... - api: RtlDecompressBuffer.. - string: "RtlDecompressBuffer".... - api: RtlDecompressBufferEx.. - string: "RtlDecompressBufferEx".... - api: RtlDecompressBufferEx2.. - string: "RtlDecompressBufferEx2".... - api: RtlCompressBuffer.. - string: "RtlCompressBuffer".... - api: RtlCompressBufferLZNT1.. - string: "RtlCompressBufferLZNT1"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\compression\decompress-data-using-aplib.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.6839086919651445
Encrypted:	false
SSDEEP:	24:mMhsnl4z8CBCcAewG5zxFvlJw6Dq8Z9h0Lm:mMinSHBCcI0N/uSq8Zf0Lm
MD5:	43271690DC18BE78BB0E0A2BBFF61ED2
SHA1:	2CFCC8776553320BCB455CE2EB631987E47F2B52
SHA-256:	101540D1AF2EBB1AF640E67D6613BDB20A448B8072A57EB0B7F5061EE55DE36F
SHA-512:	58406ADBF7841DDF060E939EE9384C31D78369C190B6B158A622B41CC01456AED4002E9A2903CF23B5CBF4ECBD7B9C73E41AB40C7241314D0168B724D8DE50CE
Malicious:	false
Preview:	rule:.. meta:.. name: decompress data using aPLib.. namespace: data-manipulation/compression.. author:.. - "@r3c0nst (Frank Boldewin)".. - moritz.raabe@fireeye.com.. description: detects decompression function of library aPLib.. scope: function.. references:.. - https://ibsensoftware.com/files/aPLib-1.1.1.zip.. examples:.. - DAA13AE302FE8B618DDBF590537443EF:0x419F50.. - B43FCA5283BFC7022553EFF663683834:0x424.. - 6CE584F4F2157C63D5DD239A12A3DCEC:0x40AC20.. features:.. - and:.. - description: aP_depack.. - basic block:.. - and:.. - mnemonic: cmp.. - number: 32000.. - basic block:.. - and:.. - mnemonic: cmp.. - or:.. - number: 127.. - number: 128.. - count(characteristic(calls from)): 2 or more.. description: calls aP_getbit and aP_getgamma.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\compression\decompress-data-using-quicklz.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1685
Entropy (8bit):	4.3214814606091165
Encrypted:	false
SSDEEP:	48:mMiI1671SycvgUzXS2VNsykoFKnrOYuUfie:JiI1KSy21++j2
MD5:	79CB782089CA13B88D97EC1EBD0D6891
SHA1:	34CE751FF9207426CA987FDE1DC30F5CFF8843AA
SHA-256:	2A68BB6732A91F17FE56F96E0395AB02C7AC815473201760B4F28098259DBD25
SHA-512:	EC806E84C59E250C8609C10A07D4008BCAC2EAF11FF9BBD42D5BD40497C3E5253A15C250DFF6E47AAF27018C2CAEC8567C7DA06212C12676DE56F2D7453A344F
Malicious:	false
Preview:	rule:.. meta:.. name: decompress data using QuickLZ.. namespace: data-manipulation/compression.. author: david@edeca.net.. description: detects the inner decompression loop from QuickLZ.. scope: function.. mbc:.. - Data::Decompress Data::QuickLZ [C0025.001].. references:.. - http://www.quicklz.com/.. examples:.. - 64d9f7d96b99467f36e22fada623c3bb:0x10001510.. - 234c8034e88b2d097d2da51a85253825:0x100015B0.. - f54a09e966bb929e68f5c01fa3087a3a:0x10001590.. - d115f4b2ec8579be33fe883219c00ae2:0x1800015E0.. - 831083e1614090dbb5815dba36faa2f3:0x1800016E0.. - 7e0b974f004e4e0523fe4d9b9d89e5ad:0x1800016B0.. - 6a352c3e55e8ae5ed39dc1be7fb964b1:0x10010DE0.. features:.. - or:.. - basic block:.. - and:.. - description: Mode 1 decompression.. - mnemonic: xor.. - mnemonic: shr.. - mnemonic: and.. - number: 0xC.. - number: 0xFFF.. - or:.. - offse

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\compression\decompress-data-via-iencodingfilterfactory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	774
Entropy (8bit):	4.987722208553561
Encrypted:	false
SSDEEP:	24:mMhs2ChlquE3K1QCFlcAPClX7INmhDCWIxDJhCACORjmv:mMi2YY1a1QklcLx76gDahfrR0
MD5:	DF4CF72174025222266826654D4B5668
SHA1:	0501923355D3D4E85DAAE65057C59B516FCFCB23
SHA-256:	60B8BC1EDC114DF5FF773524667B534BFE3ABC331D30049AB30093A68CCFC02A
SHA-512:	63445FC7C4E0A9FF3FDB6215A72AA37D5CCBBABAC950B94294DB84CDD313006B35638D680BD70EE9EA0D80AE097FCE56E2F722EDF1D5238DB2DEA7B5EE154BC7
Malicious:	false
Preview:	rule:.. meta:.. name: decompress data via IEncodingFilterFactory.. namespace: data-manipulation/compression.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Data::Decompress Data::IEncodingFilterFactory [C0025.002].. references:.. - https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/.. examples:.. - FBBAAF569B63F6398503E4F1979CABEF:0x40691F.. features:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: D0 7C C3 54 44 D9 D0 11 A9 F4 00 60 97 94 23 11 = StdEncodingFilterFac.. - bytes: 00 DE BD 70 8E C1 D0 11 A9 CE 00 60 97 94 23 11 = IEncodingFilterFactory.. - count(offset(0x10 = IEncodingFilterFactory.GetDefaultFilter and <filter>.DoDecode)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\base64\decode-data-using-base64-via-dword-translation-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	3.768590856870949
Encrypted:	false
SSDEEP:	12:mdmhiz5tU1dlxbQ0PfFfySimsKuKjimsKkOEC2z/ejwD3l/LbFXLvn90Nrq8g7sd:mMhazGdlBHUPKTt2zWjOtP5LlI7h2c7V
MD5:	5A0EA67C174D5E9CDC12BD7C1C68B4AF
SHA1:	E2C58C8E1EAA5924D2507988F33C4196EDC46FB1
SHA-256:	5D2BA32177B4BE4C79319B74918DA5E81DE308FAD14CB94F3462D622349CD744
SHA-512:	60C5483A9AFCB63A1F905D88528AF10CD46B8804DFDEAC46362E0FEE7624CB246A3A6F31528B2A9CBE6AF0B456C84CA6E0E10B5EF2279B5EFC17B2AB3D19DB2F
Malicious:	false
Preview:	rule:.. meta:.. name: decode data using Base64 via dword translation table.. namespace: data-manipulation/encoding/base64.. author: gilbert.elliot@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02].. - Data::Encode Data::Base64 [C0026.001].. examples:.. - 9efa86b43b4367bcdc1591aee59bda25:0x10001000.. features:.. - and:.. - mnemonic: shl.. - or:.. - mnemonic: sar.. - mnemonic: shr.. - match: contain loop.. - number: 2.. - number: 3.. - number: 4.. - number: 6.. - number: 0xF.. - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\base64\decode-data-using-base64-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	544
Entropy (8bit):	4.992107698327338
Encrypted:	false
SSDEEP:	12:mdmhiCglxbI/h2XGwjsKUhcLgz3HG3HK3H0ER:mMhClBIJ2XyckVR
MD5:	2DAD10E064BFECA8C29BB9A9A87CD018
SHA1:	2ABC79ACCB169CC85148EAB6C14D05BD9F4B730B
SHA-256:	4105A1BC99DF0CCCD1ACB4DDC935D128E5C1C5357BBB8A0B5D3375D4EC50B78F
SHA-512:	FEA4C4703176C5FCBB0029B50AE5000E028D1FAFB4897966DF5AB2E088148170EA2D4B83BBCD25F890E74A2C22B493E00D3BC7EFC256EA90ABDCFD8F5E4140AF
Malicious:	false
Preview:	rule:.. meta:.. name: decode data using Base64 via WinAPI.. namespace: data-manipulation/encoding/base64.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Deobfuscate/Decode Files or Information [T1140].. examples:.. - mimikatz.exe_:0x40D742.. features:.. - and:.. - or:.. - number: 0x1 = dwFlags=CRYPT_STRING_BASE64.. - number: 0x6 = dwFlags=CRYPT_STRING_BASE64_ANY.. - number: 0x7 = dwFlags=CRYPT_STRING_ANY.. - api: CryptStringToBinary..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\base64\encode-data-using-base64-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	409
Entropy (8bit):	4.889788841864552
Encrypted:	false
SSDEEP:	6:hAvlmAZn/CNFwlCsb2PCSgyZqhu1y5wVsLQPMKGowKbH9GmS8+Hn/M:mdm0CglxbqC/hSimsKGcbHZS3H/M
MD5:	EF2895EAFE062F265B91FE9627E63397
SHA1:	6A01209C3A57F59389AB3EA28A6A628C2820ADCC
SHA-256:	A829EBB79D32D8C96CA53DC3FF132A9FECDACB7A57A112E2B67A6A54AE95E4AA
SHA-512:	59396FB2D134197C9A189E48C01902AE67871AB638391AB842D060E9638E0D1BA6717038AC43368921ADAD7A707AEB1270DD6EC044CF831653B8DD3FF1B89BB2
Malicious:	false
Preview:	rule:.. meta:.. name: encode data using Base64 via WinAPI.. namespace: data-manipulation/encoding/base64.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. examples:.. - mimikatz.exe_:0x40622D.. features:.. - and:.. - number: 1 = dwFlags=CRYPT_STRING_BASE64.. - api: CryptBinaryToString..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\base64\encode-data-using-base64.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1044
Entropy (8bit):	5.008431924374571
Encrypted:	false
SSDEEP:	24:mMWlBqCUPKTt2zWjOSmKW3S2HELNIWteK+C6uSH:mMW1Uy8Wj9NWDHELNIx1CTG
MD5:	4DA92BEC2F8FB6476BEBCACDE1B71D27
SHA1:	245986B91A80AD284F9A24ECBF7DDA92719412FD
SHA-256:	4CD1F2DB6DA6CEFF211F1BA77B580DD38733C0219CC2F88F9F44F4EC88E88BC4
SHA-512:	24687CC01CCB0D2FF7DE32FF37472F6BB26851B1CA3DF2537AE7CFD97D741FA412DAAA21F424F725FD19E44F4E4C822A3520A3D50C91D8B51EA3D9BE38B2CDE5
Malicious:	false
Preview:	rule:.. meta:.. name: encode data using Base64.. namespace: data-manipulation/encoding/base64.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02].. - Data::Encode Data::Base64 [C0026.001].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314889C.. - 074072B261FC27B65C72671F13510C05:0x100049B2.. - 5DB2D2BE20D59AA0BE6709A6850F1775:0x18001CC30.. - 08AC667C65D36D6542917655571E61C8:0x406EAA.. features:.. - and:.. - mnemonic: shl.. - mnemonic: shr.. - number: 0x3F = modulo 64.. - or:.. - number: 0x3D = '='.. - number: 0x3D3D = '=='.. - match: contain loop.. - optional:.. - number: 2.. - number: 3.. - number: 4.. - number: 6.. - number: 0xF.. - string: "ABCDEFGHIJKLMNOPQRSTUVW

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\base64\reference-base64-string.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.268269514347209
Encrypted:	false
SSDEEP:	12:mdmH6vlxbqCDnqSimsKuKR/e/3kjQVSCtoovmNKzuzjC6LO5Sfp:mMH6vlBqCDnqPKRW/3TSC7eK+C6uSh
MD5:	5E4745284F72B6B4B124C35C45A5C17E
SHA1:	6B1294DAFCAB7069792FBC6D88FAD6197A6C379B
SHA-256:	F7AF7DD2B359C2835643F0BC1A1B514C640156B81986CB7A899536DF6D685BDD
SHA-512:	0B312431C446532B6E514E942691C950EB07CE004F9B29E8C8401901AD8C601247E8869AFAA7E8256E7737AC6B8C6924F40EBAD4BEA1FA3B72B30B71F6B6E0D5
Malicious:	false
Preview:	rule:.. meta:.. name: reference Base64 string.. namespace: data-manipulation/encoding/base64.. author: moritz.raabe@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Data::Encode Data::Base64 [C0026.001].. - Data::Check String [C0019].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5.. - 074072B261FC27B65C72671F13510C05.. - 5DB2D2BE20D59AA0BE6709A6850F1775.. features:.. - string: /ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encoding\xor\encode-data-using-xor.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1854
Entropy (8bit):	4.578538121039613
Encrypted:	false
SSDEEP:	24:mMylBsxCJPKTt2zvImxhXUNXU8FSOWz1EoyGKPoo9Ca6Si4cntRoYftZHnVRo1f8:mMyAsJy8v/BUFU8FSH7
MD5:	05065C2F0382339A73C94DCF8B5D49FB
SHA1:	D79AAB72C7D1131A0E3962C0C255CA99B24A8859
SHA-256:	6C8E07AEE00ECA0B7063D17036942055931D61A47AE5BC403B69DC86AE3A2338
SHA-512:	A4614D679BCDDD17E1AE40C81793FEDE325B28E9E4BB8C89449841501870772FC8874EB98094A1BB671C18C93586F79FF89AAA5AB2E989F82C4753934E0643A4
Malicious:	false
Preview:	rule:.. meta:.. name: encode data using XOR.. namespace: data-manipulation/encoding/xor.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02].. - Data::Encode Data::XOR [C0026.002].. examples:.. - 2D3EDC218A90F03089CC01715A9F047F:0x403D7E.. features:.. - and:.. - characteristic: tight loop.. - characteristic: nzxor.. - not:.. - description: filter for potential false positives.. - or:.. - or:.. - description: unsigned bitwise negation operation (~i).. - number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits.. - number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits.. - or:.. - description: signed bitwise negation operation (~i).. - number: 0x0FFFFFFF = b

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\aes\decrypt-data-using-aes-via-x86-extensions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.822849648069367
Encrypted:	false
SSDEEP:	12:mdmhIeZBlxbfqdCfFfy2XGwjsKUFK/UkjgD8gAJnMW0aBeAJbWA:mMhI+lBfqdCU2XqKBjgD8gAx0aBeAUA
MD5:	CA727763CBC890839BA1D7B5478935A5
SHA1:	9570AE0C13DEECFA88D91FB67BDFF7C923A3E117
SHA-256:	AD12FF9A689F73DD6B36098A37D71C1333994CBDEFA0F7E1DF5BEFD336F2BBE6
SHA-512:	99357C0834C06FC63EBBB9410CCAFDE00C67580F956B2066C90403199947FCF16F3AC27A36F405ECDD4805F14EE5D9FE4E82A8763D0A0D9D2B7EF7B454807FD8
Malicious:	false
Preview:	rule:.. meta:.. name: decrypt data using AES via x86 extensions.. namespace: data-manipulation/encryption/aes.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Deobfuscate/Decode Files or Information [T1140].. mbc:.. - Cryptography::Decrypt Data::AES [C0031.001].. examples:.. - 66602B5FAB602CB4E6F754748D249542:0x4097D0.. features:.. - or:.. - mnemonic: aesdec = Perform One Round of an AES Decryption Flow.. - mnemonic: vaesdec.. - mnemonic: aesdeclast = Perform Last Round of an AES Decryption Flow.. - mnemonic: vaesdeclast..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\aes\encrypt-data-using-aes-via-net.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	609
Entropy (8bit):	4.897578685530085
Encrypted:	false
SSDEEP:	12:mdmiyZDrZwlxbfqWRDnqSimsKuKjimsKXZZEC5BUEQjDpu6BZ3JqV:mMiiVwlBfqEDnqPKXZZtzQjDp0V
MD5:	D7C057B72D68DB5B4DA8A89A5C68AEEA
SHA1:	E7B2FA39B9C7E0069934DF815A38D6062A615204
SHA-256:	BAD13CE3FDE94400C2D390EFD9219BEF1E742B5825A9CF5584716B9AE870F9C3
SHA-512:	77A4D7C753C99E2BB83606FF295742FC212C92D8F68E5B7E7E73EF00C540FC73E5ADBC1528C2EE86BE012B7E89F341AE233B07E6227254BAADA31ACBD57CE7DB
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using AES via .NET.. namespace: data-manipulation/encryption/aes.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::AES [C0027.001].. examples:.. - b9f5bd514485fb06da39beff051b9fdc.. features:.. - and:.. - string: "RijndaelManaged".. - string: "CryptoStream".. - string: "System.Security.Cryptography"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\aes\encrypt-data-using-aes-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	954
Entropy (8bit):	4.787216744428963
Encrypted:	false
SSDEEP:	12:mdmiyZ4glxbfqdCfFfySimsKuKjimsKXZZEC5BUEQjpg+JxR3irRIHdVisk:mMiMlBfqdCUPKXZZtzQjptvWRIPiH
MD5:	027359A7ABA70873BBF8FE0FA03B816B
SHA1:	6E06E63341E0773C9B3F9AF7B36082B87F08F3DF
SHA-256:	2BBEE85521A29E42296576FE84A7D03EE9D64F2960478F4D8B17F4637FE3F83F
SHA-512:	85FC1BDE1AE691D999E06BB50631CFDDE8ABAA79CBC5B5E395FE7D989D3638E63D9B1E4AE4AE9FC3E06253532C8566E78BB453369A34C98EE1983CD30C1CBEC7
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using AES via WinAPI.. namespace: data-manipulation/encryption/aes.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::AES [C0027.001].. examples:.. - BC577119D1A5B7DA489E7B5817D3CC38:0x10002FAC.. features:.. - and:.. - or:.. - number: 0x6611 = CALG_AES.. - number: 0x660E = CALG_AES_128.. - number: 0x660F = CALG_AES_192.. - number: 0x6610 = CALG_AES_256.. - or:.. - api: CryptGenKey.. - api: CryptDeriveKey.. - api: CryptImportKey.. - optional:.. - or:.. - number: 1 = PROV_RSA_FULL.. - api: CryptAcquireContext.. - api: CryptEncrypt.. - api: CryptDecrypt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\blowfish\encrypt-data-using-blowfish.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3120
Entropy (8bit):	4.20559421395013
Encrypted:	false
SSDEEP:	96:JiTrcsKOTS8285j40mgsdCSCmupqkj6ecPmr:JiTrcsBOCr1kCDmugFPmr
MD5:	08ECBF59053F45ACEE65CE58A30C47E8
SHA1:	F5A6D4A1C3AA9A67D93B8F50588E9C54C3D87524
SHA-256:	386B6CBB36CC3A57FFF6D8815A8CC9A999602469BBE11C3E66B38753D4589326
SHA-512:	F7C1C4D679ECAFF814EFE7D1E594DE0D9F0DB101C12D69AC592F751938CB24DD06AA3F51F3AD4FAE1A6CD1D4314C24E5384CFA9794ABB3C4647C61D430EAA929
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using blowfish.. namespace: data-manipulation/encryption/blowfish.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::Blowfish [C0027.002].. examples:.. - 0761142efbda6c4b1e801223de723578:0x653E19E5.. features:.. - or:.. - and:.. - number: 0x3a39ce37 = u32 ks3 sbox4.. - number: 0xe93d5a68 = u32 ks2 sbox3.. - number: 0x4b7a70e9 = u32 ks1 sbox2.. - number: 0xd1310ba6 = u32 ks0 sbox1.. - or:.. - bytes: 88 6a 3f 24 d3 08 a3 85 2e 8a 19 13 44 73 70 03 22 38 09 a4 d0 31 9f 29 98 fa 2e 08 89 6c 4e ec e6 21 28 45 77 13 d0 38 cf 66 54 be 6c 0c e9 34 b7 29 ac c0 dd 50 7c c9 b5 d5 84 3f 17 09 47 b5 d9 d5 16 92 1b fb 79 89 = ps.. - bytes: a6 0b 31 d1 ac b5 df 98 db 72 fd 2f

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\camellia\encrypt-data-using-camellia.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5000
Entropy (8bit):	4.349673746705766
Encrypted:	false
SSDEEP:	96:JiVrLosgTG3GnvLJ+EnPaVGwiJQ5STGHKOgxo/RX9vFs0cgV8ZZX:JiVrssyG6DJ+xGwiJQuGqOv/397ul
MD5:	068F361EB6FD8E12ACCEE0161A7F1DC7
SHA1:	8326ABC979F2F9216B3D1C2C8394356C0A2743FD
SHA-256:	9F05584F05A3CB71424A819896B30DB8E53A40EC5D9757288353F9D38F5D077D
SHA-512:	B703327EC443E5AC45D2AA7BB92954CCAB8908F2ECF73485780FE7743D285B3FAEBD11D0F17744EFF3F28AF696A391DAE1E813BED7B6012DEDF03F90339824F7
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using Camellia.. namespace: data-manipulation/encryption/camellia.. author: '@_re_fox'.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::Camellia [C0027.003].. examples:.. - 0761142efbda6c4b1e801223de723578:0x6541CD50.. - 112f9f0e8d349858a80dd8c14190e620:0x4CE3B2.. features:.. - or:.. - bytes: 00 70 70 70 00 82 82 82 00 2c 2c 2c 00 ec ec ec 00 b3 b3 b3 00 27 27 27 00 c0 c0 c0 00 e5 e5 e5 00 e4 e4 e4 00 85 85 85 00 57 57 57 00 35 35 35 00 ea ea ea 00 0c 0c 0c 00 ae ae ae 00 41 41 41 00 23 23 23 00 ef ef ef 00 6b 6b 6b 00 93 93 93 00 45 45 45 00 19 19 19 00 a5 a5 a5 00 21 21 21 00 ed ed ed 00 0e 0e 0e 00 4f 4f 4f 00 4e 4e 4e 00 1d 1d 1d 00 65 65 65 00 92 92 92 00 bd bd bd 00 86 86 86 00 b8 b8 b8 00 af af af 00 8f 8f 8f 00 7c

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\des\encrypt-data-using-des-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	857
Entropy (8bit):	4.736180235650942
Encrypted:	false
SSDEEP:	12:mdmiyQ4glxbfq26FfySimsKuKjimsKXZZEC5BBf5wJkXbXu3Y8YCeRIHQVisk:mMiLTlBfq2VPKXZZtFRi8gLYVRIeiH
MD5:	7932A80B18B214D6F9F30ED82F3BFF34
SHA1:	EB349CCE25786C15C5ADFA835CD7059AA6E89495
SHA-256:	6BD621FB09E7C8842FE75229621A6838F1955789A4DD089B1F609A2B0AB7EEAA
SHA-512:	C426C69FD4AD3C2093805350EE74BDD5CA4E4352274795E501AE3D9BBFCE58F4504D2CFB04ABF99A3596B9661E41452D2CD1CC77BDF41ECC729850F421404336
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using DES via WinAPI.. namespace: data-manipulation/encryption/des.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::3DES [C0027.004].. examples:.. - 5f66b82558ca92e54e77f216ef4c066c:0x403377.. features:.. - and:.. - or:.. - number: 0x6601 = CALG_DES.. - number: 0x6603 = CALG_3DES.. - number: 0x6609 = CALG_3DES_112.. - or:.. - api: CryptGenKey.. - api: CryptDeriveKey.. - api: CryptImportKey.. - optional:.. - or:.. - api: CryptAcquireContext.. - api: CryptEncrypt.. - api: CryptDecrypt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\des\encrypt-data-using-des.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3590
Entropy (8bit):	3.9764994465183046
Encrypted:	false
SSDEEP:	96:Ji/rOsp7bEt5eqZBxsshKv6Fvy0+F0fZRFovxUMjSIc1q:Ji/rOs5bEDegxssS4y0+FCejgq
MD5:	9F12923448C5119E945BE1CD74152C5B
SHA1:	FCA5DF2B839F279863A2E09FBB42FB7A3BE5D6EF
SHA-256:	F4D6111A3FD95440C4DB5609BC845B1B22F446692DCEEC0E020AA5DF30CB835E
SHA-512:	1A5F16028CE09C6DD66D750597FA5791E0DFB03343B6ECAC05B8AA849F043CECEB946049A0ADB09C8826F2CF60DD919235F6DA0168938E329E272428DE0A29AC
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using DES.. namespace: data-manipulation/encryption/des.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::3DES [C0027.004].. examples:.. - 91a12a4cf437589ba70b1687f5acad19:0x47F5E8.. features:.. - or:.. - bytes: 0e 04 0d 01 02 0f 0b 08 03 0a 06 0c 05 09 00 07 00 0f 07 04 0e 02 0d 01 0a 06 0c 0b 09 05 03 08 04 01 0e 08 0d 06 02 0b 0f 0c 09 07 03 0a 05 00 0f 0c 08 02 04 09 01 07 05 0b 03 0e 0a 00 06 0d = SBOX S1.. - bytes: 0f 01 08 0e 06 0b 03 04 09 07 02 0d 0c 00 05 0a 03 0d 04 07 0f 02 08 0e 0c 00 01 0a 06 09 0b 05 00 0e 07 0b 0a 04 0d 01 05 08 0c 06 09 03 02 0f 0d 08 0a 01 03 0f 04 02 0b 06 07 0c 00 05 0e 09 = SBOX S2.. - bytes: 0a 00 09 0e 06 03 0f 05 01 0d 0c 07 0b 04 02 08 0d 07 00 09 03 04 06

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\dpapi\encrypt-data-using-dpapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.787705224147634
Encrypted:	false
SSDEEP:	12:mdmiyQlxbfqI/IRfFfySimsKuK7eFw9MOQ8o8Cn:mMinlBfqIiUPK6Fg/en
MD5:	5C5B5716CA974A2B4EE7BAF3FD36AA76
SHA1:	B41E0B2294CA3A5F49A222F669C9C5C6BE609836
SHA-256:	367FE90CC8C88EC8651B36A17367CA384CC7C8332D148827C2616C44A2F325DD
SHA-512:	1E955A09AD182D21197A73D508E285F368261BECDB47783F4DA65E79C36ADE9DBB8C94032CF7BA9632E77261FA7F9C40EEA8D2A158561245FCE6608C7EFB5168
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using DPAPI.. namespace: data-manipulation/encryption/dpapi.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Encrypt Data [C0027].. examples:.. - 6cc148363200798a12091b97a17181a1:0x1400CE9A0.. features:.. - or:.. - api: CryptProtectMemory.. - api: CryptUnprotectMemory.. - api: crypt32.CryptProtectData.. - api: crypt32.CryptUnprotectData..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\elliptic-curve\encrypt-data-using-curve25519.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	806
Entropy (8bit):	4.705308338121315
Encrypted:	false
SSDEEP:	24:mMi/glBfqYprJzBG4tPG4LfGwJfGF5H+Js0:mMiIrxrJz5N/5a5H+Js0
MD5:	AA4F6D680EA96EB951310358F0991D6F
SHA1:	669FEE3979D66E8BBBB091BEEDA480BF80F68B7E
SHA-256:	E4468A822DB8D3C3A1AB27FB48A0EDFE297D218E7759321231E176C16164E686
SHA-512:	59D847AA8CF01A86501470A1742CFC83CA21EDA965A67AFA5EAD279F3B0DB27B28A3DD13FE175BAEDDD2EF6A54531C20B0E5FAA20819EBFE116FA6AC942E0D67
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using Curve25519.. namespace: data-manipulation/encryption/elliptic-curve.. author: dimiter.andonov@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. examples:.. - 0a0882b8da225406cc838991b5f67d11:0x4135f6.. - 0a0882b8da225406cc838991b5f67d11:0x416f51.. - 80372de850597bd9e7e021a94f13f0a1:0x406480.. - 80372de850597bd9e7e021a94f13f0a1:0x4086f4.. features:.. # initializes a 32-byte array with .. # array[0] = 0xf8, .. # array[31] = array[31] & 0x3f \| 0x40.. - and:.. - and:.. - number: 0xf8.. - mnemonic: and.. - and:.. - number: 0x3f.. - mnemonic: and.. - and:.. - number: 0x40.. - mnemonic: or..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\encrypt-or-decrypt-via-wincrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	637
Entropy (8bit):	4.5775102035592345
Encrypted:	false
SSDEEP:	12:mdmiBBlxbfqd3CfFfySimsKuK/DBe0ZMrwTs3IHQVwy:mMiBBlBfqNCUPKLQGwIewy
MD5:	DCD27CE17DDA311533D9CB2FA64F390B
SHA1:	7E9781AB4243DEAE8764553B36E0054C858512E9
SHA-256:	AD35752B48F629E7AB552FAAFE2227FA2BAD8612662F953167726CB032DA7163
SHA-512:	3620E1346870DBDE55FF86CB0A382BA756E45A3D83D4C8151C245DAFCA71C2BB052719DA16289BBB3CFF3E160867CE5912B0797AA7A27231B4038D89766D017A
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt or decrypt via WinCrypt.. namespace: data-manipulation/encryption.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Decrypt Data [C0031].. - Cryptography::Encrypt Data [C0027].. examples:.. - A45E377DBB98A6B44FD4034BC3FFF9B0:0x4017A0.. features:.. - and:.. - or:.. - api: CryptEncrypt.. - api: CryptDecrypt.. - optional:.. - or:.. - api: CryptAcquireContext.. - api: CryptGenKey.. - api: CryptImportKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\get-outbound-credentials-handle-via-credssp.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	647
Entropy (8bit):	4.902736738095628
Encrypted:	false
SSDEEP:	12:mdmCmBJlxbfqdGuE/hSimsK1cA+YSDHflSABYSDHfl0I5BcApgbo8JCNux:mMCm7lBfqouEJicAwjtBjt0I5BckgUA3
MD5:	A5E2810B3B44DE2F90DED1F2401E8885
SHA1:	9BA22E8AB2D2C98384BEB188053A073277A79A03
SHA-256:	47E94D818B0D92565F33B214D4F4638D420A276D429BB27895754659ABFFE0F4
SHA-512:	BA7E3E521B7754B6DBFCCFF110754EE37C0F51E30C938E8904C27459FF1F81E0CB935AEF7FFB63920119B3A593B9B507D2BB1280E25E823CCD336670C59E8707
Malicious:	false
Preview:	rule:.. meta:.. name: get outbound credentials handle via CredSSP.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea.. - https://docs.microsoft.com/en-us/windows/win32/secauthn/getting-schannel-credentials.. examples:.. - mimikatz.exe_:0x457AAB.. features:.. - and:.. - api: secur32.AcquireCredentialsHandle.. - number: 2 = fCredentialUse=SECPKG_CRED_OUTBOUND..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\hc-128\encrypt-data-using-hc-128.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1984
Entropy (8bit):	4.795659909552774
Encrypted:	false
SSDEEP:	24:mMimnlBfqdaXVPKXZZtV9ucAIYbTX4h2dJh/+rrOxe7NH9MU+tWathSt:mMimnrtlyJZ9ucXMy2dv/wTmet
MD5:	8912353F09600566E545041C2163B5F9
SHA1:	42191F454754DF206C5CE4A6258D3F2F22D3ED85
SHA-256:	429A1F1FD6FDC755942624E2DF7F7AF71469E1736B4271279F9B9C16373C000D
SHA-512:	BDB6CC51FD8CB067481067F5FA0252E87D94C5FCC19C63B0C8C17CE5D38A03368391EC9859463266C4609380D947B5D5D79873A9C7CAF536CB7CA711B1B1CE57
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using HC-128.. namespace: data-manipulation/encryption/hc-128.. author: awillia2@cisco.com.. description: Looks for instruction mnemonics associated with initialization of the HC-128 stream cipher.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::HC-128 [C0027.006].. references:.. - https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf.. - https://github.com/rost1993/hc128/blob/master/hc128.c.. examples:.. - e69a8eb94f65480980deaf1ff5a431a6:0x405D0D.. features:.. - and:.. - and:.. - number: 0x0F = (v << (32 - 17)) from ROTR32(x, 17) in F2(x).. - mnemonic: shl.. - and:.. - number: 0x11 = (v >> 17) from R

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\import-public-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.755200586252885
Encrypted:	false
SSDEEP:	12:mdm8ZlxbfqdwRfFftKi3j1bsf6FV7yYIH3E8:mMElBfqU3Ki3j1bS637yYI08
MD5:	DB692D076A44883633DA2438BA2E4E9D
SHA1:	387FD6B955FD2C38AC9BB071BD4F5670F8033A70
SHA-256:	6E2F34A037E8B0D938216DE9B76303CBFC6EEA677748C19D097046CCD4C26CE3
SHA-512:	69C3508E8FFFE6E77F7471C3836C144B029F8B83F6669A6E7B30C51C090D71247B89A45275EFF5EA42286EB71CDFD38A1AB3AFEC14ED52FFF9916E4786F96A90
Malicious:	false
Preview:	rule:.. meta:.. name: import public key.. namespace: data-manipulation/encryption.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - Cryptography::Encryption Key::Import Public Key [C0028.001].. examples:.. - ffeae4a391a1d5203bd04b4161557227:0x4047A0.. features:.. - and:.. - api: advapi32.CryptAcquireContext.. - api: crypt32.CryptImportPublicKeyInfo.. - optional:.. - and:.. - api: crypt32.CryptStringToBinary.. - api: crypt32.CryptDecodeObjectEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rc4\encrypt-data-using-rc4-ksa.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	4.660685487617915
Encrypted:	false
SSDEEP:	48:mMiDrfUyVJRUSlvKs5kUcjWgcZS63KUIZ:JiDrfUOACrLI66U6
MD5:	7F45BA8FF741FD69C37C83097691C87D
SHA1:	155362C9A4CFB3E8C902E310A8B57AB8857FAEE8
SHA-256:	B6A56C1F847D65204EAFF1A4B37B084DC9F4BD8ABDD4AB36D43BC844E9D0D17F
SHA-512:	88B58C6159302BA84A010D815185C1FEC88158F909E3173C1DC51A8264A5009981A9D39321A45378A34A53A1CC566DD5695470ACD0EF7CA4280DFBF3E54454F0
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using RC4 KSA.. namespace: data-manipulation/encryption/rc4.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Encrypt Data::RC4 [C0027.009].. - Cryptography::Encryption Key::RC4 KSA [C0028.002].. examples:.. - 34404A3FB9804977C6AB86CB991FB130:0x403D40.. - C805528F6844D7CAF5793C025B56F67D:0x4067AE.. - 9324D1A8AE37A36AE560C37448C9705A:0x404950.. - 782A48821D88060ADF0F7EF3E8759FEE3DDAD49E942DAAD18C5AF8AE0E9EB51E:0x405C42.. - 73CE04892E5F39EC82B00C02FC04C70F:0x40646E.. features:.. - or:.. - and:.. - basic block:.. - and:.. - description: initialize S.. # misses if regular loop is used,.. # however we cannot model that a loop contains a certain number.. - characteristic: tight loop.. - or:.. - number: 0xFF.

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rc4\encrypt-data-using-rc4-prga.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1197
Entropy (8bit):	4.907309471607106
Encrypted:	false
SSDEEP:	24:mMi6lBfqvCUPKVbAfO5pVhsKNxXjqdzoRcWOc1KKZ1Ynu3LNIhj:mMi6rfUyVUfOvvsKNxzYzgcBSKcKiLNA
MD5:	FE04C5CDE259379F2FF3EF1E1C0D7477
SHA1:	017F120CE7742D6E6A27BEC9BC5144D98F1E8BBC
SHA-256:	58B3CD6A5D2AA97BDDAE7834E898672636E95015147005E9AD1778FAA5961B08
SHA-512:	9DDFB1A890ED33E4C542053AFCAF04D4737D62681B31C7AFEC295BB013CD6F0D566B0B9E4AD9F907DD465B76D3CBD25EF8DB7996911337DE1790A6A6D06DA2B5
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using RC4 PRGA.. namespace: data-manipulation/encryption/rc4.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Encrypt Data::RC4 [C0027.009].. - Cryptography::Generate Pseudo-random Sequence::RC4 PRGA [C0021.004].. examples:.. - 34404A3FB9804977C6AB86CB991FB130:0x403DB0.. - 34404A3FB9804977C6AB86CB991FB130:0x403E50.. - 9324D1A8AE37A36AE560C37448C9705A:0x4049F0.. - 73CE04892E5F39EC82B00C02FC04C70F:0x4064C6.. features:.. - and:.. # TODO: maybe add characteristic for nzxor reg size.. - count(characteristic(nzxor)): 1.. - or:.. - match: calculate modulo 256 via x86 assembly.. # compiler may do this via zero-extended mov from 8-bit register.. - count(mnemonic(movzx)): 4 or more.. # should not call (many) functions.. - count(characteristic(calls from)): (

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rc4\encrypt-data-using-rc4-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.835938750790576
Encrypted:	false
SSDEEP:	12:mdmiykglxbfqvCfFfySimsKuKjimsKXZZEC5Bxc09rOoVEh/jRIHdVisk:mMiylBfqvCUPKXZZt1czNRIPiH
MD5:	E03B98439F0EF4937DC3A41218B1F28C
SHA1:	EADCCBA2A2AC23C2A4BA6328BE977EF718F5DEC6
SHA-256:	9F6E716F39B7DAF2C12A45ADEF7563D3CE8EDC7F27580828DD4F12EBA03E2A61
SHA-512:	307728FB13AD95F1808C63BECFD4F97A3C62889051CA1C3357E3002318A4836F5824F3AC2D073E30E3D2BB84F23A680A49B6808F546F4DCF89E825709CAEC73A
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using RC4 via WinAPI.. namespace: data-manipulation/encryption/rc4.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::RC4 [C0027.009].. examples:.. - 2A584DFC657348D164274A12BFF9BBD8:0x404D42.. - 32BB43F8847ECF158C1E96891ED9A28C:0x10003A88.. features:.. - and:.. - or:.. - number: 0x6801 = CALG_RC4.. - or:.. - api: CryptGenKey.. - api: CryptDeriveKey.. - api: CryptImportKey.. - optional:.. - or:.. - number: 1 = PROV_RSA_FULL.. - api: CryptAcquireContext.. - api: CryptEncrypt.. - api: CryptDecrypt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rc4\encrypt-data-using-rc4-with-custom-key-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1885
Entropy (8bit):	4.655553800521825
Encrypted:	false
SSDEEP:	48:mMiurkByJprcFb7s/1mfVzpJsc8PxiLWjIf:JiurkBsprM0Iv8JoN
MD5:	E3C1C98E4DBFDD5E47F53E2EFAD15C0D
SHA1:	00301199B68E73DAACA105E942457187EF0E3281
SHA-256:	723595BD2814C2385288CCB814ACD746A06203D6E8644FD378053E1073255EB0
SHA-512:	CF35C3F9709395FBD83D17BEE309F83230EF348EE632313F0457802A0C33039E7CE2E3C1A045B18824FD0A96E970F680318BC886661AA49F7FB49141EC8B338B
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using RC4 with custom key via WinAPI.. namespace: data-manipulation/encryption/rc4.. author: blaine.stancill@mandiant.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::RC4 [C0027.009].. references:.. - https://www.phdcc.com/cryptorc4.htm.. examples:.. - 4E9C546A54E40D0DA89BB4616DD7F8C4:0x140007B70.. - A563C50C5FA0FD541248ACAF72CC4E7D:0x401AF0.. features:.. - and:.. - api: CryptImportKey.. - number: 0x4C = SimpleBlobRC4KeyTemplate size.. - bytes: 01 02 00 00 01 68 00 00 00 A4 00 00 = SimpleBlobRC4KeyTemplate header.. - number: 0x134 = PrivateKeyWithExponentOfOne size.. - bytes: 07 02 00 00 00 A4 00 00 52 53 41 32 00 02 00 00 01 00 00 00 AB EF FA C6 7D E8 DE FB 68 38 09 92 D9 42 7E 6B 89 9E 21 D7

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rc6\encrypt-data-using-rc6.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	805
Entropy (8bit):	4.961732079203511
Encrypted:	false
SSDEEP:	24:mMigJlBfqQUPKXZZtlcAgYMCk4BSBdmLA:mMigJrtUyJhcNCk4B8MLA
MD5:	82DDCDA30EFCEF1D45EFF64C263F42A4
SHA1:	4EC3476F3C5790ADB9E6676898B38AAA163E2164
SHA-256:	80E0223ACEAB1391B687CB9DB1586F3864EE9764FD70A1B074ED572EF66FCA6A
SHA-512:	74AD3A207EC52421E1D67A88B5EFD855B6838CBB3D0DBC70021373C6431158686C6AAAEF8DCDA35C21FC1012A1784E8453733D43AE9282F489225790410BF71C
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using RC6.. namespace: data-manipulation/encryption/rc6.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::RC6 [C0027.010].. references:.. - ref: https://github.com/stamparm/cryptospecs/blob/master/symmetrical/sources/rc6.c#L66.. examples:.. - D87BA0BFCE1CDB17FD243B8B1D247E88:0x402390.. features:.. - and:.. - number: 0xB7E15163 = RC5 and RC6 (more common).. - or:.. - number: 0x9e3779b9 = encrypt via add an unsigned.. - number: 0x61C88647 = encrypt via subtract an unsigned..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\rsa\reference-public-rsa-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.526345085498369
Encrypted:	false
SSDEEP:	24:mMH6ZlBfq4C3KiHxZxTDYhFmzKLEDMx8c/r+RRl/9Hw8o6Yr:mMaZrCaQpTDYhFmzKoDCD/KNCVr
MD5:	D44A74C1AFDECB9CB1C9FA2BB6F676DF
SHA1:	7436E92344CC8E247669E87CA4E7A5A760D8A4B3
SHA-256:	80646644B903CABE60D969B34736BA08C3F3439BF968D93E819D121AAC62C9E2
SHA-512:	FF5688EA44A2ED8CC1817D98464B2645F9AC4339CA450EE4FD27C077CAD254567004F97159428A17545ECF9C45EF03FB4586AD038AB9F57FA1365B6F15BF6DFE
Malicious:	false
Preview:	rule:.. meta:.. name: reference public RSA key.. namespace: data-manipulation/encryption/rsa.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Cryptography::Encryption Key [C0028].. examples:.. - b7b5e1253710d8927cbe07d52d2d2e10:0x417DF0.. features:.. - or:.. # typedef struct _PUBLICKEYSTRUC {.. # BYTE bType;.. # BYTE bVersion;.. # WORD reserved;.. # ALG_ID aiKeyAlg;.. # } BLOBHEADER, PUBLICKEYSTRUC;.. #.. # typedef struct _RSAPUBKEY {.. # DWORD magic;.. # DWORD bitlen;.. # DWORD pubexp;.. # } RSAPUBKEY;.. #.. - bytes: 06 02 00 00 00 A4 00 00 52 53 41 31.. # ^^ bType = PUBLICKEYBLOB.. # ^^ bVersion = CUR_BLOB_VERSION.. # ^^ ^^ reserved.. # ^^ ^^ ^^ ^^ aiKeyAlg = CALG_RSA_KEYX.. # ^^ ^^ ^^ ^^ magic = RSA1 for public keys..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\skipjack\encrypt-data-using-skipjack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1291
Entropy (8bit):	4.531499712901493
Encrypted:	false
SSDEEP:	24:mMixlBfqB2mPKXZZtgP0fpe1afQuZwQwQv7Y5qzwZWj6JxoNSLdFWPy7S:mMixrOHyJEPupeCfbM0z6WmJxBSyG
MD5:	8CA9B55333AA3659516B4C08CF03530F
SHA1:	2806FAC166CFE5ED491B16E985B7309E88F77CDE
SHA-256:	D06FA9E7A4AF2F17DF6F356C6B130CDE67BCE63054CAFC6EB192473839EB6D93
SHA-512:	2D1F9902713E9BA223AD94D0C13E4DCF61447C9B279DD961F503BB8E23AE4C554BEF1359BFB545108689C44A04126AF95112E452D0426CAC4A1B44D47FA21A1E
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using skipjack.. namespace: data-manipulation/encryption/skipjack.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::Skipjack [C0027.013].. examples:.. - 94d3c854aadbcfde46b2f82801015c31:0x429C0730.. features:.. - and:.. - bytes: a3 d7 09 83 f8 48 f6 f4 b3 21 15 78 99 b1 af f9 e7 2d 4d 8a ce 4c ca 2e 52 95 d9 1e 4e 38 44 28 0a df 02 a0 17 f1 60 68 12 b7 7a c3 e9 fa 3d 53 96 84 6b ba f2 63 9a 19 7c ae e5 f5 f7 16 6a a2 39 b6 7b 0f c1 93 81 1b ee b4 1a ea d0 91 2f b8 55 b9 da 85 3f 41 bf e0 5a 58 80 5f 66 0b d8 90 35 d5 c0 a7 33 06 65 69 45 00 94 56 6d 98 9b 76 97 fc b2 c2 b0 fe db 20 e1 eb d6 e4 dd 47 4a 1d 42 ed 9e 6e 49 3c cd 43 27 d2 07 d4 de c7 67 18 89 cb 30 1f 8d c6 8f aa c8 74 dc c9 5d 5c 31 a4 70 88 6

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\sosemanuk\encrypt-data-using-sosemanuk.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2543
Entropy (8bit):	4.594630424905811
Encrypted:	false
SSDEEP:	48:mMiCMrZFyJDAUcJ86XTLTzFLDAGK5AhznIR8n092kwdvSkrS:JiJrbs0UujJL05Qznhzkwdvd+
MD5:	601B82F20646D5ACE6AD4B10893AEC0C
SHA1:	6A3CA4D70F81E23B7C515BDB42A85981D0BC9097
SHA-256:	6662A16D27A1A431DA7393EF34CEE3E62AAEF32954C64DDBD274F098BB2BC033
SHA-512:	B910941D670582A63840746B7BF1F6A875CC0E7AE3D8C44270D3C205D6EB107691FBC631010319E62768CB7E517F470E8C7949DD0757A8016FB574206B5D4FD2
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using Sosemanuk.. namespace: data-manipulation/encryption/sosemanuk.. author: awillia2@cisco.com.. description: Looks for cryptographic constants associated with the Sosemanuk stream cipher.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::Sosemanuk [C0027.008].. references:.. - https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/.. examples:.. - ea7bb99e03606702c1cbe543bb32b27e:0x10003350.. features:.. - or:.. - bytes: 00 00 00 00 E1 9F CF 13 6B 97 37 26 8A 08 F8 35 D6 87 6E 4C 37 18 A1 5F BD 10 59 6A 5C 8F 96 79 05 A7 DC 98 E4 38 13 8B 6E 30 EB BE 8F AF 24 AD D3 20 B2 D4 32 BF 7D C7 B8 B7 85 F2 59 28 4A E1 0A E7 11 99 EB 78 DE 8A 61 70 26 BF 80 EF E9 AC DC 60 7F D5 3D FF B0 C

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\twofish\encrypt-data-using-twofish.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4792
Entropy (8bit):	4.106423108681286
Encrypted:	false
SSDEEP:	96:JiDrasCGk3dRqr70QzITVCWD5fSewdBfFpRMo5vfKRE/fG8ht9tV:JiDrasXERqrB4CWDV4VXvfGyfG8h9V
MD5:	7F29BC171B06C78771221D4377E6438A
SHA1:	07B5A5D66DEE44FFB71D3F3549A968466C8A7812
SHA-256:	6A1C6F330F76AE2D2E34296BA33072FD30C97EA16B389FFE5F49FA784AE21B65
SHA-512:	D71E78A6BD2C1DD29265396F3B3FF96B678C6B724F96E2FA3FB40B0B17D45CA69BBB6AD7F5887AB42850897EB0BCE3B0F1B22CEC4602F94E0DD0CB261D896D91
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using twofish.. namespace: data-manipulation/encryption/twofish.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::Twofish [C0027.005].. examples:.. - 0761142efbda6c4b1e801223de723578:0x653F801C.. features:.. - or:.. - bytes: A9 67 B3 E8 04 FD A3 76 9A 92 80 78 E4 DD D1 38 0D C6 35 98 18 F7 EC 6C 43 75 37 26 FA 13 94 48 F2 D0 8B 30 84 54 DF 23 19 5B 3D 59 F3 AE A2 82 63 01 83 2E D9 51 9B 7C A6 EB A5 BE 16 0C E3 61 C0 8C 3A F5 73 2C 25 0B BB 4E 89 6B 53 6A B4 F1 E1 E6 BD 45 E2 F4 B6 66 CC 95 03 56 D4 1C 1E D7 FB C3 8E B5 E9 CF BF BA EA 77 39 AF 33 C9 62 71 81 79 09 AD 24 CD F9 D8 E5 C5 B9 4D 44 08 86 E7 A1 1D AA ED 06 70 B2 D2 41 7B A0 11 31 C2 27 90 20 F6 60 FF 96 5C B1 AB 9E 9C 52 1B 5F 93 0A EF 91 85 49 EE

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\encryption\vest\encrypt-data-using-vest.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	4.489337205049745
Encrypted:	false
SSDEEP:	48:mMik6r9OyJVc04UNFfO8Ry7mj/CYkdDewA:Jik6r9OsVwn8RyUKbDrA
MD5:	6E65EDAFC546719DDDD52039A8290655
SHA1:	31DF032CE12C19AB69DEDFB8B121B6CD221957C1
SHA-256:	F5214A3A4A648E28F3D65913BB2D814F9605AD0AE4F7A402CFC709D5C437B2E6
SHA-512:	653321DDD06930EDBF833885CB0543F982B1242E520FC75FAE687379099D334C805D86E29398619D093D62E0DCBBCDBB363B0D9E2458543BA8B733BAAFBF728B
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using vest.. namespace: data-manipulation/encryption/vest.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data [C0027].. references:.. - https://www.ecrypt.eu.org/stream/vest.html.. examples:.. - 9a00ebe67d833edb70ed6dd0f4652592:0x180003EE9.. features:.. - or:.. - bytes: 07 56 d2 37 3a f7 0a 52 5d c6 2c 87 da 05 c1 d7 f4 1f 8c 34 = vest_sbox.. - bytes: 41 4b 1b dd 0d 65 72 ee 09 e7 a1 93 3f 0e 55 9c 63 89 3f b2 ab 5a 0e cb 2f 13 e3 9a c7 09 c5 8d c9 09 0d d7 59 1f a2 d6 cb b0 61 e5 39 44 f8 c5 8b c6 e5 b2 bd e3 82 d2 ab 04 dd d6 1f 94 ca ec 73 43 e7 94 5d 52 66 86 4f 4b 05 d4 ad 0f 66 a3 f9 15 9c c6 c9 3e 3a b8 9d 31 65 f8 c7 9a ce e0 6d bd 18 8d 63 f5 0a cd 11 b4 b5 ee 9b 28 9c a5 93 78 5b d1 d3 b

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\djb2\hash-data-using-djb2.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	676
Entropy (8bit):	4.558816111243025
Encrypted:	false
SSDEEP:	12:mdmnCxXwlx/CnPFftKqmI0/dcA+YuFNdOJpuARUGaZjk/H:mMnEglynKqmH/dcAAFuJlCZjEH
MD5:	59F65B5E27517B9CCF6A2D4A1D8790A6
SHA1:	5DC8685265CDB01F41232BC552250C0F318ECA85
SHA-256:	B6515D65D4A767363E344A680018628CC64460EF684635703E74736CC2A9E456
SHA-512:	F063FA06B605A5B371AF65FA5557B12DBD6F6678BA5ABC26575C4F1889A2189569BE27DA9930E588BF7E21487AB7C423086BB77D0C93421E2CF2A255735245E8
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using djb2.. namespace: data-manipulation/hashing/djb2.. author: awillia2@cisco.com.. scope: function.. mbc:.. - Data::Non-Cryptographic Hash [C0030].. references:.. - https://twitter.com/r3c0nst/status/1392405576131436546.. - http://www.cse.yorku.ca/~oz/hash.html.. examples:.. - 6be0ae5cb7c3155f70d608fc7670d2d9:0x41DD19.. features:.. - and:.. - basic block:.. - and:.. - description: hash = 5381.. - mnemonic: mov.. - number: 5381.. - basic block:.. - and:.. - description: hash << 5.. - mnemonic: shl.. - number: 5..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\fnv\hash-data-using-fnv.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.8136770084856435
Encrypted:	false
SSDEEP:	24:mMnxlICz6QYApCKqm41lcAnZSvM4FGfISXU/iS3S1zyghXUxx:mMnxZz6ApRqmAcCwFGfIkUKS3S1zygBy
MD5:	1819A388FD80326C9B5B8F34B0AFA9D8
SHA1:	5079C58052CE85AECCFAB2F61B991E3CF0678D4A
SHA-256:	7E8A15459DD6D22621595018CA04EEF6237E210460373A89EB277BF83345053B
SHA-512:	4B166B594D2059B18446E8628C5451304F8117D93545E445ACD9163929F7F3DABD373BB36BD08E08F05F2560F9121DB7B940E8D64F33DDEB4EDA7365A49AA99E
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using fnv.. namespace: data-manipulation/hashing/fnv.. author:.. - moritz.raabe@fireeye.com.. - "@_re_fox".. - michael.hunhoff@fireeye.com.. description: can be any Fowler-Noll-Vo (FNV) hash variant, including FNV-1, FNV-1a, FNV-0.. scope: function.. mbc:.. - Data::Non-Cryptographic Hash::FNV [C0030.005].. references:.. - https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function.. - http://isthe.com/chongo/tech/comp/fnv/.. - https://create.stephan-brumme.com/fnv-hash/.. examples:.. - ad4229879180e267f431ac6666b6a0a2:0x14007B4D4.. features:.. - and:.. - optional:.. - characteristic: loop.. - number: 0xcbf29ce484222325 = FNV_offset_basis, unused by FNV-0.. - number: 0x811c9dc5 = FNV_offset_basis, unused by FNV-0.. - or:.. - number: 0x100000001b3 = FNV prime.. - number: 0x01000193 = FNV prime.. - basic block:.. # FNV

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\hash-data-via-wincrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	591
Entropy (8bit):	4.608017496657462
Encrypted:	false
SSDEEP:	12:mdmnDlxDpfFftKJ/4LidBAgIHUBMyNmPIoH6Pl:mMnDlRp3KJ/4LidBAgI0BrmHHal
MD5:	A3999A58F09B17292D2E974CAD1F9A8A
SHA1:	AC8C50D91B91987D1801FE0E9C147EFBD23A7598
SHA-256:	0D827EA5D2E970FF32C0507F0AABA2B994545B175E6CEFDB1B2A87CF2CFAAD74
SHA-512:	542131CF2F5B4DF4DC30D09B2C60C1311BA7182CFD6F8530CFE70016A58C853FB2E4A4449079285B15C226B61BCC0880ECF19D361031E77B9D9DCC2B697D0EC1
Malicious:	false
Preview:	rule:.. meta:.. name: hash data via WinCrypt.. namespace: data-manipulation/hashing.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Cryptography::Cryptographic Hash [C0029].. examples:.. - 03B236B23B1EC37C663527C1F53AF3FE:0x18002E46B.. features:.. - and:.. - api: advapi32.CryptHashData.. - optional:.. - basic block:.. - and:.. - api: advapi32.CryptGetHashParam.. - or:.. - number: 1 = HP_ALGID.. - number: 2 = HP_HASHVAL.. - number: 4 = HP_HASHSIZE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\md5\hash-data-with-md5.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1007
Entropy (8bit):	4.66343399699083
Encrypted:	false
SSDEEP:	24:mMnVrlGCqcASQ55zLP7eFzBg6eKFhIvlQ5o/4:mMnVrDqcsXzGFa65FhIOaQ
MD5:	631D383FD144863697CC06D84A3B3B4B
SHA1:	AF3973CD94339F90284222C508C04BB7D225AD4D
SHA-256:	4875A93A0BCB6B65978807BA785BF2E470BAF794224E5B1DAB5AE8531E1ACE06
SHA-512:	7416BA1260DB39ED26ABBCE4AEF2DCE62BF258D42375A0245F99001E9D9A6DA1DDDBBBB1019A91C9E05A42696638EED7A7EFD8357F6493BDADECC4434740DA5F
Malicious:	false
Preview:	rule:.. meta:.. name: hash data with MD5.. namespace: data-manipulation/hashing/md5.. author: moritz.raabe@fireeye.com.. scope: function.. references:.. - https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp.. examples:.. - Practical Malware Analysis Lab 05-01.dll_:0x100108ED.. features:.. - or:.. - and:.. - description: magic initialization constants from MD4 and MD5.. - number: 0x67452301 = A.. - number: 0xefcdab89 = B.. - number: 0x98badcfe = C.. - number: 0x10325476 = D.. - not:.. - number: 0xc3d2e1f0 = likely SHA1.. - optional:.. - description: specific compilation from https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp.. - and:.. - offset: -0x28955B88.. - offset: -0x173848AA.. - basic block:.. - and:.. - number: 0x8003 = CALG_MD5.. - api: advapi32.CryptCreat

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\murmur\hash-data-using-murmur3.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1933
Entropy (8bit):	4.506906455227037
Encrypted:	false
SSDEEP:	48:mMngRaqm/lycpA3Q1sin1FDKwo8FDK0IsChi21:JgRalybQ1se1FDKwo8FDKwCp1
MD5:	EC1466B6A987292217F3C7779C68CC31
SHA1:	EFCAD0114F5DE5702D5C7562946ED7CA11A1715C
SHA-256:	EA071DE300ECDB3EE0EF808FA3822F52D1BCD059F04F0642D769EC4B985D2292
SHA-512:	70F0BD82DD3B5DC91C6929E59BF966266015F44983EDBFCF36865E33D3A1F6498F880B87E6F8DF7C6593E7B4CD0AEEE8AA7A8764CB7698D2223D794AFE2B2C7B
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using murmur3.. namespace: data-manipulation/hashing/murmur.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - Data::Non-Cryptographic Hash::MurmurHash [C0030.001].. references:.. - https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp.. examples:.. - c66172b12971a329f8d5ff01665f204b:0x404A18.. features:.. - or:.. - and:.. - number: 0x85ebca6b = 32-bit finalization mix constant 1.. - number: 0xc2b2ae35 = 32-bit finalization mix constant 2.. - and:.. - number: 0xff51afd7ed558ccd = 64-bit finalization mix constant 1.. - number: 0xc4ceb9fe1a85ec53 = 64-bit finalization mix constant 2.. - and:.. - number: 0xcc9e2d51 = c1 32-bit hash.. - number: 0x1b873593 = c2 32-bit hash.. - and:.. - number: 0x239b961b = 32-bit c1 for 128-bit hash.. - number: 0xab0e9789 = 32-bit c2 for 128-bit hash.. - number: 0x38b34a

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\sha1\hash-data-using-sha1.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	791
Entropy (8bit):	4.79906536632125
Encrypted:	false
SSDEEP:	12:mdmnCLlxTF/FCfFftKNPm0+U3JXFKsbEK/onFK0iKV+NLvkt:mMnilNHC3K00+UJ74v/+NLv4
MD5:	ED9A0451C3421CEC93A321DC4F7DF705
SHA1:	D041BFFF22BB6529C8281AFFF6A81374749C6F09
SHA-256:	3B13FA0CB15696D925F75452D90A3EDF3D14049194F3F0FDECD88E198B980F26
SHA-512:	C9BDFB2AB14F5EA51012B60319AEE2FC4ECFBA168C6FABA887AF49060C8252D37166974DD2F59BA1351C712DC178C3933E31A4D2B10FD984D9C3C21030562701
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using SHA1.. namespace: data-manipulation/hashing/sha1.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Cryptography::Cryptographic Hash::SHA1 [C0029.002].. examples:.. - D063B1804E8D2BB26BD2E097141C1BBC:0x4344D0.. features:.. - or:.. - and:.. - description: Magic initialization constants used in SHA1.. - number: 0x67452301 = A, also used by MD5.. - number: 0xEFCDAB89 = B, also used by MD5.. - number: 0x98BADCFE = C, also used by MD5.. - number: 0x10325476 = D, also used by MD5.. - number: 0xC3D2E1F0 = specific to SHA1, not MD4 nor MD5.. - basic block:.. - and:.. - number: 0x8004 = CALG_SHA1.. - api: advapi32.CryptCreateHash..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\sha224\hash-data-using-sha224.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	548
Entropy (8bit):	4.772717332985815
Encrypted:	false
SSDEEP:	12:mdmnCdYlx6fCfFftKNU5JM/qSFrcCfbNbP:mMnUYlsfC3KiJHS5fbp
MD5:	2721DC912AB268F763F8CFC964A61F5F
SHA1:	622C55A8B0EE87D5740201A36F691D8B7FFFE93C
SHA-256:	ADE10FED1129843B27B40F99CD727D3636AB9FE2047331F6C0E416FB28CC2663
SHA-512:	693DF24F24076722156F6CA579E87B554C10F6D29272169E671A126DEE99D15AD8CC6ABC9D358AC9B6CC3B6049FFC03EF29370E7C915719C7C9780F90E7037FD
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using SHA224.. namespace: data-manipulation/hashing/sha224.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Cryptography::Cryptographic Hash::SHA224 [C0029.004].. examples:.. - 6CC148363200798A12091B97A17181A1:0x14011FEB0.. features:.. - and:.. - number: 0xc1059ed8.. - number: 0x367cd507.. - number: 0x3070dd17.. - number: 0xf70e5939.. - number: 0xffc00b31.. - number: 0x68581511.. - number: 0x64f98fa7.. - number: 0xbefa4fa4..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\sha256\hash-data-using-sha256.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	602
Entropy (8bit):	4.868388425457696
Encrypted:	false
SSDEEP:	12:mdmnCvJlxhCfFftKNdEQmd9MfUCkStA4Fahoe:mMnklbC3K4QM9YUCk2JFahoe
MD5:	F679C6B61853F39A441BBD1265D67E9B
SHA1:	6EF681935619D4927B36F04DCA7DEBD9BE326659
SHA-256:	F328D035A8E25FB9AFF717CD57A3F1F0F94E41A45BFBC4D8B5DAE4C4103742F8
SHA-512:	372799F68BF0335863A7B0407811BB6277929B5B8FEA9DA682EA81FAA632D15D0D08067A5EE53E70CE7D2B72A90947141E7060DAFCDF9991F21E4A4A287A3E8C
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using SHA256.. namespace: data-manipulation/hashing/sha256.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Cryptography::Cryptographic Hash::SHA256 [C0029.003].. examples:.. - C0CFFCF211035A839E28D542DE300298:0x180011400.. - 6CC148363200798A12091B97A17181A1:0x140120240.. features:.. - and:.. - number: 0x6A09E667.. - number: 0xBB67AE85.. - number: 0x3C6EF372.. - number: 0xA54FF53A.. - number: 0x510E527F.. - number: 0x9B05688C.. - number: 0x1F83D9AB.. - number: 0x5BE0CD19..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hashing\tiger\hash-data-using-tiger.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2756
Entropy (8bit):	4.1449782639846715
Encrypted:	false
SSDEEP:	48:mMn+2MlBQvH7fWr9lf5Q93r4jVKRbrqPb3BeUZFfBTuCyFBZ26cl+22qUl:J+WP7fsa93kRKRbrz0B8V26cgJl
MD5:	DC495CE0C5A35B67EADC72112C9B2F2D
SHA1:	3C16B959304A4557EE89A3D17A48BE65D1185E81
SHA-256:	88BD613CAAA0AECB1C20AF68678596FEA1052ACF032A7AF597C687D950ADEB8F
SHA-512:	7434E1797335B266F5E100167EAD09F0D9EB38D42EC4E1091B572975875F86BA6CA8D78D1F0EEA24CA91283861AFDAB2F41656531D57E8C61E79BCE0DB2BDEE0
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using tiger.. namespace: data-manipulation/hashing/tiger.. author: "@_re_fox".. scope: basic block.. mbc:.. - Cryptography::Cryptographic Hash::Tiger [C0029.005].. examples:.. - 0761142efbda6c4b1e801223de723578:0x65471B97.. features:.. - or:.. - bytes: 5e 0c e9 f7 7c b1 aa 02 ec a8 43 e2 03 4b 42 ac d3 fc d5 0d e3 5b cd 72 3a 7f f9 f6 93 9b 01 6d 93 91 1f d2 ff 78 99 cd e2 29 80 70 c9 a1 73 75 c3 83 2a 92 6b 32 64 b1 70 58 91 04 ee 3e 88 46 e6 ec 03 71 05 e3 ac ea 5c 53 a3 08 b8 69 41 c5 7c c4 de 8d 91 54 e7 4c 0c f4 0d dc df f4 a2 0a fa be 4d a7 18 6f b7 10 6a ab d1 5a 23 b6 cc c6 ff e2 2f 57 21 61 72 13 1e 92 9d 19 6f 8c 48 1a ca 07 00 da f4 f9 c9 4b c7 41 52 e8 f6 e6 f5 26 b6 47 59 ea db 79 90 85 92 8c 9e c9 c5 85 18 4f 4b 86 6f a9 1e 76 8e d7 7d c1 b5 = sbox1.. - bytes: 38 21 a1 05 5a be a6 e6 98 7c f8 b4 a5 22 a1 b5 90 69 0b 14 89 60 3c 56 d5 5d 1f 39 2e cb 46 4c 34 94 b7 c9 db ad 32 d9 f5 af 15 20 e4 70 ea

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\hmac\authenticate-hmac.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	844
Entropy (8bit):	4.730294597684841
Encrypted:	false
SSDEEP:	24:mMJBl+CqcAXmRStcjcHw/8Ax/xLRZ4IswK:mMJB7qcpUtc4Hw8AZxLRWIi
MD5:	C04CA3DB2C55E76A39A7BB9D07C0C300
SHA1:	D26A7B37B1F80847A2086F56A34B3AABEBA1DA8C
SHA-256:	126703E89F402568B397DC4CB8A32861FEAFC27AA02C8C7B9293DFB2AF885CD7
SHA-512:	BC5D82186856BD8EA9D162F2293143F72AC91D1C8A5BFCA6A8098ED8BE58105664E18134B36BA7ABCFC56388FDD72B9771CB77BFBF2EA9547F3D54C82CA7A85A
Malicious:	false
Preview:	rule:.. meta:.. name: authenticate HMAC.. namespace: data-manipulation/hmac.. author: moritz.raabe@fireeye.com.. scope: function.. references:.. - https://tools.ietf.org/html/rfc2104.. - https://tools.ietf.org/html/rfc4634.. - https://github.com/ogay/hmac.. examples:.. - mimikatz.exe_:0x403408.. features:.. - and:.. # block-sized inner padding, consisting of repeated bytes valued 0x36.. - number: 0x36 = inner padding byte value.. # block-sized outer padding, consisting of repeated bytes valued 0x5c.. - number: 0x5C = outer padding byte value.. - match: contain loop.. - count(characteristic(nzxor)): 2 or more.. - optional:.. - description: block size.. - number: 64 = MD5, SHA-1, SHA-224, or SHA-256.. - number: 128 = SHA-384 or SHA-512..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\prng\generate-random-numbers-via-winapi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	741
Entropy (8bit):	4.866745878229955
Encrypted:	false
SSDEEP:	12:mdmC/g0glx0hQFftKVmyjqvohkjIHwfl/xlBm:mMCgle6KYOqvuMI6lplBm
MD5:	C3BC8B6FF0F49312168F22ED22A159ED
SHA1:	446EE6C3E865590E2863CE524FB9BD0F16862D01
SHA-256:	CBC766CFE7C4F6147BF2C797C060C52A6B7A2DBEDEA501FA9036FD8FD387EB2F
SHA-512:	801C08698E5144263C98C346FACACD2DF9B9BC8057D33705F57FFE2EC9B00EA10847A2AD117FCBB7EC3C21D53376215F013945A536E6D7E3D4B71C00F1679CB4
Malicious:	false
Preview:	rule:.. meta:.. name: generate random numbers via WinAPI.. namespace: data-manipulation/prng.. author:.. - michael.hunhoff@fireeye.com.. - johnk3r.. scope: function.. mbc:.. - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003].. examples:.. - ba947eb07d8c823949316a97364d060f:0x1400031E0.. - 3ca359f5085bb96a7950d4735b089ffe:0x403A80.. - e59ffeaf7acb0c326e452fa30bb71a36:0x40403E.. - 1195d0d18be9362fb8dd9e1738404c9d:0x404E90.. features:.. - and:.. - or:.. - api: BCryptGenRandom.. - api: CryptGenRandom.. - optional:.. - api: BCryptOpenAlgorithmProvider.. - api: BCryptCloseAlgorithmProvider.. - api: CryptAquireContext..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\data-manipulation\prng\mersenne\generate-random-numbers-using-a-mersenne-twister.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	580
Entropy (8bit):	4.818442011666258
Encrypted:	false
SSDEEP:	12:mdmC/gMoFjlxqCfFftKVmqFhOgTZ1W0JAuoPJ9:mMCQlkC3KYqF5w+ih9
MD5:	8CADF46CB62D2D36235821DBF49B9873
SHA1:	A7611D8DF003352F91A69B664FACED25D54C6835
SHA-256:	9BEBBD6D7B25EFD56AC61EF3037A2C526ACB372166CB8D67C9780D5ABB1D2FC9
SHA-512:	BCF392D68BEEB7EFB758540EAF366B2B1D1B0E034D9ED3936935ACBAEFEF6BE292CD00EB95606C80750A8887113C1C92A2715E5C7BBEFBDF139DA2903262E54A
Malicious:	false
Preview:	rule:.. meta:.. name: generate random numbers using a Mersenne Twister.. namespace: data-manipulation/prng/mersenne.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Cryptography::Generate Pseudo-random Sequence::Mersenne Twister [C0021.005].. examples:.. - D9630C174B8FF5C0AA26168DF523E63E:0x41A850.. features:.. - or:.. - number: 0x6C078965.. - number: 0x9908B0DF.. - number: 0x9D2C5680.. - number: 0xEFC60000.. - number: 0xFF3A58AD.. - number: 0xB5026F5AA96619E9.. - number: 0x71D67FFFEDA60000..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\doc\format.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	24791
Entropy (8bit):	4.922097066153053
Encrypted:	false
SSDEEP:	384:jTkcsHeYBo72fdQMRJw5BUnaA/TDgA56+tdu7JVvVtEI2TU9isTFan26lDekfkoR:vbsHqEdQeJOX3p2TdsTzwDZkBY
MD5:	E9E0B9EB47ECD33185089924195EA9B3
SHA1:	72C990E1A869BDEF278E13061A6722ED93E69E90
SHA-256:	39797040C42C0DF9B3AFECA0D153C42AB494CBF50324DD701FC27779104714C7
SHA-512:	36F1B45AD13EBA9D8D7582CE5456A64899D4119FA7DE0F3EA5564B059A6C32B7C492891BB8486E341AA39EEAB3E2562B98703D79771DB9B312FB3C9A9184735E
Malicious:	false
Preview:	# rule format....capa uses a collection of rules to identify capabilities within a program...These rules are easy to write, even for those new to reverse engineering...By authoring rules, you can extend the capabilities that capa recognizes...In some regards, capa rules are a mixture of the OpenIOC, Yara, and YAML formats.....Here's an example rule used by capa:....```yaml..rule:.. meta:.. name: hash data with CRC32.. namespace: data-manipulation/checksum/crc32.. author: moritz.raabe@fireeye.com.. scope: function.. examples:.. - 2D3EDC218A90F03089CC01715A9F047F:0x403CBD.. - 7D28CB106CB54876B2A5C111724A07CD:0x402350 # RtlComputeCrc32.. features:.. - or:.. - and:.. - mnemonic: shr.. - number: 0xEDB88320.. - number: 8.. - characteristic: nzxor.. - api: RtlComputeCrc32..```....This document defines the available structures and features that you can use as you write capa rules...We'll start at the high level structure and

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\installer\iexpress\packaged-as-an-iexpress-self-extracting-archive.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	755
Entropy (8bit):	4.9390818359222655
Encrypted:	false
SSDEEP:	12:mdmJeXsST6lxZOXIdTnocA+YdMqV7qF7qF2VjSqFjMAxtMJceXnbPAb:mMQZT6lxiyTnocAnZVmFmF2VtFj3bm0b
MD5:	42E288A95F7B53DBA4E9ADFC31F38966
SHA1:	A65FF4EEDBC9A3222382ED99386B9FB97CCE8E6C
SHA-256:	71959E0499DE9A7B1F7E4C567A89F431CD52BAA4DC1CC04AE5EC3CFC8FEDC5F3
SHA-512:	036BE5AAE55E86EE256FF32373A57D80B5B16C67423B785340C64175275C703218CEE2AEBC7077F52AE346FEA8FDF3821DD11275FD306E99B6CB3F05075C4C81
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as an IExpress self-extracting archive.. namespace: executable/installer/iexpress.. author: awillia2@cisco.com.. scope: file.. references:.. - https://en.wikipedia.org/wiki/IExpress.. examples:.. - ac742739cae0d411dfcb78ae99a7baee:0xA4C0 # wextract_cleanup%d.. - ac742739cae0d411dfcb78ae99a7baee:0xA488 # Software\Microsoft\Windows\CurrentVersion\RunOnce.. - ac742739cae0d411dfcb78ae99a7baee:0x34BA2 # ' <description>IExpress extraction tool</description>'.. features:.. - or:.. - and:.. - string: "wextract_cleanup%d".. - string: "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce".. - string: " <description>IExpress extraction tool</description>"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\installer\inno-setup\packaged-as-an-inno-setup-installer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	390
Entropy (8bit):	4.715672071695494
Encrypted:	false
SSDEEP:	12:mdmJkJwXJlxZOXXTnocA+Y9TwdAJPYISPt4:mMsiJlxiXTnocAgum4
MD5:	9DE087C929D798A9122113C8093B9B2C
SHA1:	83400BE9A1551A43E0B790ADBD1151CE6452B32F
SHA-256:	D79DA521E73090117C925C0655EF35695C4A3DF9E4B5D3993DD45F044E207270
SHA-512:	8B4942C1E049FA4AB120F7C65A76A46A77F445DE55FA35CB34522FE6D24E00BCD3AABF225078D6CD0B21FAB96A68E511015975BF07CF230A7DF24EC61690B41B
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as an Inno Setup installer.. namespace: executable/installer/inno-setup.. author: awillia2@cisco.com.. scope: file.. references:.. - https://jrsoftware.org/isinfo.php.. examples:.. - 70FD3347786ED7A4A43910E6778EF296.. features:.. - and:.. - string: /^Inno Setup Setup Data \(/.. - string: /^Inno Setup Messages \(/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\pe\pdb\contains-pdb-path.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	247
Entropy (8bit):	4.844226486100923
Encrypted:	false
SSDEEP:	6:hAvlmG+CDuuYli7S3CSkOy/BowKnqSUA623kdzGLV2yn:mdmG+CDuuYl2S3CDnBTnAXUAR
MD5:	CBAF715FCD818896197A4721E212E981
SHA1:	9DA898FAE5E7485F7391CA20D349822FCD2D6F8C
SHA-256:	A1AC5D0F9D99DE249BF53C5172296000E231E319D11F44C3796F2E8EF74F0E96
SHA-512:	137B6E19D75F5A6F542C9043279B60F909227C5B35D5B9196510079D0792C143C09E3674B2561B7BE59B0532DDD4FBC15B5F3A990BDBBCB06A9640640D1D37C8
Malicious:	false
Preview:	rule:.. meta:.. name: contains PDB path.. namespace: executable/pe/pdb.. author: moritz.raabe@fireeye.com.. scope: file.. examples:.. - 464EF2CA59782CE697BC329713698CCC # level32.exe.. features:.. - string: /:\\.*\.pdb/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\pe\section\rsrc\contain-a-resource-rsrc-section.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	261
Entropy (8bit):	4.738246853531565
Encrypted:	false
SSDEEP:	6:hAvlmG+AW3wli+Qy//3CSkOy/BowvOvVRM:mdmG+twlJCDnB9O0
MD5:	72187E84BD8490E943683E7FC57D98FF
SHA1:	E8C12E778C406DE9C0D6266E706D5DE3B04D6742
SHA-256:	9BFD057444ACD2D472A015F6CBB5EEF8980639C4CD4C689F62839969DEE480ED
SHA-512:	774E2971F989FE7783353C36EF7C0E73ED99F485B50522A9BA06DB563AF8908D599C05A054577C4B7EC8497F8D666932E8F97251039F844B1A5B849C3FF9E3EA
Malicious:	false
Preview:	rule:.. meta:.. name: contain a resource (.rsrc) section.. namespace: executable/pe/section/rsrc.. author: moritz.raabe@fireeye.com.. scope: file.. examples:.. - A933A1A402775CFA94B6BEE0963F4B46:0x41fd25.. features:.. - section: .rsrc..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\pe\section\tls\contain-a-thread-local-storage-tls-section.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.451339610590316
Encrypted:	false
SSDEEP:	6:hAvlmG+GNd7wRKwli+ShClESkOy/BowdnvcCXhR1:mdmG+GNOKwlyDnBbnvcCXZ
MD5:	8377D7626DCC43DF32E847A0919AEC89
SHA1:	08BE6FE71E98E89F70A1FEB852D0499221F17C52
SHA-256:	BA1B8C1A9BBE9F856B3B7CD1E02FD70B81C6FE12D0D69FCD7350DA63914297F4
SHA-512:	57E25EC693742C312BDC9723FB6FDB3706480A499F3657682AE0D9B54D691468AA939DC643AA74DBFBB0721F6AAB386FA47CE7A4FD104FA2A5128E1740021981
Malicious:	false
Preview:	rule:.. meta:.. name: contain a thread local storage (.tls) section.. namespace: executable/pe/section/tls.. author: michael.hunhoff@fireeye.com.. scope: file.. examples:.. - Practical Malware Analysis Lab 16-02.exe_.. features:.. - section: .tls..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\resource\extract-resource-via-kernel32-functions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	4.755527540547875
Encrypted:	false
SSDEEP:	24:mMfl5WbivLRKXfITVcIHL977rtJW+TLELruvBX:mMfqbivNKXlIHL9L6+TLELy
MD5:	E65270C9A4B0411956AFEBB1DDF0456B
SHA1:	44591EFF401D05E9B4FD387B40D513023287BF3D
SHA-256:	D0D9790C1043D185697FDD4829C326505DD56C4132D8371C4C57D3CCE3CC1E84
SHA-512:	6D5F2641E4DF3475C187DEF4FDF2F23454A98628F91797EEE5CE3569C54BC680929D35EA13D1A2344BF7FCA0A55FB8D8A5932CDDBB84E0246C5712C36B2F3B41
Malicious:	false
Preview:	rule:.. meta:.. name: extract resource via kernel32 functions.. namespace: executable/resource.. author: william.ballenthin@fireeye.com.. scope: function.. examples:.. - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000.. - Practical Malware Analysis Lab 01-04.exe_:0x4011FC.. # ntdll.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA.. features:.. - or:.. - and:.. - or:.. - api: kernel32.LoadResource.. - api: kernel32.LockResource.. - api: LdrAccessResource.. - optional:.. - match: contain a resource (.rsrc) section.. - api: kernel32.GetModuleHandle.. # may occur in parent function, see 0664B09A86EC2DF7DFE01A93E184A1FA23DF66EA82CAB39000944E418EC1F7B2.. - or:.. - api: kernel32.FindResource.. - api: kernel32.FindResourceEx.. - api: LdrFindResource_U.. - api: LdrFindResourceEx_U.. - api: kernel3

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\executable\subfile\pe\contain-an-embedded-pe-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.6499669312534175
Encrypted:	false
SSDEEP:	12:mdmG+OYlfCDnlKTehbnvLR7mk/fyrxIGSGyv:mM0YlfCDnlKahzLRKk/fytIGSVv
MD5:	390608C9E056BF117BEEB3972A0BF6F6
SHA1:	D409DF027131446CB357BE42F86BB27E124CD49F
SHA-256:	C99BD4C54C337036E349A554E811A8BE5D6CC59C112D8B98ABA3D425BAA1A1F9
SHA-512:	5CEAE054DB77472355A164A2C2BB51EC49107A3155DBB96EB190EF61EFF7C2005C3466A358E884FEC962E68DE6248DCFD537A24A28A93450A2791DDF1B070A50
Malicious:	false
Preview:	rule:.. meta:.. name: contain an embedded PE file.. namespace: executable/subfile/pe.. author: moritz.raabe@fireeye.com.. scope: file.. mbc:.. - Execution::Install Additional Program [B0023].. examples:.. - Practical Malware Analysis Lab 01-04.exe_:0x4060.. features:.. - or:.. - count(characteristic(embedded pe)): 1 or more.. - count(string(This program cannot be run in DOS mode.)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\bootloader\disable-code-signing.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	467
Entropy (8bit):	5.003893843346378
Encrypted:	false
SSDEEP:	6:hAvlm9GuKzYlLqLqUJFBO2S4FfyhuG24OUi15owYctQHmwlqGoRRJGCLX2rovZIt:mdm9GuDlLoRfFfyMo+/SmXJGIGcajB
MD5:	61C04769A2DCBC76E4A183C05179A476
SHA1:	25CFA483C43E75AA66889778839876C6763197CA
SHA-256:	ABEF2B1C755AA31F8824C42CD11FE0761AF86DC59EE12587EB5819C29B20578C
SHA-512:	8E05C7567ABEF3002F77DD07B098EECB7CAD5A2BD1226402DD54A3FC04D3C98B5498B92F88462DD0A7EC4B6432DF5B5816101B5C791B2FD514A44D29D80CCD13
Malicious:	false
Preview:	rule:.. meta:.. name: disable code signing.. namespace: host-interaction/bootloader.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006].. examples:.. - 0596C4EA5AA8DEF47F22C85D75AACA95:0x10710B3 # old Necurs rootkit.. features:.. - and:.. - match: create process.. - string: /^bcdedit(\.exe)? -set TESTSIGNING ON/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\bootloader\manipulate-boot-configuration.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	799
Entropy (8bit):	4.493243541085223
Encrypted:	false
SSDEEP:	12:mdmdZKwlLoRfFfQcA+YSDHfNvsfOadR5kg6N8IHEPxD5IHb1U/mEZQ:mMdfl+qcAwj1oR5kgRIqxVIWDQ
MD5:	EBA5C9F38ABEA99D7B9369A75EC24F1C
SHA1:	20F919CA96845001AFAF1A946425471D0B4457AD
SHA-256:	A918FB1F5AE2E588E8874F428D123EC3F5197F48A9C21D5394E652F65B665DC2
SHA-512:	7692C92E8063A99C52CEC8E477C8DE1F15CD817173034160ABCADB2D8B940D06275C22F0DCD9BB9DBB0315C973413A61EA712A39DB9BDAB6CB78488130CB9FDD
Malicious:	false
Preview:	rule:.. meta:.. name: manipulate boot configuration.. namespace: host-interaction/bootloader.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options.. examples:.. - 7FBC17A09CF5320C515FC1C5BA42C8B3:0x40CA00.. features:.. - or:.. - and:.. - string: /bcdedit.exe/i.. - optional:.. - string: "/deletevalue safeboot".. - and:.. - string: /boot.ini/i.. - optional:.. - api: kernel32.GetPrivateProfileStringA.. - api: kernel32.WritePrivateProfileString.. - or:.. - string: /default/i.. - string: /boot loader/i.. - string: /operating systems/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\cli\accept-command-line-arguments.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	471
Entropy (8bit):	4.97893690730065
Encrypted:	false
SSDEEP:	12:mdmyG/ClL8HfCfFfy50Frbnvuf/B5PCvj:mMR/Cl4/CU5ezu3B0
MD5:	0A0EEAC78107968FD77E3055A1605B33
SHA1:	3C7379A449EB151DCA45A05A9E7EC8C4E3DE31F6
SHA-256:	C2DCA1664C3EFF15724431D0CCE50C78164294AABA5F8ED39F70C25B8D8C71D4
SHA-512:	5ACA4C5A7ACF4BFE686B8BAAAB97664A28995505C840986AE39D88AD32CA13BE1CDF2BF27AF24A72DF17C447BCA38C785D947D294BE94C967265D54AE43712E7
Malicious:	false
Preview:	rule:.. meta:.. name: accept command line arguments.. namespace: host-interaction/cli.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Command and Scripting Interpreter [T1059].. examples:.. - Practical Malware Analysis Lab 10-03.exe_:0x401140.. - AFB6EC3D721A5CB67863487B0E51A34C167F629CF701F8BC7A038C117B4DDA44:0x407D50.. features:.. - or:.. - api: GetCommandLine.. - api: CommandLineToArgv..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\cli\resolve-path-using-msvcrt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	491
Entropy (8bit):	4.624850820049032
Encrypted:	false
SSDEEP:	6:hAvlm8nnJF6lLqLcoHFI8BIyZqhFVaTxlhowQfl/dmVRoPHVRSVS8uWXdm:mdmiJglL8HZihATVqfl9CM8m
MD5:	D988806767EF0F1F601AAF212A830683
SHA1:	DC811D2A533A812DAD96BB32CA7BD94A4AED0448
SHA-256:	1503159520410F34A03AAB3C00C3F6BB5ECAD840A424EFF61FDD0CDD43CD885E
SHA-512:	6B48746D9D2985C47C8379FD0CA211DE583F9819BFF84891F4927043CBF9D16236C95045B14E998C6C7BCC9E2DFEF67D2092C159A8CFF6981EC1FF8EB0DF96FD
Malicious:	false
Preview:	rule:.. meta:.. name: resolve path using msvcrt.. namespace: host-interaction/cli.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - 31600ad0d1a7ea615690df111ae36c73:0x4016B8.. features:.. - or:.. - api: msvcrt.__p__pgmptr.. - api: msvcrt.__p__wpgmptr.. - api: msvcrt._get_pgmptr.. - api: msvcrt._get_wpgmptr.. - api: msvcrt._pgmptr.. - api: msvcrt._wpgmptr..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\clipboard\open-clipboard.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	387
Entropy (8bit):	4.655926662723323
Encrypted:	false
SSDEEP:	6:hAvlmKlVN6lLqLctKNbClES4Ffyhr/AowKxfH9fNDR2GwBqNaHodFIh4/:mdmKzIlLifFfyl/ASlDIMIIHI0
MD5:	A7AEACD26F889C75EAADF14D2D4E1DFF
SHA1:	05F314C29C06F0BCFB85E4FE94B10AA90CA8ADA1
SHA-256:	1C5510F55832724A513EEC55CAB714CFB323909B26129B0C34A81C0F491151BF
SHA-512:	7E9207600747F33FD4B711A522E452042F808AB575D834AD9BD2F765ACAAED6FC21982B1B60C863E216D2DA789B8AE2FC0198C2653BD5DC021B27EBCC0F0F7DD
Malicious:	false
Preview:	rule:.. meta:.. name: open clipboard.. namespace: host-interaction/clipboard.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Clipboard Data [T1115].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180.. features:.. - and:.. - api: user32.OpenClipboard.. - optional:.. - api: user32.CloseClipboard..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\clipboard\read-clipboard-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	441
Entropy (8bit):	4.802459894645623
Encrypted:	false
SSDEEP:	6:hAvlmuRFwlLqLctKNbClES4Ffyhr/AowijU6WiULF21tETSID++XvVGYHodFMqsP:mdmu0lLifFfyl/AKQiQLDvXzIHMgHhy
MD5:	6E6CB93864B963D7921B8B7904CA84E2
SHA1:	6F09C6161687FEAA0D47829044BBE5780ED56D35
SHA-256:	80A110B82F969339F2E80D420AC00FA129907F4AFB9B4E42F1CE98A14128971D
SHA-512:	62335F1B27799A3C7650D33B6E75D7F30F1AEC18227A51D5C2A867A09B938CA25277A51D95BCD4DCFAA9DA90F3F21A7D86BB63312233FD580F35808EF22AFC8B
Malicious:	false
Preview:	rule:.. meta:.. name: read clipboard data.. namespace: host-interaction/clipboard.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Clipboard Data [T1115].. examples:.. - C91887D861D9BD4A5872249B641BC9F9:0x40156F.. - 93dfc146f60bd796eb28d4e4f348f2e4:0x401050.. features:.. - and:.. - optional:.. - match: open clipboard.. - api: user32.GetClipboardData..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\clipboard\replace-clipboard-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	429
Entropy (8bit):	4.581863451951482
Encrypted:	false
SSDEEP:	6:hAvlmxuRFwlLqLctKNbClES4FftKSFBaZjowKxfH9fNDR2GYHodFMqsVNGcm8vR2:mdmxu0lLifFftK4Ba9SlDgIHMLJkR
MD5:	6798D2F980357E7FD1E233D108F0EEDC
SHA1:	11442371F1844B7072B3F431D7114941D9BA89A8
SHA-256:	2301B1DFFFAAFD9C8FD70987AEC1C27B4371A3456282695D53A55D19B5B27221
SHA-512:	5B2EB49A89614523D6274F23055D330AE094686CC61F885DB1E654B0CDEA13AA7B1DE5D536D94919CED1398310E2707D8036CECCB1737B06907884B891F44199
Malicious:	false
Preview:	rule:.. meta:.. name: replace clipboard data.. namespace: host-interaction/clipboard.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Impact::Clipboard Modification [E1510].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180.. features:.. - and:.. - optional:.. - match: open clipboard.. - match: write clipboard data.. - api: user32.EmptyClipboard..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\clipboard\write-clipboard-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	392
Entropy (8bit):	4.72340796093543
Encrypted:	false
SSDEEP:	6:hAvlmSF8vRFwlLqLctKNbClES4FftKSFBaZjowqt0C9lDR2GYHodFMqsVNGLhy:mdmSc0lLifFftK4Ba9BQlDgIHMgLhy
MD5:	A810D761AA1EF611AC0A006475360CCD
SHA1:	29A3E9F6ACB0F8AAEF4E23082831040CE49EE72B
SHA-256:	15966B64B91CC5A43620CFE019AA5DE66D2FA6FBEB214952001120FCB94C1EBA
SHA-512:	4BDCBB1E5198C4B0378A222E838140CA6DAE1F8553F1C7F5E5E71E44ACB15CAD97DFA7D26DB46B61EAF9A640CB129292BF5A1F3E0FB38878787B543FF4E8185A
Malicious:	false
Preview:	rule:.. meta:.. name: write clipboard data.. namespace: host-interaction/clipboard.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Impact::Clipboard Modification [E1510].. examples:.. - 6F99A2C8944CB02FF28C6F9CED59B161:0x403180.. features:.. - and:.. - optional:.. - match: open clipboard.. - api: user32.SetClipboardData..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\console\manipulate-console.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	729
Entropy (8bit):	4.801837139182347
Encrypted:	false
SSDEEP:	12:mdmdYlLBSRfFftKUgIHcA+Yk2ZulMmO3DQ9s0IHWZkfn:mMdYle3KUgIHcAy2Zul1XI2Zkf
MD5:	29F62B51546522C7719270F31F6D654E
SHA1:	7AC24FA23FF0EFCCC17356DB0356E8C8EDE00063
SHA-256:	A5AD21A5019579E34B0B8FE51034888744175EA1B44B17D888676C1DA4EDE2CC
SHA-512:	C1F26B215EC0EB56024D8C71B6F79A884DC7FDA58BB2D15C3BEB0DE17F6352C1601645E4670E2D516BDD31DE0995C7FD6ECCF829A2D16AAF6FD4F8294E265ED0
Malicious:	false
Preview:	rule:.. meta:.. name: manipulate console.. namespace: host-interaction/console.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - Operating System::Console [C0033].. references:.. - https://stackoverflow.com/a/15770935/87207.. examples:.. - 3aa7ee4d67f562933bc998f352b1f319:0x705413A0.. features:.. - and:.. - or:.. - api: kernel32.SetConsoleCursorPosition.. - api: kernel32.ReadConsoleOutputCharacter.. - api: kernel32.WriteConsoleOutputCharacter.. - api: kernel32.WriteConsoleOutput.. - api: kernel32.WriteConsoleInput.. - optional:.. - api: kernel32.GetStdHandle.. - number: 0xfffffff5 = STD_OUTPUT_HANDLE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\driver\disable-driver-code-integrity.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.645338950799996
Encrypted:	false
SSDEEP:	12:mdm9GzFAlLPRfFfQcA+YD2SJSgYxPBToePuGw9jZIstBKUUHFfIlTHI1mWaIHs+I:mM85AlNqcAJAFPZ9PuGuuH2GmIVI
MD5:	47155ECE9C05CA2AC739C99DEAC27339
SHA1:	7C2BF03AFE620801F2CEAF62ED2172793F378F63
SHA-256:	DBC04278669FFF622F21EA1CA09295F7E218C790355D37C36427525B1EA06B6A
SHA-512:	0A634C3CDADA83363F5D3C3F949A0AF08262C8A27DCE21AA835879277F12D123F0F7BDE3578D7C57DBD1AFC07DF3BC89E81A3C533C3A84684D6C5081C61CFCF8
Malicious:	false
Preview:	rule:.. meta:.. name: disable driver code integrity.. namespace: host-interaction/driver.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.fuzzysecurity.com/tutorials/28.html.. - https://j00ru.vexillium.org/2010/06/insight-into-the-driver-signature-enforcement/.. examples:.. - 31CEE4F66CF3B537E3D2D37A71F339F4:0x140004070.. features:.. - and:.. - or:.. - string: "CiInitialize".. description: exported symbol name used to resolve code integrity configuration.. - string: /g_CiEnabled/.. description: non-exported name for code integrity flag.. - string: /g_CiOptions/.. description: non-exported name for code integrity settings.. - optional:.. - string: /CI.dll/i.. description: code integrity implementation DLL..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\driver\install-driver.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	441
Entropy (8bit):	4.795780166519757
Encrypted:	false
SSDEEP:	12:mdmklLeC/hJ8AzfVJHkKlnU+hQCZt7pmc:mMklqCJJPzfXkKFU+hTbZ
MD5:	9213BB0970A49BB5FB96A1530CA66724
SHA1:	ED53BD97CC63930B676C044A478F8A0AEFDB05B3
SHA-256:	D353C587C30C4008E514D252C4BAB2E5BE2B62FCCCE9D4556134791F58CDE3AD
SHA-512:	0CE9FC8BE90C2A86550A38453F1A6CAB39AE6FCE990F823CAD5AF5150882CBE5785C98C6948C8204AE3EBC4BDA7542F43CDB4F487DBBB5693C0FDBCBAA281642
Malicious:	false
Preview:	rule:.. meta:.. name: install driver.. namespace: host-interaction/driver.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. mbc:.. - Hardware::Install Driver [C0037].. examples:.. - af60700383b75727f5256a0000c1476f:0x1127E.. features:.. - or:.. - api: ntdll.NtLoadDriver.. - api: ZwLoadDriver..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\driver\interact-with-driver-via-control-codes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.942822535334305
Encrypted:	false
SSDEEP:	12:mdmbTMlLeCfFfyNbnvuOjeZnNh1QT99N8aucv:mMbTMlqCUNzuOjebTi9ZZ
MD5:	E035778D63A84FE5BD0E7C42DFDB8EA8
SHA1:	5986C6390308C6A81F45E09A4F19764B201BA356
SHA-256:	74175A47F10DF8FC61A32062A9D1ECC31BE51C616B9E05911215DA6A695800C2
SHA-512:	530343E40E33948DB88207D4FC28FD4D4769816E087D59C6E352908EF76C397EAA9560C267107AEF90189ACB6C7C534CC4967DE62D6E90E6A8143678BFDE86DB
Malicious:	false
Preview:	rule:.. meta:.. name: interact with driver via control codes.. namespace: host-interaction/driver.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::System Services::Service Execution [T1569.002].. examples:.. - Practical Malware Analysis Lab 10-03.exe_:0x401000.. - 9412A66BC81F51A1FA916AC47C77E02AC1A7C9DFF543233ED70AA265EF6A1E76:0x10002DE0.. features:.. - or:.. - api: DeviceIoControl.. - api: NtUnloadDriver.. - api: ZwUnloadDriver.. - and:.. - number: 38 = SystemLoadAndCallImage.. - api: ZwSetSystemInformation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\environment-variable\get-comspec-environment-variable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	393
Entropy (8bit):	4.628849981538202
Encrypted:	false
SSDEEP:	6:hAvlmCvSd3nYlLqLOyqHluES4FfJowdnvHh+G6fC3n7LZqrVLuqn:mdmCKYlLfuEfFfJbnvHqfyPZ6huq
MD5:	2B7110456CC91E5DD05C48CD91E59C9F
SHA1:	B550EEA5E082CB1EAA347B6E7B7D66A599FF7956
SHA-256:	E8D540998D4BBC9EA0741F33B5D1082B525F19665F0277F081F18DB8A3E73211
SHA-512:	DF8B6E4F7A8D75481CCCFBEE3510B8950D3B59243E3C44AE29986A0698935E036152EE25C5B48E493BD43D45E81DDC9D566B5EBA9202F9FE7CB132D0F4D96384
Malicious:	false
Preview:	rule:.. meta:.. name: get COMSPEC environment variable.. namespace: host-interaction/environment-variable.. author: matthew.williams@fireeye.com.. scope: function.. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x401880.. features:.. - and:.. - match: query environment variable.. - or:.. - string: "COMSPEC".. - string: "%COMSPEC%"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\environment-variable\query-environment-variable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.816154094188783
Encrypted:	false
SSDEEP:	12:mdmayYlLahz6QRFfyINoo/BbnvHuvwRXTBpUm:mMayYlWz6Q2Eoo/BzOKh
MD5:	866B1A1DFBED3A0FBDA27CA061C8144C
SHA1:	0478DEE0BE2B64B1D3A48D48C163CB0F37DE3F66
SHA-256:	216076CCD197BE9274F4E6D5DA97881AC0EE5F911BFAEDE7969C96F263B2714C
SHA-512:	59BA3BC43BD5329216317974266F773D6DFB782362064828F2466752E539B72FC351542D0D7E08A21A1CA3C99D71CCAFFFD047C84784197833A1E0EEC58A3690
Malicious:	false
Preview:	rule:.. meta:.. name: query environment variable.. namespace: host-interaction/environment-variable.. author:.. - michael.hunhoff@fireeye.com.. - "@_re_fox".. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x401880.. - 0761142efbda6c4b1e801223de723578:0x65483490.. features:.. - or:.. - api: kernel32.GetEnvironmentVariable.. - api: kernel32.GetEnvironmentStrings.. - api: kernel32.ExpandEnvironmentStrings.. - api: msvcr90.getenv.. - api: msvcrt.getenv..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\environment-variable\set-environment-variable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	442
Entropy (8bit):	4.665987648519483
Encrypted:	false
SSDEEP:	6:hAvlmWw3nYlLqLOyhClES4FftKU9CF2RhZYzzdrjowdnvtnMBBflF4BD:mdmWgYlLmfFftKUgIyrjbnvtnok
MD5:	5E3100863D4D41F02DAB29D132FDF3BE
SHA1:	8ADC41D8A80DF72121A2AFFBD3B317A628AB779B
SHA-256:	BA0337C4CAA59ACC47993AEE40F31EE336D2DBAACB33114BE2EF124F9160BC31
SHA-512:	4A24FB7F7DF332C524DB17047710F2D4865E6809DDDA130E76283EEB0D5B4D5E40BB286897194D009324C88A8C9362C8BE3305EAAD2F93A07DD5D0CEEF59A674
Malicious:	false
Preview:	rule:.. meta:.. name: set environment variable.. namespace: host-interaction/environment-variable.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Operating System::Environment Variable::Set Variable [C0034.001].. examples:.. - Practical Malware Analysis Lab 11-03.exe_:0x406580.. features:.. - or:.. - api: kernel32.SetEnvironmentStrings.. - api: kernel32.SetEnvironmentVariable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\bypass-mark-of-the-web.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	627
Entropy (8bit):	4.788730945185596
Encrypted:	false
SSDEEP:	12:mdmkCgdofwlLTRfFfyMuqeO2UX7JAy/Php1wQUAa1wQ:mMW3lhUyeO2UNAy/5pWh
MD5:	9484AE48F670CB1B4CEBF67CC15A1F33
SHA1:	4D4CDF10E771B19848755C84E2F32DA631A8AA35
SHA-256:	C460CBCE0B35038EDD6020BD2F2F9571F471D8F98E734A37567A06EA3727A7B2
SHA-512:	5FEE349A769949F176CA8244E02FAC930AA0F0186B4C7DB8BEC74545E66591DF2DE5EADD7E50EDE753CD6A689FB3618687FF4539D799BF929579C0EB1F819A31
Malicious:	false
Preview:	rule:.. meta:.. name: bypass Mark of the Web.. namespace: host-interaction/file-system.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005].. examples:.. - 48c7ad2d9d482cb11898f2719638ceed:0x405B10.. features:.. - and:.. - api: DeleteFile.. - or:.. - string: ":Zone.Identifier".. description: NTFS ADS name recognized by Windows Defender SmartScreen.. - string: "%s:Zone.Identifier".. description: NTFS ADS name recognized by Windows Defender SmartScreen..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\copy\copy-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	551
Entropy (8bit):	4.474253561734333
Encrypted:	false
SSDEEP:	12:mdmG+nYlLLcCfFftKhdzbnvLRdbfe+RsoSCoIq:mM3Yl/cC3KXzLRd77RbSCoIq
MD5:	9A8D618877E9D2BDF95F52493C352BBF
SHA1:	D22E703F02BB189CF026BA7FC9DBC53ECA77269A
SHA-256:	891437DEA965C0FAD1F83BEDD0516D220D2034F2AD802C572D172B4342E21690
SHA-512:	275DF2E08C6FC7A6C304479630F8818F5A1C19E55C70149CDE998B9B50145F0A1BB2D0B7B2E169C7C7C09F7E1BA3D974EB68FECFD76267B5D90FB5624C9B22EC
Malicious:	false
Preview:	rule:.. meta:.. name: copy file.. namespace: host-interaction/file-system/copy.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - File System::Copy File [C0045].. examples:.. - Practical Malware Analysis Lab 01-01.exe_:0x401440.. features:.. - or:.. - api: kernel32.CopyFile.. - api: kernel32.CopyFileEx.. - api: CopyFile2.. - api: CopyFileTransacted.. - basic block:.. - and:.. - number: 2 = FO_COPY.. - or:.. - api: kernel32.SHFileOperation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\create\create-directory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	627
Entropy (8bit):	4.56854458501706
Encrypted:	false
SSDEEP:	12:mdmG3lJlLNfCfFftKhYttBbnvUy6jtajtNNljtQItQ9t+t3tNNgx:mMElZfC3KKTzGSfNBSIcwBfNE
MD5:	51B66C327D870B993E566C7D780E551A
SHA1:	A63101590EF9CBF2B486E08474D25462CB31BD78
SHA-256:	D6C7465D54AD14BD816ABAF04CAE26EC4C8915C0CAD28D1B964833FEF27F71D1
SHA-512:	6B1274C1974974D1200700DBC78414A310521E5F51ABFBAD69B4EC4D0EC5B279F70E21B7C8B0C33635194864B171F9FDCD2F1F6FBCFED44D212DC7AF2B6E589E
Malicious:	false
Preview:	rule:.. meta:.. name: create directory.. namespace: host-interaction/file-system/create.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - File System::Create Directory [C0046].. examples:.. - Practical Malware Analysis Lab 17-02.dll_:0x10008f62.. features:.. - or:.. - api: kernel32.CreateDirectory.. - api: kernel32.CreateDirectoryEx.. - api: kernel32.CreateDirectoryTransacted.. - api: NtCreateDirectoryObject.. - api: ZwCreateDirectoryObject.. - api: SHCreateDirectory.. - api: SHCreateDirectoryEx.. - api: _mkdir.. - api: _wmkdir..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\delete\delete-directory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	509
Entropy (8bit):	4.900363505900323
Encrypted:	false
SSDEEP:	12:mdmuq5lLeCfFftKhl5bnvLdXLR5O/8/Qf:mMpliC3K35zLX4f
MD5:	781757742C04BB887F9AD76E79E1D159
SHA1:	2F328CA77011B2BE05A39D4EE4CA246F9737092F
SHA-256:	5BA96F1E09310531C135EF4507495F897B79F6958946570E976363C63E8FD8D0
SHA-512:	ECF7B4F48C9C7CFCD65BF9506B5CF916145A33C44C91BE6738D7971EA9B7A957451624B711B962E43C2ADEDC998A1A2E2C30EB4ED2C3FFA624505E8EDEDD05C0
Malicious:	false
Preview:	rule:.. meta:.. name: delete directory.. namespace: host-interaction/file-system/delete.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - File System::Delete Directory [C0048].. examples:.. - Practical Malware Analysis Lab 05-01.dll_:0x10009236.. - AFB6EC3D721A5CB67863487B0E51A34C167F629CF701F8BC7A038C117B4DDA44:0x429AA0.. features:.. - or:.. - api: RemoveDirectory.. - api: RemoveDirectoryTransacted.. - api: _rmdir.. - api: _wrmdir..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\delete\delete-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	925
Entropy (8bit):	4.767993927930866
Encrypted:	false
SSDEEP:	24:mM1HYliC3KPcto1TiSrmAy/gVujAy/0AiRCkAy/zAy/t8ICCpwzrZy:mM14PaPcto1FrmAytAysAiZAy7AylQc
MD5:	5834F77542F92929C60B1ECD0E096FA8
SHA1:	6C069D734F91F60F47C41A37FC714E107180F607
SHA-256:	9CC77AB97F0DE7C08C3C680CE46A7E18E6ADCC5656177C2DDF1E0181887CCD96
SHA-512:	B4C26DC4A23ED35ABB1DFA6674476ED6EE2E7AB54FFE363407014A3F72BD3D04D56EAE3232DCC8ABE395E746068225760F942792AD88632F179AEED3265E02FB
Malicious:	false
Preview:	rule:.. meta:.. name: delete file.. namespace: host-interaction/file-system/delete.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - File System::Delete File [C0047].. examples:.. - 946A99F36A46D335DEC080D9A4371940:0x100015F0.. # MoveFileEx.. - 31600AD0D1A7EA615690DF111AE36C73:0x401A15.. # NtDeleteFile.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001E04.. features:.. - or:.. - api: kernel32.DeleteFile.. - api: DeleteFileTransacted.. - api: NtDeleteFile.. - api: ZwDeleteFile.. - api: remove.. - api: _wremove.. - basic block:.. - and:.. - number: 3 = FO_DELETE.. - or:.. - api: kernel32.SHFileOperation.. - basic block:.. - and:.. - number: 4 = MOVEFILE_DELAY_UNTIL_REBOOT.. - number: 0 = NULL.. - api: MoveFileEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\exists\check-if-file-exists.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	675
Entropy (8bit):	4.74403944556789
Encrypted:	false
SSDEEP:	12:mdmGDsfClLDFCfFfyATVqIWmI61MoLKTA:mMm6ClPFCUATVnWmz7LKTA
MD5:	F13332DA133884BE2F55CAD8716FB07E
SHA1:	85AB4EB2EEBF9394FC34DEA9FA808C50989F7AD0
SHA-256:	122C4BBBB1502240B4FDCD044C88B1577E34B166A873C1DCFCD4FA467F0181C5
SHA-512:	D43EC712E550A69594004F21BA8CB06FB81C7DEE5734764483A7CF9C19B1D0C42E3BAC86976E504E8D9BB5B86F6C8E4EC8A79D67CC4C0148A9FB77A1F1E9449B
Malicious:	false
Preview:	rule:.. meta:.. name: check if file exists.. namespace: host-interaction/file-system/exists.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - 31600AD0D1A7EA615690DF111AE36C73:0x401284.. features:.. - or:.. - basic block:.. - and:.. - api: kernel32.GetFileAttributes.. - mnemonic: cmp.. - number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES.. - basic block:.. - and:.. - api: kernel32.GetLastError.. - mnemonic: cmp.. - number: 2 = ERROR_FILE_NOT_FOUND.. - api: shlwapi.PathFileExists..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\files\list\enumerate-files-recursively.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	481
Entropy (8bit):	4.571300543915293
Encrypted:	false
SSDEEP:	6:hAvlmAPVXwlLqLRf8BAFfyhFVaTxlhowWJkXXztF5hGjBJIBJxBEhXEhvY:mdmSglLj6FfyATVwJkX1yB+B9UXEhA
MD5:	177CEEDA8C3FBA04C290B4AA61F34D11
SHA1:	26CE260F6300F9CA1C5F32569614D6C77CE58554
SHA-256:	389BA36E17226C0C30F92B92BF9E28D441CD2D28EF2151E047CC7FC449DA4F7E
SHA-512:	7B8CD27041A2176A9E8246F99C8124746E6642A3AFD3B6DC97958B4ACB1773E21E73DA9670259A090B789C5EF95E603056151BA034D433C01B98782DE7C9E8FD
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate files recursively.. namespace: host-interaction/file-system/files/list.. author: "@_re_fox".. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - 5f66b82558ca92e54e77f216ef4c066c:0x40640E.. features:.. - and:.. - or:.. - match: enumerate files via kernel32 functions.. - match: enumerate files via ntdll functions.. - characteristic: recursive call..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\files\list\enumerate-files-via-kernel32-functions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	827
Entropy (8bit):	4.547193659762281
Encrypted:	false
SSDEEP:	12:mdmblLhCfFfyATVbnvLR/nnvsZZf2RndgRXXPIHy5Lv+:mMblFCUATVzLR/vch2ROX/IELm
MD5:	FF9A8B7D0A0DA934667F0FD2EFD0693E
SHA1:	24DDC1D1A83EB930945F60A7E91D06E772A6B2FF
SHA-256:	8E32A327C38D4BDD3710314DE0CD82E8F5E95BABC24BB8CE990AC1057C2B3DDD
SHA-512:	701996D4290D92B275CA3D8C3F71084715800A7A9800640B07C46CAEBC7D2B00C12831F6C68C3D96718204C6AED8363FB19FE556E9A5FD8DC7595BBDC731D6B1
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate files via kernel32 functions.. namespace: host-interaction/file-system/files/list.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - Practical Malware Analysis Lab 01-01.exe_:0x4011E0.. - Practical Malware Analysis Lab 20-02.exe_:0x401000.. features:.. - and:.. - or:.. - api: kernel32.FindFirstFile.. - api: kernel32.FindFirstFileEx.. - api: kernel32.FindFirstFileTransacted.. - api: kernel32.FindFirstFileName.. - api: kernel32.FindFirstFileNameTransacted.. - or:.. - api: kernel32.FindNextFile.. - api: kernel32.FindNextFileName.. - optional:.. - api: kernel32.FindClose.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\files\list\enumerate-files-via-ntdll-functions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	796
Entropy (8bit):	4.987168718203441
Encrypted:	false
SSDEEP:	12:mdm4WlLhCfFfyATEcA+Y2+KcGcEH0nMkbsSqIHYwodhLvFXEhs:mM4WlFCUATEcApdKUnMVI4wWhLdXUs
MD5:	0D1BE3E1BB25FD8E22B7E294EC34B574
SHA1:	3E15FFC8C47471E749595278CF7B9022590C5077
SHA-256:	B401AEB05F468908D553AAC10319716E5675572807ED4EB6F99E03BD5AF8BEB1
SHA-512:	D3D1517E2ABDDB394F9386C3AC41393DCE6BA5D79F9CCE7D14A1F6483323FC2D66C89A12AC5BCDDDB6D885AF086CF29228A28173E3278AEF2B76A7714681E4D9
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate files via ntdll functions.. namespace: host-interaction/file-system/files/list.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. references:.. - https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b5/Source/Furutaka/sup.c#L315.. examples:.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x14000203C.. features:.. - and:.. - basic block:.. - and:.. - number: 1 = DIRECTORY_QUERY.. - api: ntdll.NtOpenDirectoryObject.. - api: ntdll.NtQueryDirectoryObject.. - optional:.. - api: RtlAllocateHeap.. - match: contain loop.. - characteristic: indirect call..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\get-common-file-path.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1027
Entropy (8bit):	4.797927942272123
Encrypted:	false
SSDEEP:	12:mdmCJYlLiCfFfyATVbnvLJKZ54oBGsIO9q0+oSBEDkE:mMCWl2CUATVzLi4sG2N
MD5:	69EFE3F0544ADD6AE951402496CF99B6
SHA1:	867D436686B36084199F550C121AAD37F029A6CA
SHA-256:	E5952012FF4D4332F4D91C0CB8350F55E7979E2AF7EDD0470ABB0BF7E7CDBAA6
SHA-512:	0E30C274A0440F76B282E3C5770E8B8A3D12B5636C861608298F09BD2CFD8B30BF05E1CB2B639519B8CC8EFAA6EB15625FC681080D43F91BD19193A19268F5AE
Malicious:	false
Preview:	rule:.. meta:.. name: get common file path.. namespace: host-interaction/file-system.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10003415.. - 972B219F18379907A045431303F4DA7D:0x404887.. features:.. - or:.. - api: kernel32.GetTempPath.. - api: kernel32.GetTempFileName.. - api: kernel32.GetSystemDirectory.. - api: kernel32.GetWindowsDirectory.. - api: kernel32.GetSystemWow64Directory.. - api: GetAllUsersProfileDirectory.. - api: GetAppContainerFolderPath.. - api: GetCurrentDirectory.. - api: GetDefaultUserProfileDirectory.. - api: GetProfilesDirectory.. - api: GetUserProfileDirectory.. - api: SHGetFolderPathAndSubDir.. - api: shell32.SHGetFolderPath.. - api: shell32.SHGetFolderLocation.. - api: shell32.SHGetSpecialFolderPath.. - api: shell32.S

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\get-file-system-object-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.837598766035387
Encrypted:	false
SSDEEP:	6:hAvlmC3MPMKcfwlLqLRVJClESgyZqhFVaTxlhowklUDrgFzYjq:mdmCKcfwlLQ/hATV1r2
MD5:	75DFDB8C2039B20E66B566756E152ED4
SHA1:	613AC8C0010ED939BB164F2A89252763BF6C5986
SHA-256:	ACBD5D591039DB2085D249F4328462EAA300214FDD1F9E8D36DD2C9C45761F36
SHA-512:	59DCA2C26B7DF20C901049A28EEC3B7C049F463D0C255DA252A5196CF1DEA0E416EE7343FD076F3D505EB2D5BCED226D8FFA6DEEDEC59754CB3BB8F959526D62
Malicious:	false
Preview:	rule:.. meta:.. name: get file system object information.. namespace: host-interaction/file-system.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x403538.. features:.. - or:.. - api: SHGetFileInfo..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\get-program-files-directory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	658
Entropy (8bit):	5.037313795115509
Encrypted:	false
SSDEEP:	6:hAvlmCc0FFwlLqLRV3CSgyZqhFVaTxlhowqVfJV+2fS+G4ym0TPS3870TPycbiAP:mdmCKlLiC/hATVCfSQa71ZEbsE
MD5:	C9CE6F2AF5F61F993DE2C42053241BC7
SHA1:	F0C3FE5E4BCB6BE8FE9D873C38CA0AE6C7578369
SHA-256:	3609B3E16ADEC7321EC29D2E33E0D67351B7595EECAEFE13366757733772AB98
SHA-512:	8E71EFB42CB5EED598D86F1CAC96C10C57785B99900E15863F9A3DD79979FDE458AD7433AC3997AC169F0E20905B60A0BB6F85C29967DA17AF75AC548999FDA6
Malicious:	false
Preview:	rule:.. meta:.. name: get Program Files directory.. namespace: host-interaction/file-system.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - BC452CC1128CCF7FA9F76D83CDA79132740414973600FED14509749FE946816E:0x407880.. features:.. - and:.. - or:.. - number: 0x26 = CSIDL_PROGRAM_FILES.. - number: 0x2A = CSIDL_PROGRAM_FILESX86.. - or:.. - api: shell32.SHGetFolderPath.. - api: shell32.SHGetFolderLocation.. - api: shell32.SHGetSpecialFolderPath.. - api: shell32.SHGetSpecialFolderLocation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\meta\get-file-attributes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	602
Entropy (8bit):	4.953695057679869
Encrypted:	false
SSDEEP:	12:mdmCR1lLmR/wKhLlBiuZkxTp3ZkxT1XTBZkuoE:mMC7lyR4KBnir61XTB+uh
MD5:	57A34F47D78831C872660C49ADC42BCD
SHA1:	A3D9A9D11D3D321C82392E11A94A4580A308847A
SHA-256:	70C63115FFED09E8E178BA4D2E18EC43FA0766382417C18614E0F85F70E0B6F7
SHA-512:	34F83BC83DE811DE68E13941C0CD340B9E9DF98CA2A60ABF6AA26410E3597346C7F1EEAD1CD3704C1C47CB43C2E788775A536129C667A95F1F4DD1AD1CDE6499
Malicious:	false
Preview:	rule:.. meta:.. name: get file attributes.. namespace: host-interaction/file-system/meta.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - File System::Get File Attributes [C0049].. examples:.. - 03B236B23B1EC37C663527C1F53AF3FE:0x180019824.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4029E0.. features:.. - or:.. - api: kernel32.GetFileAttributes.. - api: ZwQueryDirectoryFile.. - api: ZwQueryInformationFile.. - api: NtQueryDirectoryFile.. - api: NtQueryInformationFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\meta\get-file-size.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	366
Entropy (8bit):	4.619159001531818
Encrypted:	false
SSDEEP:	6:hAvlmCcClLqLRYCFFJClES4FfyhFVaTxlhowKh4Bl1/Ql1y:mdmCXlLmRfFfyATVca1E1y
MD5:	BD16EB534FADFFF9F75894E2FFFD0966
SHA1:	712785596D5D6476BEB06F86F67951013A7FC4F2
SHA-256:	165119A4A026C44F67844E2240A045CAC8E6967E37A409FA2F8877E35721193C
SHA-512:	36E5662BD922EE95E50C577A7CD1E282A14F7CF54CBD2EA37C91AC258C7815E628042CDDBE7140254F1D491DD313A39AFF613BCE7C30679236B36CE8B80EDE96
Malicious:	false
Preview:	rule:.. meta:.. name: get file size.. namespace: host-interaction/file-system/meta.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - mimikatz.exe_:0x40630D.. features:.. - or:.. - api: kernel32.GetFileSize.. - api: kernel32.GetFileSizeEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\meta\get-file-version-info.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	677
Entropy (8bit):	4.442206571811179
Encrypted:	false
SSDEEP:	12:mdmCddYlLmRfFfyATVcciI1RiIiwIHSBFnRaicV/YiI2iIJ:mMCbYlyRUATVccT1RTiwIyDYXV/YT2TJ
MD5:	66F358BE13B4B55E5E792C9CE8F96F7E
SHA1:	B49C2572C2F637B2E9460DE33033A0606BD4E963
SHA-256:	B14523A3673BD56E9965A4D869DF32A7739ADC297BCF1B41AF631DB5D4274ECA
SHA-512:	250850492392BAA2A428CF4C4471ABE84144FA7148A5505CD4F765E00CFE7108B0E7810CA4D1737CBEE14A1E6C6ADF41541722DA6753EE7F63EC4964A495F9FA
Malicious:	false
Preview:	rule:.. meta:.. name: get file version info.. namespace: host-interaction/file-system/meta.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::File and Directory Discovery [T1083].. examples:.. - mimikatz.exe_:0x45E308.. features:.. - and:.. - or:.. - api: version.GetFileVersionInfo.. - api: version.GetFileVersionInfoEx.. - optional:.. - description: retrieve specified version information from the version-information resource.. - api: version.VerQueryValue.. - or:.. - api: version.GetFileVersionInfoSize.. - api: version.GetFileVersionInfoSizeEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\meta\set-file-attributes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	610
Entropy (8bit):	4.886301735180553
Encrypted:	false
SSDEEP:	12:mdmWR1lLm5CGh/hushstHKhvlx/BctoVPZkxTph+AkcE:mM+ly5COJputHKB5ctoVIS1
MD5:	3EE3857CF820D393E038C34D5C893E46
SHA1:	BCAACC0622F66ADF13B81917E62F941ED0D5BD0A
SHA-256:	4C6983BB56041A2E11A408D66D7AF0A56D496F330D005876AEB5EFC57D974BFE
SHA-512:	FE6A37AB17C3ED20405590CD4FB80F81171907D9ECECE1AC92AB2CF358412AD01A42DF41CB254FD08B3534F07FF2CFB6AB2F1401C99347E49EA52349BD72445C
Malicious:	false
Preview:	rule:.. meta:.. name: set file attributes.. namespace: host-interaction/file-system/meta.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::File and Directory Permissions Modification [T1222].. mbc:.. - File System::Set File Attributes [C0050].. examples:.. - 946A99F36A46D335DEC080D9A4371940:0x100015f0.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4028B6.. features:.. - or:.. - api: kernel32.SetFileAttributes.. - api: ZwSetInformationFile.. - api: NtSetInformationFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\move\move-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	556
Entropy (8bit):	4.430973286186337
Encrypted:	false
SSDEEP:	12:mdmpNHYlLCdCfFfJbnvLR7mX9/0ofy5rRmkIq:mMnHYlUCbzLRKX9/0Sy5rRFIq
MD5:	2B4828F87CD8A45847A42E320877FF9D
SHA1:	37B4164A3B3814B4A1257595ABEC4DF987C9E577
SHA-256:	FFAED2545083C19950608F11C2FA5AA45AF2EB9574CE190B74F13D2304350BC4
SHA-512:	D1B81F273546C7208B1235F654ADCFFDA68534EAC7F19BA50CCE9B7925AAF2DD8C2EB068400C94AE0FC41396D4E1C577C158DB4E4EEAFC0A9DD5F6CF8270B133
Malicious:	false
Preview:	rule:.. meta:.. name: move file.. namespace: host-interaction/file-system/move.. author: moritz.raabe@fireeye.com.. scope: function.. examples:.. - Practical Malware Analysis Lab 01-04.exe_:0x401350.. features:.. - or:.. - api: kernel32.MoveFile.. - api: kernel32.MoveFileEx.. - api: MoveFileWithProgress.. - api: MoveFileTransacted.. - api: rename.. - api: _wrename.. - basic block:.. - and:.. - number: 1 = FO_MOVE.. - or:.. - api: kernel32.SHFileOperation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\read\read-file-via-mapping.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	627
Entropy (8bit):	4.426630879489396
Encrypted:	false
SSDEEP:	6:hAvlm5kHYlLqLRsClES4FfJowdnvLRDYmGKt+2kdYa/mRHodFei42cARFnwtOmKD:mdmflLrfFfJbnvLRIboIH+CFRToSN
MD5:	F9ED2FFD373F0BFB4C95D348EC66A6CC
SHA1:	1D385AADA7AE39DA9822965951EA3B6F9FF8A765
SHA-256:	86CC33D581E36C3C0BA4FF23ABABB142BC1FE76A9E790E78BA8C0756B7ECE6C6
SHA-512:	19DF51DFB6EB3D76A3CBB44049825DB46DFFA748F28E97A35A317A491102CE366FF4B027EF8545AB45F7503535CE17F5ACB535B31C45687FA147F10C1FF554C9
Malicious:	false
Preview:	rule:.. meta:.. name: read file via mapping.. namespace: host-interaction/file-system/read.. author: michael.hunhoff@fireeye.com.. scope: function.. examples:.. - Practical Malware Analysis Lab 01-01.exe_:0x401440.. features:.. - and:.. - basic block:.. - and:.. - api: kernel32.MapViewOfFile.. - number: 4 = FILE_MAP_READ.. - optional:.. - api: kernel32.UnmapViewOfFile.. - and:.. - match: get file size.. - basic block:.. - and:.. - api: kernel32.CreateFileMapping.. - number: 2 = PAGE_READONLY..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\read\read-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	637
Entropy (8bit):	4.322861852428268
Encrypted:	false
SSDEEP:	12:mdmuYlL9CfFftKhP4AjkzIHhx/almfnYLvW:mMuYlxC3K/jIIr/aWnYLe
MD5:	2C62198BB7CDE6AA76C1A5BE3F735FD8
SHA1:	ED75E8D3D1CCF91A8F71D59F5AE1872F3B3B4ED7
SHA-256:	F28080FCB5A3A19B5809949FF8C9F0D12D3A7612DA1607DF3B736CC8F3C604EF
SHA-512:	DB8EA3E6571E9911499B78526700E242F3C14EC69CF82DBAEBB3C215CABEB9CB31614E25B292C61D3E5F825AA23DCCEB2B99E9595E2652DDC8178A663A4B5FD9
Malicious:	false
Preview:	rule:.. meta:.. name: read file.. namespace: host-interaction/file-system/read.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - File System::Read File [C0051].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B.. features:.. - or:.. - and:.. - optional:.. - and:.. - number: 0x80000000 = GENERIC_READ.. - or:.. - api: kernel32.CreateFile.. - or:.. - api: kernel32.ReadFile.. - api: ReadFileEx.. - api: NtReadFile.. - api: ZwReadFile.. - api: _read.. - api: fread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\read\read-ini-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	673
Entropy (8bit):	4.692795055578404
Encrypted:	false
SSDEEP:	12:mdmoFYlLS6QkhfFftKhP4AjoJA5HhLzIHsVRP:mMoFYlm6QY3K/jKA5B3IAB
MD5:	3C246EB721FFA6DB0590E3666032DC7D
SHA1:	B973ED5700684BE7CB0DDA4ABE221CEC535A6CC8
SHA-256:	978D27792846B092196F16578CA2000347D1BE4520288B7ACB4A820925DAC870
SHA-512:	1FBCDD90C98F3CEC78D7DA37C7550F8004ABD6C24A2CB6C6F0CACAB67C903FAB39ABC6D8165FD4DE9F7A7449BD198B5F4E702BA3AFD9E4440C1BC7F2233BEDE7
Malicious:	false
Preview:	rule:.. meta:.. name: read .ini file.. namespace: host-interaction/file-system/read.. author:.. - "@_re_fox".. - michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - File System::Read File [C0051].. examples:.. - 1d8fd13c890060464019c0f07b928b1a:0x401070.. - E6234FB98F17201C232F4502015B47B3:0x701312FA.. features:.. - and:.. - or:.. - api: GetPrivateProfileInt.. - api: GetPrivateProfileString.. - api: GetPrivateProfileStruct.. - api: GetPrivateProfileSection.. - api: GetPrivateProfileSectionNames.. - optional:.. - string: /\.ini/i.. - api: GetFullPathName..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\read\read-virtual-disk.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	825
Entropy (8bit):	4.905140344245114
Encrypted:	false
SSDEEP:	12:mdmq9YlL/6FftKhPKOcA+Y2A1RN6Y2A1RNxBfSfI3N035OdCYIHn/zF8cDe:mMWYlT8KdcAX7PfYI3635OvIfecK
MD5:	4C0D79990A9427F192077B6F4528CD71
SHA1:	2726DA30AFA43CBDEC93B28A7963065E03C49265
SHA-256:	A53F16A698E9FE33659CAC659360C252ACC69EA359989E3092CFCE24A70594A7
SHA-512:	67311C765EF2CF37143CB4157DE187FDBA52F00B4B6A07DE6F5A5A9E75CD0D383F23F5C52764B36596F4FF28B0FF37A0C2AFF85961964487BA5E5C219CE4F567
Malicious:	false
Preview:	rule:.. meta:.. name: read virtual disk.. namespace: host-interaction/file-system/read.. author: "@_re_fox".. scope: function.. mbc:.. - File System::Read Virtual Disk [C0056].. references:.. - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/src.cpp.. - https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf.. examples:.. - 3265b2b0afc6d2ad0bdd55af8edb9b37:0x00410637.. features:.. - and:.. - api: OpenVirtualDisk.. - api: AttachVirtualDisk.. - api: GetVirtualDiskPhysicalPath.. - optional:.. - and:.. - number: 0xec984aec.. - number: 0x47e9a0f9.. - number: 0x41711f90.. - number: 0x5b34665a..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\windows-file-protection\bypass-windows-file-protection.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	563
Entropy (8bit):	4.721715660884215
Encrypted:	false
SSDEEP:	12:mdmkC4PwlLP5fFftKMcZ7VubnvLR7m99pKLxWI:mMSol93KMyUzLRK9m5
MD5:	5F91993BA97C3713D48FA7F5DD2E59D5
SHA1:	3A47D93AFFFCD004B167B70016383553F9E07A17
SHA-256:	1F11DF98549FE51AC20860E67AE0FDBA44F11B8E2FCF729F6E06ABB00D46DA21
SHA-512:	D9737D8AEB3CD6102ABFADD28380BE8759744C8C38E99F5E50FAF8BA72349CC8CDCB26BF78F36C4C01C90CD43E81664AA482FC771C8D589B491A8A68485BB34B
Malicious:	false
Preview:	rule:.. meta:.. name: bypass Windows File Protection.. namespace: host-interaction/file-system/windows-file-protection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007].. examples:.. - Practical Malware Analysis Lab 01-04.exe_:0x401174.. features:.. - and:.. - string: "sfc_os.dll".. description: System File Checker.. - number: 0x2 = SfcTerminateWatcherThread.. - match: link function at runtime..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\file-system\write\write-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	910
Entropy (8bit):	4.489092110459196
Encrypted:	false
SSDEEP:	24:mMSGHYlgE3KkzLRKXfIWI22/m4M/A/79/SS69/Sa9/1y:mMv4CEakzNKXhI22nMoBZ+qeE
MD5:	3B979988904B9841F379D8DFF0FDF73D
SHA1:	9705A7B0A1D6F2869F969187B3E318835D14F9AC
SHA-256:	D70BE55A80602EE5464E2208CA1F15462F8AD26D6B39F7773010AD5C0EA2C601
SHA-512:	220B4BD5AD3B69A218EBB81DF8FC32AE67730F5A566C4430A57799D57FDEA324D0A39BF26F119B9783DB649BF52458AE92FF27D160E7AC4A8E1DDE4ABE6BFA2A
Malicious:	false
Preview:	rule:.. meta:.. name: write file.. namespace: host-interaction/file-system/write.. author: william.ballenthin@fireeye.com.. scope: function.. mbc:.. - File System::Writes File [C0052].. examples:.. - Practical Malware Analysis Lab 01-04.exe_:0x4011FC.. # ntdll.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4.. features:.. - and:.. - optional:.. - or:.. - and:.. - number: 0x40000000 = GENERIC_WRITE.. - or:.. - api: kernel32.CreateFile.. - and:.. - number: 0x2 = FILE_WRITE_DATA.. - or:.. - api: NtCreateFile.. - api: ZwCreateFile.. - or:.. - api: kernel32.WriteFile.. - api: kernel32.WriteFileEx.. - api: NtWriteFile.. - api: ZwWriteFile.. - api: _fwrite.. - api: fwrite..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\filter\register-minifilter-driver.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.797543736618157
Encrypted:	false
SSDEEP:	12:mdmgCt5lLdu/PcA+YSDHfNvu2jDZkxTTWGX8d:mMgCPlBu3cAwj1u2jUTWGX8d
MD5:	48B021244FD3F65E8BA87DF876FB2A4B
SHA1:	278B4A793FF6AAD35730BE52390BB68FB4F02A14
SHA-256:	D0F54427432FC021C427CBFAF9D4EC04DF86BFC55C0411B2CF917357F0452203
SHA-512:	7FDCEA8D375E85A421021A103E25CCF18EFA9ACE46E75F37B0CD024D872D9E9AAACE9D867C1B985F1A18CF20DD702607373DA1233D23DB083C04CCF7A1A3A866
Malicious:	false
Preview:	rule:.. meta:.. name: register minifilter driver.. namespace: host-interaction/filter.. author: michael.hunhoff@fireeye.com.. scope: basic block.. references:.. - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts.. examples:.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4060C8.. features:.. - and:.. - api: FltRegisterFilter..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\filter\start-minifilter-driver.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	391
Entropy (8bit):	4.8070123546051455
Encrypted:	false
SSDEEP:	12:mdmWxt5lLdu/PcA+YSDHfNvu2jDZkxTW0:mM8PlBu3cAwj1u2jUW0
MD5:	6DE383F90F1A2CF16E2F2E77D789F658
SHA1:	18DF0730B35B6AB2D302598503D8362EF3603E9C
SHA-256:	A94AC8A6951316AB794241AB624DB27BE1AB0960CDC04FA8146C213E42B57587
SHA-512:	DF2315553A1F85893B5C8325CDFB437820D94B883ED9F3DAEFDC89AC2122034D0FAA2CD5308FDD3B5EB42D1C5E2AB7F53CEF8479C5E07C8794791267B9EA9093
Malicious:	false
Preview:	rule:.. meta:.. name: start minifilter driver.. namespace: host-interaction/filter.. author: michael.hunhoff@fireeye.com.. scope: basic block.. references:.. - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts.. examples:.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x406360.. features:.. - and:.. - api: FltStartFiltering..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\firewall\modify\access-firewall-settings-via-inetfwmgr.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.017452403134045
Encrypted:	false
SSDEEP:	12:mdmrQrOlL7agHCfFfy+rxXrvV8y5AQ0/QtMw4IlbvNUrTq:mMrrlagHCU+r1rv5fHdKC
MD5:	DFDEB6900BB1E19B59FCD7B43DD95D53
SHA1:	FD4093E9AC8D91F6B0F5F39ABC641101B923A073
SHA-256:	1E0CFC7D514BBAFB84A62041D64615D1464E8CED8A5249DDEC121BB42F9126EE
SHA-512:	54711DDEF4788595FA0686BC767FBC5D8FA0435F99BFE1CB467060EEB0A4209B12012C427B39D3A42A10B9E633A60D35E360AB6508BC989A1A50441A56C96A67
Malicious:	false
Preview:	rule:.. meta:.. name: access firewall settings via INetFwMgr.. namespace: host-interaction/firewall/modify.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::Software Discovery::Security Software Discovery [T1518.001].. - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004].. examples:.. - EB355BD63BDDCE02955792B4CD6539FB:0x10003927.. features:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 42 E9 4C 30 39 6E D8 40 94 3A B9 13 C4 0C 9C D4 = CLSID_NetFwMgr.. - bytes: F5 8A 89 F7 C4 CA 32 46 A2 EC DA 06 E5 11 1A F2 = IID_INetFwMgr..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\console\set-console-window-title.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	269
Entropy (8bit):	4.5076617322396935
Encrypted:	false
SSDEEP:	3:hAvl5lCIZ0vbcLBKso4IaGCDNgJLLDInnfCqClx2odN4FH/JowFFS0CsSSVzAWAJ:hAvlmWljlLqLKClES4FfJowKpmwBOy
MD5:	A7AFD50C3A6A8578AAF312B5EE235866
SHA1:	7DEF986CE73EFF2A885E9B03CB5445DE4EDAB71D
SHA-256:	5A7C01705EF892554475EADDF7139D6FA4530A8B4D488802252FAE80BB917E11
SHA-512:	F11C96A14EAEED10C9E224C01E67E853D45CA383BE3ACC3E2652D6E04E7C70347FD00D46DE47320C9AB5BD6958EAD64353909DCCCE337775D15E803CB99CA8AB
Malicious:	false
Preview:	rule:.. meta:.. name: set console window title.. namespace: host-interaction/gui/console.. author: michael.hunhoff@fireeye.com.. scope: function.. examples:.. - mimikatz.exe_:0x44570F.. features:.. - or:.. - api: kernel32.SetConsoleTitle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\enumerate-gui-resources.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	563
Entropy (8bit):	4.9022485914456535
Encrypted:	false
SSDEEP:	12:mdmAslL7FfypSJrMA5Q5U4bDuZN/5zmzeKK0j/Jv:mMflc8JrME0U4Usemh
MD5:	26D5D4B5B20E38DFBDBBBE186AC83307
SHA1:	C40DAB7FCFE3CD4DF5341814FF45588E9301B28A
SHA-256:	083C26CDFE50A57EAAC98D1E5CA70D45188E7D387EFA0067873B6313B9F169F3
SHA-512:	E5A89A48ECDA2C65D4294FD4C9E29CA7DD4E2F38FA6C9885CEDD254651EA17D62E42318D03E09E4C7A7E8FCF171F8E70BC3DAF0849ED2A06D91D97E9812F04D0
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate gui resources.. namespace: host-interaction/gui.. author: johnk3r.. scope: function.. att&ck:.. - Discovery::Application Window Discovery [T1010].. examples:.. - 5e6764534b3a1e4d3abacc4810b6985d:0x4011C0.. - a74ee8200aace7d19dee79871bbf2ed3:0x403750.. - 74fa32d2b277f583010b692a3f91b627:0x66BAEA67.. - 021f49678cd633dc8cf99c61b3af3dda:0x40E44A.. features:.. - or:.. - api: EnumResourceTypes.. - api: EnumWindowStations.. - api: EnumDesktops.. - api: EnumWindows..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\logon\references-logon-banner.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	397
Entropy (8bit):	4.755703262845422
Encrypted:	false
SSDEEP:	12:mdmHdWflLu+hiYed4gy/VV5zXnZoLFFFp:mMHdWflCMled8/7lybp
MD5:	236D35793FABEAAB4818241BC9A7B1FF
SHA1:	D4EDF39E0D32B2476E736E126E73336514F240DC
SHA-256:	B7790F69AA47D0C78844FE669023A2B45C05382CE262BCE396AEF113A9AF7813
SHA-512:	BA98D12E3DD9E7818C565B59064EEF30074F8C57C9FAB4B20D8EF4E778813F4DEC65B39BD966DC6934285D7A34A583AC7002109B767BED81F27019970577B25F
Malicious:	false
Preview:	rule:.. meta:.. name: references logon banner.. namespace: host-interaction/gui/logon.. author: "@_re_fox".. scope: basic block.. examples:.. - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC.. features:.. - and:.. - string: /\\Microsoft\\Windows\\CurrentVersion\\Policies\\System/.. - or:.. - string: /LegalNoticeCaption/.. - string: /LegalNoticeText/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\session\lock\lock-the-desktop.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.058382508359471
Encrypted:	false
SSDEEP:	6:hAvlmvXyglLqLzClES4FfyhjUbueSVow3pmfIhQgHU9dR/947qiov:mdmPyglLUfFfy+bMVLFCdY7fy
MD5:	D90E20A44687C600C63B27AB3A9CF3F7
SHA1:	5633F8795F2CB1EE48415661621F3B413FB77B1A
SHA-256:	B65539B2494C484598C7E412624147AD7D15C716CAC6B685156F3DC2DFEBF03F
SHA-512:	06846666C27D4F9356AC57EA62A5B691C6F5D29D78F9410A4F4904EDF6727FB0B00DA9CE32348EFD3BDD2D7B9446F4638CDD40CB4D2CC6FD3F0DC5A9E136AB09
Malicious:	false
Preview:	rule:.. meta:.. name: lock the desktop.. namespace: host-interaction/gui/session/lock.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Impact::Endpoint Denial of Service [T1499].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x100084D0.. features:.. - api: user32.LockWorkStation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\session\wallpaper\change-the-wallpaper.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	433
Entropy (8bit):	5.088842485044598
Encrypted:	false
SSDEEP:	6:hAvlmGQkrlLqLPq8BIyZlKU9CF2RhbTowlyAwHKcXC9GjY/Rv7ugmjIja:mdmG9rlL0hiwKUgIhX2AwnXIlYF
MD5:	0D533556EB528549B5B9E9BE3E941866
SHA1:	56B354B6AB9C6D0A3152B49D08A369531D0C0BC4
SHA-256:	77E1C945FDFBAE701F880F3A5E1B730A4606C552EBFB11CF770F551BA9E32C83
SHA-512:	97CC3D106F3228F186D988356D8182DCCE7D25F949086D0CEF949B6BBDC7AFF7A2DA320E330DC786EAA8A7DE785434CC6D9D25D228C58FE797EBF33DDA0C2C5E
Malicious:	false
Preview:	rule:.. meta:.. name: change the wallpaper.. namespace: host-interaction/gui/session.. author: "@_re_fox".. scope: basic block.. mbc:.. - Operating System::Wallpaper [C0035].. examples:.. - 5dd0b130d5c3d40c69e3972f39fd7d62:0x45AC6F.. features:.. - and:.. - api: SystemParametersInfo.. - number: 0x14 = SPI_SETDESKWALLPAPER.. - number: 0x3 = SPIF_SENDWININICHANGE \| SPIF_UPDATEINIFILE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\set-application-hook.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	343
Entropy (8bit):	4.599512082944445
Encrypted:	false
SSDEEP:	6:hAvlmWm14lLqLKZClES4FfJowdnvtChdoH9GjZVXwidBSPVn:mdmWk4lLTfFfJbnvYzrwi36
MD5:	2F712A374517F189E39FA82A871A54EB
SHA1:	22C23DC8CCC945AA6144CFB6651C7EFC18CACDD8
SHA-256:	8AE7756522135F2D2FC9025972752E1B7CEFEB62E62D841096A12BD1A5FC6113
SHA-512:	1DB5338340B9A0C0CA7C64054DB8F7B7EBEABF0C925D48D93B6A30E2D64B80F667BE7CAD403518FFA175B10C7E9856F9EB984CFAABB69F6CEA93ED2BAA3EA513
Malicious:	false
Preview:	rule:.. meta:.. name: set application hook.. namespace: host-interaction/gui.. author: michael.hunhoff@fireeye.com.. scope: function.. examples:.. - Practical Malware Analysis Lab 12-03.exe_:0x401000.. features:.. - and:.. - or:.. - api: user32.SetWindowsHookEx.. - api: user32.UnhookWindowsHookEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\taskbar\find\find-taskbar.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	369
Entropy (8bit):	4.914790081960733
Encrypted:	false
SSDEEP:	6:hAvlmulLqLXJ5dFfCS4FftKXWpoTnULowGGBdGeLJPX4kw:mdmulLSzddCfFftKXWpoTnA/jJPX4v
MD5:	AD1828DCA5A78D5E9359E9973E2C280C
SHA1:	EB68BAB3BB1205678FDC3F78CD87C8AA9BF9F75F
SHA-256:	436ED51DDF5B3E5C0468686096AEE2C929C99AE3D223F83E559581C4EFF60B4D
SHA-512:	D6994D726F3E50FFFAFA233C6A492D396CBEE978C2A2C64D1A6104170E9E79B9E769A158092D87A0D1D51E258880E39DABA4377C10BB733AE36282B2680B19FF
Malicious:	false
Preview:	rule:.. meta:.. name: find taskbar.. namespace: host-interaction/gui/taskbar/find.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Discovery::Taskbar Discovery [B0043].. examples:.. - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250.. features:.. - and:.. - string: "Shell_TrayWnd".. - match: find graphical window..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\taskbar\hide\hide-the-windows-taskbar.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	418
Entropy (8bit):	4.966153724649554
Encrypted:	false
SSDEEP:	6:hAvlmgOE2lLqLXJs2GTClES4FfyhuZMovwYnow3pmfIhQgHU9dJdGI8D:mdmgilLST+fFfyZ4FnLFCdPY
MD5:	8F6188743177789888DA3CF4335F6472
SHA1:	4A57E11A207B275B0B6D9B747DA54CC00A6901BE
SHA-256:	56F10E8F4AF178B4AECDFF82794B955A7DEEAC3AFC7C7D9F1EE7EF7DAA4C428B
SHA-512:	F12611D358AD9CD68AF4136ED061628FAF1A27FB91F7177CD53C574630A2E076497B966F8F8EA2C777EE6167360A38B99A0AC18A926CA64D12C534BEC66846B8
Malicious:	false
Preview:	rule:.. meta:.. name: hide the Windows taskbar.. namespace: host-interaction/gui/taskbar/hide.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Hide Artifacts [T1564].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250.. features:.. - and:.. - match: find taskbar.. - match: hide graphical window..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\window\find\find-graphical-window.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	383
Entropy (8bit):	4.896083804642657
Encrypted:	false
SSDEEP:	6:hAvlmBlLqLQodFfCS4FfyhfGnxVZjow8rSDnXu1XV6Fzb8J8L:mdmBlLTWdCfFfypSJmSDXwVuv8J8L
MD5:	C5666885A0DC8F55D9E3BE18A80EE4EF
SHA1:	D3E7609A647406FEA989967203B7BA698474833D
SHA-256:	8A0906C7A1CD0B5871EA019A1B8DF0C8A592182CCBF9C07B2ED9CCAA76F24072
SHA-512:	136D05FFD1EE60B209137B927454CD336CDBCCBBF048793BC388FA6C7431FF32A02EC04F3D263D7D5FB10F29EF84C3FFA41623C572FB4D6BD79C96DFFF15284D
Malicious:	false
Preview:	rule:.. meta:.. name: find graphical window.. namespace: host-interaction/gui/window/find.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::Application Window Discovery [T1010].. examples:.. - 7C843E75D4F02087B932FE280DF9C90C:0x41B180.. features:.. - or:.. - api: user32.FindWindow.. - api: user32.FindWindowEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\window\get-text\get-graphical-window-text.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	513
Entropy (8bit):	4.826630636293518
Encrypted:	false
SSDEEP:	12:mdmCUlLTvCfFftK65j/yNj/UIHIduJ/I5p:mMCUlnC3KcGj/UIo4J/IP
MD5:	B6F69F68317BEBF0F31472442B97E506
SHA1:	40D701C93D0C88945E9E3BD2B3B9E2D614D51DB0
SHA-256:	59FD3BBB6837F525E7D77C8F6787E8C7491B4D8AA5AFC66F6565F7B2260297A5
SHA-512:	623B3C451A0011EAE4556D4D2B82876CA9EFA9B18071873F4AADE3E571D001A3968596E851579C92348FAC29948E2E591805465E62D3B36558CF676BE5758F59
Malicious:	false
Preview:	rule:.. meta:.. name: get graphical window text.. namespace: host-interaction/gui/window/get-text.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Discovery::Application Window Discovery::Window Text [E1010.m01].. examples:.. - B7841B9D5DC1F511A93CC7576672EC0C:0x10007A50.. features:.. - and:.. - optional:.. - api: user32.IsWindowVisible.. - basic block:.. - and:.. - number: 0xD = WM_GETTEXT.. - api: user32.SendMessage..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\gui\window\hide\hide-graphical-window.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	432
Entropy (8bit):	5.090318227396513
Encrypted:	false
SSDEEP:	6:hAvlmi8ElLqLQtTClESgyZqhuZMovwO+FUtCow3pmfIhQgHU9dJdG5AF3m5Sy:mdmizlLTJ/hZ4ABLFCdb3m5L
MD5:	92CA9EDE7E6E5D4941F39016D2E305EC
SHA1:	C6428A61D6D6AD8424805B4B6AE632CF33EFB96F
SHA-256:	580A3D4457F3F4030A9A13F95FFE359C59C5335BD3362F37E8D1F5AA4EFC63A2
SHA-512:	80EAA6E1625FFA52051ADD521FC9AC1F186F1043F20EE3D42E12CDCEBFAEF609E76601E6FD13D1EB4B9B118E51171EAB82C2F00826C513FEB3D5D6C4C8481CA5
Malicious:	false
Preview:	rule:.. meta:.. name: hide graphical window.. namespace: host-interaction/gui/window/hide.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250.. features:.. - and:.. - number: 0x0 = SW_HIDE.. - api: user32.ShowWindow..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\cdrom\manipulate-cd-rom-drive.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	488
Entropy (8bit):	4.9385467859303
Encrypted:	false
SSDEEP:	12:mdmdHGglLOHLfFftKuBt+jLFCdi7p0c0p0cA:mMd1lyHL3KOt+jL4iicbcA
MD5:	C4568443C1816D9086BED37CBD0D17FF
SHA1:	3418DFF4DB5EE946E1C1697F604CE639DA1AB4BE
SHA-256:	FCAF0B7776F743D06CE220E79156EA31783B93D78BDCB6F6CFAB3EBB8586CD45
SHA-512:	9A2B1DB976CD3D015B40C4011E37C4F06A50AF53773C5B757DFBC87CFEEDA1BA097CA78CBD9320A7D9F9C3F704945304FEFCB77F375413BDBF3C77EE85A629F1
Malicious:	false
Preview:	rule:.. meta:.. name: manipulate CD-ROM drive.. namespace: host-interaction/hardware/cdrom.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Impact::Modify Hardware::CDROM [B0042.001].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250.. features:.. - and:.. - api: winmm.mciSendString.. - or:.. - string: "set cdaudio door closed wait".. - string: "set cdaudio door open"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\cpu\get-cpu-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	433
Entropy (8bit):	4.910616566680328
Encrypted:	false
SSDEEP:	12:mdmCwzcfwlLOgCfFfyINoo/BkVvyF/SBf59KGW1:mMC+lygCUEoo/B0vW/M5981
MD5:	F3D17F51018B0496434039F9A06BA3A0
SHA1:	017A2B7B4D2B941E326F23F6B63F506640AB28F9
SHA-256:	C41514F36C66F9D16B6612155451DAEFE9C4AD2BCA141406EEAC88C2B8166B3F
SHA-512:	3BD78996D07911A9924D73D8C85EB81E7B329FE4C82CC257736F6E69B2CE4B506259622776648D132718F448C05A8DD0E8840165FF3C6C4FB6FD4EE8109717D8
Malicious:	false
Preview:	rule:.. meta:.. name: get CPU information.. namespace: host-interaction/hardware/cpu.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A.. features:.. - and:.. - match: query or enumerate registry value.. - string: /Hardware\\Description\\System\\CentralProcessor/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\cpu\get-number-of-processor-cores.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	517
Entropy (8bit):	4.98913228659056
Encrypted:	false
SSDEEP:	12:mdmCmmd6lLOCfFfyINoo/ocA+Y2QM5EIW7Gw9hxiL9UqSu+:mMCmm4lyCUEoo/ocA52ExCCiuqF+
MD5:	DBFC427E2306FE74D287B2488F5E51D8
SHA1:	E502C1E0F54AC2F7FFE3774A83F42E64C1B0D142
SHA-256:	3DF46C690F8722CF8C1ECDAF23E6BF1C2EF20D466FBFE0026EA2B5B634FD4543
SHA-512:	CF11D9B2D9D6CB7BA65A1F8059119389DE9D54C9CB49F2B7E65455EAD6C2168D46B7315367995D15C3D5097C91A19DCB36CC62AA4E637A953DB40B3ABD47C374
Malicious:	false
Preview:	rule:.. meta:.. name: get number of processor cores.. namespace: host-interaction/hardware/cpu.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L207.. examples:.. - al-khaser_x86.exe_:0x435BA0.. features:.. - and:.. - string: /SELECT\s+\*\s+FROM\s+Win32_Processor/.. - string: "NumberOfCores"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\cpu\get-number-of-processors.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	519
Entropy (8bit):	4.7735100220807976
Encrypted:	false
SSDEEP:	12:mdmCmXClLOCfFfyINoo/ocA+Y2QM5EIW7GOhxiNNZ:mMCmSlyCUEoo/ocA52ExCO2P
MD5:	06E7A6A6D31964D23DFB7A0CFFDF9A7E
SHA1:	27814B6317A373D75710D5DCE594A0D92A2FEA47
SHA-256:	BF516E93810AE6B0659FBAD5301C179B80F658B8E466FC5999CF40D7FBF1397D
SHA-512:	8B921B0DEEF3C6D4CAEEADD31184F201163CCA925E7F1BC9061ED87E173D88ECEB0AA8F67EC0F13577F7EBAFC71E310BB4C80B2181981938BB639620F812D08C
Malicious:	false
Preview:	rule:.. meta:.. name: get number of processors.. namespace: host-interaction/hardware/cpu.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L113.. examples:.. - al-khaser_x86.exe_:0x432CB0.. features:.. - and:.. - match: PEB access.. - or:.. - number/x32: 0x64.. - number/x64: 0xB8..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\keyboard\layout\get-keyboard-layout.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	581
Entropy (8bit):	4.924201845700993
Encrypted:	false
SSDEEP:	12:mdmCK6lLObULfFfyINoo/BBQle+Qi7aTugaIHT:mMCNlygUEoo/BBGe5waCgaIz
MD5:	DAD40F9CB667C463ADA462AFE0D52B60
SHA1:	45D942B9399B9B4DCF151744BFAD7144A37310C9
SHA-256:	F69C2C5987396820194F3CD82EE09ABC078B900578D6D7607EF3D72E217C637A
SHA-512:	B7F9FC06DF2006EB726943D73E10B565F3E8777B15B0EE42C0D79E53FAF60D0A925741A0378129F8C2239A91C96AAEF229A9D09980148870E7E14E75E435781D
Malicious:	false
Preview:	rule:.. meta:.. name: get keyboard layout.. namespace: host-interaction/hardware/keyboard/layout.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 6F99A2C8944CB02FF28C6F9CED59B161:0x4193C0.. - C91887D861D9BD4A5872249B641BC9F9:0x4015FD.. features:.. - and:.. - or:.. - api: user32.GetKeyboardLayoutList.. - api: user32.GetKeyboardLayout.. - api: user32.GetKeyboardLayoutName.. - optional:.. - api: kernel32.GetLocaleInfo..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\keyboard\simulate-ctrl-alt-del.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	759
Entropy (8bit):	4.665420405873743
Encrypted:	false
SSDEEP:	12:mdmWJq4lLOjhQFftKPB5L0jNV0UHIHwD0NS05Q0+VFJu3/rF8ly:mM8q4lyN6K590j3hHIQDU7B+TJwaly
MD5:	D62326A42DD73C0BA6E66461B76045B5
SHA1:	89838A46B58A7A8BE25936F6DF16B53C4755FBA5
SHA-256:	4EA1576A89126EECC2BDC33F1306E6D9A5FFEC6709BBD4EFCAF95588F3521015
SHA-512:	E5D3C256A7C4538D15F08097C9733A4F7E27D4699EE0FB1F460908D13A77A81A67AE15CC6E3E3116413241681DD181FFFF3BDBDB2532E5DFBDA25414CFB87F7A
Malicious:	false
Preview:	rule:.. meta:.. name: simulate CTRL ALT DEL.. namespace: host-interaction/hardware/keyboard.. author:.. - michael.hunhoff@fireeye.com.. - johnk3r.. scope: function.. mbc:.. - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001].. examples:.. - b766cc43d649d30e9f27aff8f7ee7de0:0x406153.. features:.. - and:.. - optional:.. - basic block:.. - and:.. - or:.. - api: OpenDesktop.. - api: OpenInputDesktop.. - string: "Winlogon".. - basic block:.. - and:.. - api: PostMessage.. - number: 0x2E0003 = (MOD_ALT \| MOD_CONTROL \| VK_DELETE).. - number: 0x312 = WM_HOTKEY.. - number: 0xFFFF = HWND_BROADCAST..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\memory\get-memory-capacity.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	452
Entropy (8bit):	4.90379128749189
Encrypted:	false
SSDEEP:	6:hAvlmC+cFZEGQbFwlLqLB6CFF3CS4FfyhCMKnNox6FFBowUH9XWNLhQBGJ4GYILO:mdmCXuGlLO6cCfFfyINoo/BAGP9PYaO
MD5:	8A774FBA23BB8E5CB0021E233D7BF05F
SHA1:	6D873388468A01FD8AAA1425DC878D681EA95CF7
SHA-256:	43290F3B56FB5F72AEF92043A658B2855C6DD2CC4DC550E5A643F6A1B3D6FE6A
SHA-512:	15CF84E83A1DC8FE9F19939A712DC58FC04DD933383E1EEA8F14B3531D2B06FB717F44F9D478BB8B11D75A657B245E6B15394E21E0511917F239D95A9A95F2FD
Malicious:	false
Preview:	rule:.. meta:.. name: get memory capacity.. namespace: host-interaction/hardware/memory.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0.. features:.. - or:.. - api: kernel32.GlobalMemoryStatus.. - api: kernel32.GlobalMemoryStatusEx.. # TODO kernel32.GetSystemInfo with offset..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\mouse\swap-mouse-buttons.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	344
Entropy (8bit):	4.849825596128259
Encrypted:	false
SSDEEP:	6:hAvlmWfIKQSgv4lLqLBgSNFCS4FftKSXBt2Dl+nV7owGGBdbDQgy:mdmWgd4lLOgmFCfFftKuBtbV7/jDQgy
MD5:	4F154EA5F5BAB7B83BDC13F3C5AC9AA1
SHA1:	E9F2B8FB30B5217783366973098560CD2B98DAC5
SHA-256:	B2C866F54384CE229CCF056DA8441F098328559D1DD73EA0D1C5A0C1EE50C9E3
SHA-512:	100C1BB8BDB90DE70AFBB53259F968A47467215607C3287F737069186FF21924272D42C6D326AC1B3F9BF2D5A9C75635B3F367ED05AAA876DA62E66F090959FC
Malicious:	false
Preview:	rule:.. meta:.. name: swap mouse buttons.. namespace: host-interaction/hardware/mouse.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Impact::Modify Hardware::Mouse [B0042.002].. examples:.. - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250.. features:.. - or:.. - api: user32.SwapMouseButton..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\storage\enumerate-disk-properties.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	781
Entropy (8bit):	4.9373496570660995
Encrypted:	false
SSDEEP:	12:mdmnlLOJDfFfyINoo/ocA+Y2QM5EIW7GbLhxi/W9g96v/bdZIHj38:mMnlytUEoo/ocA52ExCbLAaxZIQ
MD5:	F20667E687C10AC1E1A0382B980F3B15
SHA1:	938CA16085A7C6056B9EC982CB7CC6391A43FA82
SHA-256:	D6C2BA1EB0B383A4ADC1B5C7A9A1880BD5CA6A8FA4F55C510E19217647240C17
SHA-512:	7BA1D15B6E06FF8A525259852197F77225408C6539B991034529534E7B47EECF0BCF4F8097179BBA25E3C625664A13E6A3DA58D523C0176A3706F4DE1B973DAC
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate disk properties.. namespace: host-interaction/hardware/storage.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L518.. examples:.. - al-khaser_x86.exe_:0x4369B0.. features:.. - and:.. - basic block:.. - and:.. - api: SetupAPI.SetupDiGetClassDevs.. - bytes: 67 E9 36 4D 25 E3 CE 11 BF C1 08 00 2B E1 03 18 = GUID_DEVCLASS_DISKDRIVE.. - api: SetupAPI.SetupDiEnumDeviceInfo.. - api: SetupAPI.SetupDiGetDeviceRegistryProperty.. - optional:.. - api: SetupAPI.SetupDiDestroyDeviceInfoList..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\storage\get-disk-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.979750487016321
Encrypted:	false
SSDEEP:	12:mdmCo7ucfwlLOJFCfFfyINoo/BAGP2S54gAkJQJcfyjAENWJkFT:mMCoalybCUEoo/BAbkLAk2djAENWY
MD5:	C19DE11F85BFDB711E161E4B70550648
SHA1:	B5242698D40E09C806DBF7AF9826E84DC63609EF
SHA-256:	4DD765AB1E0B6BAC62A0A895FDF31FCAC3A14D07B4E2D1FBF1B1041D4F48BD24
SHA-512:	4DE0D0C1B17FA38C7AA4E0BD843CB8934E6A8006C051A74DAEC2BBEEA26EB1CAEDF356F04E502ED8BB9B58D11537F2BACAD70474F63E21066E66DF857D1E0E59
Malicious:	false
Preview:	rule:.. meta:.. name: get disk information.. namespace: host-interaction/hardware/storage.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0.. - 972B219F18379907A045431303F4DA7D:0x41064E.. features:.. - or:.. - api: kernel32.GetDriveType.. - api: kernel32.GetLogicalDrives.. - api: kernel32.GetVolumeInformation.. - api: kernel32.GetVolumeNameForVolumeMountPoint.. - api: kernel32.GetVolumePathNamesForVolumeName.. - api: kernel32.GetLogicalDriveStrings.. - api: kernel32.QueryDosDevice..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\hardware\storage\get-disk-size.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	945
Entropy (8bit):	5.126988786579597
Encrypted:	false
SSDEEP:	24:mMCovlytUEoo/ocA52ExC9n/ae/QWgsNmkymV:mMtvyUUgc3ExC9n/ae/CXk/V
MD5:	999096B3D56CDBA8EA2DADCE75BA4B8F
SHA1:	52B880A6A5F127317D8FED90EA0CC65B652D2188
SHA-256:	E820A32CE2E68E88517DEBA00FA1608067AABAAF321E130F632F2A70E1A761A9
SHA-512:	D7FD54C35A0BD96BCAF9EA6577F5B4FAD6B5CE2EFE4580544E41F7681B46D9EF9CAF7411F5EBA0087334F7A629D2DC8EEEFED4FF542946FB727ADB0AC4BCEE99
Malicious:	false
Preview:	rule:.. meta:.. name: get disk size.. namespace: host-interaction/hardware/storage.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L347.. examples:.. - al-khaser_x86.exe_:0x4343D0.. - al-khaser_x86.exe_:0x434010.. features:.. - or:.. - api: kernel32.GetDiskFreeSpace.. - api: kernel32.GetDiskFreeSpaceEx.. - basic block:.. - and:.. - api: DeviceIoControl.. - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO.. - and:.. - or:.. - string: /SELECT\s+\\s+FROM\s+Win32_LogicalDisk/i.. - string: /SELECT\s+\\s+FROM\s+Win32_DiskDrive\s+WHERE\s+$SerialNumber\s+IS\s+NOT\s+NULL$\s+AND\s+$MediaType\s+LIKE\s+\'Fixed\s+hard\s+disk\%\'$/i.. - string: "Size"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\log\debug\write-event\print-debug-messages.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.832439764128699
Encrypted:	false
SSDEEP:	6:hAvlmEjoFZlLqLo9uOHhClES4FfJowX6pDc78QoH96kVe7Zl:mdmVHlLt3xfFfJp6tc782D
MD5:	DF49CD54A715B45D2830CC22D6D57CBA
SHA1:	AC90D3232D50B5B82194FE7BCF49C71E719F9A6C
SHA-256:	7D9FD26189E4AAA1190E12FB7FD2E3D7248B4CD58DCD18E52706E51F656CB757
SHA-512:	E8477EFEB7950BA37089F65807B5B0A0C941413B18F14D981D94E31A4748B104611DA521DDCA8CB6C53AF0B9CB0C4A822C22E0755A14697185E40B2DC52A9A7F
Malicious:	false
Preview:	rule:.. meta:.. name: print debug messages.. namespace: host-interaction/log/debug/write-event.. author: michael.hunhoff@fireeye.com.. scope: function.. examples:.. - 493167E85E45363D09495D0841C30648:0x401000.. features:.. - or:.. - api: ntoskrnl.DbgPrint.. - api: kernel32.OutputDebugString..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\log\winevt\access\access-the-windows-event-log.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	432
Entropy (8bit):	4.638983591352286
Encrypted:	false
SSDEEP:	6:hAvlmEgeilLqLcAaCS4FftKeVan0+QTNjowK389Ez0rZFD/n:mdmreilL5CfFftKXHCNjc3dz09t/n
MD5:	71D0171F936782F8E817E4E5C60B37C9
SHA1:	8E869FF7AEF4696CAE5542F43E23F1036DFDCE7E
SHA-256:	14F6236F09102C2B8C6DB953D29A5066BFFEA4DEEA1B9C4752BA8E307E620BC7
SHA-512:	B45A00D78B2ADBC93D14298C09D0D2617B7775BA0DA975059204BA0C8218061660E11527E0F477793503CC1A55DC8E478D38C2244712DEFC5FACF25511EE536C
Malicious:	false
Preview:	rule:.. meta:.. name: access the Windows event log.. namespace: host-interaction/log/winevt/access.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Discovery::File and Directory Discovery::Log File [E1083.m01].. examples:.. - mimikatz.exe_:0x45228B.. features:.. - or:.. - api: OpenEventLog.. - api: ClearEventLog.. - api: OpenBackupEventLog.. - api: ReportEvent..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\mutex\check-mutex-and-exit.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	672
Entropy (8bit):	4.667159749230789
Encrypted:	false
SSDEEP:	12:mdmGPkPAIlL5XM6QaCfFftKY6fORh6fDEXv5oJPgXzBHuoL98C2sGri:mMcGAIllXM6QaC3KY6f+h6fDE/5K4XzZ
MD5:	E4139573D240FE091465C573550DE22C
SHA1:	9D50DDDABF681C6DB22188203FF1C03386A576AF
SHA-256:	C4150D7D6B6C77A8E8842C07EAFA81081130D0D48677E28CE0696CE994A8ECD6
SHA-512:	EB2D0D9B7ACED98A959E342CAE4B1278161793CF4C661DA717BAD97E9FBFFD0196CC67B485135D884D534CF309A6846849284DCE0D87671712A91D21143794B8
Malicious:	false
Preview:	rule:.. meta:.. name: check mutex and exit.. namespace: host-interaction/mutex.. author:.. - "@_re_fox".. - moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Process::Check Mutex [C0043].. - Process::Terminate Process [C0018].. examples:.. - 1d8fd13c890060464019c0f07b928b1a:0x402eb0.. features:.. - and:.. - match: create mutex.. - api: ExitProcess.. - or:.. - api: WaitForSingleObject.. - and:.. - api: GetLastError.. - or:.. - number: 2 = ERROR_FILE_NOT_FOUND.. - number: 0xB7 = ERROR_ALREADY_EXISTS.. - number: 5 = ERROR_ACCESS_DENIED..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\mutex\check-mutex.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	539
Entropy (8bit):	4.643220663187716
Encrypted:	false
SSDEEP:	12:mdmGPUXwlL5X3n/wKY6fORabnvLR4URAUgXwIHpwoLN8Cv:mMcUXwllX3n4KY6f+azLRhAlXwIJLN8s
MD5:	EB45441BB4C436A4E06CC26BBD69F84B
SHA1:	62AF102D6817840736A744E3D931D60101A1E44E
SHA-256:	47EC5E2C49E6B38BA94222524362D0135CBE924497B791D6355F5FF24C93B6AA
SHA-512:	D77701B42F7D2045659AF0A4BEE53697B04AA51F074010AEAB90E7B7D4992DD5883DBA5894B0751CDCD0EB99C782D0D3AB92FD40C6E56EE3F9456605B08FAC47
Malicious:	false
Preview:	rule:.. meta:.. name: check mutex.. namespace: host-interaction/mutex.. author: moritz.raabem@fireeye.com.. scope: basic block.. mbc:.. - Process::Check Mutex [C0043].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - and:.. - or:.. - api: kernel32.OpenMutex.. - match: create mutex.. - optional:.. - or:.. - api: kernel32.GetLastError.. - number: 2 = ERROR_FILE_NOT_FOUND.. - number: 0xB7 = ERROR_ALREADY_EXISTS..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\mutex\create-mutex.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.532896147105091
Encrypted:	false
SSDEEP:	6:hAvlmG3gXwlLqL2X3CS4FftK5G6fWIqRl5owdnvLR4URdBKRguKRj:mdmG3gXwlL5X3CfFftKY6fWIqRTbnvLl
MD5:	A418A947BA693A4E31E3D6071E8B6013
SHA1:	13040122E035EAC3DC7C59E251C0A6CB2C7A78A9
SHA-256:	45AD1989B08DBE1341912EA7C39C46423C517E4C603BEC685D71EB9B4D946DD9
SHA-512:	00B9DA41574F34175A760E8F1DD936B120B517E3B858EF055FF1E2639C8C76C9A04E6EA3D25F533AFA352A196BF6A4256ECA7635D351C9FCF13493C2DCD69D69
Malicious:	false
Preview:	rule:.. meta:.. name: create mutex.. namespace: host-interaction/mutex.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Process::Create Mutex [C0042].. examples:.. - Practical Malware Analysis Lab 01-01.dll_:0x10001010.. features:.. - or:.. - api: kernel32.CreateMutex.. - api: kernel32.CreateMutexEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\address\get-local-ipv4-addresses.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	728
Entropy (8bit):	4.763836342443839
Encrypted:	false
SSDEEP:	12:mdmCrslLnRtCfFfyHeRod5bnvLdXqK4jdAAjbPeR4IHkolgl8UVy:mMC4lVtCUH2od5zLEK4RAqbmR4IDea
MD5:	92380744A436C27BDB944C00658AEF04
SHA1:	1FF8D55C20F1246CAACD564184D30EC4B09D934B
SHA-256:	FAAC864965B195BF891C6461168A2028ECED17D85908A921C78D0F2A5DE995B5
SHA-512:	B3EB1251D3ED24ADC239F008D69A9F6E78FC123BCFAD31C367D7FD6DD65562636D7139B173B49AA0619784B7E20B15A66FD360F452496AD98C336A32F38CF608
Malicious:	false
Preview:	rule:.. meta:.. name: get local IPv4 addresses.. namespace: host-interaction/network/address.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. examples:.. - Practical Malware Analysis Lab 05-01.dll_:0x100037e6.. - 4C0553285D724DCAF5909924B4E3E90A:0x402010.. features:.. - or:.. - and:.. - api: GetAdaptersInfo.. - offset: 0x1B0 = IP_ADAPTER_INFO.IpAddressList.IpAddress.. # loop feature?.. - and:.. - api: GetAdaptersAddresses.. - optional:.. - or:.. - number: 0 = AF_UNSPEC.. - number: 2 = AF_INET.. - number: 23 = AF_INET6..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\connectivity\check-internet-connectivity-via-wininet.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	744
Entropy (8bit):	4.5593061237352615
Encrypted:	false
SSDEEP:	12:mdmGjcBlLnac9huEGh/hHeRao8jsNTxCkkwjmKQFV/EYIHGK/af3:mMocBl2c9huEOJH2ao8jmFCg9QrImKi/
MD5:	24C7DE30AE2263172B3B32B1CB3470D0
SHA1:	2FC8D3A0C726F2484F951306669D0BBEDD6C3C60
SHA-256:	5A0354A263CB9A20E0BCD500F6CEE70F8437E6A71E9D1B680D5E4D4D8C450817
SHA-512:	9967FCC76B7C367746E9E94C5B6EB7D54139ED997D66B0DBCC8C9DCA6B690A9942C452BEEC8D100277AB755B91B607FB5409A521AE06F08A4C569BD027495311
Malicious:	false
Preview:	rule:.. meta:.. name: check Internet connectivity via WinINet.. namespace: host-interaction/network/connectivity.. author:.. - matthew.williams@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001].. examples:.. - 648FC498110B11B4313A47A776E6BA40:0x6633F0.. features:.. - or:.. - and:.. - or:.. - api: wininet.InternetGetConnectedState.. - api: wininet.InternetCheckConnection.. - optional:.. - mnemonic: cmp.. - or:.. - number: 0 = FALSE.. - number: 1 = TRUE.. - api: wininet.InternetAttemptConnect..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\dns\resolve\resolve-dns.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	566
Entropy (8bit):	4.777241110782698
Encrypted:	false
SSDEEP:	12:mdmV/YlLnVTNYQFftK9hzmjsBG16VTZNyKt:mMVgl7Y6K9sj5AZZNyKt
MD5:	8EF22A037C97B573A0C408D49CB35C4E
SHA1:	E739F9B23C62DF271CD1648674BB5A4143F099CB
SHA-256:	F42DDAE6EB6A57E4A614C196E193EB2600B572770B25C3242CA4C3D41E021A9B
SHA-512:	83AD5B1640AC355806E3A83683F9E6561C628884494751BD9EA94A246970DC1FFAED9485D3784D35DD772D9475039097792775B185CEC9D4691993F4F6CEEDCB
Malicious:	false
Preview:	rule:.. meta:.. name: resolve DNS.. namespace: host-interaction/network/dns/resolve.. author:.. - william.ballenthin@fireeye.com.. - johnk3r.. scope: function.. mbc:.. - Communication::DNS Communication::Resolve [C0011.001].. examples:.. - 17264e3126a97c319a6a0c61e6da951e:0x5FDC25D0.. features:.. - or:.. - api: ws2_32.gethostbyname.. - api: DnsQuery_A.. - api: DnsQuery_W.. - api: DnsQuery_UTF8.. - api: DnsQueryEx.. - api: getaddrinfo.. - api: GetAddrInfo.. - api: GetAddrInfoEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\domain\enumerate-domain-computers-via-ldap.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1048
Entropy (8bit):	4.9557971434450625
Encrypted:	false
SSDEEP:	24:mMclzXhTHVUdoqH2OJgcAwjtFHYXv/ETw8Wjqyp3BWNcJcANcevv:mMcZvUdtZucTUnETqV3BWNNANNvv
MD5:	3EB0C3B4F1352909BDCAC184E5AAC4E6
SHA1:	F8DAB98648B8C66BCEA240CB1FE63A37F50BA172
SHA-256:	4F8514D98D194B32E194386EC6FEAFC7F493598730BE7E1043B96667C61120B0
SHA-512:	2880D098F385B6F2BD4619F2F56F62D8836528342C4DAE3E1B12C09BA6ADCE7F65ABFDD802842925910CF0C77249E173E24B16193CEE5436097A483FD99AA136
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate domain computers via LDAP.. namespace: host-interaction/network/domain.. author: awillia2@cisco.com.. description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to... scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/adshlp/nf-adshlp-adsopenobject.. - https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html.. - https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/.. examples:.. - 1e2791877da02d49998dea79515a89ca:0x6CD41FF8.. - 3808f21e56dede99bc914d90aeabe47a:0x140007144.. features:.. - and:.. - or:.. - api: activeds.ADsOpenObject.. - api: activeds.#9.. - string: /LDAP:\/\//.. - or:.. - string: /$objectClass=computer$/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\domain\get-domain-controller-name.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.7543961123783
Encrypted:	false
SSDEEP:	24:mMC0N4lzXziWndoqH2OJgcAwjt5jtSR34vPETejPYIJS:mMF6ZFndtZucT3s+HETmYIo
MD5:	7B6BCD18DA9F7C2CBC3397A0E7411346
SHA1:	C8F5C7EAA1D467CB26E9A751961C949C62BD8DD9
SHA-256:	1AF694E779C67101B7CA57BE85BB5DD89F2FE1AAC8CCB97967C43D87CF12C7CD
SHA-512:	09CAD575027175FA3326D66BD01F40DDCF95BB25247B991EC3347737A81480B76E3310D64A64DE1BEF281A6A0289C5456D27ECDF63B094AAD3B99B6CC6C0569A
Malicious:	false
Preview:	rule:.. meta:.. name: get domain controller name.. namespace: host-interaction/network/domain.. author: awillia2@cisco.com.. description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to... scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netgetdcname.. - https://docs.microsoft.com/en-us/windows/win32/api/dsgetdc/nf-dsgetdc-dsgetdcnamea.. - https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/.. examples:.. - 3808f21e56dede99bc914d90aeabe47a:0x140007144.. features:.. - and:.. - or:.. - api: NetGetDCName.. - api: DsGetDcName.. - optional:.. - api: NetApiBufferFree..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\domain\get-domain-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	511
Entropy (8bit):	4.874820346632649
Encrypted:	false
SSDEEP:	12:mdmCp3acfwlLnDDXnOkHYbJdPVGdolFfyHeRod5YDOUUyhjcv:mMC0lzXZHYbJGdoqH2od5YCUUyhC
MD5:	A1056397139AE9B550FF7B13D58598D5
SHA1:	153CD2E0D25DDB919CD97DBB6A126418FB154CE6
SHA-256:	886C10FF77EB080827B562970ABE605B2483EB7AA71DF3D86022B111EC151DFC
SHA-512:	CAB18EBEA71F772C3A8B5AA5B31F889A0DE339C6656A85F6F90817DE19D5D2B15B6A46CB4AAAA3E85C8F841DC465F823CC10B9AE47FD454E0E9346DB5956ED20
Malicious:	false
Preview:	rule:.. meta:.. name: get domain information.. namespace: host-interaction/network/domain.. author: awillia2@cisco.com.. description: Looks for imported Windows APIs being called to collect information about the Windows domain that a computer is connected to... scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. examples:.. - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C184.. features:.. - api: netapi32.DsRoleGetPrimaryDomainInformation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\interface\get-networking-interfaces.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	408
Entropy (8bit):	4.885109763127577
Encrypted:	false
SSDEEP:	6:hAvlmCIKao4lLqLPSjmZCS4FfyhdOJzNoxVJ5owGGnoH9qa5fyta5ZL3:mdmCklLnyZCfFfyHeRod5/noHJPZ
MD5:	164893CB43044799B3D884633644613F
SHA1:	EF755CD9B7648A001122A4F99343A5C1A047CDDC
SHA-256:	B4536E00F1F4DAE7A2EC5744081199A5517A18EFF7DA90D9B38E0EF28DEE7C77
SHA-512:	A83C88B9D339F3F43650A7DBC984021BD290389CDC04108F6D76036D10AC26184E2D20D59BDAF55C2FCD743BBC65FC5142DA5C20219209E3910D3F9F148C045C
Malicious:	false
Preview:	rule:.. meta:.. name: get networking interfaces.. namespace: host-interaction/network/interface.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. examples:.. - B7841B9D5DC1F511A93CC7576672EC0C:0x1000EBF0.. features:.. - or:.. - api: iphlpapi.GetIfTable.. - api: iphlpapi.GetAdaptersInfo..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\traffic\copy\copy-network-traffic.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	364
Entropy (8bit):	4.886856219260393
Encrypted:	false
SSDEEP:	6:hAvlmGaz1awlLqLPS1qMSJClES4FfyhJPXSmUoljowX6pDc78odkzG7kIWWDImWb:mdmGaz1hlLn1qPfFfyvNUohp6tc78ok3
MD5:	9526903DCD8B28C7478D109AF3CD965D
SHA1:	21C22B5E775EE23C6F4DE2CE289EB5AE67EC53F7
SHA-256:	C3B46D0C86E32F40F281028018CCA842D0546E6DAC5A60061D8765522A6BDA5D
SHA-512:	0D63B756C5CD0B5C6F8090D48DD1C17FF67E2CCE6DD4DEAEB9C7BDAD359C8CA111DD40F0AC956B22C899E58EB58C4D84E7BC30167FB9E46666667B5C92574FC7
Malicious:	false
Preview:	rule:.. meta:.. name: copy network traffic.. namespace: host-interaction/network/traffic/copy.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Network Sniffing [T1040].. examples:.. - 493167E85E45363D09495D0841C30648:0x404780.. features:.. - and:.. - api: fwpkclnt.FwpsCopyStreamDataToBuffer0..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\network\traffic\filter\register-network-filter-via-wfp-api.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.916807110582446
Encrypted:	false
SSDEEP:	12:mdmgGUhElLn1qMfFfygVb2q1p6tc78Qv9IT:mMgGUulYMUG2Wp6tfbT
MD5:	EFFD7C394B00B4B82D501D802495BCD7
SHA1:	111FB393F1EE56689E91AC9B499C491878216A4D
SHA-256:	E7C00C6D26F41C1FC42CB0FF26E673D656F63F1127B57D1A7F8A58A76C074899
SHA-512:	1468ADFFAED65791601A537D9CE6150F01C6D5FFDF91F1FBE4C65629F094BF68C2D09DCC08691D1B3C16B369A12EAB381055A65770DD3FCAF9313A112140BE0F
Malicious:	false
Preview:	rule:.. meta:.. name: register network filter via WFP API.. namespace: host-interaction/network/traffic/filter.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002].. examples:.. - 493167E85E45363D09495D0841C30648:0x404220.. features:.. - and:.. - api: fwpkclnt.FwpmFilterAdd0..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\os\hostname\get-hostname.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.824044249738948
Encrypted:	false
SSDEEP:	6:hAvlmC2N4lLqLnN/CS4FfyhCMKnNox6FFBowUH9XWNLhQBgAomgAgqvXH+REJvNv:mdmCJlLACfFfyINoo/BAGPEoSgqvXeo
MD5:	49247780A46B231BDB3874F5BD54C069
SHA1:	F0925D20C17E267E9013F9805414239513F956AF
SHA-256:	93DEAC41E82BC8619734D88C1B9F46012033A065EAF2CDD3E6F88B8E6E093A8D
SHA-512:	6462AADB2D1E50B4993E453E2E3CCFA235F29559459241BD49BD5734DF946A8249E4AD402EC973D39549F0FCD88AB2745A225B189C96B620F5E3E7256CA7F898
Malicious:	false
Preview:	rule:.. meta:.. name: get hostname.. namespace: host-interaction/os/hostname.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0.. features:.. - or:.. - api: kernel32.GetComputerName.. - api: kernel32.GetComputerNameEx.. - api: GetComputerObjectName.. - api: ws2_32.gethostname..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\os\info\get-system-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	635
Entropy (8bit):	4.952921631817265
Encrypted:	false
SSDEEP:	12:mdmCBzcfwlLVPfCfFfyINoo/BMkbsyHPi8P8HtucfEHtupYAucfZHtucfZHtuZ:mMCTllfCUEoo/BMIHPi8PiUGYANNm
MD5:	C1F1CE676C6853CBDFD6797F9EA81E1D
SHA1:	6677B3CB5910414F4D1082650B304CD99E822399
SHA-256:	73BEA465676F0CD0E8CB547F7480BE56FA415011121F8BB7C75FE10DCE15BD05
SHA-512:	3D6E6431B2D195AE9307B84E0CB24F1CC2B3CCF5BDFE6913629745A2437E2AF60FE6F61CBE62833D32B2AAC95F77DFDF5F1B42251C6EFACA06B37DBE95347F1E
Malicious:	false
Preview:	rule:.. meta:.. name: get system information.. namespace: host-interaction/os/info.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140002280.. features:.. - or:.. - api: kernel32.GetSystemInfo.. - api: kernel32.GetNativeSystemInfo.. - api: NtQuerySystemInformation.. - api: NtQuerySystemInformationEx.. - api: ntdll.RtlGetNativeSystemInformation.. - api: ZwQuerySystemInformation.. - api: ZwQuerySystemInformationEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\os\shutdown-system.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	394
Entropy (8bit):	5.028649622718704
Encrypted:	false
SSDEEP:	6:hAvlmWZWwlLqLPClES4FfyhjScK3vFLow3pmfIhQgHU9d7VbEntYEnAv:mdmWLlLEfFfy4ZhLFCd7dGtYGAv
MD5:	4A06522D8C94750B01E690C7BB474D56
SHA1:	3B8BD05CCA69382B81B2725D6EDEEC20D1C7BD0C
SHA-256:	B3CDCEA6F502EBDB25BEAB19B4F1C7D9BB829B88BF5F5E38ED528D5C0AE40309
SHA-512:	C34ABA464CC861506A89A43CD169CB2A3ACA2942A4BE3736D7686C566A5F578A97953D3315D64455E7ED2382A21E5E8445373A96C723EFE68C1B32D18788DAAD
Malicious:	false
Preview:	rule:.. meta:.. name: shutdown system.. namespace: host-interaction/os.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Impact::System Shutdown/Reboot [T1529].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10008D60.. features:.. - or:.. - api: user32.ExitWindowsEx.. - api: user32.ExitWindows..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\os\version\check-os-version.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	4.267507459808154
Encrypted:	false
SSDEEP:	24:mM3lhDEoo/Bp6tfuFh501x46gI1KjhdW5iMnI139UjtnvPcsXgIm:mM37DU5pcfMh50j46gI1oKiEI1tmBrg1
MD5:	3A56A4A652FD72097E386F5AD4583349
SHA1:	F16E66C420E9A6C9008AF2D8AAC1E389D4E1677F
SHA-256:	B6E2291CE241F1117BCCA1CE80C3B7DF706DF9518999D203F7328C0EC42DD8F6
SHA-512:	5E40CF82C1B7C6A627B173D854BD98E40BD576756EE778CF4EC3C594FDC71C9E3FF7028C9C6278E58A1E853E20CAFB8B16B1CF7B66D60414EA56F2922E07C698
Malicious:	false
Preview:	rule:.. meta:.. name: check OS version.. namespace: host-interaction/os/version.. author:.. - michael.hunhoff@fireeye.com.. - johnk3r.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. examples:.. - 493167E85E45363D09495D0841C30648:0x401000.. features:.. - and:.. - or:.. - api: RtlGetVersion.. - api: ntoskrnl.PsGetVersion.. - api: GetVersion.. - api: GetVersionEx.. - api: VerifyVersionInfo.. - api: VerSetConditionMask.. - mnemonic: cmp.. - or:.. - and:.. - number: 5 = Windows 2000.. - optional:.. - or:.. - number: 0.. - number: 1 = Windows XP.. - number: 2 = Windows XP 64-bit / Windows Server 2003 / Windows Server 2003 R2.. - and:.. - number: 6 = Windows Vista / Windows Server 2008.. - optional:.. - or:.. - number: 0.. - n

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\allocate-thread-local-storage.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	351
Entropy (8bit):	4.774303774311208
Encrypted:	false
SSDEEP:	6:hAvlmEmCNd6ClLqLCClES4FftK5G6faZTa2j1LNjowUG2o7q9BxJdy:mdmX6YClLpfFftKY6feTf5i3ha
MD5:	B76CD2893E99E350934C5B04D04FB625
SHA1:	3B2EE714D11A6ACF618EC19FF366E53BCA23C4A2
SHA-256:	4A80AC11DBC0663311437A473FE892C739AF8EDECC437465A40183B74C743AC7
SHA-512:	31F0D42DD1C71A74198B28894F1F16EE8F5E0B76D74F9151C341CF2B05ACC8935BB78B4934FB77AC4F959F6645BF6648E21EF90B20B3A9544704A6719DD08279
Malicious:	false
Preview:	rule:.. meta:.. name: allocate thread local storage.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Process::Allocate Thread Local Storage [C0040].. examples:.. - 03B236B23B1EC37C663527C1F53AF3FE:0x18000ADF6.. features:.. - or:.. - api: kernel32.TlsAlloc..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\create\create-a-process-with-modified-io-handles-and-window.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1338
Entropy (8bit):	4.912207859003121
Encrypted:	false
SSDEEP:	24:mMRo+ljkOuE3KY6fkEpcAwjtV+WihzusHt26O6s6aMFdtCbxp4Mtuaqzik1iHIy:mMRP+O1afsEpcTeWQzusHdHZFdMbxp4s
MD5:	F77B641F10A74DC26A1A89AA652D97FC
SHA1:	084EA8F401F733A0A40C386C2740D182833230A4
SHA-256:	B2F5B2D6B91EC207D92815C728D351DE5C496DD48B35905E4A960367934781EE
SHA-512:	313C120B4991F7522903F9D04AEC6600B4D5D27299B195B4169F9D98513AA0A595A61B1C2F801DA8EDF1AF62663C1D497B14A09669789AF7534403616B68639E
Malicious:	false
Preview:	rule:.. meta:.. name: create a process with modified I/O handles and window.. namespace: host-interaction/process/create.. author: matthew.williams@fireeye.com.. scope: function.. mbc:.. - Process::Create Process [C0017].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa.. examples:.. - Practical Malware Analysis Lab 14-02.exe_:0x4011C0.. features:.. - and:.. - or:.. - description: API functions that accept a pointer to a STARTUPINFO structure.. - api: kernel32.CreateProcess.. - api: kernel32.CreateProcessInternal.. - api: advapi32.CreateProcessAsUser.. - api: advapi32.CreateProcessWithLogon.. - api: advapi32.CreateProcessWithToken.. - number: 0x101 = STARTF_USESTDHANDLES \| STARTF_USESHOWWINDOW.. # STARTF_USESTDHANDLES indicates the hStdInput, hStdOutput, and hStdError members contain additional information.. #

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\create\create-process-suspended.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	567
Entropy (8bit):	4.764075311079993
Encrypted:	false
SSDEEP:	12:mdmG3JGZFlL/kIR/wKY6fWJfWaEs8bnvL2NJB1t4U8DqU8/n:mMqGZFljkq4KY6fkfjEs8zL2NMD6/
MD5:	6915C90A70626C0475D9AF4167CE5A38
SHA1:	37FA087192FD932EB8D7F7ECC19E4CAA402A3954
SHA-256:	2E39451B47E2FB58D9862EBF5703C6B20C2B7FF1180BDE2602D24A27D91E497D
SHA-512:	24627CE8179C7FB0DDCCC07A5D7E71DB83B9222DFF94BD009EE49DF76BBEBF9E3DF3E74A18DCDCCDDF1DA35B61682A260FF2786FEE9C846293348DAE991CDD39
Malicious:	false
Preview:	rule:.. meta:.. name: create process suspended.. namespace: host-interaction/process/create.. author: william.ballenthin@fireeye.com.. scope: basic block.. mbc:.. - Process::Create Process::Create Suspended Process [C0017.003].. examples:.. - Practical Malware Analysis Lab 03-03.exe_:0x4010EA.. features:.. - and:.. - or:.. - number: 0x08000004 = CREATE_NO_WINDOW \| CREATE_SUSPENDED.. - number: 4 = CREATE_SUSPENDED.. - or:.. - api: kernel32.CreateProcess.. - api: advapi32.CreateProcessAsUser..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\create\create-process.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	936
Entropy (8bit):	4.711960117995684
Encrypted:	false
SSDEEP:	24:mMqG0ljkfC4KY6fkEiAdvLRK7Vu6m606HHt466YSy/YSJfy:mMG+6LfsEiAdvNK7V9VPHS66ly/lJfy
MD5:	4D504AE6BB50DCD691B8B542FA7E8FFE
SHA1:	F2535C5DFF0CE266B3C1E52AD80D437ACB331D66
SHA-256:	24E712B2E373AE5C260D0F5661A110BC18ECE393F3420A10A70BEB24FCD80D5E
SHA-512:	C20CF16FA25DF43729CC1C3396A64EDEE9AC1A7EC97FEB3F7F0645DC8EE3D7C754AB1FD1329FD8EC389BBE965DDA428D75499004640421F0595432DD62124AA1
Malicious:	false
Preview:	rule:.. meta:.. name: create process.. namespace: host-interaction/process/create.. author: moritz.raabe@fireeye.com.. scope: basic block.. mbc:.. - Process::Create Process [C0017].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x406DB0.. - Practical Malware Analysis Lab 01-04.exe_:0x4011FC.. features:.. - or:.. - api: kernel32.WinExec.. - api: kernel32.CreateProcess.. - api: shell32.ShellExecute.. - api: shell32.ShellExecuteEx.. - api: advapi32.CreateProcessAsUser.. - api: advapi32.CreateProcessWithLogon.. - api: advapi32.CreateProcessWithToken.. - api: kernel32.CreateProcessInternal.. - api: ntdll.NtCreateUserProcess.. - api: ntdll.NtCreateProcess.. - api: ntdll.NtCreateProcessEx.. - api: ntdll.ZwCreateProcess.. - api: ZwCreateProcessEx.. - api: ntdll.ZwCreateUserProcess.. - api: ntdll.RtlCreateUserProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\dump\create-process-memory-minidump.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	344
Entropy (8bit):	4.774229917902412
Encrypted:	false
SSDEEP:	6:SWq+iazvlmG3JGuItdFe3lLqLcsClESgyZBowHYFlhvthi:NVzdmG3JG1alLq/YmL0
MD5:	CB6863DA7A304E4BCE7BA3448F6E7FB3
SHA1:	535811E4AE14D544C7FF305018A06C685D7B19A3
SHA-256:	B544E08D8E20EE92A7CD155E9C170E01F03D0C7F0CC2B78931A5E7B4E7DB9991
SHA-512:	B0E2F32C35B4528D0183BD8A80208C692533DB4759997667AE450F0FD9ADFF903F7EA238AFB7BA96EF97E501ADBE328E63313282ADBA30ACCED6E14BF1C4A1BA
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: create process memory minidump.. namespace: host-interaction/process/dump.. author: michael.hunhoff@fireeye.com.. scope: basic block.. examples:.. - 91a12a4cf437589ba70b1687f5acad19:0x43E1C9.. features:.. - or:.. - api: dbghelp.MiniDumpWriteDump..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\get-process-heap-flags.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.525059902847821
Encrypted:	false
SSDEEP:	12:mdmC1bylLp/h/WGdcA+Y2QM5EI4EohhximhSv9Y/5gjlHe6O:mMCxyllJ/WGdcA52EX3BYVY/aRHFO
MD5:	0F87B1FC11D260DA379AFE445FC0D2C9
SHA1:	A0B8175024967A20D230C73AAA8F1B49CF5E5727
SHA-256:	37C942F78DAA7EE44A244763F3411083435B40942052CF93054552399AFC5C75
SHA-512:	4BE69413C5D794BC70DD7425A0915D8A60F09909126CA7E6B0161D2A618D0234264F9F180B7D5BB2F58E5D8B0A4555F442B4025A0AB0A817A883CF5CFB259AE3
Malicious:	false
Preview:	rule:.. meta:.. name: get process heap flags.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::Process Discovery [T1057].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessHeap_Flags.cpp.. examples:.. - al-khaser_x86.exe_:0x425470.. features:.. - and:.. - match: PEB access.. - or:.. - and:.. - number/x32: 0x18 = offset process heap.. - or:.. - number/x32: 0x40 = offset heap flags >= Vista.. - number/x32: 0xC = offset heap flags < Vista.. - and:.. - number/x64: 0x30 = offset process heap.. - or:.. - number/x64: 0x70 = offset heap flags >= Vista.. - number/x64: 0x14 = offset heap flags < Vista..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\get-process-heap-force-flags.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.527535111968767
Encrypted:	false
SSDEEP:	12:mdmC1b+slLp/h/WGdcA+Y2QM5EI4nohhximhSvo/DgjlM3ak:mMCx+sllJ/WGdcA52EXCBYw/kRKak
MD5:	422891EE1DD8804543D3479FDBF5A61B
SHA1:	2A6FA1ECE661569A034FCD51EA8A3D230CD42058
SHA-256:	8FB101D3C2F7BDACA3C7C45F94C89121ADC159BA7310D0F536AC79E1163E27C1
SHA-512:	4606764E4D059A07EF45058DF2A09BE1D135E0F5AA7CF9780091A53864EFA93D46A78C97A0A217184588BB7F0692F3F1EF2289F34E1765BCF61A9B008CB15840
Malicious:	false
Preview:	rule:.. meta:.. name: get process heap force flags.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::Process Discovery [T1057].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessHeap_ForceFlags.cpp.. examples:.. - al-khaser_x86.exe_:0x425470.. features:.. - and:.. - match: PEB access.. - or:.. - and:.. - number/x32: 0x18 = offset process heap.. - or:.. - number/x32: 0x44 = offset force flags >= Vista.. - number/x32: 0x10 = offset force flags < Vista.. - and:.. - number/x64: 0x30 = offset process heap.. - or:.. - number/x64: 0x74 = offset force flags >= Vista.. - number/x64: 0x18 = offset force flags < Vista..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\allocate-rwx-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	488
Entropy (8bit):	5.057451108514643
Encrypted:	false
SSDEEP:	12:mdmXkFlLXHC/wKCe2bnvL2OfIkbs/mKexody:mMXkFlbHC4KCe2zL2OfINmNB
MD5:	2C980CDEBDBDC0D026A8B9B761691592
SHA1:	D9F429448949ED83D4A54734D0E4595E30FE3AC2
SHA-256:	BE453BE87BEB3E677C1238E0D0FBA3A11CFCAEDDA2ECF6E7E4B6CFD06B598A0D
SHA-512:	32E8F6D7E30FD1BFBCF858CBE1E73DF8400521BC4B04648264FDF42A6D0592372BF92240040FB2C4297E90F9E1D32B302622FB0B7E605C821A5C6C25F9CC17B6
Malicious:	false
Preview:	rule:.. meta:.. name: allocate RWX memory.. namespace: host-interaction/process/inject.. author: moritz.raabe@fireeye.com.. scope: basic block.. mbc:.. - Memory::Allocate Memory [C0007].. examples:.. - Practical Malware Analysis Lab 03-03.exe_:0x4010EA.. # ntdll.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA.. features:.. - and:.. - match: allocate memory.. - number: 0x40 = PAGE_EXECUTE_READWRITE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\allocate-user-process-rwx-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	511
Entropy (8bit):	4.751463420453004
Encrypted:	false
SSDEEP:	12:mdmXTt0lLXpfFfyBGW2Vp6tc78kEfhmkEe3YIHG1:mMXOlbpUBGWYp6tfkCmk73YIm1
MD5:	B76F89EF27557B63D81A63A248AABC60
SHA1:	E4DE852C4DA40639D03507F947297C180CDE65C4
SHA-256:	D1253F7DF22910C96AFF767E2B0464E8C06A1A31987ACF79C6B0C9FCE0876D9B
SHA-512:	482974CF0C63D8828332E80246E20A207956DBBEF8061A28568A0716C421D658F326C9BC88A5A5F137516531FFEA7F5FE080FA8BADCA2538633FB30C201C3CDD
Malicious:	false
Preview:	rule:.. meta:.. name: allocate user process RWX memory.. namespace: host-interaction/process/inject.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Process Injection [T1055].. examples:.. - 493167E85E45363D09495D0841C30648:0x404B00.. features:.. - and:.. - match: attach user process memory.. - match: allocate RWX memory.. - number: 0xFFFFFFFF = NtCurrentProcess().. - optional:.. - match: find process by PID..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\attach-user-process-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.785924176601811
Encrypted:	false
SSDEEP:	6:hAvlmE7AfUItdCFFwlLqLiZClES4FfyhuBaGWFsJVowX6pDc78cVGPCM6X+y:mdm9fvlLXpfFfyBGW2Vp6tc78hF6X+y
MD5:	FBB17FA8A7ABF0E998D8CBF8584B8458
SHA1:	EE674FC1E4F1E08693C28B30ECB6D4B4EE3C2CFA
SHA-256:	21AF47EB620FB69186B6A09A879B8AAD7C9BE4323437EF9E7B2738FC9BB1E6FD
SHA-512:	3BD7D220B70DA0C1AE43DADB6E29D1133807649FD5E4244E9348B07202472CCE4D05854863C4C6FB0E0B60B12D1DAD1BD1AA40E2E81508C81020052984AD6C1C
Malicious:	false
Preview:	rule:.. meta:.. name: attach user process memory.. namespace: host-interaction/process/inject.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Process Injection [T1055].. examples:.. - 493167E85E45363D09495D0841C30648:0x404B00.. features:.. - and:.. - api: ntoskrnl.KeStackAttachProcess.. - api: ntoskrnl.KeUnstackDetachProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\free-user-process-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	548
Entropy (8bit):	4.741169930360355
Encrypted:	false
SSDEEP:	12:mdmLIvlLXpfFfyBGW2pK3C9p6tc78kEfue3JjIHG1:mMklbpUBGWwK3C9p6tfk831Im1
MD5:	CACA65D8FD892024F6EF83D64851A23D
SHA1:	EEB52644A2AC64556A32A73DF57AC4831E690702
SHA-256:	34DE3A29ADEDB40D51AE440F45B419B0DF15C0263882B09C68E776E762D88174
SHA-512:	F1D7B7C6F818691E16620542DBE5B5F1F60E26399D2BA7911038D44BF56C913BD8C79D756D2A7A60B7B4F3E5BC4222022586B93306FA4B376C191840DD5CF8A1
Malicious:	false
Preview:	rule:.. meta:.. name: free user process memory.. namespace: host-interaction/process/inject.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Process Injection [T1055].. mbc:.. - Memory::Free Memory [C0044].. examples:.. - 493167E85E45363D09495D0841C30648:0x404B00.. features:.. - and:.. - match: attach user process memory.. - number: 0xFFFFFFFF = NtCurrentProcess().. - api: ZwFreeVirtualMemory.. - optional:.. - match: find process by PID..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\hijack-thread-execution.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	707
Entropy (8bit):	4.654118674448736
Encrypted:	false
SSDEEP:	12:mdm0fwlLXQNuFfyBGW2gUZa4HVV56e2IHAbfX9SmkdIHjezX9PAM:mMllbQNJBGW3UAW63IK/kmkdIDezXpAM
MD5:	B83BCD1CF8FD06554309223EE3430F5B
SHA1:	96866CED8469D5C6E3771E3F75604897A457DE1D
SHA-256:	A39F6D1B23DE7E81EB8E55958F5FCD3E9F4866411EA46F967A08A8E261C414CD
SHA-512:	0F81A40FCFC165D160159E1FCDF34C335C488DDD3774F5696D0C252107DFEF82844306BADBBABAB0D2766B7C4C2EEBA9D118C41E62D9031B1E95F0FF4EDDDE06
Malicious:	false
Preview:	rule:.. meta:.. name: hijack thread execution.. namespace: host-interaction/process/inject.. author: 0x534a@mailbox.org.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003].. examples:.. - 77d87e9937546aebc1595039d730352b15fab32c72a76913f04262c6802d098f:0x401000.. features:.. - and:.. - optional:.. - or:.. - match: open thread.. - match: create thread.. - match: suspend thread.. - api: kernel32.GetThreadContext.. - match: allocate RWX memory.. - optional:.. - match: write process memory.. - api: kernel32.SetThreadContext.. - match: resume thread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\inject-apc.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	792
Entropy (8bit):	4.6687440185635545
Encrypted:	false
SSDEEP:	12:mdm9ClLXARfFfyBGW2Vpyf5hkCjzejen9BFQN3LRIHwrU8Iy:mM9ClbiUBGWV+seSFQ3VIQRIy
MD5:	7CDCF1FE6A07BC698AFEFE24C0E74E4C
SHA1:	BD2CF8498DA9265853D9D702B50807BA17C99E99
SHA-256:	A5AFF5022C1AB3F255340F0C2D1F753377B1176C5704C8DF363EC080F3B821C8
SHA-512:	964587F2A633676A5C9003D9B79866C3446771FC5E096E10D332F593C4AA854051119376B440BCA62853C4A851265D0E8C0D38F9754DD82E90E224D4D95E7D8A
Malicious:	false
Preview:	rule:.. meta:.. name: inject APC.. namespace: host-interaction/process/inject.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004].. examples:.. - al-khaser_x64.exe_:0x140019348.. features:.. - and:.. - or:.. - match: write process memory.. - api: kernel32.MapViewOfSection.. - api: NtMapViewOfSection.. - api: ntdll.ZwMapViewOfSection.. - api: kernel32.MapViewOfFile.. - or:.. - api: kernel32.QueueUserAPC.. - api: ntdll.NtQueueApcThread.. - optional:.. - or:.. - number: 0x1fffff = THREAD_ALL_ACCESS.. - api: kernel32.CreateProcess.. - api: kernel32.OpenProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\inject-dll.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1378
Entropy (8bit):	4.941003909905586
Encrypted:	false
SSDEEP:	24:mMtwlbQNJBGWSIh/uOycAhw8rtFMeXfVy4iFKcLNXpXphCzUIFGGmkWPei/UdI:mMatQNJn7xycKRTM+44iFKy5YzUIhWP1
MD5:	D5086549DC188D2B82A09427E24EEEF2
SHA1:	7EAF51416347E1F491599216E39C3A84BF8F1296
SHA-256:	87EC743A9EA81B566F92EA82AACD1DA6E28698408FD46F8C0DC829B964E161E3
SHA-512:	3F130403842B3504E4A365F5962E9A554C2F850E43628496689E925E78EE0C9675B56ADB85A60AC4CEA46482E7271772136E59E6F3DF734D8139E42F6689FDDB
Malicious:	false
Preview:	rule:.. meta:.. name: inject dll.. namespace: host-interaction/process/inject.. author: 0x534a@mailbox.org.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001].. references:.. - Practical Malware Analysis, p. 676.. - https://www.researchgate.net/publication/279155742_A_Novel_Approach_to_Detect_Malware_Based_on_API_Call_Sequence_Analysis.. - https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf.. - https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf.. - https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/.. - https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf.. - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/.. examples:.. - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D.. featu

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\inject-pe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.598239646430181
Encrypted:	false
SSDEEP:	24:mMblbQNJBGWtlcAmRw4bvT2XUpIFGGmkZ/ev:mMbtQNJntlcjb7wUpIhZ/y
MD5:	771723CA1957616DDA90A0CECA921365
SHA1:	54DA5929213A7A63BC57C437362141E52B8BC185
SHA-256:	48A1BF40FF187E3C22D428FCEF058BB6CC69E2ED97786B7BAD7921E1D0ADA4A0
SHA-512:	1116F07B023B15F5826835FA5828B0E633D45C306979F872A68068C80211AFC66299D66DE27AC4D295654109FCF88E28F4A5EC1226D60A3B8355A707E6512E83
Malicious:	false
Preview:	rule:.. meta:.. name: inject pe.. namespace: host-interaction/process/inject.. author: 0x534a@mailbox.org.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Portable Executable Injection [T1055.002].. references:.. - https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process.. examples:.. - ce8d7590182db2e51372a4a04d6a0927a65b2640739f9ec01cfd6c143b1110da:0x4014E0.. features:.. - and:.. - characteristic: loop.. - optional:.. - or:.. - match: open process.. - match: create process.. - match: allocate RWX memory.. - basic block:.. - description: virtual address offset calculation.. - and:.. - mnemonic: and.. - number: 0x0FFF.. - match: write process memory.. - match: create thread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\inject-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.680509135925954
Encrypted:	false
SSDEEP:	12:mdmWlLXlLBNuFfyBGW2gUZabnvHSlmxHv7mkrmkWPeJKIHbJGS1x:mMWlbhBNJBGW3UAzHMmxTmkrmkWPe4In
MD5:	B92265F0A6BC033612C8D558F6441C02
SHA1:	3EEDE7C856F188BC1A3E470557B0F4900037DEE7
SHA-256:	3AF3CD7726AE0F0C9692C8986705AE7057CB867191546A3154177F5468253888
SHA-512:	B5A65CB085AD90DA17FCEC42AC2CE005570984A485615C3A39F7F2408E01C9C0C32082679116DAC92E2F1FB549A201A9399467133695527201301319D2F27F27
Malicious:	false
Preview:	rule:.. meta:.. name: inject thread.. namespace: host-interaction/process/inject.. author:.. - anamaria.martinezgom@fireeye.com.. - 0x534a@mailbox.org.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003].. examples:.. - Practical Malware Analysis Lab 12-01.exe_:0x4010D0.. - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF.. features:.. - and:.. - or:.. - match: allocate RWX memory.. - match: allocate RW memory.. - match: write process memory.. - match: create thread.. - optional:.. - or:.. - match: open process.. - match: create process.. - number: 0x3000 = MEM_COMMIT or MEM_RESERVE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\use-process-doppelg nging.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	601
Entropy (8bit):	4.871484315548257
Encrypted:	false
SSDEEP:	12:mdmjClLXHCDnqBGW2cGW/i7jq24JS/O0CLURfQsMIv05Jx:mMGlbHCDnqBGWpGWqvCSZTRIBJx
MD5:	0CF4FC3CDFC617616960CB650B42E7A2
SHA1:	C5690EE13A03F01F6817F8363D975D2E03E28170
SHA-256:	72EE6310DA951944CA8215B2B1F4A35CF4CF29773D98B7F0505865F237E5B394
SHA-512:	25D2BCD3472438428FD58C1F6A6BD9BA40A604FDBD46B3E0EDFBD56C76E60CC490C8EBB0FA59D51FD82F4337F4D114444F55AEC43749E4A7D5C55FF34CFE8024
Malicious:	false
Preview:	rule:.. meta:.. name: use process Doppelg.nging.. namespace: host-interaction/process/inject.. author: moritz.raabe@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Process Injection::Process Doppelg.nging [T1055.013].. examples:.. # proc_doppel64.exe from https://github.com/hasherezade/process_doppelganging/releases/tag/0.2.. - A5D66324DAAEE5672B913AA461D4BD3A.. features:.. - and:.. - string: /CreateFileTransacted./.. - or:.. - string: "ZwCreateSection".. - string: "NtCreateSection".. - string: "RollbackTransaction"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\inject\use-process-replacement.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	619
Entropy (8bit):	4.684551803340149
Encrypted:	false
SSDEEP:	12:mdmGjYg4lLXARfFfyBGW2cGW+lcA+gY9st5bnvN+JGZWeyAM:mMPg4lbiUBGWpGW+lcA9z0GZWeyAM
MD5:	EDE13CA799714D4FCD21EC651BF3A36A
SHA1:	0253CB4B9AE0324DFFD9C4478626D2F781D5C7C5
SHA-256:	1C81F7AC0D1DD41610BB8E6E3DD8230DACB3EB353E5D3826EF68D9CD25803071
SHA-512:	9340BE9CA82198FD547834C21D3D32B2FEB3ECCD1463651BA18E4B0B0FAFC959A66F6D6ADB5331F2417EB5982CC959EA1BB60C10BAD602A34FA735F120E43053
Malicious:	false
Preview:	rule:.. meta:.. name: use process replacement.. namespace: host-interaction/process/inject.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Process Hollowing [T1055.012].. references:.. - http://www.autosectools.com/process-hollowing.pdf.. - https://www.andreafortuna.org/2017/10/09/understanding-process-hollowing/.. examples:.. - Practical Malware Analysis Lab 12-02.exe_:0x4010EA.. features:.. - and:.. - match: create process suspended.. - match: write process memory.. - match: resume thread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\list\enumerate-processes-on-remote-desktop-session-host.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	561
Entropy (8bit):	4.6488731057142
Encrypted:	false
SSDEEP:	12:mdmyGGW5lL0fFfy/WGuSlvRRFNwIHVRPqr:mMyGTlAU/WGuAvRRXwI1Ryr
MD5:	D7C9864B40367A7A2EB48C00F74B745A
SHA1:	6CEEE3E044E71414AD34CF7055F7646A465DEAC1
SHA-256:	0D57C2F6262D2AFC49DE4DAF0FF66FC6BC0B39BA62C6F359C688763531C637B9
SHA-512:	5309254CC135460C51896D3E59E2B252886EE7D4AE9AC965FE70C44B277E0D089BCA77E226C4F77A8076F8BF1FAE0E1A98E9C2286D81CE2D2CBB3F3412EBF4FA
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate processes on remote desktop session host.. namespace: host-interaction/process/list.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Process Discovery [T1057].. examples:.. - 6f99a2c8944cb02ff28c6f9ced59b161:0x414B70.. features:.. - and:.. - or:.. - api: wtsapi32.WTSEnumerateProcesses.. - api: wtsapi32.WTSEnumerateProcessesEx.. - optional:.. - or:.. - api: wtsapi32.WTSFreeMemory.. - api: wtsapi32.WTSOpenServer..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\list\enumerate-processes-via-ntquerysysteminformation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	458
Entropy (8bit):	4.988280823077358
Encrypted:	false
SSDEEP:	12:mdmyGGfHtucfwlLaih/WGv4+rl6CyLO4LmHtucv:mMyG+el2m/WGv4+x6vO4L0Z
MD5:	799CCB3DE0A5BEC719A90636361949B3
SHA1:	524A726FB81F9F84B131CF7E4DD88F618567F697
SHA-256:	F60D33404B3373E866E89A8B0A61ACABD0E0475755A497F5C6461CF0CE567561
SHA-512:	2B4A283D8B60F2DBE6E771F78BC2D2B09D05B61103609C8DE8C2A5532A1F09AA484E42611AA82572735F76E6D1F083DA7BB2B27ACBCD114A513C2C7D72865077
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate processes via NtQuerySystemInformation.. namespace: host-interaction/process/list.. author: "@_re_fox".. scope: basic block.. att&ck:.. - Discovery::Process Discovery [T1057].. - Discovery::Software Discovery [T1518].. examples:.. - 31bd8dd48ac0de3d4da340bf29f4d280:0x00401be3.. features:.. - and:.. - number: 0x5 = SYSTEM_PROCESS_INFORMATION.. - api: NtQuerySystemInformation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\list\enumerate-processes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	673
Entropy (8bit):	4.846506989778966
Encrypted:	false
SSDEEP:	12:mdmyGslLGCfFfy/WGv42lmxHGlmWzEWlIH6a94N6F206y:mMyGslyCU/WGv4ImxmlmWzEWlIaa9mts
MD5:	2CA4903491D7AAEFB88F30C4FE10D905
SHA1:	A4B2E09EF42E52D83477063D832C6EC8DF89FB40
SHA-256:	FECF1ECF0E0F39335A332E8E6D66BADDBB59103B15DD7E5FBB6CB5C98CB51E4E
SHA-512:	B993311B3B173B24C24A03E32D01158617397822A0AE0AC4534E2A7B4A061003E03FC3D84445A6D4959021DB3BFCE3659F91838A8AEA29D15DF5A4C74EE9AE4B
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate processes.. namespace: host-interaction/process/list.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::Process Discovery [T1057].. - Discovery::Software Discovery [T1518].. examples:.. - 2D3EDC218A90F03089CC01715A9F047F:0x403DAB.. - 35d04ecd797041eee796f4ddaa96cae8:0x10004F34.. features:.. - and:.. - api: kernel32.Process32First.. - api: kernel32.Process32Next.. - optional:.. - and:.. - or:.. - number: 0xF = TH32CS_SNAPALL.. - number: 0x2 = TH32CS_SNAPPROCESS.. - api: kernel32.CreateToolhelp32Snapshot..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\list\find-process-by-pid.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	420
Entropy (8bit):	4.815155207472118
Encrypted:	false
SSDEEP:	12:mdmYClL0fFfy/WGup6tc78hcgTgRIHX8Zb:mMYClAU/WGup6tfqgTgRIM1
MD5:	BDA51C670957C88259972DF6DB58509E
SHA1:	A1FACB3A1109D8387DBFBECAB96B3F9978BE1E44
SHA-256:	37E236BDD64A7D32E9F3D54043D15F590195DAB065DC4C9A6FFDD01FCFDBE49B
SHA-512:	7658C0E5F40E60E1CB6EBA5A4065BA1814A57CDEB8EF69C0F48887368DDF6EEA038EE41DE35D4BDD8D44F3E766DED3A7E385C7A77D95000138A170734EB8ED9D
Malicious:	false
Preview:	rule:.. meta:.. name: find process by PID.. namespace: host-interaction/process/list.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Process Discovery [T1057].. examples:.. - 493167E85E45363D09495D0841C30648:0x404B00.. features:.. - and:.. - api: ntoskrnl.PsLookupProcessByProcessId.. - optional:.. - api: ntoskrnl.ObfDereferenceObject..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\list\get-explorer-pid.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.804511034469889
Encrypted:	false
SSDEEP:	12:mdmCpEblL0/h/WGdcA+Y2QM5EIa9LvhhximZBlYgy:mMC0lAJ/WGdcA52EHtBfagy
MD5:	477DF9EBD9E9C40CEC6C3292465B1A7E
SHA1:	0279CE97809594C4DA32B6F1BD3BFD9BDF60B238
SHA-256:	018775B3BB11341441451570CA9EBF057267F2532902F07DDFD817E7CF5C734B
SHA-512:	15254C8628E166FE115D9B43744193945F3CEA0FD8C59409ADDB3CCE261762CAB9845DFDDFDA725F1E8B7E65BB43A80F8C8CA7833A3771039CFF0A6B28577A82
Malicious:	false
Preview:	rule:.. meta:.. name: get Explorer PID.. namespace: host-interaction/process/list.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::Process Discovery [T1057].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ParentProcess.cpp.. examples:.. - al-khaser_x86.exe_:0x425210.. features:.. - and:.. - api: GetShellWindow.. - api: GetWindowThreadProcessId..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\modify\acquire-debug-privileges.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	444
Entropy (8bit):	4.655868549170414
Encrypted:	false
SSDEEP:	6:hAvlmEMe9q4lLqLbNF0JFBO2SgyZqhoYeAD9BowdnvLR7mI8VGeLJmHodFOSAv:mdmRolLKAR/huYhBbnvLR7m99JmIHOSK
MD5:	4B94122B6C0282D36638DC986607CE2E
SHA1:	853FFD5B9C2070FF354AF0407EF449EE8ED81F20
SHA-256:	997A0979EC08886E4A4E9042B4204739C2194A5F5DE779E6B34685308F1826E6
SHA-512:	2661E12FD6894FF606747C6E12DBE0F90BAA05241B26A38A2D677DD90975FE7D0196A0AFC8CF7128C930956211EDC983F4327881A29790BF9144498E2D6396C4
Malicious:	false
Preview:	rule:.. meta:.. name: acquire debug privileges.. namespace: host-interaction/process/modify.. author: william.ballenthin@fireeye.com.. scope: basic block.. att&ck:.. - Privilege Escalation::Access Token Manipulation [T1134].. examples:.. - Practical Malware Analysis Lab 01-04.exe_:0x401174.. features:.. - and:.. - string: "SeDebugPrivilege".. - optional:.. - match: modify access privileges..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\modify\modify-access-privileges.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.801668973630583
Encrypted:	false
SSDEEP:	6:hAvlmISA4lLqLbNF3CS4FfyhoYeAD9BowUH9XWNLhDsVG2Bc4HodFDX/nk:mdmnxlLKHCfFfyuYhBAGPYZB1IHD8
MD5:	5FFE85E28E44600EF8A5F4AF667E6F12
SHA1:	5564EA7FD32C9222EABACA9F7D85A1D8482D3175
SHA-256:	FFADB5DE01DB6D074286FC011B4F956290E19BE7AFA1A6CA8454E62116C027B4
SHA-512:	D8AE995B53B2C6032785F989F941A3A7680630E0265FF33D913C2D571D4701E4AD096E459F72986EEAE6A561DDDF22FBE9ED08176B7288E41D7195C7F6DC1173
Malicious:	false
Preview:	rule:.. meta:.. name: modify access privileges.. namespace: host-interaction/process/modify.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Privilege Escalation::Access Token Manipulation [T1134].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x403BE0.. features:.. - and:.. - api: advapi32.AdjustTokenPrivileges.. - optional:.. - or:.. - api: advapi32.LookupPrivilegeValue..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\modules\list\enumerate-process-modules.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	793
Entropy (8bit):	4.737226725253679
Encrypted:	false
SSDEEP:	12:mdmyGPlLCfFfy/WGuBQlNCGXIHYeQMRM0N5M+rwQ0NYG:mMyGPlGU/WGuBGZXI4eQMRMc5M+8QcYG
MD5:	171F28E1470832C43203C0E51F85E02D
SHA1:	161A1B7BB90390A39EE94A226594BA3857529B37
SHA-256:	3F71C3169A9DD0D5D315C7C5723244FF8BD7412F6AB730F401A1B642793F8BFB
SHA-512:	34DB229AD2FA528941E662459789DD72549CB41DBE534C7B9F6AC67C7E3563D13643AC3B809A74DA047CC86C999FFE1CF9F5ABC5D20AB798961D48B22352421C
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate process modules.. namespace: host-interaction/process/modules/list.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Process Discovery [T1057].. examples:.. - 6F99A2C8944CB02FF28C6F9CED59B161:0x419FF8.. - 9B2FD471274C41626B75DDBB5C897877:0x100046B0.. features:.. - and:.. - optional:.. - or:.. - api: kernel32.OpenProcess.. - api: kernel32.CloseHandle.. - or:.. - api: kernel32.K32EnumProcessModules.. - api: kernel32.K32EnumProcessModulesEx.. - api: kernel32.K32EnumProcesses.. # depending on OS version in kernel32 or psapi.. - api: EnumProcessModules.. - api: EnumProcessModulesEx.. - api: EnumProcesses..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\set-thread-local-storage-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.692133696685918
Encrypted:	false
SSDEEP:	12:mdmWoXEKF/ClLpfFftKY6fVZTXESjijy/iIHCm6o:mMzEe/Cll3KY6fn7ESjiu/iIimp
MD5:	FD21F47684B2E410F6A278392E20E4A4
SHA1:	EA187ACAF1DAFEF6AF673353AA32BD83690D0765
SHA-256:	D08BC7258349F58EBCB1D551FAB8842727905306EA7E83157E772C207B0E7D5F
SHA-512:	DE92435CDD0BEC7E7CE2F89B512539A6BD097DACC7B320BAF7401393869E44B6AD3E089CBD0D6C4A700244C43330BC9EBB8149E35A560D2F54C967F43B45E1B5
Malicious:	false
Preview:	rule:.. meta:.. name: set thread local storage value.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Process::Set Thread Local Storage Value [C0041].. examples:.. - 03B236B23B1EC37C663527C1F53AF3FE:0x18000AE21.. features:.. - and:.. - api: kernel32.TlsSetValue.. - optional:.. - match: allocate thread local storage..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\terminate\terminate-process-via-fastfail.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	446
Entropy (8bit):	4.705356862051397
Encrypted:	false
SSDEEP:	12:mdmdG9EGwlLWS/ZiwKY6fDEXvgcA+YSDHHeYh+0U+awDj:mMdGNwlyS/ZZKY6fDE/gcAwj+Yh+0N
MD5:	A72FEFE708F9925A513F66FCFCD931EE
SHA1:	A58165FC8B7A3252397671E2635770C9259A70BB
SHA-256:	016B7D1B4ED369FD7547DE77716D651712D27111C45E61B3BC0EF04FBE1819C8
SHA-512:	53218114BC5017B72E2A5B94D6B8B0B36D9DAD2AD7168F4C294FEB56A031708F4FF30288DC54D700FD2F3979476C0420805E90B5E1974B4C6AA6DFBA0BCDA4FD
Malicious:	false
Preview:	rule:.. meta:.. name: terminate process via fastfail.. namespace: host-interaction/process/terminate.. author: "@_re_fox".. scope: basic block.. mbc:.. - Process::Terminate Process [C0018].. references:.. - https://docs.microsoft.com/en-us/cpp/intrinsics/fastfail?view=vs-2019.. examples:.. - b87e9dd18a5533a09d3e48a7a1efbcf6:0x14000747F.. features:.. - and:.. - mnemonic: int.. - number: 0x29..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\process\terminate\terminate-process.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	536
Entropy (8bit):	4.725477925945309
Encrypted:	false
SSDEEP:	12:mdmdG0lLWS/fCfFftKY6fDEXv5KQinTDObQTIHMAHG5By:mMdG0lyS/fC3KY6fDE/5lmTC8TIsAHiw
MD5:	35AF8F0BC338C55B80C26D8E3332A68D
SHA1:	7BF3F65215B49CB429E8C7C7F4BCA189B8E733BA
SHA-256:	44E3556C4202EE929839E0FFA58BA1CC15D92DA5D7887744C16B13400683E552
SHA-512:	9309662E5BBEA901B68C5BF9BC64796FF33F669A2C619FBFE86A8CC9CB57E387F8E72B893A7766D4A3544AD640ADE569DD225994A72884BABD6FB0197594BD31
Malicious:	false
Preview:	rule:.. meta:.. name: terminate process.. namespace: host-interaction/process/terminate.. author: moritz.raabe@fireeye.com.. scope: function.. mbc:.. - Process::Terminate Process [C0018].. examples:.. - C91887D861D9BD4A5872249B641BC9F9:0x401A77.. - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307.. features:.. - and:.. - optional:.. - match: open process.. - or:.. - api: kernel32.TerminateProcess.. - api: ntdll.NtTerminateProcess.. - api: kernel32.ExitProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\create-or-open-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1271
Entropy (8bit):	4.908158629407804
Encrypted:	false
SSDEEP:	24:mMslJ4KUgIygIEzLDm16tf8IpVgYWujIjmufjIsz25jZrFXcbsrbslRSzDPygjn:mMsbLNIHIEzXm1cf8IpV+sQMVSyesjn
MD5:	6D4504220D6D227BB9FA4A5E0C277CFC
SHA1:	5D4C790FC686A16CF5A859C4BE0C51B15CB7617A
SHA-256:	ABA20042B504B5F295586578E21E0A83E3A095CD3373615EBAFC3F1792913136
SHA-512:	F01A4198CBC43C38A3D1BF4702C42174D78E2193CF015B31064ABCE703DE75D9B21FA7B96110A78E2EF713FF706E15502A92AB1A00D4D3EAA3B09BFF27A641DB
Malicious:	false
Preview:	rule:.. meta:.. name: create or open registry key.. namespace: host-interaction/registry.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Operating System::Registry::Create Registry Key [C0036.004].. - Operating System::Registry::Open Registry Key [C0036.003].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10004706.. - Practical Malware Analysis Lab 11-01.exe_:0x401000.. - 493167E85E45363D09495D0841C30648:0x404D60.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E.. features:.. - or:.. - api: advapi32.RegOpenKey.. - api: advapi32.RegOpenKeyEx.. - api: advapi32.RegCreateKey.. - api: advapi32.RegCreateKeyEx.. - api: advapi32.RegOpenCurrentUser.. - api: advapi32.RegOpenKeyTransacted.. - api: advapi32.RegOpenUserClassesRoot.. - api: advapi32.RegCreateKeyTransacted.. - api: ZwOpenKey.. - api: ZwOpenKeyEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\create-registry-key-via-offline-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	447
Entropy (8bit):	4.721624438483806
Encrypted:	false
SSDEEP:	6:hAvlmG3MkC0EAUvNFwlLqLKFpFfyhuFt899lKU9CF2RkfUx5owsSGWJCFHR:mdmG3qjglLtFfyWAKUgIkfUx5rNJWHR
MD5:	6D94FDBDBF756EF11897C2CB73B77B81
SHA1:	BB3409D628E20A152A9D2289F438F8A3010E1BE7
SHA-256:	7A07ABBD1FD1B5F3113337BC5E8DC0D82F7FC3C692090A0B0FB40AFD608414B2
SHA-512:	41F33BFF25F6BC20A72DDA0B1DC0FC35F5E9ADB25AD6D897E14AA18BCF003A4B1DEFE16A7D256285520401E008A983CA7DE4FB350419EF0499295E35D9F02458
Malicious:	false
Preview:	rule:.. meta:.. name: create registry key via offline registry library.. namespace: host-interaction/registry.. author: johnk3r.. scope: function.. att&ck:.. - Defense Evasion::Modify Registry [T1112].. mbc:.. - Operating System::Registry::Create Registry Key [C0036.004].. examples:.. - 5fbbfeed28b258c42e0cfeb16718b31c:0x100481A0.. features:.. - or:.. - api: ORCreateHive.. - api: ORCreateKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\create\set-registry-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	4.662559918270323
Encrypted:	false
SSDEEP:	24:mMlW/Clk15CO3KUgI2j1IVxdIRKe/sKteQ5/DP/1/ie/9/s/RGp:mM0Cu1UOaNI2j1IVxdIYOht1hj9iOFM8
MD5:	65A3E8B62A8A8AB0BF81FE8909365FAD
SHA1:	A4C362BA30B4699B4979DBBCB68B94A401C97DFB
SHA-256:	EE59C0DD1A803D78B29AD8B792AC817E78FED1B7714AEB4243B5D00E7699CEE3
SHA-512:	B2341DCA684081CE1A89DB5CB02A1294B51B7425DFEA11BC6C37A8930C34C7F704DE6B80537F70C927234CC0E1D1B43ACAC479B3F9B9B5A62B023E05AD60574B
Malicious:	false
Preview:	rule:.. meta:.. name: set registry value.. namespace: host-interaction/registry/create.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Operating System::Registry::Set Registry Key [C0036.001].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E.. features:.. - or:.. - and:.. - optional:.. - match: create or open registry key.. - or:.. - api: advapi32.RegSetValue.. - api: advapi32.RegSetValueEx.. - api: advapi32.RegSetKeyValue.. - api: ZwSetValueKey.. - api: NtSetValueKey.. - api: RtlWriteRegistryValue.. - api: SHSetValue.. - api: SHRegSetPath.. - api: SHRegSetValue.. - api: SHRegSetUSValue.. - api: SHRegWriteUSValue.. - and:.. - match: create proces

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\delete\delete-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	900
Entropy (8bit):	4.688441650555102
Encrypted:	false
SSDEEP:	12:mdmuy6lLXCGhQFfyWAKUgIkBAUlGDN3g6tc78eIHsM4+GwU2SLBJY/P:mMklbCODWAKUgIoG+6tfeIBzG12SNK
MD5:	03B7CF9D82CB040D72249337A834085F
SHA1:	9252F800FEE640A018CA5BAEFA281D3A620FF656
SHA-256:	D3E63C5448B42F6B01FEBC3362581355A34E0C27BEF640DC598BA0C98867DD65
SHA-512:	3EFE020B6AD4037BFA6BFE3FF7BAA56AE8B889859B4D49C671108DE0773EE478DFADE6FAD2BD6C69DD6D3957CCA4D048949AC5BC2D915AB400BF9C6D166C1712
Malicious:	false
Preview:	rule:.. meta:.. name: delete registry key.. namespace: host-interaction/registry/delete.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. - johnk3r.. scope: function.. att&ck:.. - Defense Evasion::Modify Registry [T1112].. mbc:.. - Operating System::Registry::Delete Registry Key [C0036.002].. examples:.. - 4f11bdb380dafa2518053c6d20147a05:0x402A36.. - 493167E85E45363D09495D0841C30648:0x404D60.. features:.. - and:.. - optional:.. - match: create or open registry key.. - or:.. - api: advapi32.RegDeleteKey.. - api: advapi32.RegDeleteTree.. - api: advapi32.RegDeleteKeyEx.. - api: advapi32.RegDeleteKeyTransacted.. - api: ZwDeleteKey.. - api: NtDeleteKey.. - api: SHDeleteKey.. - api: SHDeleteEmptyKey.. - api: SHRegDeleteEmptyUSKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\delete\delete-registry-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	726
Entropy (8bit):	4.663598155959346
Encrypted:	false
SSDEEP:	12:mdmuySyF/ClLTfFfyWAKUgIkBRQDZkxTNIHsME/0Ek/H1J/G/q:mMUW/Cl/UWAKUgIjUNIBE/0t/H1J/G/q
MD5:	A1E08813C9C7EB28278C8FD73C246C9F
SHA1:	B4EBBCA2901C2ADE87C27D4EA94695F937368C15
SHA-256:	DA9AB3E8654B770CD77869466A3F6EF52B6F0465A9FA07F2F8CF4323E7BC2F8A
SHA-512:	C8BB64DD8E438D03EF4C6ECA95F4E1514E7127333335F517427CC9742D9209F55C9352D29818F10C1509E28C941657B1DBE53D2CC81AE8494B69A4DD0777B087
Malicious:	false
Preview:	rule:.. meta:.. name: delete registry value.. namespace: host-interaction/registry/delete.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Modify Registry [T1112].. mbc:.. - Operating System::Registry::Delete Registry Value [C0036.007].. examples:.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4041A0.. features:.. - and:.. - optional:.. - match: create or open registry key.. - or:.. - api: advapi32.RegDeleteValue.. - api: advapi32.RegDeleteKeyValue.. - api: ZwDeleteValueKey.. - api: NtDeleteValueKey.. - api: RtlDeleteRegistryValue.. - api: SHDeleteValue.. - api: SHRegDeleteUSValue..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\open-registry-key-via-offline-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.692056023343759
Encrypted:	false
SSDEEP:	6:hAvlmK8kC0EAUvNFwlLqLKFpFftKU9CF2Rk+AU8owsSgR8W4FFCI:mdmKajglLtFftKUgIk+AU8rgR4CI
MD5:	58A040DDAB3B1FDCF751441467403523
SHA1:	F0B475E32BFE2B3FF2C1A5451FFBA4CCC4053D41
SHA-256:	6381AC8946ECFDB0BEA84C047CE43C151EB8279549159B04A42C4BA6058FFE0D
SHA-512:	2BA823C27D3775B520D95D7E3968A9C0166D8DD225A1CC95AB867E0C31598BE292C32DBF284FB6967183C4B3BA9BF048D47A5653B34B38425055C7C2DF34792B
Malicious:	false
Preview:	rule:.. meta:.. name: open registry key via offline registry library.. namespace: host-interaction/registry.. author: johnk3r.. scope: function.. mbc:.. - Operating System::Registry::Open Registry Key [C0036.003].. examples:.. - 5fbbfeed28b258c42e0cfeb16718b31c:0x4071E1.. features:.. - or:.. - api: OROpenHive.. - api: OROpenKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\query-or-enumerate-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.763431783471143
Encrypted:	false
SSDEEP:	24:mMUlJUDJKUgIITp6tf2IfIBBDBYS2TkRSRvlc5YS5Jk:mMUbUDANIITpcf2IfIvtlJRSRvm5l5Jk
MD5:	C42BCDCE0ABF85317BAF66CC66DEE5FA
SHA1:	948D421EA919FCE7F2CF5202C6581B0DB5D89E54
SHA-256:	7FEE3D00B6AF7A6FF78A0D600BC75A785BE1F499B74189964F8AF2CCD5B87C42
SHA-512:	1CD2FA211BE7B007E81DCB70FD0552182CD807A194C7E07CBD8E64FA78A0C2EFE701A97D59324CA0105381E5514B83785DE5CF20813ADC89B6FB290EC7FD5F7E
Malicious:	false
Preview:	rule:.. meta:.. name: query or enumerate registry key.. namespace: host-interaction/registry.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Query Registry [T1012].. mbc:.. - Operating System::Registry::Query Registry Key [C0036.005].. examples:.. - 493167E85E45363D09495D0841C30648:0x404930.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402608.. features:.. - and:.. - optional:.. - match: create or open registry key.. - or:.. - api: advapi32.RegEnumKey.. - api: advapi32.RegEnumKeyEx.. - api: advapi32.RegQueryInfoKeyA.. - api: ZwQueryKey.. - api: ZwEnumerateKey.. - api: NtQueryKey.. - api: NtEnumerateKey.. - api: RtlCheckRegistryKey.. - api: SHEnumKeyEx.. - api: SHQueryInfoKey.. - api: SHRegEnumUSKey.. - api: SHRegQueryInfoUSKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\query-or-enumerate-registry-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1422
Entropy (8bit):	4.679694278263472
Encrypted:	false
SSDEEP:	24:mMkW/ClQOUDJKUgIIKWLwIBPue/0+/0D/0O20SgQ8UgQDP/Q5/plNue/cPn/Evog:mMTC6OUDANIIKW0IcODgzzr6cAOcnEv3
MD5:	93C7476ED0D4D1A829BAB31AF2A2EE6A
SHA1:	6D48939053A0526F758F7117166E05A2CB0EA4D8
SHA-256:	909B2D38F42C926712EADB2C9EF8A73BF8E20C41562DBBC0787E5779A8527667
SHA-512:	5075D4A7551006539B813B72D52D9DCB7BECEDDB3D6F41A3C6CB56283E778C5F62BD72583B8A8061894D77F73C9CE0D727301A70894E6053F8D8B7FBEEE7D35E
Malicious:	false
Preview:	rule:.. meta:.. name: query or enumerate registry value.. namespace: host-interaction/registry.. author:.. - william.ballenthin@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Query Registry [T1012].. mbc:.. - Operating System::Registry::Query Registry Value [C0036.006].. examples:.. - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A.. - Practical Malware Analysis Lab 03-02.dll_:0x100047AD.. features:.. - and:.. - optional:.. - match: create or open registry key.. - or:.. - api: advapi32.RegGetValue.. - api: advapi32.RegEnumValue.. - api: advapi32.RegQueryValue.. - api: advapi32.RegQueryValueEx.. - api: advapi32.RegQueryMultipleValues.. - api: ZwQueryValueKey.. - api: ZwEnumerateValueKey.. - api: NtQueryValueKey.. - api: NtEnumerateValueKey.. - api: RtlQueryRegistryValues.. - api: SHGetValue.. - ap

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\query-registry-key-via-offline-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	411
Entropy (8bit):	4.770208484757013
Encrypted:	false
SSDEEP:	6:hAvlmUsjkC0EAUvNFwlLqLKFpFfyhp8GtlKU9CF2RkD8HBDH5owsSiQ5hGF5:mdmLTjglLtFfyDJKUgIkDgZrK5
MD5:	BA44F7373DAB3218677FCABF52BBEF05
SHA1:	1E1366B1FC6F116971D7A8B5BB7EFDE64E5B205D
SHA-256:	8A45DD85B5C70EFE4064244794071E1B5842E68E795237AA166F794B218159A4
SHA-512:	9CC6DA4CF41F03F7CBA94CE4CA661848DB163A326A0D852A218D318B9161B8BC0D7641455286AB2B79F9BD8B9B13EE5DD6FB901E25ADC914EE45910F4174D55F
Malicious:	false
Preview:	rule:.. meta:.. name: query registry key via offline registry library.. namespace: host-interaction/registry.. author: johnk3r.. scope: function.. att&ck:.. - Discovery::Query Registry [T1012].. mbc:.. - Operating System::Registry::Query Registry Value [C0036.006].. examples:.. - 5fbbfeed28b258c42e0cfeb16718b31c:0x42388C.. features:.. - and:.. - api: ORGetValue..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\registry\set-registry-key-via-offline-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	458
Entropy (8bit):	4.720701803515924
Encrypted:	false
SSDEEP:	12:mdmWmjglLtFfyWAKUgIklUmjrdH/iIHNb:mMfkleWAKUgI2j5/iIx
MD5:	F37076CD6475D79F526A4BD638364CDF
SHA1:	888E7DA9BFCFCA87A873DFA4F9CE1AE55524BACC
SHA-256:	FAE422527C990154C817E03B75397BCBCC34DD6E36B65A3E646E10AB8F359D27
SHA-512:	978D9CE51072607E286EFF05B045DFC9B1BDC9E55E7C2E4CD24EA66058704CBA0BF9294487545E118C38D1FC311B21C371321C5290D8B92D83232A87B490FB89
Malicious:	false
Preview:	rule:.. meta:.. name: set registry key via offline registry library.. namespace: host-interaction/registry.. author: johnk3r.. scope: function.. att&ck:.. - Defense Evasion::Modify Registry [T1112].. mbc:.. - Operating System::Registry::Set Registry Key [C0036.001].. examples:.. - 5fbbfeed28b258c42e0cfeb16718b31c:0x43A6C8.. features:.. - and:.. - api: ORSetValue.. - optional:.. - api: ORSaveHive..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\create\create-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	509
Entropy (8bit):	4.7221870945374205
Encrypted:	false
SSDEEP:	12:mdmG3blLLe1fCfFfyJ8AzfVJHVbnvLJpBq2TaIHeP:mMYlifCUJPzfXVzLdXaI+P
MD5:	9725DAC052991E1A5569A82329778EF1
SHA1:	29652EBAC0FA0E37BF4FF46DB289D5DCF03BC45D
SHA-256:	AB170F15628E23C9B213ECEC77C032B5847BE2367DDD2DBF9710B7D221EB11A2
SHA-512:	342C7A28391D56D6F604BBEDB2A27C7D6577C0C754C598C53DC3704C4024C4FB070FEAFC71DF6686689A35695FFC7265507C7A458AEB89D8E398080E130CFC57
Malicious:	false
Preview:	rule:.. meta:.. name: create service.. namespace: host-interaction/service/create.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. - Execution::System Services::Service Execution [T1569.002].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10004706.. features:.. - and:.. - api: advapi32.CreateService.. - optional:.. - api: advapi32.OpenSCManager..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\delete\delete-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	491
Entropy (8bit):	4.827715295705273
Encrypted:	false
SSDEEP:	12:mdmuQlLL+ECfFfyJ8AzfVJH8TcMG//nnvLJdIH/FEnzmH9:mMZlOECUJPzfX8IMmvLjIfunzC9
MD5:	83BA6EB210EB53F66711B626E559E245
SHA1:	D317FDBD77EA26ACA7C0977A2F41BFB08B19F085
SHA-256:	CA39E93248279BC7D5ED78C0424495AC34A6DC0085E8804F1288D74E8CF16E95
SHA-512:	4BD9AA6AA3AEF2719765ED3F051365E00DDF2412820FF10E388338CAEDB4A5559701CA1E615A6AA029494381099C5AFEE1FA18DD0E4881F45F03CB22A9B51FE0
Malicious:	false
Preview:	rule:.. meta:.. name: delete service.. namespace: host-interaction/service/delete.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. examples:.. - E544A4D616B60147D9774B48C2B65EF2:0x402140.. - Practical Malware Analysis Lab 03-02.dll_:0x10004B18.. features:.. - and:.. - optional:.. - match: get service handle.. - api: advapi32.DeleteService..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\list\enumerate-services.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	404
Entropy (8bit):	4.690130311395914
Encrypted:	false
SSDEEP:	6:hAvlmA8E4lLqLYjq3CS4FfyhDM8oxzLowdnvLdVBnW5hzUzA0Uzj:mdmrlLLq3CfFfyBqxbnvLdXnWfiI
MD5:	8FE10431AAB9DC145B954A0F2E0F9278
SHA1:	230661E2E230A227B94CA6AA2C56CB00A7DB0F5E
SHA-256:	EC4E62E35FDED4B4A3C62C1C49970B9A352D853A0093E1C8816E164E5A7B046B
SHA-512:	E34C62712C891EC1DF2D8EA16443607EC82B15F31FF3CD69A2B653C35A662DCC37112BB0124287E3725626B98616EBB58DA16ABF70C28AB237D2EF80D6D74555
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate services.. namespace: host-interaction/service/list.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Service Discovery [T1007].. examples:.. - Practical Malware Analysis Lab 05-01.dll_:0x1000B823.. features:.. - or:.. - api: advapi32.EnumServicesStatus.. - api: advapi32.EnumServicesStatusEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\modify\modify-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	563
Entropy (8bit):	4.804419788498533
Encrypted:	false
SSDEEP:	12:mdmzmlLLoHCfFfyJ8AzfVJHV2sIH/FEYHPCDHPCi:mMzmlYHCUJPzfXV7IfuYH6DH6i
MD5:	A10FD3BED08F9026C9E0D0E72F392C65
SHA1:	C563B83B3FCB96A755FC392280865392AA5CDE8E
SHA-256:	A9FF493E548BCFCCBF951662A83D4A7B909B6618B78D765B0B5EAAC99B9144E0
SHA-512:	A36C49F7B395F26AD64C88CB71C50AEF1A3EC967223E9E4180AFC692B3BC5F858385EA25DA07997F34B47CD53D9DA69AA6FC48B08BF0D847EEE7B681B35176C8
Malicious:	false
Preview:	rule:.. meta:.. name: modify service.. namespace: host-interaction/service/modify.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. - Execution::System Services::Service Execution [T1569.002].. examples:.. - 7D16EFD0078F22C17A4BD78B0F0CC468:0x401000.. features:.. - and:.. - optional:.. - match: get service handle.. - or:.. - api: advapi32.ChangeServiceConfig.. - api: advapi32.ChangeServiceConfig2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\query-service-status.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	393
Entropy (8bit):	4.823621190677775
Encrypted:	false
SSDEEP:	6:hAvlmU2dr6lLqLYjbClES4FfyhDM8oxzLowsX4TfgSBQDzZQnuZQc:mdmIlLLLfFfyBqxMkgNZQnuZQc
MD5:	95A5B0FD5A65ABE4AE8E5F76FD420A9E
SHA1:	B810D2D29A8B502EC586F60D8EAD3DF1603917DF
SHA-256:	A1D251E669989267DF89B9DF21520FB99A397684B7F51C522075B1C0E7EF0762
SHA-512:	B13C2100F6225B13DEC2DABB1370A461AB18712DDDBCE046FB49E9EFB0B142A49B11C7F8C581F83422EEDA7A080B4B21AF241A2E56C5AB5F063FE430E755C65C
Malicious:	false
Preview:	rule:.. meta:.. name: query service status.. namespace: host-interaction/service.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Service Discovery [T1007].. examples:.. - 9DC209F66DA77858E362E624D0BE86B3:0x403C70.. features:.. - or:.. - api: advapi32.QueryServiceStatusEx.. - api: advapi32.QueryServiceStatus..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\run-as-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	569
Entropy (8bit):	4.485655951945238
Encrypted:	false
SSDEEP:	12:mdmJlLL/CGhDnlKUHbnvLJLh/WNafX4fXbPy:mMJlvCODnlKUHzLHpXOXbPy
MD5:	5C865411288469D31F9FA46D56F3F6B0
SHA1:	96926FE2CCEEA8BB39A14C639D423FE71BBA5CEB
SHA-256:	9C7E3CE60D9E28A43FF17E6BF4880A541B007806E14308379BB8532F457FE022
SHA-512:	8B2F36AF169C9882083405FA0038A6EC35227F56DAFCBFF9566BBEC7022342046CDBC294B2DD68F8A49500D1FA5B2A94B338DD385E35EEED083546B991EBF4B8
Malicious:	false
Preview:	rule:.. meta:.. name: run as service.. namespace: host-interaction/service.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: file.. mbc:.. - Anti-Behavioral Analysis::Execution Guardrails::Runs as Service [E1480.m07].. examples:.. - Practical Malware Analysis Lab 03-02.dll_.. features:.. - or:.. - export: ServiceMain.. - function:.. - or:.. - api: RegisterServiceCtrlHandler.. - api: RegisterServiceCtrlHandlerEx.. - api: StartServiceCtrlDispatcher..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\start\start-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	426
Entropy (8bit):	4.770519113070075
Encrypted:	false
SSDEEP:	12:mdmW+mlLLORucCfFfyJ8AzfVJH8TcuIH/FEnb:mMfmlOucCUJPzfX8IuIfunb
MD5:	D3342F34148323651B24772306F9F6EB
SHA1:	C5E186A5FDCD7CB271E1F94232B062CAE6B07663
SHA-256:	13C0111C8BEBD02369378AD2BF9F3B51AFA91FC472E75575C1F67EB413A5C93C
SHA-512:	744D76053B9E2DDA392F2DDDBEC72B57B00A247B9AAF8BB56F46315BD3D45C5CF49AF564CD8A46F19D3FADE98EB5C450093EE38EECB71845F1DEADB13BC6A380
Malicious:	false
Preview:	rule:.. meta:.. name: start service.. namespace: host-interaction/service/start.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. examples:.. - E544A4D616B60147D9774B48C2B65EF2:0x401FA0.. features:.. - and:.. - optional:.. - match: get service handle.. - api: advapi32.StartService..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\service\stop\stop-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	565
Entropy (8bit):	4.8660950599665
Encrypted:	false
SSDEEP:	12:mdmWHAalLLORPHCfFfyJ8AzfVJHpjTcMG/TIH/FEzbbb9v:mMMAalOPHCUJPzfXpjIMgIfuz3Rv
MD5:	F2510B733BA8EC809A83C37AA9E57B32
SHA1:	AD8B8A34FE51BD7102B8F572FAD6AB4A1CE8C16F
SHA-256:	D0BA3B00CBD59F56182CA8EFD43AC0440BDE9F087FD052F032D1C2B6300EF6BA
SHA-512:	FCA9B312F67603098C98A916A4230708E1495FCE1DCC9EC1A0EBC12D082524795EA299D4EC3928839C34C1B50B4D69032252F566CCBF327ED4ED6DBD007C4B7F
Malicious:	false
Preview:	rule:.. meta:.. name: stop service.. namespace: host-interaction/service/stop.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. - Impact::Service Stop [T1489].. examples:.. - E544A4D616B60147D9774B48C2B65EF2:0x402140.. features:.. - and:.. - optional:.. - match: get service handle.. - number: 0x1 = SERVICE_CONTROL_STOP.. - or:.. - api: advapi32.ControlService.. - api: advapi32.ControlServiceEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\session\get-logon-sessions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	497
Entropy (8bit):	4.762942337480487
Encrypted:	false
SSDEEP:	12:mdmC/2BlLMnOkHYukFfy1zJYDOfp2uIHZpd:mMC/+luZHYKRJYCh3Ind
MD5:	238E1576F53AEFC8E20EAFC0F0C86EC2
SHA1:	5B7FF56145D0A6DED204366F686A98FB272F51CC
SHA-256:	64524DF62FA6A50A76895C58A1C44EE5E656379F5CC98BC8DA9B58827EB0C83E
SHA-512:	42CF65147172F53B2ACACD6976EE1EF912CC6A47C5EBA1B7ECEF85BFE41055641AEA34B67403A24E747FA12CA1181BC5C024B6AB0DBD8C33D64634B4FE5BC730
Malicious:	false
Preview:	rule:.. meta:.. name: get logon sessions.. namespace: host-interaction/session.. author: awillia2@cisco.com.. description: Looks for imported Windows APIs being called to enumerate user sessions... scope: function.. att&ck:.. - Discovery::Account Discovery [T1087].. examples:.. - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C1AC.. features:.. - and:.. - api: secur32.LsaEnumerateLogonSessions.. - optional:.. - api: secur32.LsaGetLogonSessionData..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\session\get-session-integrity-level.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.86781926405806
Encrypted:	false
SSDEEP:	6:hAvlmCT8vXwlLqLTJClES4FfyhL6xXaowTFMluEbAWyB6v:mdmCSwlLM5fFfyt6hah2a3y
MD5:	F2FE2F1ABEB9F815D8D5E1F20A6A22D0
SHA1:	F00BB64E82D198A155A4B7463CBD73E044F24915
SHA-256:	E83ED6A6F4232FF752C8045B49D134EC697CA7A9E6EFF0B90F85EA90C59197BC
SHA-512:	362DD958C0A66333487D2468CD732A2F3815050610D04DEB02F445A6307058A88446A263A7E4D71AB8064F5A7094AEA90278BED40F10F4A95BA29C0108DA4D87
Malicious:	false
Preview:	rule:.. meta:.. name: get session integrity level.. namespace: host-interaction/session.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Owner/User Discovery [T1033].. examples:.. - 9879D201DC5ACA863F357184CD1F170E:0x10003643.. features:.. - or:.. - api: shell32.IsUserAnAdmin..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\session\get-session-user-name.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	620
Entropy (8bit):	4.67677406522401
Encrypted:	false
SSDEEP:	12:mdmCP4lLM3CfFfyt6hrzJbnvALKRpfCqvXJaFz5Q0ucfLUv:mMCP4l6CUt69JzAevfJabQ052
MD5:	DA2F92FC22B4AA52AE55D05BE0B029CB
SHA1:	C3F7CB207450AD7A75F06092324005C0F19A86C0
SHA-256:	E815C00AA93479C8F92D75C87F7D5CA3270ADD35B82FE0D00E71B69DD0CC882D
SHA-512:	61996B1C6B927A6614B8F25022099C5D359A9049FF8C5DE7FE339ABFF29CAD8A642DD9B31BCB1E0637AAF920874185FC3AE25F0DFA97BC7935A85D328A135178
Malicious:	false
Preview:	rule:.. meta:.. name: get session user name.. namespace: host-interaction/session.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Owner/User Discovery [T1033].. - Discovery::Account Discovery [T1087].. examples:.. - Practical Malware Analysis Lab 14-01.exe_:0x401285.. features:.. - or:.. - api: advapi32.GetUserName.. - api: secur32.GetUserNameEx.. - basic block:.. - and:.. # - match: get session information (see #463).. - api: wtsapi32.WTSQuerySessionInformation.. - number: 5 = WTSUserName..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\session\get-token-membership.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	438
Entropy (8bit):	4.673618926967937
Encrypted:	false
SSDEEP:	6:hAvlmCut+lLqLTJClES4FfyhL6xXaowK9l9G2ueLOHodFeAqDntevn:mdmCut+lLM5fFfyt6hacFrOIHeltwn
MD5:	CF22FF962B157B357115C43BE7E4FC25
SHA1:	A88D7151F8C9DE9E87F19D97D5389D02FFBD53C4
SHA-256:	5F7260EA04EB7E10537788C935F0B0171ACAAB938827661DFA365364DD7ABE0D
SHA-512:	883CDC7C1EBBCEBA9B9DF870F6058E1C80118ACE9FB68138CA4E7B934A28AFF7B43470553CA56FD0BD36F5A1974631796E20986692CA1E2D1277602427F2E64F
Malicious:	false
Preview:	rule:.. meta:.. name: get token membership.. namespace: host-interaction/session.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Owner/User Discovery [T1033].. examples:.. - mimikatz.exe_:0x40DABE.. features:.. - and:.. - api: advapi32.CheckTokenMembership.. - optional:.. - api: advapi32.AllocateAndInitializeSid.. - api: advapi32.FreeSid..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\session\get-user-security-identifier.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.698233258078636
Encrypted:	false
SSDEEP:	12:NVzdmCgmHIBzlLM5/h1zJc/gdWe9+Y9+v:NVQC3IBzl4JRJc/gdWe9f9+
MD5:	85272F38D11831980A43917D00C25E01
SHA1:	E7095C85996320D6D4AC937DCEAE17AA15B63488
SHA-256:	56E9BFE90808706DAE87EC2410F0056875A81015380598891DE870A910D0EB7D
SHA-512:	6F506CC12C6098A1D839DCF936552E8DFF70D39D98715AFA9C662A770FF398CB1449AD0E2131BAB6509B091884D9D324DA9438F41B39E65122DC8A9D1DF41F88
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: get user security identifier.. namespace: host-interaction/session.. author: michael.hunhoff@fireeye.com.. scope: basic block.. att&ck:.. - Discovery::Account Discovery [T1087].. examples:.. - mimikatz.exe_:0x40DC42.. features:.. - or:.. - api: advapi32.LookupAccountName.. - api: advapi32.LsaLookupNames.. - api: advapi32.LsaLookupNames2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\thread\create\create-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	854
Entropy (8bit):	4.750990320447688
Encrypted:	false
SSDEEP:	24:mM3lX5CO4KY6f1n2ctoNIbn/Ll77aACnDrbDpCT:mM3BUOLfN2ctoNI3l71Ejy
MD5:	14D2D260E274EBF17473791AE5C4D626
SHA1:	5A7ABECB2C26FCDA5988825CC875D8A40A71B32F
SHA-256:	0351F59425F3F9A44CD14ED119DF39F634C398565848519E9B9010DD9C140317
SHA-512:	F9B9F609918EE51D7C38940839A47844277013CA619E36F39F6BB2577882BE33C256DE7047EF43E2E4D1F4720C6F5FAAA4551754985677DDAE1E33F72DC922FD
Malicious:	false
Preview:	rule:.. meta:.. name: create thread.. namespace: host-interaction/thread/create.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Process::Create Thread [C0038].. examples:.. - 946A99F36A46D335DEC080D9A4371940:0x10001DA0.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x408020.. features:.. - or:.. - api: kernel32.CreateThread.. - api: _beginthread.. - api: _beginthreadex.. - api: PsCreateSystemThread.. - api: SHCreateThread.. - api: SHCreateThreadWithHandle.. - api: kernel32.CreateRemoteThread.. - api: kernel32.CreateRemoteThreadEx.. - api: ntdll.RtlCreateUserThread.. - api: ntdll.NtCreateThread.. - api: ntdll.NtCreateThreadEx.. - api: ntdll.ZwCreateThread.. - api: ntdll.ZwCreateThreadEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\thread\list\enumerate-threads.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	324
Entropy (8bit):	4.631679632503376
Encrypted:	false
SSDEEP:	6:hAvlmAk4lLqL60cCS4FfJowdnvLdVBE/9GGnDmnFRy:mdmGlLzCfFfJbnvLdXEXQA
MD5:	813483736B3BF965F3BD2DEB88822FD0
SHA1:	C23C38CC2A16E225221E9E6B9CE903DD176D9CF1
SHA-256:	F3BEF6B1E5EFFEE72367AEDB4AFCD5D91269276FCCE332A1802E453D0C018751
SHA-512:	83F48021581F7A782C894B0D28D3141904AFDA9D881028A9ECDBC97B251E4EF71F57CA0E1EE3C00C8CB467887979B61F3CB244D50AD92F9E76C4FE6A2A94780E
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate threads.. namespace: host-interaction/thread/list.. author: moritz.raabe@fireeye.com.. scope: function.. examples:.. - Practical Malware Analysis Lab 05-01.dll_:0x10006BD5.. features:.. - and:.. - api: kernel32.Thread32First.. - api: kernel32.Thread32Next..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\thread\resume\resume-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	482
Entropy (8bit):	4.845478502327676
Encrypted:	false
SSDEEP:	12:mdmJAflLqQNGwKY6fWP/OhbnvNtEMDXvXh:mMJAflVNdKY6fWnOhzd/x
MD5:	7C56314F7D15C97541D109F3E0243138
SHA1:	C678EFBFEB1794C5EF05ECA769CEDCF573101D40
SHA-256:	7CB724528078CBC1C07D23D3E3B0F6B8EE5AC2D497885CAC24459CC03A18786B
SHA-512:	A026BF5A7BE224D409DD997A0449BF00449114637F3D6CD6F41BBBA486453099DE961495C84C5B47B08366C174E987268494BB71B25C99C17C3CBD9CA5F534E9
Malicious:	false
Preview:	rule:.. meta:.. name: resume thread.. namespace: host-interaction/thread/resume.. author: 0x534a@mailbox.org.. scope: basic block.. mbc:.. - Process::Resume Thread [C0054].. examples:.. - Practical Malware Analysis Lab 12-02.exe_:0x4010EA.. - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:0x4044C7.. features:.. - or:.. - api: kernel32.ResumeThread.. - api: ntdll.NtResumeThread.. - api: ntdll.ZwResumeThread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\thread\suspend\suspend-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	428
Entropy (8bit):	4.793986931554746
Encrypted:	false
SSDEEP:	6:hAvlmWDwBZJlLqL6HOLBoq7/FGyZlK5G6fuIQoP/CCow0ElCD7TKz6hYzBN:mdmW8JlLRkLNGwKY6f3QoP/tOEMDXvu
MD5:	D09BB95FFB6C63C8DFFAF49B8A1C7EA7
SHA1:	71FF1282B9AF30BCABAD1FEED659F06FF22F8682
SHA-256:	A8C91A47D27F7E5705BAA6652C6700C33F7D506319768AB2A26A1D920F837227
SHA-512:	A82E8CB666E90DF85CCAEC59E16EFC859306BE4F2B5513F1E4E5CC37895E1B8CD55CB6D4A93A62B8447DBE97418DFCDDB362FD06F238006FE63C82A9BE73710A
Malicious:	false
Preview:	rule:.. meta:.. name: suspend thread.. namespace: host-interaction/thread/suspend.. author: 0x534a@mailbox.org.. scope: basic block.. mbc:.. - Process::Suspend Thread [C0055].. examples:.. - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:0x502f4c.. features:.. - or:.. - api: kernel32.SuspendThread.. - api: ntdll.NtSuspendThread.. - api: ntdll.ZwSuspendThread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\thread\terminate\terminate-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	484
Entropy (8bit):	4.803456964260542
Encrypted:	false
SSDEEP:	12:mdmmlLC/5CGh/wKY6fUP/ZhbnvLJdZkxTPXLn:mMmlG/5CO4KY6fUnPzLQPXb
MD5:	8B5BE6D7A61EEDA7AAF5B7F7E46B6CC8
SHA1:	9759A66BA19F59F2EA2179A1EB49B94848E9EFB0
SHA-256:	E2B36CD4971A310A2684CE406E9E1EFFF542FE18D4D4FF7C05772A96C42F9AED
SHA-512:	37C02C9F80406BE59A8D91D6A67F5B8E0EE0314E7D9A87FFEEF1773DCCF315D9557D343306DE922799D8052A649651A5079133A68E7910DA586836064B8AA6B7
Malicious:	false
Preview:	rule:.. meta:.. name: terminate thread.. namespace: host-interaction/thread/terminate.. author:.. - moritz.raabe@fireeye.com.. - michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Process::Terminate Thread [C0039].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10003286.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x407E90.. features:.. - or:.. - api: kernel32.TerminateThread.. - api: PsTerminateSystemThread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\uac\bypass\bypass-uac-via-appinfo-alpc.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.053546268115014
Encrypted:	false
SSDEEP:	12:mdmkCYCCClLH+ZEfFfyN+tQPAcA+Y2ShPSQAccxaLWGu+Vt7NYEl5P/L+y:mMRCCljCEUNhPAcAzIc0aLWIpYEv3Ky
MD5:	0EE750FBFC86EFD2CEB74D2807C61B52
SHA1:	EF4D459CC55EEB3C0D33C3740E2B44DB14478910
SHA-256:	BE7652B12286C1248D00A23FA2772F7D5ED49932315F03AAC5D40F95BD3FE860
SHA-512:	11B8FF103EB056450D388D7043D6DCCC8384DAD3951F0355F64890B7237EB6E7D9128875957BE2E19889416764C8DB61270505B9A851025E43F5D0CDF995B744
Malicious:	false
Preview:	rule:.. meta:.. name: bypass UAC via AppInfo ALPC.. namespace: host-interaction/uac/bypass.. author: richard.cole@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002].. references:.. - https://github.com/hfiref0x/UACME/blob/0a4d2bd67f4872c595f0217ef6ebdcf135186945/Source/Akagi/methods/tyranid.c#L597.. examples:.. - 2f43138aa75fb12ac482b486cbc98569:0x180002304.. features:.. - and:.. - string: "winver.exe".. - string: "WinSta0\\Default".. - string: "taskmgr.exe".. - api: WaitForDebugEvent.. - api: ContinueDebugEvent.. - api: TerminateProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\uac\bypass\bypass-uac-via-icmluautil.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	946
Entropy (8bit):	4.997507286426352
Encrypted:	false
SSDEEP:	24:mM+wljubUNhPAcAPMYvfEqzTnI6rImom/iP:mM9dyULIcaMYvfEqvnI0a
MD5:	29B68B51DEF795B41D151C7FE06B1AEC
SHA1:	2AF604B98504E242B65729B83B9347C7E2C97491
SHA-256:	DE97237B1317034F6CA1E494F4383DEADCE798E8D203C041AD2C6ABE01A478B9
SHA-512:	147A212E2AF5480458890BFC66EDA31088FF642B8019AAA5E2B811D3A858816E2683A27F44D60BDC567897FC5192AD872F49087CA2347DB48B2796311F9DC901
Malicious:	false
Preview:	rule:.. meta:.. name: bypass UAC via ICMLuaUtil.. namespace: host-interaction/uac/bypass.. author: anamaria.martinezgom@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002].. references:.. - https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d.. examples:.. - 08ac667c65d36d6542917655571e61c8.exe_:0x406831.. features:.. - and:.. - or:.. - string: "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".. description: T_CLSID_CMSTPLUA.. - bytes: F9 C7 5F 3E 51 9A 67 43 90 63 A1 20 24 4F BE C7 = T_CLSID_CMSTPLUA.. - optional:.. - or:.. - api: ole32.CoGetObject.. - or:.. - string: "{6EDD6D74-C007-4E75-B76A-E5740995E24C}".. description: IID_ICMLuaUtil.. - bytes: 74 6D DD 6E 07 C0 75 4E B7 6A E5 74 09 95 E2 4C = IID_ICMLuaUtil..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\uac\bypass\bypass-uac-via-token-manipulation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	677
Entropy (8bit):	5.045671761111734
Encrypted:	false
SSDEEP:	12:mdmkCyVSwlLH+ZEfFfyN+tQPAcA+Y2ShPSQAccDvhaLWGmkt6yG8i:mMeljCEUNhPAcAzIcghaLWQ1i
MD5:	A96683B28D3E1F6366757461F51D5AFB
SHA1:	A6DC64B41B9D59D7A7868FD0FB09E0E6E5C672B8
SHA-256:	907E897BFAE999B5F50BBD807B532F872FB7A54838AF8581D6C179D1401E2EFA
SHA-512:	45C63C1A2559C6D67DFE31DC47394975BF4741DF347371274ACBB20304698EA9E445A044C395D9B11530602E86AF2D5A086CC71C21C4750843A80D0EA51B047C
Malicious:	false
Preview:	rule:.. meta:.. name: bypass UAC via token manipulation.. namespace: host-interaction/uac/bypass.. author: richard.cole@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002].. references:.. - https://github.com/hfiref0x/UACME/blob/0a4d2bd67f4872c595f0217ef6ebdcf135186945/Source/Akagi/methods/tyranid.c#L83.. examples:.. - 2f43138aa75fb12ac482b486cbc98569:0x180001B48.. features:.. - and:.. - string: "wusa.exe".. - api: ShellExecuteExW.. - api: ImpersonateLoggedOnUser.. - api: GetStartupInfoW.. - api: CreateProcessWithLogonW..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\host-interaction\wmi\connect-to-wmi-namespace-via-wbemlocator.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.852437872199169
Encrypted:	false
SSDEEP:	12:NVzdmGeXojQlLrfFfyP/6hkCFhW23Xsps1lqQIy7AIHsuXv:NVQ1XoUl3Un6+sXL170IF
MD5:	0D59DE8957FECCA918ED9E588C87C87C
SHA1:	B45AA8B04F63D31741DEA41622CEF73D7C7E38F4
SHA-256:	EBE598368C8F96B0FF950D7E17D56510ECD236881F2FC6C7900EF973D1BCBC96
SHA-512:	CC0FC3D40D75ACDFF334CE4032A2D5CC85AB4B24D4590C8DE041FB036995120E2A7DA532B5978FFE7F750554032C57FAF435E8D4C6D39C57636E3E56CBDCD693
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: connect to WMI namespace via WbemLocator.. namespace: host-interaction/wmi.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Execution::Windows Management Instrumentation [T1047].. examples:.. - al-khaser_x64.exe_:0x14001956E.. features:.. - and:.. - basic block:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator.. - bytes: 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator.. - offset: 0x18 = ppv->ConnectServer.. - optional:.. - string: /ROOT\\CIMV2/i.. - string: /ROOT\\DEFAULT/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\impact\inhibit-system-recovery\delete-volume-shadow-copies.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	616
Entropy (8bit):	4.903448470759395
Encrypted:	false
SSDEEP:	12:mdmuA7lCMOCfFfy5fHbrLTfxM4y9KqAt6mj5xhXuLJggaJc2HDi:mMRlPOCURbfT24aK1j5nX4
MD5:	FA264878BA65410576C84648863BA06E
SHA1:	D9B8B1CF9D45EB5031330E06BA609CC25D604BC9
SHA-256:	AF4672C54C76AF2B7938002D2FA8163F406BA697450F0F70FA0DA62DEFF3114F
SHA-512:	71299DB843011F7C082077C351F02816840B59556EB1A8821EC01DC63A6805CDF6CAA49E7FBBF2B83515BBD6EADA25591FBB2A8C1532BAFDB28E4D20150CA9B6
Malicious:	false
Preview:	rule:.. meta:.. name: delete volume shadow copies.. namespace: impact/inhibit-system-recovery.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Impact::Inhibit System Recovery [T1490].. - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004].. mbc:.. - Impact::Disk Content Wipe::Delete Shadow Drive [F0014.001].. examples:.. - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0.. features:.. - or:.. - string: /vssadmin.* delete shadows/i.. - string: /vssadmin.* resize shadowstorage/i.. - string: /wmic.* shadowcopy delete/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\impact\wipe-disk\wipe-mbr\overwrite-master-boot-record-mbr.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.005128096663826
Encrypted:	false
SSDEEP:	12:mdmKaZyolCdpfFfy9TaLFCdf9C89/wmeI7gtcI7gaIHVxn:mMKaZtlupU92L4fV9//eI73I7DIfn
MD5:	1CE137C88869DF92DFE6876061644EAD
SHA1:	A87F4F3178798933DCFAB1F564208C57672457C8
SHA-256:	79F4535E842BCC4BD184390ED41660F9A997A7211EF036ADF3F20502965E2400
SHA-512:	92373ACF73D214D14E0D8CC7E124D71E1A9F49DA05EC1C6E276131BC8B547C7FA3F7AA408ED0DE6ADE574F38C17C12A2FF701EFD7204D59833FC1906EAE4651E
Malicious:	false
Preview:	rule:.. meta:.. name: overwrite Master Boot Record (MBR).. namespace: impact/wipe-disk/wipe-mbr.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Impact::Disk Wipe::Disk Structure Wipe [T1561.002].. examples:.. - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x100070A0.. features:.. - and:.. - string: "\\\\.\\PHYSICALDRIVE0".. - api: kernel32.WriteFile.. - number: 0x200 = MBR/sector size in bytes.. - or:.. - number: 0x55 = MBR signature constant.. - number: 0xAA = MBR signature constant.. - optional:.. - api: kernel32.CreateFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\README.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	314
Entropy (8bit):	4.3411885465735365
Encrypted:	false
SSDEEP:	6:ScSCFBmHtgQFAs9zufKICiZcSQj5FjEEr5dEllWLbutQ5o2ewRumv:XSGB40DrCi9k3EEt+W2tuew7
MD5:	92701B25C936AAE3AA22FE5E38E95E9E
SHA1:	E2F1E604695676D74956CC5A352C9C0CB9A6E2E4
SHA-256:	FD08EAC19AC12A83C4D68278C43D78D6C1DFFA522DC2892AFFA78FD6790B6D6B
SHA-512:	96CAB7538EF74FFAD275261FC3BE405FF719A3DA2A00F55A14859F09B7939AAE4C755BA609E886D5E7E93B73040D1590D997179CB1543AF5A78160BCEC90B2F9
Malicious:	false
Preview:	# file limitations....This directory contains rules with the special namespace `internal/limitation/file`...capa uses these rules to identify files that it cannot handle well, such as .NET modules or packed programs...When one of these rules matches, capa will render the description as a warning message and bail.

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-autohotkey-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	744
Entropy (8bit):	4.647790337585427
Encrypted:	false
SSDEEP:	12:mdm1qnbKwlZCg/oKmdozyVyyyys1nkx+fhqrg5MQEd7zRxgpQFpvLnB/FAI:mM1cRlZFXmOirslksFtEd3RxgiXznB/Z
MD5:	90009F9FA0DD34CC03DBCDF4CEE70D6A
SHA1:	AFBC9562416A211CAB2A5649AA8E5C135F485077
SHA-256:	09B2CE2ECDEA31707D48DB3A5C472D754C2BAE1002542C8DA2A51D28A15A4EFE
SHA-512:	35B63281BAB1A0A9B943262EF88881946E07F2A4B9308357F1B27930785F229511031511754E1ACE84966BEF6A2BD81D8878DAEEFCF787AA04A73D11AE197417
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) autohotkey file limitation.. namespace: internal/limitation/file.. author: "@mr-tz".. description: \|.. This sample appears to be compiled with AutoHotkey..... AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create scripts... AutoHotkey was developed from AutoIT and the scripts may be similar... capa cannot handle AutoHotkey scripts. This means that the results will be misleading or incomplete... You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe... scope: file.. examples:.. - 92D8EA10EA30E8B534334A1C9857A455.. features:.. - or:.. - match: compiler/autohotkey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-autoit-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	861
Entropy (8bit):	4.634309546442179
Encrypted:	false
SSDEEP:	24:mM17anGeQPlZFqkmONpQeBEdQRxgiXznB4uMy:mM13P06tBSsxPB4uMy
MD5:	787A08946A783D5DE32FCCDC4ADBD840
SHA1:	63D1ADDA4162BBECE613E871F4CE4F28C8F236C5
SHA-256:	7937C8F3D3AAE1415A7FC5FA9834BB8508CC23F57967610CD23EC723364052AF
SHA-512:	16349F74F367F47ECC11EE6C2F956AEB0F23285A697D9C3CEFFC69E3AA1AB05A9A2A9B7DC240CB2E423C755346FDA00D3099590885F8676FF59029527684622D
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) autoit file limitation.. # capa will detect dozens of capabilities for AutoIt samples,.. # but these are due to the AutoIt runtime, not the payload script... # so, don't confuse the user with FP matches - bail instead.. namespace: internal/limitation/file.. author: william.ballenthin@fireeye.com.. description: \|.. This sample appears to be compiled with AutoIt..... AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI... capa cannot handle AutoIt scripts. This means that the results will be misleading or incomplete... You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe... scope: file.. examples:.. - 55D77AB16377A8A314982F723FCC6FAE.. features:.. - or:.. - match: compiler/autoit..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-dotnet-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	776
Entropy (8bit):	4.547339190283957
Encrypted:	false
SSDEEP:	24:mM1JZeXbM4AslZFqkmZEXEG/ogiX+nBDp9:mM16XgNs0D+JAiBD/
MD5:	41E3EB2186033FC060C5F7D5E4CE8CE9
SHA1:	E4D511EE6CAEC9A5CB27CE18ED035A3CBBD75E5E
SHA-256:	A11893E24E1F8831D7B0DD61CCEA3380D193FFBC9CC3F8478B39FB4364543DFE
SHA-512:	9252109606D2F145EB6C59A158F8FFEEAC826476B5B0ABD047EF18228A61A39E21CD2AF2C218CC9B4D3AE073D1A9DD2C34F290EE3D39D5339E15892AA06FB3DB
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) dotnet file limitation.. # capa won't detect much in .NET samples... # it might match some file-level things... # for consistency, bail on things that we don't support... namespace: internal/limitation/file.. author: william.ballenthin@fireeye.com.. description: \|.. This sample appears to be a .NET module..... .NET is a cross-platform framework for running managed applications... capa cannot handle non-native files. This means that the results may be misleading or incomplete... You may have to analyze the file manually, using a tool like the .NET decompiler dnSpy... scope: file.. examples:.. - b9f5bd514485fb06da39beff051b9fdc.. features:.. - or:.. - match: runtime/dotnet..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-installer-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	661
Entropy (8bit):	4.503986059586024
Encrypted:	false
SSDEEP:	12:mdm1FXFfKbuXFo2xepWuElZCg/IRpKmEX7E1iTXR3PwgExV3gNA/eV4nBdAROZOi:mM1tZaYe2xeclZFqkm+7E1iBogEx6NA1
MD5:	477542106A07CF847807FADDEC3810ED
SHA1:	2B2CB4FCA588DF94E20BC8901A916E1CEBDC391D
SHA-256:	77F3D0BE0D88477E20727A58EF45F31DC82511EF167CDA719A3B38277CA47BEF
SHA-512:	288D210B6835DFF5B31EB1753CA672D3D77346790D16E29D6627B3D8E42CCB98EDC644256382FB64F5B0ECA300535FB2BDE4986BC8EA667694B265D5E2FF32A5
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) installer file limitation.. # capa will likely detect installer specific functionality... # this is probably not what the user wants... namespace: internal/limitation/file.. author: william.ballenthin@fireeye.com.. description: \|.. This sample appears to be an installer..... capa cannot handle installers well. This means the results may be misleading or incomplete... You should try to understand the install mechanism and analyze created files with capa... scope: file.. examples:.. - 70FD3347786ED7A4A43910E6778EF296.. features:.. - or:.. - match: executable/installer..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-packer-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	606
Entropy (8bit):	4.607323515975075
Encrypted:	false
SSDEEP:	12:mdm1vKwlZCg/IRpKmat93rEUPwglvsxVnBghV4nBDU6v:mM1vRlZFqkmy9rEUoglExtBghV4nBDzv
MD5:	9AD0B90D48BA022FE93514A0A32CE922
SHA1:	6A5A88129D4C3C30255831B2C6912597B1908B88
SHA-256:	776E369629FE8EF8FCD96BFF49654CF4F2AB008A6B21F8121FB13E31E6615C1E
SHA-512:	C31B271F2E5458191FF78F31518AB2E1924E9E2C62DAAA32576FC7DE7A83DD57C785F25696FFED8FE6FD7C952ACFF33FC19E76CD23A88E16355C5FF9FC8F054D
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) packer file limitation.. namespace: internal/limitation/file.. author: william.ballenthin@fireeye.com.. description: \|.. This sample appears to be packed..... Packed samples have often been obfuscated to hide their logic... capa cannot handle obfuscation well. This means the results may be misleading or incomplete... If possible, you should try to unpack this input file before analyzing it with capa... scope: file.. examples:.. - CD2CBA9E6313E8DF2C1273593E649682.. features:.. - or:.. - match: anti-analysis/packer..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\internal\limitation\file\internal-visual-basic-file-limitation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	701
Entropy (8bit):	4.521799434308475
Encrypted:	false
SSDEEP:	12:mdm1rKwlZCg/oKmdoXulzgWrp7sHg3EFRxgpJpsscnB1131FSn:mM1rRlZFXmOXgzgWrpsHcEFRxgd1cnBS
MD5:	FFCA9F6FF286D231A8C3A678EB2CE5B2
SHA1:	4B6EDA858DC03CC0129CA65D3BD6C73B7569EF59
SHA-256:	FE921125787BD54F311E36E5BA0B79B380D2279D19931BA80E0824511851A677
SHA-512:	FCA7D031D0D26CC3A426A12802A786627EF3E26BD7FB935CDF6A235C1FF304EF20E5801FE78A0016D342B2FCA73F3E0F439DD035C3F4A7727981FDD629B45B2B
Malicious:	false
Preview:	rule:.. meta:.. name: (internal) Visual Basic file limitation.. namespace: internal/limitation/file.. author: "@mr-tz".. description: \|.. This sample appears to be compiled from Visual Basic..... Visual Basic is a Microsoft programming language that can be compiled to native code or an intermediate.. representation called P-Code... capa cannot handle Visual Basic executables well. This means that the results will be misleading or incomplete... You may have to analyze the file manually, for example using a tool like VB Decompiler... scope: file.. examples:.. - 9bca6b99e7981208af4c7925b96fb9cf.. features:.. - or:.. - match: compiler/vb..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\allocate-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	701
Entropy (8bit):	4.8707374406709665
Encrypted:	false
SSDEEP:	12:mdmXtNDGwKCe2bnvL2OfIkbsVjN9nQ57jn3x:mMXtNDdKCe2zL2OfI7I57bx
MD5:	16CB66E081E990877A796542F4034BC9
SHA1:	DA804E183197E5A7F37B388579853653DAB224D4
SHA-256:	007FE7FCBF1434CDFD56E9828F1BA23A897593CAD79C6D1EB94734F5ACD7DCD6
SHA-512:	75C18750FB8DF9200AAAA7AB9B27AF55125A4A1EC14A9F42351FF5752873953E57A312892046A009A096088B5E180276C5AAF90E8E9886C26319320FCFA73E5E
Malicious:	false
Preview:	rule:.. meta:.. name: allocate memory.. author: 0x534a@mailbox.org.. lib: true.. scope: basic block.. mbc:.. - Memory::Allocate Memory [C0007].. examples:.. - Practical Malware Analysis Lab 03-03.exe_:0x4010EA.. # ntdll.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA.. features:.. - or:.. - api: kernel32.VirtualAlloc.. - api: kernel32.VirtualAllocEx.. - api: kernel32.VirtualAllocExNuma.. - api: kernel32.VirtualProtect.. - api: kernel32.VirtualProtectEx.. - api: NtAllocateVirtualMemory.. - api: ZwAllocateVirtualMemory.. - api: NtMapViewOfSection.. - api: ZwMapViewOfSection..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\allocate-rw-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	340
Entropy (8bit):	4.634871830979834
Encrypted:	false
SSDEEP:	6:hAvlmEmkW9cCFFy7/FDGyZlKCeSLowdnvUoQzGqmLCFFRlby:mdmXkWMNDGwKCe2bnvUDXmqby
MD5:	9B7B5C655CE62453EC6423F60F5266B4
SHA1:	533982529FE8DBE5DE37F85964BDC51E933F87CB
SHA-256:	1AF0375F5A2260EE5B20B9240D5BBDBB31EC5EC62E7CAC4DA2F8D061DE28A52B
SHA-512:	55BBA27B5BACA38F9F8AE3CBD117569B4EDBBF7CA1FD4A41067A62C106DDDA16D070FFEA5EDF9638E85BE3FDFFF9FBC3FDD04CC966B40F1959324AFD55CD58EA
Malicious:	false
Preview:	rule:.. meta:.. name: allocate RW memory.. author: 0x534a@mailbox.org.. lib: true.. scope: basic block.. mbc:.. - Memory::Allocate Memory [C0007].. examples:.. - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D.. features:.. - and:.. - match: allocate memory.. - number: 0x4 = PAGE_READWRITE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\calculate-modulo-256-via-x86-assembly.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.577224894782426
Encrypted:	false
SSDEEP:	6:hAvlmGMKOQ3JRcdN3CS1GyZlKZpowUH9XWNLhcCh7tSvTt/W7A/4Av:mdmGMK/5Rc/CoGwKZpAGP1tSvTtxBv
MD5:	DEE9CD5ECCF6ED1CE3990C337345BFFB
SHA1:	3CA6E286605FE5952AD59CC236B4291AC5B141E0
SHA-256:	4C9D92F247AD2465B6C869BCA223AEEA4E17DD66F27441C9C059ED42C35C5400
SHA-512:	5A6FA7D9ADA04AB33AC8E24424D7938C27C12818C82F75690488BAFAF44C16DE8A078BDB0879C38D0970AAC361D38E38C1BA7CC4E9B7662DC0F86EE3987C5276
Malicious:	false
Preview:	rule:.. meta:.. name: calculate modulo 256 via x86 assembly.. author: moritz.raabe@fireeye.com.. lib: true.. scope: basic block.. mbc:.. - Data::Modulo [C0058].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x4049A9.. features:.. # and ecx, 800000FFh.. # and ecx, 0FFh.. - and:.. - mnemonic: and.. - or:.. - number: 0x800000FF.. - number: 0xFF..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\contain-loop.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	310
Entropy (8bit):	4.5433059808015965
Encrypted:	false
SSDEEP:	6:hAvlmG+6dCS1uFfJowbu4nWUqh5XEhFkwXEhywXEhvY:mdmG+oCouFfJkVUqXEhFbXEhNXEhA
MD5:	9E8B3FC880155E135750E296ED04896A
SHA1:	216AEE8F533F11AEF102C558EC28F9A1077A881E
SHA-256:	88AF20FCDA6402C0B18C3203F59CBCF8C2C090206BB4B03734AF9C7842B8AAE3
SHA-512:	B9FC9E1B68A07C827B64E7E11CBA87DA3EB0900760C2010EE37BD33DEFBC98F82A5E367BA9270B9B44B8030927903D7A98D05DABDE94D2380B5C73020833F489
Malicious:	false
Preview:	rule:.. meta:.. name: contain loop.. author: moritz.raabe@fireeye.com.. lib: true.. scope: function.. examples:.. - 08AC667C65D36D6542917655571E61C8:0x406EAA.. features:.. - or:.. - characteristic: loop.. - characteristic: tight loop.. - characteristic: recursive call..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\contain-pusha-popa-sequence.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	468
Entropy (8bit):	4.354003703945544
Encrypted:	false
SSDEEP:	6:hAvlmG+CdCS1uFfJowcHEzGzKoH9GeSMlXavFLSi+SbrlXavFLSSov:mdmG+wCouFfJYNzz34vfx4vQv
MD5:	C50048A64E2DC0277B00165E321F8F23
SHA1:	0C2DC8A54EF725FFFBA6D889EF666CA4B21797B8
SHA-256:	81C0BAC5CC56BBAC1B92B85286640AB0B82F345293B29D2714C3883B00619E88
SHA-512:	7BAFEE73F7673334F43840AB0A7D1606C4329AF60EB94C8A007435B66AA0154C14A42D11B80F019BC084935B90B5CB7FB53CE7FF0FDBEBCB1D1E1BC14BA7375D
Malicious:	false
Preview:	rule:.. meta:.. name: contain pusha popa sequence.. author: moritz.raabe@fireeye.com.. lib: true.. scope: function.. examples:.. - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200.. features:.. - and:.. - or:.. - count(mnemonic(pusha)): 2 or more.. # vivisect.. - count(mnemonic(pushad)): 2 or more.. - or:.. - count(mnemonic(popa)): 2 or more.. # vivisect.. - count(mnemonic(popad)): 2 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\create-or-open-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	481
Entropy (8bit):	4.472958671865563
Encrypted:	false
SSDEEP:	12:mdmG3ERoGwKhIdhDZkxTHhT/4f9/wfa9FOb/97FXn:mMFRodKahUh/C9/6a9Fg/97FXn
MD5:	EB02A5D9618AB28BBF3359D98C13897F
SHA1:	BC04B598727206C536576DA32E774C83D9ED76C1
SHA-256:	627B98381ED63046E7F60AF7EB80B921A6FDBE241D5217662E22A2A59E154E0B
SHA-512:	A0E324373DFB4AA4E1AD1F4CFA28DD211B01CE43C1A18CC0067E0EAA987C67357458630DD39D14FFBFE0D69F4418AC61EAC4F9B56B10A79680BE684A29CA0E76
Malicious:	false
Preview:	rule:.. meta:.. name: create or open file.. author: michael.hunhoff@fireeye.com.. lib: true.. scope: basic block.. mbc:.. - File System::Create File [C0016].. examples:.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E.. features:.. - or:.. - api: CreateFile.. - api: CreateFileEx.. - api: IoCreateFile.. - api: IoCreateFileEx.. - api: ZwOpenFile.. - api: ZwCreateFile.. - api: NtOpenFile.. - api: NtCreateFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\delay-execution.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1108
Entropy (8bit):	4.959588622766166
Encrypted:	false
SSDEEP:	24:mMlodKUAUE6cAwjtkH2EEJGIw7/znDPRDijXIs2JDPeJDixAzX:mMloUJmcTZEiGIwXndGrA4Gs
MD5:	9483F023F7DBC50BD3BA90C2319FB307
SHA1:	A0B3C7AEE84CABAE454994127798D07D782AD212
SHA-256:	DB8CDF65B62CD7F6A348104FE6F7BA7D88A151C4955BB194ACB1C9EA65CD0B3A
SHA-512:	3F8F902B1965A9249F5C881A67184130562154E2E1B402EFF0F412221C9CD140BF2005525114C309C163275D27829A4924BBC8C0668176B43DCA63C1C02C8BA5
Malicious:	false
Preview:	rule:.. meta:.. name: delay execution.. author: michael.hunhoff@fireeye.com.. lib: true.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003].. references:.. - https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp.. examples:.. - al-khaser_x86.exe_:0x449770.. - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6.. features:.. - or:.. - api: kernel32.Sleep.. - api: kernel32.SleepEx.. - api: kernel32.WaitForSingleObject.. - api: kernel32.SignalObjectAndWait.. - api: kernel32.WaitForSingleObjectEx.. - api: kernel32.WaitForMultipleObjects.. - api: kernel32.WaitForMultipleObjectsEx.. - api: kernel32.RegisterWaitForSingleObject.. - api: WaitOnAddress.. - api: user32.MsgWaitForMultipleObjects.. - api: user32.MsgWaitForMultipleObjects

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\get-service-handle.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	293
Entropy (8bit):	4.54997435112567
Encrypted:	false
SSDEEP:	6:hAvlmCIIE5fCS1uFfJowdnvLPRB/9zqRMXj0r9:mdmCNYCouFfJbnvLJpdq2T0p
MD5:	C7D87DCE36C3C3FA4976FBE528873BAE
SHA1:	28F3BC342FC157B35D5DD7FBC3240DEF0F12D7A8
SHA-256:	52844AC823806958C3AF9321F2E85BAC4F1B15B1B616E5BC05A54E447A6310FE
SHA-512:	185D30BAFFC3BF17C3C0823CA4D87E79DE8FBDE404B8EA9D5DC019D7C8801B82BD44033AFCDBBB00F6CFF3438EBB0005CC95D7C87B38D8BBABCF42F8C9E09C91
Malicious:	false
Preview:	rule:.. meta:.. name: get service handle.. author: moritz.raabe@fireeye.com.. lib: true.. scope: function.. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10004706.. features:.. - or:.. - api: advapi32.CreateService.. - api: advapi32.OpenService..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\open-process.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	303
Entropy (8bit):	4.511312600279694
Encrypted:	false
SSDEEP:	3:hAvl5lCIFqbdD5UCy/FoyvNGLG9EGOCowFFfnDS+hNmNxOFQcAWAHHxzsVxFutxA:hAvlmKx7/FDGyZBowdnvUoQzBGStMq/y
MD5:	CC1F5772B27D56DB6C70BA725ABF698A
SHA1:	8391505907D9B56A7C6A13FADE6715D41A0A1C56
SHA-256:	B39626BF6CDA108B1808F7A7F39E8248FF38C13C541177EACF9065718FD78224
SHA-512:	53D9F526C9EC8EC1A05E001E9EEB588A46A6E3ABB715C32C9EE53F47C9A54133F30505BF87154C0E5C9A60F12493AB7130F6F4A67B1B973B12E60401A8AF676E
Malicious:	false
Preview:	rule:.. meta:.. name: open process.. author: 0x534a@mailbox.org.. lib: true.. scope: basic block.. examples:.. - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D.. features:.. - or:.. - api: kernel32.OpenProcess.. - api: NtOpenProcess.. - api: ZwOpenProcess..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\open-thread.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	320
Entropy (8bit):	4.707130963283611
Encrypted:	false
SSDEEP:	6:hAvlmKI7/FDGyZBow0ElCD7TKz6hwzBuLqd:mdmKqNDGYOEMDXv9ed
MD5:	5FF83A4111B3A76BECAD57785717E467
SHA1:	8DDB95081B1E71B9FF4911A706CBC5FB93F8082B
SHA-256:	DF4453FA2AF8161272E5C495F7B6DEA1C89B3791FF038CCAF4E936D00A8D2CD6
SHA-512:	4D3CEAE082DF73E203432134AC1FC41AD1F0BD1C6E43091D1528146A970847697DB5EAB3751B63566888950A2FB1E7E4C9AF12B875D05290C249CC5B4887CAF2
Malicious:	false
Preview:	rule:.. meta:.. name: open thread.. author: 0x534a@mailbox.org.. lib: true.. scope: basic block.. examples:.. - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C.. features:.. - or:.. - api: kernel32.OpenThread.. - api: NtOpenThread.. - api: ZwOpenThread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\peb-access.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1225
Entropy (8bit):	4.636456839417251
Encrypted:	false
SSDEEP:	24:mMb5odKUSGWrCcA52EWaDTXUu2EWawXUhSfSeXUd/0/DVSoVu7V2EWa8XU+n:mM9oUpec3ErbUNEaUQqIUd/0/3uAE+U8
MD5:	F7B1107A05E179DB5B210AEE7DB074B6
SHA1:	2C94BC31239108566953F4C050081C35D3385E57
SHA-256:	02326ADDB70DF40BB3FDC791534CA3BC3AC33313318C31886DF9677912D0A88F
SHA-512:	4B0665B3E1DD53EB5ECEED32F0991449BA21394E0821B342004BCAC62E5AF871E814E9D884FF9EF7DA2CC0FC97F46DCBF4469AABED834DA4D158650BD3E0961D
Malicious:	false
Preview:	rule:.. meta:.. name: PEB access.. author: michael.hunhoff@fireeye.com.. lib: true.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp.. examples:.. - al-khaser_x86.exe_:0x420D20.. features:.. - or:.. - characteristic: peb access.. - and:.. # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtGlobalFlag.cpp#L41.. - characteristic: fs access.. - or:.. - offset/x32: 0x30.. - and:.. - number/x32: 0x30.. - mnemonic: add.. - and:.. - characteristic: gs access.. - or:.. - offset/x64: 0x60.. - and:.. - number/x64: 0x60.. - mnemonic: add.. - and:.. # WoW64 PEB address is fetched via the WoW64 Thread Environment Bloc

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2103
Entropy (8bit):	3.951047815464319
Encrypted:	false
SSDEEP:	48:mMfI+Lj/YFEUqUY/LgMqC4AxGuD8IKTIx:JrQH5LG
MD5:	4C9970919D5420A75BF4C37F43CB2CE0
SHA1:	FDAFC046489F3968842EE1D0B88485999AAAF26F
SHA-256:	36201926D91B9EE8545EBF97ABB2116656F6454634B194AF9CDD762E9D646AFF
SHA-512:	41BBE62E81E532EB6FA13F76504D8FE506BE19DDCA63AAD38AD8A2A63A18BF535123AB799BD3E96734517713A9CBC432FE868BE6F034F96509A828F18DBB67AD
Malicious:	false
Preview:	rule:.. meta:.. name: validate payment card number using luhn algorithm with lookup table.. author: "@_re_fox".. lib: true.. scope: function.. mbc:.. - Data::Checksum::Luhn [C0032.002].. examples:.. - 1d8fd13c890060464019c0f07b928b1a:0x401920.. - 60abaef3fda131ffa20df480cb3f8029:0x4048e0.. features:.. - and:.. - not:.. - characteristic: nzxor.. - characteristic: loop.. description: Iterate over CC digits.. - basic block:.. - or:.. - 8 or more:.. - description: Digital root lookup table.. - number: 0x0.. - number: 0x2.. - number: 0x4.. - number: 0x6.. - number: 0x8.. - number: 0x1.. - number: 0x3.. - number: 0x5.. - number: 0x7.. - number: 0x9.. - 8 or more:.. - description: Digital root lookup table via neg numbers.. - number: 0x0.. - number: 0

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2230
Entropy (8bit):	3.7401923233937193
Encrypted:	false
SSDEEP:	24:mMfiV/4K4CiGXUFS/1S4CyhNNev6jL7JujWRv8IRjufwfImjw:mMfILjiAUCg/6jZuWJ8IxuWIT
MD5:	10FE1B8E7AA07E216668DCE807209BA8
SHA1:	ADBF9162D1B934C5627F7A0109F9639B498AE72B
SHA-256:	21DD40E9A420A76CDA9CE601103D0EBA40B624DF921C3879BF8C3064270937E2
SHA-512:	9E64DE0426AE167A851E0E049175021E4483C2827C89A83EB3DBD65C518A5777DE0F4617FE0C0CC9B0A0647F7C3FB3BEB70AC82D2F2D2D91A01088AFE8E24DA2
Malicious:	false
Preview:	rule:.. meta:.. name: validate payment card number using luhn algorithm with no lookup table.. author: "@_re_fox".. lib: true.. scope: function.. mbc:.. - Data::Checksum::Luhn [C0032.002].. examples:.. - 6fcc13563aad936c7d0f3165351cb453:0x4026C0.. features:.. - and:.. - characteristic: loop.. description: Iterate over CC digits.. - or:.. - basic block:.. - and:.. - or:.. - mnemonic: add.. - and:.. - mnemonic: shl.. - number: 0x1.. - and:.. - mnemonic: imul.. - number: 0x2.. - mnemonic: cmp.. - number: 0x9.. - description: Digital Root check number*2 < 0x9.. - and:.. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x9.. - description: Compare number to 0x9 for Digital Root.. - basic block:..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\lib\write-process-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	443
Entropy (8bit):	4.841966045592642
Encrypted:	false
SSDEEP:	6:hAvlmSFVuItdCFF3CS1uFfyhuBaGWFsJVowkxbmxHwU8BIeLFFopI0FF3I0FFLyE:mdmSDMCouFfyBGW2V2lmxHvPek9yJ+n
MD5:	167CAFAF2DA9F7ED8C890B8809DF294E
SHA1:	AA273F36CFB345A25E0C41E607A245F7670AAC3D
SHA-256:	4120C52F5D591C7AD46B6DD65441C0A0251CEEC1018347A34334AF7088144794
SHA-512:	A38F215259CA22CA4AA73EEDA45B1F8C3FC31CDF87905929B234D8B79CD2668E5B244EF7FB124270B43B2D8C80EEF4ECF927D9CC23ED9AA385E55C2A4A40141B
Malicious:	false
Preview:	rule:.. meta:.. name: write process memory.. author: moritz.raabe@fireeye.com.. lib: true.. scope: function.. att&ck:.. - Defense Evasion::Process Injection [T1055].. examples:.. - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF.. features:.. - or:.. - api: kernel32.WriteProcessMemory.. - api: ntdll.NtWriteVirtualMemory.. - api: ntdll.ZwWriteVirtualMemory.. - api: NtWow64WriteVirtualMemory64..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\access-peb-ldr_data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2035
Entropy (8bit):	4.795860826040232
Encrypted:	false
SSDEEP:	24:mMrwel59a/CJ0cAaSfQ4BFdaFBa5qu3Fw4pHfczimFbja/6XURldMXUPpkG:mM7XQaJ0c1QaLKSCkziy6/8URWUPpH
MD5:	6B6DCD03C307CCDF8DB2988DDE0786CA
SHA1:	954655E4C9E4687EBA1ACB268CC62D689E50D7BB
SHA-256:	6724A536C77C6E0ACD202D71512CC15F3BF37B36CE22E7CDFA6C5395521F30EB
SHA-512:	6942566784C68F146CEC77CF4D42538F1F4960353227485484596C743778DA4BA694D5733CA8109F3DA18B7047CB31BDECF02AF8D389ABAA533E534BC9AD55EB
Malicious:	false
Preview:	rule:.. meta:.. name: access PEB ldr_data.. namespace: linking/runtime-linking.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Execution::Shared Modules [T1129].. references:.. - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm.. - https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8.. examples:.. - 3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7.. features:.. - or:.. - description: x32.. - and:.. - description: resolve the PEB.. - or:.. - match: PEB access.... # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0.. # checking for fs:0 and a (possibly unrelated) number or offset often results in false positives.... - offset/x32: 0x0C = PEB.LDR_DATA.... - or:.. - description: resolve a module list.. - offset/x32: 0x0C = PEB.L

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\get-kernel32-base-address.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	890
Entropy (8bit):	5.188734376625582
Encrypted:	false
SSDEEP:	24:mMCQh6l59a/CJ0cAFAqlfgSfQglRxMgwtkfx3yEyb8yS:mMYXQaJ0cBaoQfl/ddn88z
MD5:	148F8DA804B5BDF3310B96B03ACB8234
SHA1:	86592322290F8FC332EFB253C0B14693195594CD
SHA-256:	C9E6FC570D124FF040207C72E1371AFD03A0BE616EA881DBFD2918D6A0C52A13
SHA-512:	47F2C1D20386CC20972470FBDD5DA3080628A8E71CE7936A4B6453A85DDC5A727ECCDBE20B1BFEBDE77A07A6091EE11A601FB8A0441D888922B425823951E0BB
Malicious:	false
Preview:	rule:.. meta:.. name: get kernel32 base address.. namespace: linking/runtime-linking.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Execution::Shared Modules [T1129].. references:.. - https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html.. - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm.. examples:.. - 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d:0x406936.. features:.. - and:.. # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink.. - match: access PEB ldr_data.. # -> current module -> ntdll.. - count(offset(0)): 2.. # -> kernel32 -> LDR_DATA_TABLE_ENTRY.DllBase.. - or:.. - offset/x32: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase.. - offset/x64: 0x30 = LDR_DATA_TABLE_ENTRY.DllBase..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\get-ntdll-base-address.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	875
Entropy (8bit):	5.187541628567976
Encrypted:	false
SSDEEP:	24:mMCbl59a/CJ0cAFAqlfgSfQglRKgMgwtxcryEyb8yS:mMwXQaJ0cBaoQflpMkn88z
MD5:	8855DD46A4B32FB915E4861CDAB610FD
SHA1:	9BE18B9AB9ABDA81F88474B11A9F84D513986615
SHA-256:	1A6FCB015B60A190A82E2E6241E28872142E25E33FA2236102D6F3829CF25EAA
SHA-512:	B082B07BAB4333DCA42B800E82FAE8E41170EDC658594EDB7C15D72F3DA6B5F26BA97B9CBCF997CDF6CDF0DA773D4967AD94EC2F89F91586D2ACA94D8743DD90
Malicious:	false
Preview:	rule:.. meta:.. name: get ntdll base address.. namespace: linking/runtime-linking.. author: moritz.raabe@fireeye.com.. scope: basic block.. att&ck:.. - Execution::Shared Modules [T1129].. references:.. - https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html.. - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm.. examples:.. - 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d:0x40694A.. features:.. - and:.. # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink.. - match: access PEB ldr_data.. # -> current module.. - count(offset(0)): 1.. # -> ntdll -> LDR_DATA_TABLE_ENTRY.DllBase.. - or:.. - offset/x32: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase.. - offset/x64: 0x30 = LDR_DATA_TABLE_ENTRY.DllBase..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\link-function-at-runtime.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.679888068118985
Encrypted:	false
SSDEEP:	12:mdmzWl5MkCP/CfFfylAGPMNnnvLR7m6XXURTaIHyXEhs:mMzWl59a/CUlARvLRK6XURGISXUs
MD5:	CF9AF9E453BC1ABEE2F069660540434C
SHA1:	C5CF00410A37AD0E0BF5C5E5CA877E0542240082
SHA-256:	11635A2AC78B4DB4D2DE0B65B3349273A252AB95B03C39773FF0C0AE2BE0E722
SHA-512:	A53F2BD025E2A8F3769E7C13A3A88C6121B87717F537EB9514DBB984DAC2E29B7BCF4C53D461F29ED067D3D343057547A13F87A4B0F5D638B33AEEADD6863BE1
Malicious:	false
Preview:	rule:.. meta:.. name: link function at runtime.. namespace: linking/runtime-linking.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Shared Modules [T1129].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x404130.. - Practical Malware Analysis Lab 01-04.exe_:0x401350.. features:.. - and:.. - or:.. - api: kernel32.LoadLibrary.. - api: kernel32.GetModuleHandle.. - api: kernel32.GetModuleHandleEx.. - api: ntdll.LdrLoadDll.. - or:.. - api: kernel32.GetProcAddress.. - api: ntdll.LdrGetProcedureAddress.. - optional:.. - characteristic: indirect call..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\link-many-functions-at-runtime.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	605
Entropy (8bit):	4.676759571751016
Encrypted:	false
SSDEEP:	12:mdmzAl5MkCP/CfFfyl0dYXXUReEeNxlev:mMzAl59a/CUlRXUR8Av
MD5:	595318E18F4FD5F1EC85D6B4909DCC0F
SHA1:	1DCEBFDB0EE7F5B157BF5497F6D2C19F407670B0
SHA-256:	1C33FE01DA59790A0B1947CC47AAF271D5B24951689F35C3CE68B0A46B7B975F
SHA-512:	EE7A8DB83B71AA9F4F13722EAE993F5B07DD2409C6B0AB63EC457BC65D83A0B956D3E11004EC055E52C00C4083ED0103969D68DA7F475F6B46DE2A9E71E85DFA
Malicious:	false
Preview:	rule:.. meta:.. name: link many functions at runtime.. namespace: linking/runtime-linking.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Shared Modules [T1129].. examples:.. - b7b5e1253710d8927cbe07d52d2d2e10:0x401000.. features:.. - and:.. - or:.. - api: kernel32.LoadLibrary.. - api: kernel32.GetModuleHandle.. - api: kernel32.GetModuleHandleEx.. - api: ntdll.LdrLoadDll.. - or:.. - count(api(kernel32.GetProcAddress)): 5 or more.. - count(api(ntdll.LdrGetProcedureAddress)): 5 or more..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\runtime-linking\resolve-function-by-fin8-fasthash.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1268
Entropy (8bit):	4.740170565969218
Encrypted:	false
SSDEEP:	24:mMJl59a6vSBTuQcArlEUHOMGRHE4xvXMPE5qwP6FRFi:mMJXQ3uQcuf8DrQljs
MD5:	72439BEA8D6C5FD8596D3B811CAF04C9
SHA1:	88B8E85B8DB3A9EA8300C7942F2E7B59D6302C93
SHA-256:	E1D9AFF93B267930B00586016EDC7884DC457DCECE6795EDA3337A1A58939537
SHA-512:	5CDE92868A6CF49B979D75C9BBA55A55A4FB699804AE9EC362CA58B002B3E33D1BA8916835E533DDE71C8CC5577ADE5F5FC72CAD7033D2608AFE197F9BE78ED1
Malicious:	false
Preview:	rule:.. meta:.. name: resolve function by FIN8 fasthash.. namespace: linking/runtime-linking.. author: "@r3c0nst (Frank Boldewin)".. description: APIHashing algorithm derived from a fasthash implementation in OpenCPN using seeds.. scope: function.. references:.. - https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf.. - https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Shellcode.APIHashing.FIN8.yar.. examples:.. - B43FCA5283BFC7022553EFF663683834:0x12F.. - 4BF70EA92979DD88C9761EE848370050:0x28b.. features:.. - or:.. - basic block:.. - and:.. - description: 64-bit constants.. - mnemonic: mov.. - number: 0x880355F21E6D1965.. - number: 0x2127599BF4325C37.. - mnemonic: add.. - basic block:.. - and:.. - description: 32-bit constants.. - mnemonic: push.. - number: 0x880355F2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\cryptopp\linked-against-crypto.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	707
Entropy (8bit):	5.035053377932722
Encrypted:	false
SSDEEP:	12:mdmzATl5MY9jCDnlKrMTskjEDX5ZKarUABd2bcX6XPw1J6oLcoh8:mMzATl5JVCDnlKrM/EDKarVdF6X4Tp8
MD5:	C9CF8679E02771A9D13837FCCD2B029F
SHA1:	7EF369CF0BD4507901FC9F96CAA9D9DE438EDF49
SHA-256:	C3D499E0AA19A42C9E7ADC7A9018F9D2EDC4E491A105ACAFCA99765E159C1464
SHA-512:	799D81836B8047691A866FC0FB43083E527D334F77897595E561503DDD805D514E7347378229A8550D4AF4CB72FB2E01B3A0D8A7D063702BF0004BDD482D1585
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Crypto++.. namespace: linking/static/cryptopp.. author: moritz.raabe@fireeye.com.. scope: file.. mbc:.. - Cryptography::Crypto Library [C0059].. examples:.. - 8BA66E4B618FFDC8255F1DF01F875DDE6FD0561305D9F8307BE7BB11D02AE363.. - 66602B5FAB602CB4E6F754748D249542.. features:.. - or:.. - string: "Cryptographic algorithms are disabled after a power-up self test failed.".. - string: ": this object requires an IV".. - string: "BER decode error".. - string: ".?AVException@CryptoPP@@".. - string: "FileStore: error reading file".. - string: "StreamTransformationFilter: PKCS_PADDING cannot be used with "..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\libcurl\linked-against-libcurl.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	293
Entropy (8bit):	4.797246118917292
Encrypted:	false
SSDEEP:	6:hAvlmzAkIYF/wl5MYs4F/3CSkOy/Bow2D0t8TLoh/LVEd7X:mdmzANowl5MYsI3CDnBUD0tOolVwX
MD5:	0460F3AC904E2BC2E20D85EFCE3F77F5
SHA1:	E585C0317D84A1AB7A3C2966D564892C4CFDEEFE
SHA-256:	0D7A7E0C4127557ED614CFFDBB01AA992E6ABB1872A6A0D7E5A00FC65E5AEE08
SHA-512:	A65C9078D2D09B97876965227E48137102CDCB23361D1C6510F5A3F92894F1968D2D3084980E1BF56C7BD5A77BD6BBD3FB0C9D285438150AF506BB90E098BA53
Malicious:	false
Preview:	rule:.. meta:.. name: linked against libcurl.. namespace: linking/static/libcurl.. author: moritz.raabe@fireeye.com.. scope: file.. examples:.. - A90E5B3454AA71D9700B2EA54615F44B.. features:.. - or:.. - string: /CLIENT libcurl/.. - string: /curl\.haxx\.se/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\msdetours\linked-against-microsoft-detours.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.887746038770758
Encrypted:	false
SSDEEP:	12:mdmzAkSj9Cl5MYKFCDnqy7nwcA+Y27RsejyjhSijKjw:mMzAkSkl5JoCDnqy7wcAeRsqwh3jKjw
MD5:	0AA672EDDB0C4C26E527040A9B85F517
SHA1:	F296D9DE507A3CBCFB097C571344B6C18DF3669E
SHA-256:	CCA8DDB43381FA41B0C49B72E95C6EBC8A4E9DBA0EB0DB170B0CF4CB3E9D1763
SHA-512:	F45E8D08FC0D14CAE0659B7DBABA89D4D019559AF10615D21B9791D2D6DF445DC1611C286294682A5E9B6B512A4E3E12C6405E6F12C3EEBB4209795571D03E94
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Microsoft Detours.. namespace: linking/static/msdetours.. author: moritz.raabe@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Hijack Execution Flow [T1574].. references:.. - https://github.com/microsoft/Detours.. examples:.. - 071F2D1C4C2201EE95FFE2AA965000F5F615A11A12D345E33B9FB060E5597740.. features:.. - or:.. - section: .detourc.. - section: .detourd..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\openssl\linked-against-openssl.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	457
Entropy (8bit):	5.060742053427509
Encrypted:	false
SSDEEP:	12:mdmzA2Jl5MYrvSwRDnlKrMFw9EgcT6axKsT6aFp:mMzAQl5JWyDnlKrMFg5c2y2ap
MD5:	FC2CCEB207A80EE041EA2655DCF1C53A
SHA1:	70201F7516D84DE9F6E23568E384B7BDB59DAECD
SHA-256:	751A744119648E6BA738077E7998BAC899F7B6C40FA94C3903B9BCCC2EA4FE15
SHA-512:	2838639F6B2AF7A57087E374BCBE6AAEEF9AF69FDC8DD108EFEB146530DD5059E2EC98F8A652244CC942358666ED866F888D2760D7886BFF6B70FA5ABCDF05FF
Malicious:	false
Preview:	rule:.. meta:.. name: linked against OpenSSL.. namespace: linking/static/openssl.. author: william.ballenthin@fireeye.com.. scope: file.. mbc:.. - Cryptography::Crypto Library [C0059].. examples:.. - 6cc148363200798a12091b97a17181a1.. features:.. - or:.. - string: "RC4 for x86_64, CRYPTOGAMS by <appro@openssl.org>".. - string: "AES for x86_64, CRYPTOGAMS by <appro@openssl.org>".. - string: "DSA-SHA1-old"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\polarssl\linked-against-polarsslmbed-tls.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	526
Entropy (8bit):	4.888118798839554
Encrypted:	false
SSDEEP:	12:mdmzAD7Cl5MYJSwRDnlKrMRLBWGEZycPwYt0iCUwY80wYQnwY7:mMzAD7Cl5JYyDnlKrMRBWGdY5CdY8Ypq
MD5:	60BEAC5069FB0E6468EFB41D859BEC15
SHA1:	B3A79AC2B2206D542759E34F40C9632B40E09370
SHA-256:	732F5DFC90AF7FB34EFC181E04C35A441F1447F32BC7E041A754549DC477A747
SHA-512:	3CE8B9D97887CCB91F100C7136AFB57DCE2780C896968D1EAA5832C7630A039E809C21E99DA74EF4A93A5CE62CA424FFB26C138281EDA79547D0A2736F763588
Malicious:	false
Preview:	rule:.. meta:.. name: linked against PolarSSL/mbed TLS.. namespace: linking/static/polarssl.. author: william.ballenthin@fireeye.com.. scope: file.. mbc:.. - Cryptography::Crypto Library [C0059].. examples:.. - 232b0a8546035d9017fadf68398826edb0a1e055566bc1d356d6c9fdf1d7e485.. features:.. - or:.. - string: "PolarSSLTest".. - string: "mbedtls_cipher_setup".. - string: "mbedtls_pk_verify".. - string: "mbedtls_ssl_write_record".. - string: "mbedtls_ssl_fetch_input"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\linking\static\zlib\linked-against-zlib.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	358
Entropy (8bit):	4.733725246317467
Encrypted:	false
SSDEEP:	6:hAvlmzAk2l5MYZX0JFBO2SkOy/lKXpQ14jowjELEU9AhTLbTeLYc:mdmzAtl5MY5wRDnlKa1MFw9EbQYc
MD5:	948B621751EE73322ED53810ACD0E5B0
SHA1:	FA1AABBCC520AC78BE6CE4B34542A696524FA884
SHA-256:	7A932987D160E101D870F23FE7ADF5AAF00F41212A96F567EF3A0A7C224288BC
SHA-512:	F1778DCCA5C752E966774D83B7A90F37D124415FBE5C9888039ABC7B0B59160DB789340D5B5ED0F4A635F765E1C9D7372D77A20942428F8B1587A4B24465533A
Malicious:	false
Preview:	rule:.. meta:.. name: linked against ZLIB.. namespace: linking/static/zlib.. author: william.ballenthin@fireeye.com.. scope: file.. mbc:.. - Data::Compression Library [C0060].. examples:.. - 6cc148363200798a12091b97a17181a1.. features:.. - or:.. - string: /deflate .* Copyright/.. - string: /inflate .* Copyright/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\access-pe-header.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.004443779285414
Encrypted:	false
SSDEEP:	6:hAvlmEgrllOBSGFCS4FfyhLbowa4lEIIhHijZ5OFcOty:mdmrrlAAcCfFfylMkbsU0Ftk
MD5:	A52045F4A8A8E0AA94CAEF1535682981
SHA1:	69A57C66839489983B745BBE377B5D7790F03408
SHA-256:	86ED0F22448287668B20C5F98C04ED4077C6784CF48651E1EB4D39851B4B87FA
SHA-512:	67A612C5F3A54711C723AD77120ADCBDEC62F967A698C61EEACEA776B8D8155DFD63BA3A834463C810644027D973843C84B484E32A6EC69328EB172C0C3EE93E
Malicious:	false
Preview:	rule:.. meta:.. name: access PE header.. namespace: load-code/pe.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Shared Modules [T1129].. examples:.. - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400018E0.. features:.. - or:.. - api: RtlImageNtHeader.. - api: ntdll.RtlImageNtHeaderEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\enumerate-pe-sections.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	4.995540598353189
Encrypted:	false
SSDEEP:	12:mdmGlAACAFfQcA+YTbexrSgYa/KqSIR4uQx+J0z0NCRmAYMebw1kYbw1w2tgLXbY:mMGlAbZcAFBrG0QRAYXw1kQw1v4PT8iy
MD5:	8105D3538BDA9B0B0F09E67E7A0726CF
SHA1:	0BB0A30C277E62DCD6A96032C212212C0462B7B7
SHA-256:	3733F387FFB289EDC7D3BF406F0347342053BCFBE9D12D7EB8942401A92E36F0
SHA-512:	DD4D7C4B33735431C710243060591B5328ED95A42F528DDCCE0509E36CA96C5752DE6E0BD605BB7662B482B3BCDF651E6218516B8209CB48C4B0CA6E6F7041D9
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate PE sections.. namespace: load-code/pe.. author: "@Ana06".. scope: function.. references:.. - https://0x00sec.org/t/reflective-dll-injection/3080.. - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection.. examples:.. - E4C33AC3638EEF68311F8AC0D72483C7:0x401510.. features:.. - and:.. - offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections.. - basic block:.. - or:.. - and:.. - description: IMAGE_FIRST_SECTION(nt_header).. - offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader.. - offset: 0x18 = FileHeader.SizeOfOptionalHeader.. - and:.. - description: (DWORD)dll_raw + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i.. - number: 0x28 = sizeof(IMAGE_SECTION_HEADER).. - or:.. - offset/x32: 0xF8 = sizeof(IMAGE_NT_HEAD

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\inject-dll-reflectively.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	874
Entropy (8bit):	4.865774583123603
Encrypted:	false
SSDEEP:	24:mM3glAbTBGWSIh/uOycAFBrG0nEaG0EyXUDERIqt:mM3gun7xycuBqmXHEEUDMIqt
MD5:	439D8852891FE8227CDD9B179648ED4B
SHA1:	5DEB510D14029D3FF6B65CDAE2BA538D897626EE
SHA-256:	5D3D99FE1E96C8E5C1657CA259FAAA6A4F282EF15719B2A69E4AFE5BCED25E06
SHA-512:	8CDFA11A9340553E9FFD02EA06F892D5FAB18C2635ACBA2372603B47FB66B936BB44B9B1EF1B452149F7A1B1DCDEC68533A11552E46CE68729B0B38C7C9098BD
Malicious:	false
Preview:	rule:.. meta:.. name: inject DLL reflectively.. namespace: load-code/pe.. author: "@Ana06".. scope: function.. att&ck:.. - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001].. references:.. - https://0x00sec.org/t/reflective-dll-injection/3080.. - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection.. examples:.. - E4C33AC3638EEF68311F8AC0D72483C7:0x401510.. features:.. - and:.. - match: enumerate PE sections.. - match: rebuild import table.. - basic block:.. - and:.. - offset: 0x28 = IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint.. - number: 0x1 = DLL_PROCESS_ATTACH.. - characteristic: indirect call = call entry point.. - optional:.. - match: inspect section memory permissions..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\inspect-section-memory-permissions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	4.540847251649015
Encrypted:	false
SSDEEP:	24:mM7lAbX35+0WMlnlw8olbvl+88vsb2sace8vElb2splspYIF:mM7swPMpW8oZv8880bLace8cZLpOpYIF
MD5:	83F84EDF4ADBD982EC1DA370FC97F01D
SHA1:	2501CB22A8A7A13872B49C96BAA2F42B52A68CC8
SHA-256:	636F1BF73AB630B30AF9A448D91CD68A04DBDEA09166F0CF46AAE172A5159BE9
SHA-512:	0590376451D665AA06E78B288FB88565438A60C0D3D567474CCFE0E378159CA9B8240868B5A92703490F15F111119EAC65380F27081A81CC0A8DF0E63563F4E2
Malicious:	false
Preview:	rule:.. meta:.. name: inspect section memory permissions.. namespace: load-code/pe.. author: "@Ana06".. description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants".. scope: function.. examples:.. - E4C33AC3638EEF68311F8AC0D72483C7:0x401480.. features:.. - and:.. - 3 or more:.. - and:.. - number: 0x40000000 = IMAGE_SCN_MEM_READ.. - number: 0x2 = PAGE_READONLY.. - and:.. - number: 0x20000000 = IMAGE_SCN_MEM_EXECUTE.. - number: 0x10 = PAGE_EXECUTE.. - and:.. - or:.. - number: 0x60000000 = IMAGE_SCN_MEM_READ \| IMAGE_SCN_MEM_EXECUTE.. - and:.. - number: 0x40000000 = IMAGE_SCN_MEM_READ.. - number: 0x20000000 = IMAGE_SCN_MEM_EXECUTE.. - number: 0x20 = PAGE_EXECUTE_READ.. - and:.. - or:.. - number: 0xC0000000 = IMAGE_SCN_

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\parse-pe-exports.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	779
Entropy (8bit):	5.151061429980274
Encrypted:	false
SSDEEP:	24:mMLfClAbZcAhhXW0wFEgxsmgxsKOdBXCXgYyCXlW:mMLa8cKBWfAOnYq
MD5:	AA60B33961C257B5B0BC73CF2E4EC7DF
SHA1:	C56D92839002535392E3CCFD99CB124F8D49A3DF
SHA-256:	105A7FAB3A8BCE81830712A865679791EDB8C8E14A20C2016B2B1BD83D31952F
SHA-512:	B52D8839D85C48156BD2C71CCC3DCC156706F3F1537BEF961478C9868BA24D55F38CCD673EA0923ADC67D7F2B35A6E0B155435F918E0BEE5A7886CB0C181E6AC
Malicious:	false
Preview:	rule:.. meta:.. name: parse PE exports.. namespace: load-code/pe.. author: "@Ana06".. scope: function.. references:.. - Practical Malware Analysis, Chapter 19.. examples:.. - E4C33AC3638EEF68311F8AC0D72483C7:0x401390.. features:.. - and:.. - offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew.. - or:.. - offset/x32: 0x78 = IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory.VirtualAddress.. - offset/x64: 0x88 = IMAGE_NT_HEADERS64.OptionalHeader.DataDirectory.VirtualAddress.. - offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames.. - offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames.. - offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals.. - offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\parse-pe-header.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	4.701943721768591
Encrypted:	false
SSDEEP:	24:mM2lAdCUlApFgrPJbfXedFSLlL7sLjML7F:mM2rUlApeRbfkiV7uji7F
MD5:	310C1CDBB21C2DA7DCB901FD1E70A696
SHA1:	174A41D443CED2F12F3ACD786371F6FBD333F69C
SHA-256:	1180BF7CB40820E57E36553E2BF44F7F1486AA188834B33FC0ECCE0B1F8C8055
SHA-512:	1A2952A40E53FFE371581E11A63BC1FCCA2BDAB410BE3AA79E5E0F53CD4103A66CFA330DFD0865A4B997905A38633D4DF355E5322600673938FB535D9B3CFECE
Malicious:	false
Preview:	rule:.. meta:.. name: parse PE header.. namespace: load-code/pe.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Execution::Shared Modules [T1129].. examples:.. - 9324D1A8AE37A36AE560C37448C9705A:0x403DD0.. features:.. # TODO filter out false positives.. - or:.. - and:.. - mnemonic: cmp.. - or:.. - number: 0x4550 = IMAGE_NT_SIGNATURE (PE).. - and:.. - number: 0x50.. - number: 0x45.. - or:.. - number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ).. - and:.. - number: 0x4D.. - number: 0x5A.. - and:.. - offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew.. - or:.. - and:.. - offset/x32: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage.. - offset/x32: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase.. - and:.. - offset/x64: 0x50 = IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\load-code\pe\rebuild-import-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1073
Entropy (8bit):	5.072054392692077
Encrypted:	false
SSDEEP:	24:mM1lAbZcAFBrG0vgxsCgxsfKCAK9I5a04w/U:mM18cuBqN1I34wM
MD5:	7BF2BCAA688B221FE08BA809AB650264
SHA1:	C0FB95E807A96FDAC86E306F696AB6CE3DEABB8E
SHA-256:	C8662525786368C405DBBDE1CE00DBD4ECBF176A9E05A1179B44987604ED83DA
SHA-512:	B2BF01E521F767601DE72E9D30A60D1C22F5AE0B5E0A5EEFF9B4108BB90860CA0A774497A0B06838C71085F4264AEB9663090CD88D5E2AF86DEFEB06EE37649C
Malicious:	false
Preview:	rule:.. meta:.. name: rebuild import table.. namespace: load-code/pe.. author: "@Ana06".. scope: function.. references:.. - https://0x00sec.org/t/reflective-dll-injection/3080.. - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection.. examples:.. - E4C33AC3638EEF68311F8AC0D72483C7:0x401510.. features:.. - and:.. - offset: 0x7C = IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.Size.. - offset: 0x78 = IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress.. - basic block:.. - and:.. - offset: 0xC = IMAGE_IMPORT_DESCRIPTOR.Name.. - api: LoadLibraryA.. - offset: 0x10 = IMAGE_IMPORT_DESCRIPTOR.FirstThunk.. - api: GetProcAddress.. - optional:.. - description: import by ordinal.. - or:.. - number/x32: 0x80000000 = IMAGE_SNAP_BY_ORDINAL32.. - number/x64: 0x8000000000000000 = IMAGE_SNAP_BY_ORDINAL64.. - number: 0x

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\add-file-to-cabinet-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.492111915162102
Encrypted:	false
SSDEEP:	6:hAvlmEKOP/YlLqLRVJClES4FfQceGp4KpDHfHFwMLV0An:mdmgnYlLQfFfQcESDHflxp
MD5:	CB423693D741AD738B427F4FA8709B0B
SHA1:	8812CA6A4623B9EF6D8BE7CC2D569EE5D087D147
SHA-256:	5B5A5A6C990DD6C9C32FB3B8181198E34CAF88F56A1D38FA31A8CD0E623467A5
SHA-512:	5A63F70074B232FC7D78DE5267A493D409FE8BBAE918661FE52773363590D93BF485E4F5F7F9D7301FDE4038EBC9F48633D117B0FFC4FFB2E0D0CE020AC504AF
Malicious:	false
Preview:	rule:.. meta:.. name: add file to cabinet file.. namespace: host-interaction/file-system.. author: michael.hunhoff@fireeye.com.. scope: function.. references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files.. features:.. - or:.. - api: cabinet.FCIAddFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\build-docker-image.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	535
Entropy (8bit):	4.720160491236368
Encrypted:	false
SSDEEP:	12:mdmRFClLBGeRfFfyqcWvcA+YZ+DSjLjdOAbN5RXVa6eiKLB:mMKlAMUqFcAz+WfR5PlapV
MD5:	27E8FB9F84F0DD4794819CDFF7E35D4A
SHA1:	A39C18DA9E1101C761AF0C85A5058E5B036DA147
SHA-256:	2011E89B34657BE866C26A9F6155307E360A4F8FBA1F7EA300E6B1999D1706C7
SHA-512:	3D29DDEFB898A72A2B120A9DF2D78696E40AB4517B1B6F126FED57262A3A2A2F8D71069E12581A5566DBFB3DE63A2F21A3DA9BD2D0BF987EAC2E929B33987F5A
Malicious:	false
Preview:	rule:.. meta:.. name: build Docker image.. namespace: host-interaction/container/docker.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Build Image on Host [T1612].. references:.. - https://docs.docker.com/engine/api/v1.24/.. examples:.. features:.. - or:.. - string: /^docker(\.exe)? build/.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/build/.. description: docker API endpoint, e.g., /v1.24/build..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\bypass-uac-via-scheduled-task-environment-variable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	786
Entropy (8bit):	4.730877468194302
Encrypted:	false
SSDEEP:	24:mMyYljubUNhPAcAF8ThrZ7n+kGkIbyFhy:mMyYdyULIcJhx+MIm2
MD5:	0636F9B4A9CB3E178826FF5F3A5BA22B
SHA1:	1112E21E47AA6C0DBB809462E5C20A7339B822E1
SHA-256:	E82941C01B9EF9AAA8A516E0A475E61461C65717EC0BE319F9814DE9708D7180
SHA-512:	D8BE387B0C0697BA307B3AB9D65EE85335E562BE24ACDCBE6EC62CD9BBAE8B6B16D8FB6A8E493694EA35A17BB1241B924B901A4EE3B21610AB88BB4D4AAB4DC0
Malicious:	false
Preview:	rule:.. meta:.. name: bypass UAC via scheduled task environment variable.. namespace: host-interaction/uac/bypass.. author: anamaria.martinezgom@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002].. references:.. - https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html.. - https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup.. features:.. - and:.. - string: "schtasks.exe".. - string: /Microsoft\\Windows\\DiskCleanup\\SilentCleanup/i.. - match: create process.. - optional:.. - or:.. - string: "Environment".. - string: "windir".. - match: set registry value..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\capture-screenshot-in-go.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	847
Entropy (8bit):	4.245198920671792
Encrypted:	false
SSDEEP:	12:mdmGBO4lkKOVDnqlcHKG+SaTp3yf8N/ZptHEtApE6ro:mMqlk1nqlyKG+LynpV
MD5:	6CFBECB25F54F719DD72991B3C50F999
SHA1:	E98822DFB2C68891463BEC1BDADC5FD4F4642195
SHA-256:	EA76254E934767CBEE055768859831613E03ACCBBA34891704746104913B7921
SHA-512:	065124A1196D8CD6A78EEB83BE248CE3251D0FD86E524842114211E3573ACB70C38176C9ACF4F45A700F37204F8D759621D88260A908271458CAB28971016BE2
Malicious:	false
Preview:	rule:.. meta:.. name: capture screenshot in Go.. namespace: collection/screenshot.. author:.. - joakim@intezer.com.. description: Detects screenshot capability via WinAPI for Go files... scope: file.. att&ck:.. - Collection::Screen Capture [T1113].. mbc:.. - Collection::Screen Capture::WinAPI [E1113.m01].. features:.. - and:.. - match: compiled with Go.. - and:.. - string: "syscall.NewLazyDLL".. description: Dynamic loading of DLLs.. - or:.. - and:.. - string: /user32.dll/.. - or:.. - string: /GetWindowDC/.. - string: /GetDC/.. - and:.. - string: /gdi32.dll/.. - or:.. - string: /BitBlt/.. - string: /GetDIBits/.. - string: /CreateCompatibleDC/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-for-process-debug-object.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	600
Entropy (8bit):	4.680425336703064
Encrypted:	false
SSDEEP:	12:mdmGpMl/Dp5fFftKUcQcA+Y2QM5EIzBqRaeXqOBqAov:mM1lLH3KU3cA52EWcRxaosv
MD5:	A139076DC0886E60FD40F68E7EEDD999
SHA1:	500C54172B8E8FFC6045771644B49F8D3317E189
SHA-256:	3D60CF39023DDA92D9A19FB7E96BDEEEA06A2D2FBC4CA4344E6D7BAA1247E4EF
SHA-512:	003AF2036D4FD7A31C836DE4C2D87D66E8262EAEA05155D4C25425880E301DA214BB7793C705501C2829EA17FA30344D48A2C8E668C71FC5D2D50D7FDE133D6A
Malicious:	false
Preview:	rule:.. meta:.. name: check for process debug object.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugObject.cpp.. features:.. - and:.. - api: kernel32.GetCurrentProcess.. - basic block:.. - and:.. - api: NtQueryInformationProcess.. - number: 0x1E = ProcessDebugObjectHandle..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-for-windows-sandbox-via-mutex.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.780339989705831
Encrypted:	false
SSDEEP:	12:mdmGpjNXwl/yEgh6Ffy+Wc8AJGfKUGlEDcA+Y2dcaFlUX8NaJv:mMOXwlsV7/AofKU0EDcAq9UX8M
MD5:	9EF491A9F1758510E08B441D72A2430E
SHA1:	D0959D1B0663672783704F27F604702ABCBC0D14
SHA-256:	0D94B0744AA9FE1A07225591E8189E41CA32CF660713ED2332774EA2BDC0B5F1
SHA-512:	38A13756AFA4F57C7144A2AFDAA1D7E10D205183629F5FA726DACFD68E6A07F81A99029B0B1C6B6262E1B36D07D31E66B0C28290F4FD1A081C5B3A3C13B9C9BC
Malicious:	false
Preview:	rule:.. meta:.. name: check for windows sandbox via mutex.. namespace: anti-analysis/anti-vm/vm-detection.. author: "@_re_fox".. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection [B0009].. references:.. - https://github.com/LloydLabs/wsb-detect.. features:.. - and:.. - match: check mutex.. - string: "WindowsSandboxMutex"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-license-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.852078998369776
Encrypted:	false
SSDEEP:	12:mdmGFFF/Cl/yEg5fFfy+Wc8AJGycA+Y2QM5EIW7GEO/SRao:mM2/Cl6U7/AoycA52ExCEO/zo
MD5:	C5176B4B27CC47CB7E62809BB9D24CA3
SHA1:	7E0132FBF47FD0C5FFB19F673636F2CDB920FF5A
SHA-256:	F26AFCC30544B49FC1F6E3C2B1D0F74D5CD95745BECA3F715C202E469E4055FC
SHA-512:	DB9498882428AFFBAAD699EF593F4D38FC6A65793D56CF3889AFD4D412ADBDB20CBB324D29861D23FE1B9EA209ACF6B76B5ADF68DAF73F5FDC026448A2CB3492
Malicious:	false
Preview:	rule:.. meta:.. name: check license value.. namespace: anti-analysis/anti-vm/vm-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L1224.. features:.. - and:.. - api: NtQueryLicenseValue.. - string: "Kernel-VMDetection-Private"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-processdebugflags.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	501
Entropy (8bit):	4.727276098631556
Encrypted:	false
SSDEEP:	12:mdmGc6zl/Dp5/wKUcQcA+Y2QM5EIzBqR8ojqFU8Y:mMb6zlLH4KU3cA52EWcRcFU8Y
MD5:	5C4BA9BEFA71BD8FCB4958D3732D8AF6
SHA1:	54077DA34390B5FE096C4FC5CFAD2A138EB3DAF9
SHA-256:	E83A57E663C13E912507976AC168EB2A7E6DC364F563D6524633AD40445C54EC
SHA-512:	FC3034C8D41BB5EF634B06E7F1ABC01E0FBF7C48B8A17627A35025DA2A5576A23C44736B1D564A17257C3025E7E18CA3220EC391C754B89FD02C35495C8CD5ED
Malicious:	false
Preview:	rule:.. meta:.. name: check ProcessDebugFlags.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugFlags.cpp.. features:.. - and:.. - api: NtQueryInformationProcess.. - number: 0x1F = ProcessDebugFlags..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-systemkerneldebuggerinformation.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.743685072463203
Encrypted:	false
SSDEEP:	12:mdmGXuKcfwl/Dp5/wKUcQcA+Y2QM5EIzpHtuAK+y7qlIKcv:mMTKlLH4KU3cA52EWX/BymCN
MD5:	62F27023203EDC9A90BC733205946D6F
SHA1:	CD20EC09BAA6833E7E5B235A49619AFA2AC1A656
SHA-256:	E3F153B6BBB431E2CB0EEF83FC62D98B73D18B58338592426AE815C78D5AB6C9
SHA-512:	A969A2D50CF680FB441B824FB2F746E0DB7E3D18AB2F0E02E2632769F60E0B44D2C8920D23E9279A256E4747C9CAA92428B561C737860677BFEBDF92E6DD6E84
Malicious:	false
Preview:	rule:.. meta:.. name: check SystemKernelDebuggerInformation.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: basic block.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQuerySystemInformation_SystemKernelDebuggerInformation.cpp.. features:.. - and:.. - api: NtQueryInformationProcess.. - number: 0x23 = SystemKernelDebuggerInformation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\check-thread-yield-allowed.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	577
Entropy (8bit):	4.743513539710198
Encrypted:	false
SSDEEP:	12:mdmGXdw6l/Dp5fFftKUcQcA+Y2QM5EIzFy/ffLvFWG:mMgdw6lLH3KU3cA52EWFyvLt7
MD5:	1BEFD47E2B86874B1F572FFDBD12B4D5
SHA1:	A6CE5A064EF6ED0CDB48DEDBFF697C448F9629AC
SHA-256:	BF757FD83B2DCC4225ABDA53DF2084E5E3384357CC4D64C14EED3B3C9847D363
SHA-512:	38614741BB1BA2D9E946F833C8C6D07031FDF8A1C20E115F231B7673B39C5E3C100A657B941FD26782A5E94E6431F68D48622DEA84F1C6E8A7F90537FE7C3BA3
Malicious:	false
Preview:	rule:.. meta:.. name: check thread yield allowed.. namespace: anti-analysis/anti-debugging/debugger-detection.. author: michael.hunhoff@fireeye.com.. scope: function.. mbc:.. - Anti-Behavioral Analysis::Debugger Detection.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtYieldExecution.cpp.. features:.. - and:.. - api: NtYieldExecution.. - match: contain loop.. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x40000024 = STATUS_NO_YIELD_PERFORMED..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\compare-security-identifiers.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.510273303141947
Encrypted:	false
SSDEEP:	6:SWq+iazvlmGTQ1BuwWCFClLqLicClESgyZ9z49:NVzdmGsBYGClLd+/mC
MD5:	720085C71D03366EE8B02E249B24DA94
SHA1:	BC33464B6BCFFA1D66F7BDEBF246899BBD0589C4
SHA-256:	99EB21F5F0B1EEFA21875F1954F7899BC2CC89A886D908FF4D2C9FA653FEECF3
SHA-512:	A201DAC4623EC0202376D4B80AC26FDFB99E1CD34CF32D4B74BF3A7A875E161D9E9093720318B07F7A2DECFBFCD205F9F0ABF5338F77D2E39F37C23AC5F2D35D
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: compare security identifiers.. namespace: host-interaction/sid.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: advapi32.EqualSid..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\compiled-from-epl.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	662
Entropy (8bit):	4.7637606794230285
Encrypted:	false
SSDEEP:	12:mdmGtRglkWwRDnocA+Y+UwntQZdSHHJ3j/zcnHkgZ2i5BjQrH9+EXov:mMuGlkWyDnocAlwoSHFLcnEij52x4v
MD5:	606F414C631AC9703B33475C571F05EA
SHA1:	60B948C58382E1065666E28385DE46C2A9F16B35
SHA-256:	599595D4C42308209E388D46F6C15F8EF6132309C833A40F0B423E2D719A3AC0
SHA-512:	98A7AF76EC672CDA65EEF847D36914427EBC6F0DD5FB5745F69B04CE747FED1EB28B4376182674267B5FB73969CBC0F0B42322DDA50BC3E72D4102054E5BF433
Malicious:	false
Preview:	rule:.. meta:.. name: compiled from EPL.. namespace: compiler/epl.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.hexacorn.com/blog/2019/02/13/pe-files-and-the-easy-programming-language-epl/.. features:.. - or:.. - string: "GetNewSock".. - string: "Software\\FlySky\\E\\Install".. - string: "Not found the kernel library or the kernel library is invalid!".. - string: "Failed to allocate memory!".. - string: "/ MADE BY E COMPILER . WUTAO".. - section: .edata.. - import: krnln.fne.. - import: krnln.fnr.. - import: eAPI.fne.. - import: RegEx.fnr..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\connect-network-resource.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	457
Entropy (8bit):	4.239474890088261
Encrypted:	false
SSDEEP:	6:hAvlmGArKN6lkEeMPClES9ZVcImmFdGSCBgTCBATCBvFwHodFLA4ETA4c:mdmGAXlkObKFOGmOmxiIHC6
MD5:	BE51A60ED2BCAFE80577C2BDD77FBE50
SHA1:	0D0AD8F09DA11CE53FD3105D51CB47E41FA06379
SHA-256:	A347947D94BE2F56CDD8C95BA91EDA0C6D53CD171074B84CA004D451C14EA2CB
SHA-512:	2D8ADB9C09790D2A0577B5DB6E3FBE32A204246C93A25F4832473EC2CB846322D8AF567EC243B1CE846346742DD48E42245359947432E57C881805AD1AB55EC3
Malicious:	false
Preview:	rule:.. meta:.. name: connect network resource.. namespace: communication/http.. author: michael.hunhoff@fireeye.com.. description: connect to disk or print resource.. scope: function.. features:.. - and:.. - or:.. - api: mpr.WNetAddConnection.. - api: mpr.WNetAddConnection2.. - api: mpr.WNetAddConnection3.. - optional:.. - api: mpr.WNetCancelConnection.. - api: mpr.WNetCancelConnection2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\create-container.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	800
Entropy (8bit):	4.751574678199515
Encrypted:	false
SSDEEP:	12:mdmG3q4lLBGeRfFfyRcA+YZ+DSjLjdOAwOA7p5RXVa8iKL6z5RXVaSiKLC:mMAlAMURcAz+WfRQ7pPlaQuzPlaeO
MD5:	EF01308E129CCEB760174E4CC7AC7079
SHA1:	F8C940F3ACAEB0A25FD8E9B5CA257A2937577639
SHA-256:	30D28C62EBF986766201044829167D6426F2A5D77BDC8A196F464AED0B69A5D8
SHA-512:	0D3560FA56FD13E567AF3E7FAAA573C4F084C750DEEFCE421B1625032284F86035E922B1909C3CB8B18C6C0F60A18EF1527007C545F66254B8EEF7D99B9A3725
Malicious:	false
Preview:	rule:.. meta:.. name: create container.. namespace: host-interaction/container/docker.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Execution::Deploy Container [T1610].. references:.. - https://docs.docker.com/engine/api/v1.24/.. examples:.. features:.. - or:.. - string: /^docker(\.exe)? create/.. - string: /^docker(\.exe)? start/.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/containers\/create/.. description: docker API endpoint, e.g., /v1.24/containers/create.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/containers\/[0-9a-fA-F]+\/start/.. description: docker API endpoint, e.g., /v1.24/containers/e90e34656806/start..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\create-restart-manager-session.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	425
Entropy (8bit):	4.495675429780841
Encrypted:	false
SSDEEP:	6:hAvlmG3mKwlLqLCClES9NqzNnu32iJ2K+MUFgFfQceGp4GLoiFRNRBkwXIgoRMQy:mdmG3JwlLpXRbr2FfQcE4YgoE
MD5:	00254F79B6641D4CB56EF247DC19637B
SHA1:	C1E637CD796435151C7B00F56F57E27884749403
SHA-256:	C633A17929D06C9784EC6348C2B046EE6BF48B477E830F5AC2FF62FAD278B5DA
SHA-512:	DD2B5A0BE40810CB1CB7918F3E37D90544431D9BC94C145194B65FC7F5DA5B2B88D6FF384642AC62A961BA8753D03E0369A56C3267B58CEA633F5BB64DA6CBEF
Malicious:	false
Preview:	rule:.. meta:.. name: create Restart Manager session.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware.. scope: function.. references: https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/.. features:.. - or:.. - api: rstrtmgr.RmStartSession..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\create-shortcut-via-ishelllink.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	788
Entropy (8bit):	4.5395239572310535
Encrypted:	false
SSDEEP:	12:mdmG3BulClLU4uEfFfQcA+YSDHflQKJTLgBU4ElM+k6JPN1k6JN/AHpgnccYIU:mMZ4lg4uEqcAwjtFL9g6C6vIycT
MD5:	67E19E3F146742A512C87E8EB5E33720
SHA1:	1ECFC8C76FE5F4061E29418738FB56333070D296
SHA-256:	1B3E323A8CD7D3422319E0E1153861C2CBA9F89923573F7C33B17FBA17E51DCD
SHA-512:	5CB3DDA328A328AC03D119379E98FA1B4022F8BD94B241D0F248FAB11D3A0508F55BEFA536086D659BA1CF9A23B36E4B770595CEC1317765AC4ACA9FDE5A8B35
Malicious:	false
Preview:	rule:.. meta:.. name: create shortcut via IShellLink.. namespace: host-interaction/file-system/write.. author: matthew.williams@fireeye.com.. scope: function.. references:.. - https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file.. features:.. - and:.. - bytes: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink.. - or:.. - bytes: EE 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = IID_IShellLinkA.. - bytes: F9 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = IID_IShellLinkW.. - bytes: 0B 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 = IID_IPersistFile.. - offset: 0x50 = psl->SetPath.. - offset: 0x18 = ppf->Save.. - api: ole32.CoCreateInstance..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\debug-build.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.350695553391229
Encrypted:	false
SSDEEP:	6:hAvlmVCFLlitFeJFBO2SkOy/9TLbmhFA2LbmhFh:mdmo5lsFWRDn5kvkv
MD5:	18296C416D624AEF42CC64E706AA4FD7
SHA1:	F2705A0CF43BA9DCB2AFCBF826D4D585B9050453
SHA-256:	93A47A6CCB2E5FCB907CBC463EFCB26D7F28150EF390480E1E903952018C8A2C
SHA-512:	E08F5B6CEBD55BBDFDAB4A4983E231250DFD41C406806AE428E4BC1C9A1CA9929754EE14ACD1D53EA59BA68B83D6EE78360658C9DFC66E06C7F5827279EFB3D3
Malicious:	false
Preview:	rule:.. meta:.. name: debug build.. namespace: executable/pe/debug.. author: william.ballenthin@fireeye.com.. scope: file.. features:.. - or:.. - string: "Assertion failed!".. - string: "Assertion failed:"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\decrypt-data-via-sspi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.673173843752228
Encrypted:	false
SSDEEP:	12:mdmhIdmCYlxbfqdGuE/h2XGwjsKUIcA+YSDHflV7QpWaK:mMhIcCYlBfqouEJ2XZcAwjtZUDK
MD5:	B7C69AAAA41E00343833A15CD4616308
SHA1:	C41C3BC3D5F3AB7115E33903C6CA7FE3C7E7E7A1
SHA-256:	A885E25CEB7B0118B44A9E550FAB9C9A77668E95B4C862DAE45047FB650BCB07
SHA-512:	DC9415719D7571E7B2D78B5566FB9CDB176706EDF3B014079C6743D70F403964CE0116A74CF69FD891BCC0DEC9B0C25D5AEDE6B5743AF4369DB0DB7AB3238777
Malicious:	false
Preview:	rule:.. meta:.. name: decrypt data via SSPI.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Deobfuscate/Decode Files or Information [T1140].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-decryptmessage.. features:.. - and:.. - api: secur32.DecryptMessage..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\delete-internet-cache.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	334
Entropy (8bit):	4.245158885799623
Encrypted:	false
SSDEEP:	6:hAvlmu1AlLqLicClES4FdGuBTmGqa4RZlFwHodFmE9+Z/P:mdmu+lLKfFpBtIHhspP
MD5:	94A57818010947927087F118DEBE5352
SHA1:	413F2D218ADB8962B5105661396EFDBFF5CB91E0
SHA-256:	5D1066924547DC538B251E01B0134F3AA31EF82D741CA443E7BDA8A81364C020
SHA-512:	B2102E8973821C6C2FB6DA2DE7C0B9BBECF5F0CB5837D42D2139ACFE3C854FD6B274D7B268B4420AD5E8A08B5E386911E93BFCD31A9BA0A2E442D5440EFB8383
Malicious:	false
Preview:	rule:.. meta:.. name: delete internet cache.. namespace: host-interaction/internet/cache.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - match: enumerate internet cache.. - api: wininet.DeleteUrlCacheEntry.. - optional:.. - api: wininet.UnlockUrlCacheEntryFile..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\delete-registry-key-via-offline-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	451
Entropy (8bit):	4.605666538937245
Encrypted:	false
SSDEEP:	12:mdmuy2jglLtFfyWAKUgIkBAU4gIkBRdslw:mMIkleWAKUgILgIE
MD5:	EB4BCB773F0467FF0CD8B6D0EB03BA5B
SHA1:	B7FEC814D271132472047BD50C3708CD52D468D7
SHA-256:	249CFE87752F952A894AD1E1300ED1F7E7C2432D0FAD65619650ABD27607EE88
SHA-512:	3304E5C4FE8BCA8CA4477BA4A38EC18F6E4758C6A63E2F6D48408A0C86C076D94129CF1240600E5BEC42EB4779BAF01ABEA34D85799C73039C58D64EF67A8929
Malicious:	false
Preview:	rule:.. meta:.. name: delete registry key via offline registry library.. namespace: host-interaction/registry.. author: johnk3r.. scope: function.. att&ck:.. - Defense Evasion::Modify Registry [T1112].. mbc:.. - Operating System::Registry::Delete Registry Key [C0036.002].. - Operating System::Registry::Delete Registry Value [C0036.007].. features:.. - or:.. - api: ORDeleteKey.. - api: ORDeleteValue..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\empty-recycle-bin-quietly.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.148865040326015
Encrypted:	false
SSDEEP:	12:mdmc1elLPGuE/PcA+YSDHflh6H3NspQIrIRrhSZThhTbqIrIRr8:mMBlauE3cAwjt0XNsOWIN4thkWIN8
MD5:	7C1699D369FB9124CD96AC3F3D81BD40
SHA1:	6F7CACD2B9D10DDE4FFF220FE4F268C54AE6AA39
SHA-256:	AB9EB8526F849EB14C604B6E6AB20C056D8AFAA4A61B3C8021E3ABD1E8129B3F
SHA-512:	B8130E9E1BE2C8C48FE6A9303C75DB26A13770DA696C77862C27FF5AD04E0F43D1607802A4ECF900E922A643CCEDCA905ABE9BD9E60BC03EE2004155E8679913
Malicious:	false
Preview:	rule:.. meta:.. name: empty recycle bin quietly.. namespace: host-interaction/recycle-bin.. author: matthew.williams@fireeye.com.. scope: basic block.. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shemptyrecyclebina.. examples:.. - 276F691A3DF25481F59D79781799E35F:0x1400254E0.. features:.. - and:.. - api: SHEmptyRecycleBin.. - or:.. - and:.. - mnemonic: lea.. - offset: 7 = SHERB_NOSOUND\|SHERB_NOPROGRESSUI\|SHERB_NOCONFIRMATION.. - description: accounts for argument loaded via LEA (lea r8d, [rdx+7]).. - number: 7 = SHERB_NOSOUND\|SHERB_NOPROGRESSUI\|SHERB_NOCONFIRMATION..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\empty-the-recycle-bin.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	209
Entropy (8bit):	4.313368535496299
Encrypted:	false
SSDEEP:	3:hAvl5lCIPd8+scvNFwIaGCDNgJLLB8Td/F3AlDe2odN4FHuAWAHHxKH634:hAvlmABs+wlLqLY3CS4FdYHl
MD5:	56B3AA32998E581B566CAEF4C63F34BA
SHA1:	8D61288ABFA3AD6EA06A48DED5A28C09711CAFFA
SHA-256:	C794395826B0BDDC0FF76E53A3EE5851E36452F334CC6D0D31E79CF53A64BCD3
SHA-512:	52E3ED2CA65945C8C103ED0E3A7027FD4714DA1AA1D8D737438C2D21C5CFA5E8EBDAECA71ABD684D74E56D3A5508F56F5C1AF9785D82B5C2E1B3FFA1CC7582DA
Malicious:	false
Preview:	rule:.. meta:.. name: empty the recycle bin.. namespace: host-interaction/recycle-bin.. author: moritz.raabe@fireeye.com.. scope: function.. features:.. - or:.. - api: SHEmptyRecycleBin..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\encrypt-data-using-aes-via-x86-extensions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	855
Entropy (8bit):	4.659016888855125
Encrypted:	false
SSDEEP:	24:mMiylBfqdCUPKXZZtzwM+hdaB8hvvbt+vn:mMiyrZUyJnNoKeztQn
MD5:	CCF0BA0C1CA18B5AA85C57D423E451E6
SHA1:	231C33999E789319CCC02DC9EA253A50121726BC
SHA-256:	A199F7BAE896784FB42AEAFE1B5291AD1ACC6B2774E20288789F22DED2E8622E
SHA-512:	2E421CD8C03E31EEFB0C6B11ECD479E1C1F621DB788BEEFEEE9F5FAF41A104CE2F16EAF12786DA01F92019AB93DD5942042841A65C2A4C3E9D1400EC095DA022
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using AES via x86 extensions.. namespace: data-manipulation/encryption/aes.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05].. - Cryptography::Encrypt Data::AES [C0027.001].. features:.. - or:.. - mnemonic: aesenc = Perform One Round of an AES Encryption Flow.. - mnemonic: vaesenc.. - mnemonic: aesenclast = Perform Last Round of an AES Encryption Flow.. - mnemonic: vaesenclast.. - mnemonic: aesimc = Perform the AES InvMixColumn Transformation.. - mnemonic: vaesimc.. - mnemonic: aeskeygenassist = AES Round Key Generation Assist.. - mnemonic: vaeskeygenassist..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\encrypt-data-using-fakem-cipher.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	785
Entropy (8bit):	4.77047264852271
Encrypted:	false
SSDEEP:	12:NVzdmiyZlxbfqd5BSXIHhSimsKuK/DBtcEnPXEhphwkf1NFI:NVQiAlBfqbEIBPKLHckXUpf1Nm
MD5:	9388350E882EF7FDED25EA90BB1B431C
SHA1:	2B2AB4E506DEBC84F90077AF64E9488ED0CA49A7
SHA-256:	FD592536ADE6DBED65085234E180A38A9267512339143B04776B4E45AF55893B
SHA-512:	DF92712E8EFDEFD801695EE0100A9AAD24FCAAEE3DE744A219E9AB5AB9F19A56BCB17B5EDF9655C6293271CE5C91A68E8E8A72BBC1F3946E07E01A8EC8F9CD34
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: encrypt data using FAKEM cipher.. namespace: data-manipulation/encryption.. author: michael.hunhoff@fireeye.com.. description: Detect custom encryption cipher used by FAKEM malware family.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Decrypt Data [C0031].. - Cryptography::Encrypt Data [C0027].. references: https://attack.mitre.org/software/S0076/.. features:.. - and:.. - characteristic: tight loop.. - count(mnemonic(ror)): 5.. - count(mnemonic(xor)): 5.. - number: 0x59 = Y.. - number: 0x48 = H.. - number: 0x43 = C.. - number: 0x52 = R.. - number: 0x41 = A..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\encrypt-data-using-salsa20-or-chacha.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1008
Entropy (8bit):	4.620578043205086
Encrypted:	false
SSDEEP:	24:mMiAlBfqNQ3CUicATjYMQjdHJdiX/LTz8HBpn:mMiArDyUicljw/Lfunn
MD5:	32A83EB0278F1B0602E629E80B25DC99
SHA1:	873BC95E5540C299B4B5FC42EDBFA21B2047EFF2
SHA-256:	F475E95CC59130AF3E03E59BEC4BA4C13CE7058140812749C43969FB87B47098
SHA-512:	D90B988FE5369AB253D550123158EED41EB499EE1607F387AB76B90CCB17510D459A44DD25FEDAF4ED46AAC92343F9874BE493156795E6B4A80A2F79ADEA3CA7
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data using Salsa20 or ChaCha.. namespace: data-manipulation/encryption/salsa20.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - http://cr.yp.to/snuffle/ecrypt.c.. features:.. # The constant words spell "expand 32-byte k" in ASCII (i.e. the 4 words are "expa", "nd 3", "2-by", and "te k").. - or:.. - description: part of key setup.. - string: "expand 32-byte k = sigma".. - string: "expand 16-byte k = tau".. # if sigma and tau are in contiguous memory, may result in concatenated string.. - string: "expand 32-byte kexpand 16-byte k".. - and:.. - string: "expa".. - string: "nd 3".. - string: "2-by".. - string: "te k".. - and:.. - number: 0x61707865 = "apxe".. - number: 0x3320646E = "3 dn".. - number: 0x79622D32 = "yb-2".. - number: 0x6B206574 =

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\encrypt-data-via-sspi.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	406
Entropy (8bit):	4.673814828479059
Encrypted:	false
SSDEEP:	12:mdmiZmCYlxbfqdGuE/hSimsK1cA+YSDHflPSxpvzK:mMiYCYlBfqouEJicAwjta7K
MD5:	67E73DBA4CE4579631BE1D064BB0F825
SHA1:	EF43474FA9194B0D3C3C9072F4AEADF7B0F0B3CB
SHA-256:	FBE0411AD1F35125EB49C6A7882E314E5344F1EE126912C0C0C0259F5FA7CD91
SHA-512:	58C3A5E0575E3F0D48CDED4CC217EC59C681DEAD8061271549B9B91139ABF8CC81F3DA9020C7D08196DD6A8A12D95F757E9243D5B92B38D3CF0B8FC42031EF43
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt data via SSPI.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-encryptmessage.. features:.. - and:.. - api: secur32.EncryptMessage..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\encrypt-or-decrypt-data-via-bcrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	734
Entropy (8bit):	4.468375650078176
Encrypted:	false
SSDEEP:	12:mdmiBjlxbfqd5fFfySimsKuK/DBHcus4IHwfl/xl/dvdbbVYd:mMiBjlBfqbUPKLllI6lplVlA
MD5:	E166A18FC4F53472D2972C4D3DFEBEE6
SHA1:	0FE1F746F28C6F81CD008AF2619089A7B2AB98EF
SHA-256:	BAD68F93BE8162B00354AF368CDB82D76B0A24CBA8674165C526393AFF34EA05
SHA-512:	6A523E8AF42F129E85C2DA97F3A1F7CE696947248F509FA33E9E3D4F1C1B46FAA4DB3AD5C7C8806A1D701BDED43A0346B357B4EB2B82A7E280521260985208D7
Malicious:	false
Preview:	rule:.. meta:.. name: encrypt or decrypt data via BCrypt.. namespace: data-manipulation/encryption.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Decrypt Data [C0031].. - Cryptography::Encrypt Data [C0027].. features:.. - and:.. - or:.. - api: BCryptDecrypt.. - api: BCryptEncrypt.. - optional:.. - api: BCryptOpenAlgorithmProvider.. - api: BCryptCloseAlgorithmProvider.. - api: BCryptImportKey.. - api: BCryptImportKeyPair.. - api: BCryptGenerateKeyPair.. - api: BCryptGenerateSymmetricKey.. - api: BCryptDestroyKey..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\enumerate-browser-history.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	597
Entropy (8bit):	4.794411309501402
Encrypted:	false
SSDEEP:	12:mdmAcOglLfsxfFMziF/31STzC55m4Ks1YeD0CzLIwIHD716Cn:mMHtlLsxZ13sfCb7Y1CgwIt6Cn
MD5:	2299873ABEC6FB9C93F2A16EF83F9E1D
SHA1:	C6B10ABF2E3F0645FE269CFD886A842F51A7AEF1
SHA-256:	75C4F6318BCCE2B677AE38DF3EFBD94C5734C485377AB18C05F7B3E18BA9540A
SHA-512:	CC965FD7FC0F58CFEE1DFC3156F59156DF4F6E813E52D5F66215B16543BB3523F3F63A8C51B3A9A6DB00304D0138569DACF50E22203EBCD3561E5F55C241C02E
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate browser history.. namespace: host-interaction/browser/history/list.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 11 DC A0 AF 13 C3 D0 11 83 1A 00 C0 4F D5 AE 38 = IUrlHistoryStg2.. - bytes: 40 4A 37 3C E4 BA CF 11 BF 7D 00 AA 00 69 46 EE = CUrlHistory.. - offset: 28 = IUrlHistoryStg2.EnumUrls, enumerate IE URLs.. - optional:.. - offset: 20 = IEnumSTATURL.Reset, reset iterator to start of IE URLs.. - offset: 12 = IEnumSTATURL.Next..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\enumerate-disk-volumes.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	667
Entropy (8bit):	4.371385484290879
Encrypted:	false
SSDEEP:	12:mdm8SlLOJDfFfyINoo/yLvhh6IHYlodoOIHPd:mM8SlytUEoo/yL5h6IyodoOIvd
MD5:	D631CEDD45A06F281D4D13C4A9C4A3B9
SHA1:	813F8E5F28FAE3A0B473A07B086843C5A0B28EB6
SHA-256:	A099E5D913CE0BEA70367C4FE576CE50953F41B123DDD76145B13DE7D41550F1
SHA-512:	5A7C5ADE3096A7411A81D5F5CEE7991625CB0A7BD4CBD54773E1CA77178592A26B7FC473A519E4CCBF5E58787438490A22E0D19AA9EF6EE2132A91EB42A4B00C
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate disk volumes.. namespace: host-interaction/hardware/storage.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Information Discovery [T1082].. features:.. - and:.. - match: contain loop.. - or:.. - and:.. - api: kernel32.FindFirstVolume.. - api: kernel32.FindNextVolume.. - optional:.. - api: kernel32.FindVolumeClose.. - and:.. - api: kernel32.FindFirstVolumeMountPoint.. - api: kernel32.FindNextVolumeMountPoint.. - optional:.. - api: kernel32.FindVolumeMountPointClose..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\enumerate-internet-cache.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	370
Entropy (8bit):	4.292392841659337
Encrypted:	false
SSDEEP:	6:hAvlmA1mAlLqLicClES4FdG+YA+ZlFwHodFmQQZlF+LEvUKLRl+:mdm+lLKfF/dIHMLLv+
MD5:	5141CAD5E7E21732F18877800F1E52E4
SHA1:	D6A6A8CF26186845695CF1A7FE30BEF34159BFF3
SHA-256:	E57025CB18625DA497C3B5886CD9562EF22A9A61BD40736134C9B655DB524C40
SHA-512:	9A638E1E772695F30B0E742D26394C9BA250EBB7FEC04802075EEEF7BD1A393AA6580501E067154D17950584087A054CF246D97B2502F9235C4794A4D1F324FC
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate internet cache.. namespace: host-interaction/internet/cache.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - api: wininet.FindFirstUrlCacheEntry.. - optional:.. - api: wininet.FindNextUrlCacheEntry.. - api: wininet.FindCloseUrlCache.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\enumerate-network-shares.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.422016278184383
Encrypted:	false
SSDEEP:	6:hAvlmAElLqLPSEClES4FfyhJPtnKoxmyVGKiBgWISTGLNKEKLRl+:mdmNlLnmfFfyvvzUgTLNKjLv+
MD5:	FA7ACD3ED95BAA6315495B3262D18886
SHA1:	D6C44677B2D5AE8BD8557CDBE20614BF301195F1
SHA-256:	7D7A0D6783D0902C2A2634DD02990E6ED6FCC512E88CB185594908C853C0C7C7
SHA-512:	E45CD0C79CCF8177F24C14B9E6531CFD4F274D3602E99B5FD9ACE44D7B2F5B0076ADA74737E2C8011D85F4B9A722A2F533F72AB9C6F953C5DD87E41CE1A88639
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate network shares.. namespace: host-interaction/network.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::Network Share Discovery [T1135].. features:.. - and:.. - or:.. - api: netapi32.NetShareEnum.. - api: mpr.WNetEnumResource.. - match: contain loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\enumerate-system-firmware-tables.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.639480877106792
Encrypted:	false
SSDEEP:	6:hAvlmA9s4lLqLBQihClES4FfQceGGF+Wf2tCM5JKz+OWSMIP9GGSd2UuI:mdm14lLOQefFfQcA+Y2QM5EIWUuI
MD5:	CCA3B5647EB5663464A95548355BF884
SHA1:	F0D1A36E4AD1C3FEA620F0CEE473C56F22469EF1
SHA-256:	E84BBFF4889859CEC3158C8C7D1DC5FFBFAE81E4AC41C962F659CB8052EC1196
SHA-512:	66E42328CC160176DE7DF7F60C038008364E489D113C4F061D046E5FB3995E160078388FBDC2BBBA94F2C7F36EB38FBEB3FB0536C6558AD614A19AB84F5C201B
Malicious:	false
Preview:	rule:.. meta:.. name: enumerate system firmware tables.. namespace: host-interaction/hardware/firmware.. author: michael.hunhoff@fireeye.com.. scope: function.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L843.. features:.. - and:.. - api: kernel32.EnumSystemFirmwareTables..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\execute-shell-command-via-windows-remote-management.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	421
Entropy (8bit):	4.507477892777861
Encrypted:	false
SSDEEP:	6:SWq+iazvlmA9ctLctdYlLqLs6HhClES4FdG1vJoT8+vJoT0UwHodFY3Gov:NVzdmQtilL/kRfFOvK8+vK0UwIHEn
MD5:	235EA2E1CA9E23D643FB279EEC86CBF6
SHA1:	55CE6109171E99759E4F976913904566F9902FA9
SHA-256:	88B162D299F037FFFD073E0AA93137D0FA3865B682FC2C03F3845F8541D9CB6E
SHA-512:	7592339DC52D83BD13FE6F0BA661F7AF98D64E8DBEFA8CF16DEB1E830A74F3F4038056E25FC89152BAB204D08277FA42004D9F7BFC94B3E50C3DD4E2C152C1D1
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: execute shell command via Windows Remote Management.. namespace: host-interaction/process/create.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - or:.. - api: wsmsvc.WSManRunShellCommand.. - api: wsmsvc.WSManRunShellCommandEx.. - optional:.. - api: wsmsvc.WSManCreateShell..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\execute-syscall-instruction.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	409
Entropy (8bit):	4.235910913466035
Encrypted:	false
SSDEEP:	6:hAvlmA0gfwlm1OeITp/SdFOWw08yZoceGGF+Wf2sdGW71WT2N57Du7dn:mdmawlCOeCyF5kPcA+Y2CWm8n
MD5:	1A2A80DA6BC536A35F2DCB8191077C13
SHA1:	D5368DA4F78B5D859E5EDAA7B344AE32AE3BA7A7
SHA-256:	DC022E34CB84D71E0FD03E1CB884430C74E69BF15C78E485C54304B718DF3C73
SHA-512:	272C883222F9582EBD3C100207F49F106A7EEB8A1C46E12417792B6538026462460704981033FC2ED09C5BE36A07CBB3ABA41FB139754CFF622B82FBA070F73E
Malicious:	false
Preview:	rule:.. meta:.. name: execute syscall instruction.. namespace: anti-analysis.. author:.. - "@kulinacs".. - "@mr-tz".. description: may be used to evade hooks or hinder analysis.. scope: basic block.. references:.. - https://github.com/j00ru/windows-syscalls.. features:.. - and:.. - mnemonic: syscall.. - or:.. - mnemonic: ret.. - mnemonic: retn..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\flush-cabinet-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	404
Entropy (8bit):	4.506070185107071
Encrypted:	false
SSDEEP:	6:hAvlmVRFToP/YlLqLRVJClES4FfQceGp4KpDHfHFwMLVOvFHqFeROfsbOhFH2s:mdmvanYlLQfFfQcESDHflx7wRAKOTHz
MD5:	9BAFBBB27D7A4C8591B554348148A04B
SHA1:	A2BDF491C6E0C312D10E4DDF87E8043DB0EA9963
SHA-256:	DDAE1602BB32AAE6404B36546F1FF6E180A71B6C7E870F7F37FFEEAD39D5DB12
SHA-512:	022C770B5E1F7C76F32B831C896F0B4280F5D52AC8555BE9731C60A9CDDE2CF4F15FA475BEB259A26E2910AB559A6859B344D989092922F8DA9E81E91D573A22
Malicious:	false
Preview:	rule:.. meta:.. name: flush cabinet file.. namespace: host-interaction/file-system.. author: michael.hunhoff@fireeye.com.. scope: function.. references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files.. features:.. - or:.. - api: cabinet.FCIFlushFolder = flush current folder under construction.. - api: cabinet.FCIFlushCabinet = completes current cabinet..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\generate-random-numbers-using-the-delphi-lcg.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	549
Entropy (8bit):	4.652193433073739
Encrypted:	false
SSDEEP:	12:mdmC/gb4lx0R/wKVmJQycA+YdMq26dVLwYYF3ePv/1vNGVMvn:mMC64lo4KYJQycAnZdds3ePvXGVMv
MD5:	9972FF57B3F3480EFD07600E56EEA6DE
SHA1:	80A3A8D4D8349BDCDDC92582826DA6C26390C98E
SHA-256:	5F68796A7410885C6F38569B6EE00F8AA0A84AAA81141C48118794DA39C1DFF2
SHA-512:	22824AA541888A436CEA38DCF963CD29C752E89541BBC49D924637842532BC23CC5B5879D85EB194B19F7E85AD08120C910C408DCAC4C1EA5F9F54A42FA4DA1C
Malicious:	false
Preview:	rule:.. meta:.. name: generate random numbers using the Delphi LCG.. namespace: data-manipulation/prng/lcg.. author: william.ballenthin@fireeye.com.. scope: basic block.. mbc:.. - Cryptography::Generate Pseudo-random Sequence [C0021].. references:.. - https://en.wikipedia.org/wiki/Linear_congruential_generator.. - https://community.osr.com/discussion/130410/generating-random-numbers.. features:.. - and:.. - mnemonic: imul.. - number: 0x8088405 = multiplier a.. - mnemonic: inc = increment c..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-client-handle-via-schannel.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	759
Entropy (8bit):	4.690980604371967
Encrypted:	false
SSDEEP:	12:mdmCHdWIYwlxbfqdGuEfFfySimsK1cA+YSDHfl0I5YYSDHflGqKPz7a6FYSDHflY:mMCH8IYwlBfqouEUicAwjt0I5WjtGtPC
MD5:	8BF63B0E10528A1695E6AF3F3AFB90AD
SHA1:	5CB38CB75B0BFE6D89F403FE6A23221CB37DCF06
SHA-256:	8C95A347F7E38255D72C4C401988F0A84A649FC904962D1672630C23D47A23A0
SHA-512:	3A0188C02512CB1CB80646D636F6CB5766E52CDDD7D78D51741673674A4CD4700A4519F74DD7D787723A0673BB9DA7C44A082744E0CCD58237F148DFC537F105
Malicious:	false
Preview:	rule:.. meta:.. name: get client handle via SChannel.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - https://docs.microsoft.com/en-us/windows/win32/secauthn/getting-schannel-credentials.. - https://docs.microsoft.com/en-us/windows/win32/api/credssp/ns-credssp-credssp_cred.. - https://docs.microsoft.com/en-us/windows/win32/api/credssp/ne-credssp-credspp_submit_type.. features:.. - and:.. - match: get outbound credentials handle via CredSSP.. - number: 4 = CredsspSchannelCreds.. - optional:.. - string: "Microsoft Unified Security Protocol Provider"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-inbound-credentials-handle-via-credssp.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	583
Entropy (8bit):	4.84049237268324
Encrypted:	false
SSDEEP:	12:mdmC7JlxbfqdGuE/hSimsK1cA+YSDHflSABYSDHfl0I5mpg2:mMCtlBfqouEJicAwjtBjt0I5ug2
MD5:	D945730ED960DEBC0BE4AFE9ADD4FCB7
SHA1:	C5097D52C81F93CB1FAFA7A1816C7AFE852FAFF1
SHA-256:	94A0AC3A890316159EA297ACA96B7F3CD0E991B8E00F734D8DA3F2D929A3F9EF
SHA-512:	F8FC4231AE658C52945ECAA3FD0BA0486EFD8C873C2437C9D275148F7056FF1E484B86712F37B8DC8449FFA6715CFE0A2625ABF7333DE9A2C5C906BB3F196AC7
Malicious:	false
Preview:	rule:.. meta:.. name: get inbound credentials handle via CredSSP.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea.. - https://docs.microsoft.com/en-us/windows/win32/secauthn/getting-schannel-credentials.. features:.. - and:.. - api: secur32.AcquireCredentialsHandle.. - number: 1 = SECPKG_CRED_INBOUND..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-installed-programs.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	386
Entropy (8bit):	4.639719465801179
Encrypted:	false
SSDEEP:	6:hAvlmCjOBFJWGClLqLJgHfCS4FfyhZKoxUGoRRvwZmL2o+R9nRyEqzwXEhFs:mdmCKMJlLqECfFfyNWv2o+XnLXEhFs
MD5:	E521D4FBDDEBF1DF429B1DA546BD4652
SHA1:	B6B7A6202D7DA4C98D99886F5DC472F64C23854B
SHA-256:	583ADA8E0321F7843574528BD16CFA9BF086102C3F53B3C5486233113A004561
SHA-512:	B555AA35C308CD8DDA8EB08656B51AC2F36F3EFCD38B3EFD33C9D46C5A388F895736E15C4059915A59170C52FD85A41239E2A6F08F7DBD801038703E46F1BBC2
Malicious:	false
Preview:	rule:.. meta:.. name: get installed programs.. namespace: host-interaction/software.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::Software Discovery [T1518].. features:.. - and:.. - match: create or open registry key.. - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall/i.. - characteristic: loop..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-networking-parameters.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.551392858504108
Encrypted:	false
SSDEEP:	6:hAvlmCIKiE3/FClLqLPSEClES4FfyhdOJzNoxVJVqa5fOw:mdmCHNClLnmfFfyHeRodxfF
MD5:	0D3939A2A4A4441D86F1A31C394B416F
SHA1:	E4348FA8932FEC4ABC8D15D1DC74C82624AFD87C
SHA-256:	F0A277F78B64FF9A6282480556B4B61B738E15A0FBB5680F66A66E3EA535328F
SHA-512:	36CE6A77427E2EBF6F0D45EE488651A94DB47BE93EE932879D15D98DECE11956446BB1E85CBDA7D74767BEFD330F76E242141AF26D35E813C5117B61CEA6173E
Malicious:	false
Preview:	rule:.. meta:.. name: get networking parameters.. namespace: host-interaction/network.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. features:.. - or:.. - api: iphlpapi.GetNetworkParams..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-proxy.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	323
Entropy (8bit):	4.517786047125567
Encrypted:	false
SSDEEP:	6:hAvlmCXcofwlLqLPSff3CS4FfyhdOJzNoxVJVGoRRvwZmLL+Uy:mdmCXZ4lLnnCfFfyHeRodnvL+p
MD5:	5506E092B418A61F78981707078356DD
SHA1:	8C5D886484CDEDE6F6671C41EFCC07BDB54B09CA
SHA-256:	CF82ACA0A8009C646C38112B2B2BE1797E3F62FA0C15B1C99C7F2FDEDC6ED9CA
SHA-512:	A69AB1B5A38D207237BEB47196D2A97A8DAB4DDA4A986B3CB5896D31133938B90286335B6CB21E19B7E652BE3C8B1C5CC7484E65D8C8F83C39A5FD0B4E8C7D1A
Malicious:	false
Preview:	rule:.. meta:.. name: get proxy.. namespace: host-interaction/network/proxy.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. features:.. - and:.. - match: create or open registry key.. - string: "ProxyServer"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-remote-cert-context-via-schannel.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	495
Entropy (8bit):	4.89883897409565
Encrypted:	false
SSDEEP:	12:mdmCBWIYwlxbfqdGuE/hSimsK1cA+YSDHflPi9d7p9uW:mMCAIYwlBfqouEJicAwjtPIdFH
MD5:	C4F8CBC594293EBCE42B73062457FD18
SHA1:	9AA225A1F833F764137DE25B1C53CFE1CC00059A
SHA-256:	2F932513AF8D23CA1E2422F65AEF5D73AF92B2A39873DA33F54D3618DD87994E
SHA-512:	399C88FD2E00A340A9F2473A639639A77170C84D3773485F0A522C20034A4B78F62C76FB85D25B03E9A05D4724A246BDF4FE5152D691C417E51E4E74756E5704
Malicious:	false
Preview:	rule:.. meta:.. name: get remote cert context via SChannel.. namespace: data-manipulation/encryption.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. references:.. - https://docs.microsoft.com/en-us/windows/win32/secauthn/querycontextattributes--schannel.. features:.. - and:.. - api: secur32.QueryContextAttributes.. - number: 0x53 = SECPKG_ATTR_REMOTE_CERT_CONTEXT..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-routing-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	349
Entropy (8bit):	4.664213894628372
Encrypted:	false
SSDEEP:	6:hAvlmCi7iHYlLqLPS7yhClES4FfyhdOJzNoxVJVqa5ISta5Iy:mdmCqi4lLnKfFfyHeRodxwZ
MD5:	6062D3A289C753F82989575CA415BB68
SHA1:	D53C5744A385CD502688B8EA94F134F0E9CBA94F
SHA-256:	D8547AF3CCB18BAD1E7A26731EFF5ABC5A68773F9C71B2E0B584015C956BCBC7
SHA-512:	0046FBB9F3DB6F7E281F6F7E462722AD56D092368B939438006C0357D3DF9AC80F5148878DDBB8576B1CE7641E6B0ACA0F0744C506E95362AB1D1A559BFFD3BA
Malicious:	false
Preview:	rule:.. meta:.. name: get routing table.. namespace: host-interaction/network/routing-table.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. features:.. - or:.. - api: iphlpapi.GetIpForwardTable.. - api: iphlpapi.GetIpForwardTable2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-session-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	356
Entropy (8bit):	4.569425788591015
Encrypted:	false
SSDEEP:	6:hAvlmCTcMKcfwlLqLTJClES4FfyhL6xXUGliOR/qGMKcfwHodFNCRy:mdmCMcfwlLM5fFfyt6h50ucfwIHURy
MD5:	EDBC9E68313C620FB21CB138527A7507
SHA1:	722095E02AC9C5BABF06CDB03A2DFBE72ECCB633
SHA-256:	B538605645682CEC030C6D454D070DA1CC0328E13ADA174CF093B153E4E166C8
SHA-512:	84A8CF9B7B5BB15F29A0F861CBE985885F1A679CA70AAFFD895222C71222FC4A44A07E482D8FC6BBF580BA90FAA34667CD6B046322339D9E88B0FE35AFC4CE9F
Malicious:	false
Preview:	rule:.. meta:.. name: get session information.. namespace: host-interaction/session.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Owner/User Discovery [T1033].. features:.. - and:.. - api: wtsapi32.WTSQuerySessionInformation.. - optional:.. - api: wtsapi32.WTSFreeMemory..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-socket-information.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	287
Entropy (8bit):	4.556356885766305
Encrypted:	false
SSDEEP:	6:hAvlmCZPMKcfwlkEeM3cClES4FfyhdOJzNoxVJVGk/Ay:mdmC1cfwlkXfFfyHeRodLAy
MD5:	FA5DA4FA071B6C936EE5FD5FCE1B5BCC
SHA1:	4F347B8BF7A863EF54C54E857492750E7BDDFAA9
SHA-256:	3A91121884A663C9E1FDD3F8E1423F6338D1AECF68008232A768B15FD665F4F8
SHA-512:	15D54A50626CB7935AAE969CBFF6714D099F3D4ED9FA80D52C030F9FA9242295ABB3F87680532FA7A5E43298DB702820C492A278AE675EC481F81B2ADF37C630
Malicious:	false
Preview:	rule:.. meta:.. name: get socket information.. namespace: communication/socket.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Discovery::System Network Configuration Discovery [T1016].. features:.. - and:.. - api: ws2_32.getsockname..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-storage-device-properties.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	531
Entropy (8bit):	4.874398070823579
Encrypted:	false
SSDEEP:	12:NVzdmCklLOJDfFfQcESDHflwBJ4TmsIHsMv:NVQCklytqc/jt+J4TmsIV
MD5:	44D941EC63EF187592998B864CB2AE49
SHA1:	1FFBE8F2A13C22CD36225A71806CC43B53A5E7D1
SHA-256:	74E5E51EEEEFA983F3FA3CB478F83991B1348B41DC2DE20146172B7860A14CCC
SHA-512:	AE8492C155D69F01F781EAAAA4A07E5B19CD5625237066A188DA7D8541A40F6DAF4C66E98E003252EBE8CDB7D95F6EAE063F638B53043EFFAE705A04D164EBC7
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: get storage device properties.. namespace: host-interaction/hardware/storage.. author: michael.hunhoff@fireeye.com.. scope: function.. references: https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property.. features:.. - and:.. - match: interact with driver via control codes.. - number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY.. - optional:.. - string: "\\\\.\\PhysicalDrive0"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-system-firmware-table.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	351
Entropy (8bit):	4.652046186977055
Encrypted:	false
SSDEEP:	6:hAvlmCHzYlLqLBQihClES4FfQceGGF+Wf2tCM5JKz+OWSM0GGEUuP:mdmCMlLOQefFfQcA+Y2QM5EIPUuP
MD5:	142A78166086901E2BD1354F97D7D0DA
SHA1:	974311975AAB624CE9BEC0C0DBA19BA8943AE8D0
SHA-256:	1E5DE5E25A9603EA7C8AAE2E16862A0E30A8390157D7093ED9346111D4B32FDF
SHA-512:	50227C6634A4BD45B3B0E03B7B75EFCC04BD43A479E74DBDDD7994E59CFC85DA2F304CA730578D8AB54DA1EBDF5C7DC895D80C5392F4DC6C4F2395C81480593D
Malicious:	false
Preview:	rule:.. meta:.. name: get system firmware table.. namespace: host-interaction/hardware/firmware.. author: michael.hunhoff@fireeye.com.. scope: function.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854.. features:.. - and:.. - api: kernel32.GetSystemFirmwareTable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-thread-local-storage-value.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	221
Entropy (8bit):	4.359439975823399
Encrypted:	false
SSDEEP:	3:hAvl5lCIN0xdgwMrWEAvFFFCIaGCDNgJLLmhCqClx2odN4FHuAWAHjfCWzsByK:hAvlmCodlEKF/ClLqLCClES4FdGGFK
MD5:	BD8A97521A41A689AF0E3DB93F3D8DCF
SHA1:	27DCFE8AA2A96AAC5B628592A62AC5E15FE0B033
SHA-256:	404AF8AF959DD1C8B69AA20D2046B088E39FE8A0BC70FCB5FB9BAA1CB1B2D19C
SHA-512:	3E963C8F9AA78ABDDF1D3D5471A3643656AD79278E9F50FC9CEF3C456931B768A2CD9EAE914BBDDC1EBFD707951CE7A8D56C5F08BB874A536320B4CEB471AB77
Malicious:	false
Preview:	rule:.. meta:.. name: get thread local storage value.. namespace: host-interaction/process.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - api: kernel32.TlsGetValue..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\get-token-privileges.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.42512773709227
Encrypted:	false
SSDEEP:	6:SWq+iazvlmCm4lLqLTJClES4FdGKt+mXVAmGMKcfhKU4HodFeX/nXy:NVzdmCzlLM5fFDlucfQIHePy
MD5:	D96A35F3AA0575EF0BBD014E30670D18
SHA1:	B781A544B005000DAC6CBB63ACA303495E70A54A
SHA-256:	DE040263FD8B7CCBC89360AFE397DB9D7247F4692B26D695AA70419D9BA1B864
SHA-512:	07DC35AAF84919E735810B02199FF99DB20C75E5C93570FABBF837785838F250D2C921AF13B9B755A76F5C7BE6CD4851E3C9D7B367CF23CDD8E4F560B138D18E
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: get token privileges.. namespace: host-interaction/session.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - basic block:.. - and:.. - api: advapi32.GetTokenInformation.. - number: 0x3 = TokenPrivileges.. - optional:.. - api: advapi32.LookupPrivilegeName..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-crc32b.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	241
Entropy (8bit):	4.532677069660857
Encrypted:	false
SSDEEP:	6:hAvlmnCb2NwlCsdSNB3CS4FdG5AfHqXEhhIXy:mdmnCWwlxm3CfFBHqXEhl
MD5:	C1DA043C77E5F5F968130EA616CC8E12
SHA1:	B942704F1706F5FD5DF1BE1E17D6A5BCB058377D
SHA-256:	DDA36F9703C1C007510241369172D5A827D0649C44894CC92576EBC866E88DB4
SHA-512:	0E109768ECAFBA3F2D1FC3A8C27938A4DC095C96622A1A027DACEB16A04B537B8247492DFFDCE490CB39C2E363B4E42488FAA9AD8956D04364265F3B8DE01BD3
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using CRC32b.. namespace: data-manipulation/checksum/crc32.. author: moritz.raabe@fireeye.com.. scope: function.. features:.. - and:.. - number: 0x4C11DB7.. - characteristic: nzxor..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-md4.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	262
Entropy (8bit):	4.64019623341962
Encrypted:	false
SSDEEP:	6:hAvlmnCgvF6lCs+oL8uLSgyZ9G5LkshOW43ALy:mdmnCgvF6lxXL3L/UWkt
MD5:	A16C5F2BC5807E944CF3D2094017E7C8
SHA1:	7A16007B0B6B7BA2B20672274F0A97BB03E53993
SHA-256:	A822558D842599C58B15527B7E4615E20D520F1F6A7E2FA444417B8C4AE168CC
SHA-512:	5601CCFDB01FA34171E39033B0CB6A41919A04FCB6131348A251DD34DBF173D938D20698A12279DEAA7D46FEF78789595B8CB20BF91D24467C928B44D1E384F3
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using MD4.. namespace: data-manipulation/hashing/md4.. author: anamaria.martinezgom@fireeye.com.. scope: basic block.. features:.. - and:.. - number: 0x8002 = CALG_MD4.. - api: advapi32.CryptCreateHash..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-murmur2.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	454
Entropy (8bit):	4.55838152665383
Encrypted:	false
SSDEEP:	12:mdmnCdwlxvRfFfQcA+Y2/WFjsiTOrYoHpYoM:mMnpljqcASWBRTwYoHpYoM
MD5:	6E702290710325CB6DC90C8BDD7DCAF2
SHA1:	4EFBC4D3EEF03055FBB7EACD8DCDFD16A1853341
SHA-256:	20089FFF3412E85A4584FCA222430A79FC607285610212B196EB659AF7569A24
SHA-512:	3013A255F2F92FD89B0D0CDF77C174C1824580C43A4BC8F412F9EDB34FA2DE8161C7BF59A2FA98384574E66DFA786B52C705E94B8806EB0ED2F8CDE8ED20152F
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using murmur2.. namespace: data-manipulation/hashing/murmur.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://github.com/abrandoned/murmur2/blob/master/MurmurHash2.c.. examples:.. features:.. - and:.. - or:.. - number: 0xc6a4a7935bd1e995 = 64-bit mixing constant m.. - number: 0x5bd1e995 = 32-bit mixing constant m.. - mnemonic: imul..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-sha1-via-wincrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	335
Entropy (8bit):	4.5542649662870724
Encrypted:	false
SSDEEP:	6:hAvlmnCrlCs40F/FJClES4FdHKkWH+DIkf2Lcn:mdmnCrlxTF/DfFYB/An
MD5:	A953891236291162181FBCA59FCFFB3A
SHA1:	58B9EDD7BAAE6219E95986DE5365CDDF4E5A3137
SHA-256:	126890520F0EDD357D2DF121195F1AE0E55B1915ACDDECE08D520ACD957AC287
SHA-512:	1FE3D38FFE1D1B01F9667645ABCEEACBD33155881A4FAE2EE05A1519F291600D7ADCC3FAABF7FDD30DDDA5C7D070FB40CD67C413A88D3F04D09B200731C32541
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using SHA1 via WinCrypt.. namespace: data-manipulation/hashing/sha1.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - or:.. - and:.. - match: initialize hashing via WinCrypt.. - number: 0x8004 = CALG_SHA1.. - api: advapi32.CryptHashData..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-sha1-via-x86-extensions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	536
Entropy (8bit):	4.631762518121966
Encrypted:	false
SSDEEP:	12:mdmnCplxTF/3iL+ypZ/nkkyfb5zsHcn5zE:mMn+lNRPyfpWzs85zE
MD5:	C4A1DB8A64C3228902B6F5CF631C771E
SHA1:	8DB1686D332064BB6511FB6D19C22D10DC193328
SHA-256:	B36361D6DC6B6995A7032A3C7B41D44E20E1F1D297E76EF286F0916619AAD91A
SHA-512:	80E0E60C7332BDF9C5C9083C1B900FA60D853450F04B8ADBA27435198931177E3DB206489AEF0E376E87B8F213264DFB7B1C0B549CA9E57D02A39831C6958DEB
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using sha1 via x86 extensions.. namespace: data-manipulation/hashing/sha1.. author: "@_re_fox".. scope: basic block.. features:.. - or:.. - mnemonic: sha1rnds4 = Perform Four Rounds of SHA1 Operation.. - mnemonic: sha1nexte = Calculate SHA1 State Variable E after Four Rounds.. - mnemonic: sha1msg1 = Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords.. - mnemonic: sha1msg2 = Perform a Final Calculation for the Next Four SHA1 Message Dwords..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-using-sha256-via-x86-extensions.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	470
Entropy (8bit):	4.709030902755438
Encrypted:	false
SSDEEP:	12:mdmnCPn/lxjinjNQVUvXkkyfb5J9ydXcn5J9m:mMne/lVu6SWuS56
MD5:	99B8EFDEDBA8E288F43CA23B81BAE5A4
SHA1:	10964F85A948195FF43F1C755A9853B90D0E5A85
SHA-256:	9DA37E4A52FC2208E8A9C58D42107724768C65CE6F0DEB66EA8F7B925998BE1D
SHA-512:	6CC031F27F1DB95F605C6FDDB4496AACD75ABAD805F9B5F8D47CDC5134CBF40E156854088550847D043C3D60290D358FD9A8DE4FC0BA711A791550F4FAD3FC01
Malicious:	false
Preview:	rule:.. meta:.. name: hash data using sha256 via x86 extensions.. namespace: data-manipulation/hashing/sha256.. author: "@_re_fox".. scope: basic block.. features:.. - or:.. - mnemonic: sha256rnds2 = Perform Two Rounds of SHA256 Operation.. - mnemonic: sha256msg1 = Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords.. - mnemonic: sha256msg2 = Perform a Final Calculation for the Next Four SHA256 Message Dwords..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hash-data-via-bcrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	648
Entropy (8bit):	4.352982443951656
Encrypted:	false
SSDEEP:	12:mdmnHlxDpfFfySimsKuKJ/4qgqQIHAIfaKIHwfl/xli:mMnHlRpUPKJ/4qQIjI6lpli
MD5:	AD5121518E43B9978D219C2FFB7FF2CA
SHA1:	61C14AFF87850346EAF0AD4A340E8061B0868BE0
SHA-256:	43729EA0189D87F2E44DC04AA56542D9BAE8F49B304413784CB8464AA93FFA85
SHA-512:	7D8FC20F43717A05304F6B09456516465786D00CCDEC25D6DBAC1298434A6974A276263872B311D68097F7FCE508C721A1F713A0416DCBBBE9B11A85713EAA9B
Malicious:	false
Preview:	rule:.. meta:.. name: hash data via BCrypt.. namespace: data-manipulation/hashing.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. mbc:.. - Cryptography::Cryptographic Hash [C0029].. features:.. - and:.. - or:.. - api: BCryptHash.. - and:.. - api: BCryptHashData.. - optional:.. - api: BCryptFinishHash.. - api: BCryptDestroyHash.. - api: BCryptCreateHash.. - optional:.. - api: BCryptOpenAlgorithmProvider.. - api: BCryptCloseAlgorithmProvider..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hide-thread-from-debugger.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.71392378929328
Encrypted:	false
SSDEEP:	6:hAvlmzXJo9lmUiqIwhClESgyZoceGGF+Wf2tCM5JKz+OWzBMKKUGYMKw8Zr:mdm7JEl/D/PcA+Y2QM5EIzhndr
MD5:	35B873A19AE31024126CD930A4C2DB2B
SHA1:	4D560574BA285DE6F32F9DCD6565F6AEC9F2535F
SHA-256:	D1255E4B723E2F4AD361D302D384C4536F6CD4C7E03BF8598DB78487B5BF40A8
SHA-512:	4A6AACF0B56F861AE07D1142DE627C63D374459EC81E717E8DA8F74B540BFB42F5C11E22A767DB3CD38173F2AD9B7895F098616D7FF0F7871423E7AA87BE6E2E
Malicious:	false
Preview:	rule:.. meta:.. name: hide thread from debugger.. namespace: anti-analysis/anti-debugging.. author: michael.hunhoff@fireeye.com.. scope: basic block.. references:.. - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp.. features:.. - and:.. - api: NtSetInformationThread.. - number: 0x11 = ThreadHideFromDebugger..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hook-routines-via-microsoft-detours.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	391
Entropy (8bit):	4.962564907827567
Encrypted:	false
SSDEEP:	12:mdmspXu6V5MJylRfFfQcA+Y+2j0K31paSTFq:mMnw5PrqcAgWlpa6q
MD5:	AAB8F2ED3F585CF843F05494C15E27BC
SHA1:	A78210635D2C7A823AF3F9784C80EC626235CF26
SHA-256:	A68B693FCDEEE5596C6B95EFD6B92BE091D19E97018A6405AE8B607C49C34D2D
SHA-512:	EFF821B5F880A6A3ED029873E4D1F3A0463356EA5492327B1B4D70BBE1FC1FDC205140D3C59ECB3DC260B93069D10F215511BF2BAEEC6AACA539C7038725E614
Malicious:	false
Preview:	rule:.. meta:.. name: hook routines via microsoft detours.. # namespace: linking/hooking.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf.. examples:.. features:.. - or:.. - number: 0x52727464 = DETOUR_REGION_SIGNATURE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\hooked-by-api-override.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	383
Entropy (8bit):	4.678346424205763
Encrypted:	false
SSDEEP:	6:hAvlmhNldCliZAWJFBO2SkOy/oceGGF+WfGL/LUhi2DkMqyjqEh+M/VuZusL9Q+n:mdmhN+lC7RDnocA+Y+Uhnzjbhz/VSxXn
MD5:	7FAB0491E638D1BC2AA21682A4BA067A
SHA1:	101286B7EF737CE49B77B8C8CB2DF8C1B6199F9A
SHA-256:	DAE9AC3F352E9E0C47779A938BA1DFAA595DF403403E2D169C7248B96E4F86AD
SHA-512:	B5D734AAFB3C1F1AA3F576966AD5516B758C4E4C68C727B02F29A103B5158B8F4E5406D6C71B4A1B88517F1A0E325FEB7AD10BCE2DF15AE00517E61D0195B8F8
Malicious:	false
Preview:	rule:.. meta:.. name: hooked by API Override.. namespace: executable/hooked/api-override.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/.. - http://jacquelin.potier.free.fr/winapioverride32/.. features:.. - or:.. - section: .winapi..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\impersonate-user.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	465
Entropy (8bit):	4.518483008867157
Encrypted:	false
SSDEEP:	12:mdmVlLxfFfyuYCzKZUfjIgIHmLKGLCqvn:mMVllUqKafjIgIGxzv
MD5:	DEFE68E518A2C9DDA5097F0455074B91
SHA1:	28E4CE282344836A749AFC27EDF5F2229EA49C0A
SHA-256:	973AF0611D29597B85250DA325E431EAE4DFF46C0FA505452DFAA3A8531D582B
SHA-512:	EAFB53BD68C30532C8B628DF1F9C45DA498403F7ADA59486580FBCE58D3BCDE49E77829F0CBF982F9C8513FC8E2401FB8F9DC11A0188B8D4FCA8AE58D25F4996
Malicious:	false
Preview:	rule:.. meta:.. name: impersonate user.. namespace: host-interaction/user.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001].. features:.. - or:.. - api: advapi32.LogonUser.. - and:.. - api: userenv.LoadUserProfile.. - optional:.. - api: advapi32.GetUserName.. - api: advapi32.GetUserNameEx..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\initialize-hashing-via-wincrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.412036778336179
Encrypted:	false
SSDEEP:	6:hAvlmMkWqlCsD/hClES4FdG243ALRHodFejE:mdmrlxDpfFhkKIHeg
MD5:	EACD2FEA913230DC7D3B20BD44781598
SHA1:	D1E485CB9C304F50B40B20660E3FCECD5D8419DF
SHA-256:	9EF85BE47FA8769031E4229117C01E46E57E506705AE74E07EF7FE8ACE202CD8
SHA-512:	EC220086A0E76C40127BE853013DD528E6E05DAC3AC50C10D464765C520D3D32BD4234D2F159D290CE383B627907056EE098B4BF2D4AEA589C96D1D37B3F0C42
Malicious:	false
Preview:	rule:.. meta:.. name: initialize hashing via WinCrypt.. namespace: data-manipulation/hashing.. author: michael.hunhoff@fireeye.com.. scope: function.. features:.. - and:.. - api: advapi32.CryptCreateHash.. - optional:.. - api: advapi32.CryptDestroyHash..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\inspect-load-icon-resource.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	965
Entropy (8bit):	4.7758348296484066
Encrypted:	false
SSDEEP:	12:NVzdm1Wl7/EhvnBshUeXpomOUE51vKeXEfqF5uGeBkSlVGhYVG6se:NVQ1Wl7MhvnyKmu51SZfqF5ut/66se
MD5:	7CE2B6651B289DC307F0B653A9792337
SHA1:	ED0D361163E8E482FBDF592EC481A644E43D9209
SHA-256:	8A83A64BD74E3546C3CCCF590A617F6E07045BBEECCF7296C8FF47C0F5AA157A
SHA-512:	F5B3E71762CAEEF9EFF64EE89D68AB674C701FD514B4782A31085956260943F8F19843B9AF2B1E280E5B32FA9CAD1F6C9C17E1AAF55630BE521A89608F5C0D8C
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: inspect load icon resource.. namespace: anti-analysis.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. # check if call to LoadIcon fails when first argument is NULL.. # and second argument is not a valid predefined icon - LoadIcon.. # should return NULL here, but some sandboxes/emulation may instead.. # return a valid handle.. - and:.. - api: user32.LoadIcon.. - number: 0x0.. - mnemonic: test.. - not:.. - or:.. - description: predefined icon identifiers.. - number: 0x7F05 = IDI_WINLOGO.. - number: 0x7F06 = IDI_SHIELD.. - number: 0x7F02 = IDI_QUESTION.. - number: 0x7F00 = IDI_APPLICATION.. - number: 0x7F04 = (IDI_ASTERISK \| IDI_INFORMATION).. - number: 0x7F01 = (IDI_ERROR \| IDI_HAND).. - number: 0x7F03 = (IDI_EXCLAMATION \| IDI_WARNING)..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-c-regex-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	461
Entropy (8bit):	4.5160698743246295
Encrypted:	false
SSDEEP:	12:mdmzAJyzNgl5MY2NwRDnocA+kYY6iONsISXbT5x2lsv:mMzAJyml5J2NyDnocA37lIlO
MD5:	52A00CC68661071642D4AA75A77AA33C
SHA1:	31B7E7E996998A9D72A2F89C5831BBA0522D49F9
SHA-256:	E6055AA3459A585CA7819A0BE28C7E941728A2EAB09A6F4CA137BBD73AD10ADD
SHA-512:	DDD359FACAF0A75536E42878EBA53E8DB3CCD0C300883B54F049EB96ACB1048736297791CFE596D156F71537939C205D5B2A1A0290333A7CDC4DF4F83F893EDD
Malicious:	false
Preview:	rule:.. meta:.. name: linked against C++ regex library.. namespace: linking/static/cppregex.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - http://www.cplusplus.com/reference/regex/regex_error/.. features:.. - or:.. - string: "regex_error(error_syntax)".. description: C++ STL regex library.. - string: "regex_error(error_collate): The expression contained an invalid collating element name."..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-go-process-enumeration-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	603
Entropy (8bit):	4.617021910160093
Encrypted:	false
SSDEEP:	12:mdmzAQglLuHoMpUnq/WGvvcA+YEr3fyf9Qi39eHoM9Qi3AW+:mMzAblqHOnq/WGvvcAaOVaHocuW+
MD5:	B0E562F56A01393D38A934D6DAA3A76A
SHA1:	4594BBD5BF32EA9B435EC149CE0513A054B361CB
SHA-256:	924C0A98E673A552E1A74B408F4A45C6D0FBA6BD3C550B8A33775B269523C844
SHA-512:	7D0402DD5197D65408BF132B8C0E8409D1725DD43D266D3FA49D546149AF92EED0B86E1715D5364D628065A7C7CEEAB82FA59DF2DEAE886CE3D9B393DC917EDF
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Go process enumeration library.. namespace: host-interaction/process/list.. author:.. - joakim@intezer.com.. description: Enumerating processes using a Go library.. scope: file.. att&ck:.. - Discovery::Process Discovery [T1057].. - Discovery::Software Discovery [T1518].. references:.. - https://pkg.go.dev/github.com/mitchellh/go-ps.. features:.. - and:.. - match: compiled with Go.. - or:.. - string: "github.com/mitchellh/go-ps.FindProcess".. - string: "github.com/mitchellh/go-ps.Processes"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-go-registry-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	503
Entropy (8bit):	4.471359203148869
Encrypted:	false
SSDEEP:	12:mdmzAMmjglL+KsNIKnocA+Y2ksAWf9c4J0X9QiksbJ0y:mMzA7klyZnocAqAWVAtvWy
MD5:	A634E7879F5B0E7E4F73482694DD009A
SHA1:	5C863567FE347FE060DB1CC55B127F6C2F1D003D
SHA-256:	847F1F5ABB140AD127B4972F7EE4B55D2988AF2737DCE740348BCB96EFB2E630
SHA-512:	A7F5F6A047E266A802147443FACC80DAEA3A28E9D62B5F0D4BEF8E93E7516B736BFB13B88777C247EEA9EA2B7675146E9883E13AE65370DD08E56E2359392EEE
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Go registry library.. namespace: host-interaction/registry.. author:.. - joakim@intezer.com.. description: Uses a Go library for interacting with the Windows registry... scope: file.. references:.. - https://github.com/golang/sys.. features:.. - and:.. - match: compiled with Go.. - or:.. - string: "golang.org/x/sys/windows/registry.Key.Close".. - string: "github.com/golang/sys/windows/registry.Key.Close"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-go-static-asset-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	4.514675783488882
Encrypted:	false
SSDEEP:	48:mMzAProcitENze1tBthntUthvDp7FjZuA:JsProfEoHhtShv3j4A
MD5:	C24680BCFF0F91E8C2D6A1F36D835059
SHA1:	C2382C9573293E07EED0BF94BE29A87C041F5C58
SHA-256:	3044B1A1D0777AE5F9764443E4AF308A4AB7F399E43AE408406318C3AAE9A0AE
SHA-512:	6DCE6956AF218EF40CD303C38753203337B2710A056E4EA0D9CC3AA473600B22CB7053FFF5E7A2F4E359E27DC6B9EA170D5720DA5194AC795E3CA93265403057
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Go static asset library.. namespace: executable/resource.. author:.. - joakim@intezer.com.. description: Detects if the Go file includes an static assets... scope: file.. references:.. - https://github.com/rakyll/statik.. - https://github.com/gobuffalo/packr.. - https://github.com/gobuffalo/packr.. - https://github.com/GeertJohan/go.rice.. - https://github.com/kevinburke/go-bindata.. - https://github.com/lu4p/binclude.. - https://github.com/lu4p/binclude.. - https://github.com/omeid/go-resources.. - https://github.com/pyros2097/go-embed.. features:.. - and:.. - match: compiled with Go.. - or:.. - or:.. - string: "github.com/rakyll/statik/fs.IsDefaultNamespace".. - string: "github.com/rakyll/statik/fs.RegisterWithNamespace".. - string: "github.com/rakyll/statik/fs.NewWithNamespace".. - string: "github.com/rakyll/statik/fs.Regi

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-go-wmi-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	560
Entropy (8bit):	4.6791843776564646
Encrypted:	false
SSDEEP:	12:mdmzA0mglknkObxj6nqlNxd2dcA+Y2taf9QiNE9Qi5n:mMzAclkkOdenqlccAwaV70Hn
MD5:	4B63BC1678DBEA3B6AFFE817FC5FDEF3
SHA1:	7611EA41E4AA972FE00506DFCB02A5A66F38CA48
SHA-256:	B30F4F9BDE9CFDCB1613D36460D8264DEC41DABB00276931E0D1B874DD16C781
SHA-512:	27C8D1AC9053F7E7E54CA1FC4E8ED5AE4023A418C219BB768D9836A42A1391C59AF52F5980709044C1ACEF87FF3FCCFD6B5C19BD9057A181D7297DA3ACF6E209
Malicious:	false
Preview:	rule:.. meta:.. name: linked against Go WMI library.. namespace: collection/database/wmi.. author:.. - joakim@intezer.com.. description: StackExchange's WMI library is used to interact with WMI... scope: file.. att&ck:.. - Collection::Data from Information Repositories [T1213].. references:.. - https://github.com/StackExchange/wmi.. features:.. - and:.. - match: compiled with Go.. - or:.. - string: "github.com/StackExchange/wmi.CreateQuery".. - string: "github.com/StackExchange/wmi.Query"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\linked-against-xzip.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1202
Entropy (8bit):	4.571768655249314
Encrypted:	false
SSDEEP:	24:mMzArl5J7CDnlKC7cAZ8eCaZxXtAXm5F2Z6dgUO:mMzArXJODc4caiWoQF2ZkgUO
MD5:	C3089813B86A852106DB550453CD21F5
SHA1:	58D885B0842662A7488E03CF28B83E9D901051BF
SHA-256:	5E7B1AECEBDA76449C5AFF4AC9850F7471E3C88AD5CC46F0976618BD8B7CEEDD
SHA-512:	810EFFE8200F2631D26BBACE85A819C33E128D697FCC03C407E71BF040AA798124BAB07005B222FEC9E9E6D78804E0479162F3E39DA5F312E7EC39A1A731C76B
Malicious:	false
Preview:	rule:.. meta:.. name: linked against XZip.. namespace: linking/static/xzip.. author: moritz.raabe@fireeye.com.. scope: file.. mbc:.. - Data::Compression Library [C0060].. references:.. - https://github.com/ValveSoftware/source-sdk-2013/blob/master/sp/src/public/XZip.cpp.. features:.. - or:.. - string: "ct_init: length != 256".. - string: "ct_init: dist != 256".. - string: "ct_init: 256+dist != 512".. - string: "bit length overflow".. - string: "code %d bits %d->%d".. - string: "inconsistent bit counts".. - string: "gen_codes: max_code %d ".. - string: "dyn trees: dyn %ld, stat %ld".. - string: "bad pack level".. - string: "Code too clever".. - string: "unknown zip result code".. - string: "Culdn't duplicate handle" # typo in library code.. - string: "File not found in the zipfile".. - string: "Still more data to unzip".. - string: "Caller: the file had already been partially unz

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\list-containers.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	590
Entropy (8bit):	4.799946592861208
Encrypted:	false
SSDEEP:	12:mdmBdTYClLBGeRfFfycRBcA+YZ+DSjLjdOAU5RXVa+iKLXWu:mMBdPlAMUc/cAz+WfRUPlaKCu
MD5:	CB77D0657D0E4D9EC267183187A9F880
SHA1:	9CF0230222B06F5F0636EDA4B15CDF39D763AAA4
SHA-256:	81FDDCC543945315555D08E84BC975F8588074B2280E3650C0656D96B9CE9E88
SHA-512:	B0DE2DA8B88C130ED238928AEA55F7FFA39BF34AFC84D7948F9BAA9466610B4C2A1C8A59216DF01771DC15F8F6FCA3924D8C2ED64D276E9E0CF5E65C80F1A4C3
Malicious:	false
Preview:	rule:.. meta:.. name: list containers.. namespace: host-interaction/container/docker.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Discovery::Container and Resource Discovery [T1613].. references:.. - https://docs.docker.com/engine/api/v1.24/.. examples:.. features:.. - or:.. - string: /^docker(\.exe)? ps/.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/containers\/json/.. description: docker API endpoint, e.g., /v1.24/containers/json?all=1&before=8dfafdbc3a40&size=1..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\list-tcp-connections-and-listeners.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	274
Entropy (8bit):	4.508835378109389
Encrypted:	false
SSDEEP:	6:SWq+iazvlmBxsFClkISEClESgyZ9qa5hXJ9:NVzdmBxkClkvm/ch
MD5:	A99CF208A6A2CC499066676180746C26
SHA1:	4A0F249C5A0C26D7127541927D3BE39558F85532
SHA-256:	F0B9E46C9C0DA0810967C55F4E3167BD3BDA333D5A7FB9146D7C6471257F210B
SHA-512:	E87C0600139A9336737E19A0C9B0B651FF03A23A4F1732F3453DE4C41430F69A88AAF9D2E80393F1454229DD881C4659E264A549487F6C209619696A63650AF1
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: list TCP connections and listeners.. namespace: collection/network.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: iphlpapi.GetExtendedTcpTable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\list-udp-connections-and-listeners.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	274
Entropy (8bit):	4.516539937347966
Encrypted:	false
SSDEEP:	6:SWq+iazvlmBs8KNFClkISEClESgyZ9qa51:NVzdmBPKXClkvm/c1
MD5:	D329E3AECFCF460AF1A6F0DA7CEBF350
SHA1:	1E1E40A5CFDCAF5632E52293456096C409BC8A0D
SHA-256:	EB7E899C3258510D953E9CE36B443A4518801701872563B7FD59C13DE18A986E
SHA-512:	2CE39E82B139EFF153E675F354AA2D594BB947BACB37D1379C749CDC1272786AAA43213E312FA3346CB8BC80226D9E6150C101DA5F9509A784F3575E62E60AF1
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: list UDP connections and listeners.. namespace: collection/network.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: iphlpapi.GetExtendedUdpTable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\listen-for-remote-procedure-calls.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.441356185184464
Encrypted:	false
SSDEEP:	6:SWq+iazvlmWCbpg0lkEeMyUAcsClESgyZ90Vrn:NVzdmWupVlkCAcu/l
MD5:	167BAE0D770302750B44B1AA07A9E008
SHA1:	981F0A0934CA9B3EE94198A4825FF1B824BAD576
SHA-256:	C648BDFEF0C840AA437C72DA0815A597652D687EFA9494B45A2DECFAED9B970D
SHA-512:	FEBD34E0794D2AFCA928C36C8F255D85B839A91787B429539284B7E64945727A88E0FE7E51EAA6FB2DB95333A688C6E20D37F0702F3764ECEF6A01C94877CDA3
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: listen for remote procedure calls.. namespace: communication/rpc/server.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: rpcrt4.RpcServerListen..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\log-keystrokes-via-raw-input-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.696940502590931
Encrypted:	false
SSDEEP:	12:NVzdmRqelkv7pfFfylNLx9xsZ9ohsjz2vHhZZozOIH0AJy:NVQRxlkv7pUlB3uZ9ohUq/hZXIUey
MD5:	3086C77F6FDBA1EBFCF2206E55BB217E
SHA1:	000076DE5D2505CA68E4E1A8C01DC40E7B22793B
SHA-256:	C29ACE3357FDDF49E5BE56BF6E93AE47B08DDC59805CDB59208A42A998FCFB2A
SHA-512:	711CCCC78AB97110914E92637E8B5029CBF8E93A39ECEA4D99C4C481CB718C5A67504298E9898964059809259EDF561671F8C366E1A123950E6C5FE698CE5E1B
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: log keystrokes via raw input data.. namespace: collection/keylog.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Collection::Input Capture::Keylogging [T1056.001].. features:.. - and:.. - basic block:.. - description: get raw input.. - and:.. - api: user32.GetRawInputData.. - number: 0x10000003 = RID_INPUT.. - number: 0x10 = sizeof(RAWINPUTHEADER).. - basic block:.. - description: check raw data is keyboard keydown.. - and:.. - mnemonic: cmp.. - offset/x32: 0x18 = RAWINPUT->data.Message.. - number: 0x100 = WM_KEYDOWN.. - basic block:.. - description: check raw data is keyboard.. - and:.. - mnemonic: cmp.. - offset/x32: 0x0 = RAWINPUT->header.dwType.. - number: 0x1 = RIM_TYPEKEYBOARD.. - optional:.. - offset/x32: 0x16 = RAWINPU

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\make-an-http-request-with-a-cookie.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	258
Entropy (8bit):	4.363222593531886
Encrypted:	false
SSDEEP:	6:hAvlmIA0FtY5RRRKCNClkEeM9Fr8uLS4FdG4ALHe5RTLRgv:mdm6FtY5RRRHNClkO3LfFd5RHRq
MD5:	5257E629FD49B6A104B9076CAB16DC6C
SHA1:	E59AD364D00DDA8D9FFC965F02C9901D32FAB550
SHA-256:	1C66CDDC0E0C89B7F451CD8E2F4E28812767CC759395332E43A222FEE834A367
SHA-512:	316BDDBD3B5F0899478FBA72483CE83BF96AC8D9944E750E3DD99734054BFD46AD960F873BBFE2C712DF23C0D91B50130698A59856E168B3277818FF8DC15E9F
Malicious:	false
Preview:	rule:.. meta:.. name: make an HTTP request with a Cookie.. namespace: communication/http/client.. author: anamaria.martinezgom@fireeye.com.. scope: function.. features:.. - and:.. - match: send HTTP request.. - string: /Cookie:/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\migrate-process-to-active-window-station.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	983
Entropy (8bit):	4.61280716839522
Encrypted:	false
SSDEEP:	24:mMrG5lnMT2PcAlj/aDCgeP1W4iMYiloeI6oJgIQ2o:mMkS4c3C5Pze6oYILo
MD5:	4EFF7D7EFE329306B4652030D30187A9
SHA1:	737F70609F6ED406114BE4C49FADE38BB4AD663E
SHA-256:	D68E49AC834DE89FEA5D809AE83A4C76FEE78D2E778CB3B8FA78D982D7C62794
SHA-512:	C421F30B1F01A44D93AEC4E27607149FEB60B7AF23DBCC47008FA21066D63FFA4D8D5D509566A9421BD30CCC0939F19EBC8C79942649599100DF4BF6BDDFCA88
Malicious:	false
Preview:	rule:.. meta:.. name: migrate process to active window station.. namespace: host-interaction/gui/window-station.. author: william.ballenthin@fireeye.com.. description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers... scope: function.. references:.. - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html.. - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops.. - https://cboard.cprogramming.com/windows-programming/144588-[win7]-setwindowshookex-windows-service-setthreaddesktop.html.. features:.. - and:.. - api: OpenWindowStation.. - or:.. - string: "winsta0".. - string: "WinSta0".. - api: SetProcessWindowStation.. - api: OpenInputDesktop.. - api: SetThreadDesktop.. - optional:.. - string: "Default".. description: default desktop name..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1333
Entropy (8bit):	4.318778069845995
Encrypted:	false
SSDEEP:	24:mMWluwCDnqfcAd0XKTqOWIjeqdsBvBJ+9U3S:mMWuDqfcPKTqhIjeqdk+GS
MD5:	902E593B7D2F5793C3073254964A6333
SHA1:	DB69271AD892D7E0C5F5971D5F07FF16E6EBA020
SHA-256:	1250493CFB74C86F231D17D698501616145A637F6E129151A9582FE0F78593D5
SHA-512:	4727B1C12E01A379CAD730979293A0181D60E899483215DA5DE32AF5BE872F2D9FB507DBC2B4D3C708AD03426B2D7D2D0B2EB2B62F4796DC364E5E8FC0760103
Malicious:	true
Yara Hits:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\mine-cryptocurrency.yml, Author: Joe Security
Preview:	rule:.. meta:.. name: mine cryptocurrency.. namespace: impact/cryptocurrency.. author: moritz.raabe@fireeye.com.. scope: file.. att&ck:.. - Impact::Resource Hijacking [T1496].. references:.. - https://github.com/ctxis/CAPE/blob/master/modules/signatures/cryptomining.py.. features:.. - or:.. - string: "stratum+tcp://".. - string: "xmrig".. - string: "xmr-stak".. - string: "supportxmr.com:".. - string: "dwarfpool.com:".. - string: "minergate".. - string: "xmr.".. - string: "monero.".. - string: "Bitcoin".. - string: "Bitcoin".. - string: "BitcoinGold".. - string: "BtcCash".. - string: "Ethereum".. - string: "BlackCoin".. - string: "ByteCoin".. - string: "EmerCoin".. - string: "ReddCoin".. - string: "Peercoin".. - string: "Ripple".. - string: "Miota".. - string: "Cardano".. - string: "Lisk".. - string: "Stratis".. - string: "Waves"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\open-cabinet-file.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	290
Entropy (8bit):	4.458622071224264
Encrypted:	false
SSDEEP:	6:hAvlmKjP/YlLqLRVJClES4FfQceGp4KpDHfHFwMLVC:mdmKjnYlLQfFfQcESDHflx0
MD5:	66DDE29CC70D5E9CDE1A9775CFDFAB07
SHA1:	E263416C75FCD55AFC83C7C28D211D99558C0191
SHA-256:	10C3E95CE1B1B08B1DE2666173B160A07FF5D7B182287244D1E2647A96B598B4
SHA-512:	FAD24F4F278EE5A06C337A06BAD2B8FDD7E486D4A708A25B3EEF7E058D0F4847E178D56026FB7D08D62F8DDCE7E699D4322B65FDF3F74558E87422A65F6780F6
Malicious:	false
Preview:	rule:.. meta:.. name: open cabinet file.. namespace: host-interaction/file-system.. author: michael.hunhoff@fireeye.com.. scope: function.. references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files.. features:.. - or:.. - api: cabinet.FCICreate..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-a-createinstall-installer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	383
Entropy (8bit):	4.503755162872598
Encrypted:	false
SSDEEP:	6:hAvlmJh7ANEBqOXJliOZOXdRu7f0JFBO2SkOy/oceGGF+WfGLOANeYvwWfGL/LUk:mdmJxASBXJlxZOXdRsfwRDnocA+YHzx5
MD5:	710C9F5864671B4EBF821D687B7B6315
SHA1:	DC9C15FE4D1A8038C4BF3D3AFCE7DD6E2266DDE5
SHA-256:	F868EE6AE2E47AED9C0F90ED59DCE003ECD65BE00243E9D7A01A67E8D0E6855C
SHA-512:	DA8F7E6563B63CB848AB3ED6CBC34B56026571AEF9B914F8E47C8DB23414670021ABDEB3C67CC9E863DB2AA031388ACD18E895BD3E066EE06B4095EE385FAC30
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as a CreateInstall installer.. namespace: executable/installer/createinstall.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.createinstall.com/.. - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/.. features:.. - or:.. - section: .gentee..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-a-nsis-installer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	281
Entropy (8bit):	4.427620870627774
Encrypted:	false
SSDEEP:	6:hAvlmJhVSJOXJliOZOXDsCSkOy/oceGGF+WfsRnMlhTLJipn:mdmJigXJlxZOXwCDnocA+YsRMJip
MD5:	A39E48B2E66A0D768D27BEB1752FA1EB
SHA1:	F3D7371F309FECE56C59C6EFFD31B64A5BCCC228
SHA-256:	AB03B82166A5C9D1151761022430DCE3115D2B6361847978C4376B47A2597187
SHA-512:	702BA6018191922DAFB2C6FB3E02EB514C7C82C5C11C28CA23FF11CDC233696A994205A627A8976A1F4F085B922E506835FF4486689067387B59BBC22A7395B6
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as a NSIS installer.. namespace: executable/installer/nsis.. author: moritz.raabe@fireeye.com.. scope: file.. references:.. - https://nsis.sourceforge.io/Main_Page.. features:.. - or:.. - string: /http://nsis\.sf\.net/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-a-pintool.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	621
Entropy (8bit):	4.742986312840431
Encrypted:	false
SSDEEP:	12:mdmJowluwRDnocA+YzQqBKU/cNQQfgY+UhnzjbY/VxrF7jLB+9t+A:mMOwluyDnocAbp/cNFfLpnu17cuA
MD5:	F6BB7C860B97C154FE2FC0BFF08EF7D7
SHA1:	DBA6A0EF787CD15ED639E63C84F646B3672E9571
SHA-256:	078FF8CE42D95FB3C63C8CC7DEF3BEF42E95F458F2EC7159E3E4A34090FF4EC0
SHA-512:	1B04293E7D08C965567E5245AA12D4B9F07237CF296A9F5232CD7F7C664D9E9A6090577184A993B170305A756AC45F4644062BDB3DA0ACD4C4E4F6451A42C1DE
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as a Pintool.. namespace: executable/pintool.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://software.intel.com/content/www/us/en/develop/articles/pin-a-dynamic-binary-instrumentation-tool.html.. - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/.. - https://www.blackhat.com/docs/asia-16/materials/asia-16-Sun-Break-Out-Of-The-Truman-Show-Active-Detection-And-Escape-Of-Dynamic-Binary-Instrumentation.pdf.. features:.. - or:.. - section: .charmve.. - section: .pinclie..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-a-winzip-self-extracting-archive.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	324
Entropy (8bit):	4.606738561487931
Encrypted:	false
SSDEEP:	6:hAvlmJhKAXvSTFYliOZOXJEMJJFBO2SkOy/oceGGF+WfGL/LUyXq+6ORW/DhQbn:mdmJDST6lxZOXJtRDnocA+Y+Uyi+G4
MD5:	DAB33B939BCBC8E41982DA2534ACB3AE
SHA1:	031C6DF7B8F226EECAA43E032469FE4721E18E28
SHA-256:	FE385034BC62B28E6BE75692CB14829AB7B0C81FDE116FA57933DF775C97F329
SHA-512:	F1D46B2FA3B9C3630E207CB717EC29718CDF71C6186D8B998B98A636B5AA637A2CE5DCE75D2FBF385DF1F18D32ADE6083F5BCD699C274B5EF68E97CAD6987D06
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as a WinZip self-extracting archive.. namespace: executable/installer/winzip.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. features:.. - or:.. - section: _winzip_..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-a-wise-installer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	256
Entropy (8bit):	4.326566075194509
Encrypted:	false
SSDEEP:	6:hAvlmJh/OXJliOZOXJc7f3CSkOy/9TLNLLTWgsXkRLsD:mdmJoXJlxZOXJef3CDn5N/ag4keD
MD5:	4EE9BE59C415C4A48D48791ADEBF16B0
SHA1:	C668F4C7DB672D529EE7135C4E7924EFD7B88EFD
SHA-256:	BC321E67A247F6B72EC6F10B10A52F5E76CC7A6645EEF5882883D2C5B3B15954
SHA-512:	3B8495DF5A5A282AF054EFFA6A276D9D9355F713E793FA6DE9B51AC8E5ECF59C5DBB242B54AA19B114D486F23243D4D00D7A12DBE8762F065929A90D12191A42
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as a Wise installer.. namespace: executable/installer/wiseinstall.. author: moritz.raabe@fireeye.com.. scope: file.. features:.. - or:.. - string: "WiseMain".. - string: /Wise Installation Wizard/..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packaged-as-an-installshield-installer.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	435
Entropy (8bit):	4.461060152139447
Encrypted:	false
SSDEEP:	6:hAvlmJhnXWCJOXJliOZOXXZYsCSkOy/9MCzXxF8nodbevCzSFflJDJpqYXA8g8Lf:mdmJIXJlxZOXpXCDnWW3ivCzcJeCjr
MD5:	96312574B365E1C2D85F1DCF4052D157
SHA1:	E9F8680D34F4CDC84D750D1212A54D4C856C6A5E
SHA-256:	D607511E101E51C0B853D4C1C7A35E58E3517E773704C061AF98C104A1389E08
SHA-512:	556874DE661C1B210C4D6F9AC016860FCFBD531DAAC3F32B93D9D4E7EADF6FC6E36E719D9D52427999F6C320485F50E3B8941AFFDDCDEE17C08F4E438CB07EAD
Malicious:	false
Preview:	rule:.. meta:.. name: packaged as an InstallShield installer.. namespace: executable/installer/installshield.. author: moritz.raabe@fireeye.com.. scope: file.. features:.. - or:.. # AppHelp has an export ApphelpCheckInstallShieldPackage,.. # which we want to avoid FP'ing on,.. # so do an exact match for this string... # ok to relax if there are counterexamples... - string: "InstallShield"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-ccg.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	470
Entropy (8bit):	4.761182369236737
Encrypted:	false
SSDEEP:	12:mdmJL4l/SURDnqSimsKkYuKR2MycA+Y+Uyi+GFjI:mMl4laeDnqzYuKR2MycAlyQBI
MD5:	21EA3E03DF15DF265B2271B407139582
SHA1:	09159B32D7EF1C1763398A5EF534AEDCAB9E83C6
SHA-256:	993D7EDC976F17B8FF9FC95140742594EA8462D7CF5AEC11A24951A934386215
SHA-512:	A617B4B69739308F671DE277F4828D43B18F5A88D206FD4824568D311112F3B8310DEA0DDA108A77F727C2ACAB6EB39FDE71ED9112DC95733711017623B60579
Malicious:	false
Preview:	rule:.. meta:.. name: packed with CCG.. namespace: anti-analysis/packer/ccg.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .ccg..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-crunch.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.760115908107832
Encrypted:	false
SSDEEP:	12:mdmJXeygl/6ARDnqSimsKkYuKR2MycA+Y+Uyi+GFjId:mMRglCiDnqzYuKR2MycAlyQBId
MD5:	FECD67C6B0A797ACBE005A326167DC42
SHA1:	970F0B99D3BE3C7876E506EC6EB89F25D7EE2373
SHA-256:	49899BD120A9156A504F391664FBA9DBC4F728DBFDC688BA30094767B8FBDE04
SHA-512:	4590D414257353A56626BA2DFCA8746D34CC281724F1419510EE825FDE94F72FC9374C9958779F3D85E588CB16FD61C3994093C7524286A8BFBC0527125A6EE4
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Crunch.. namespace: anti-analysis/packer/crunch.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: BitArts..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-dragon-armor.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	490
Entropy (8bit):	4.764800022553062
Encrypted:	false
SSDEEP:	12:mdmJjLl/jIoRDnqSimsKkYuKR2MycA+Y+Uyi+GFjq:mMtLl7LDnqzYuKR2MycAlyQBq
MD5:	7B7135148E2A8ED98144AFE6545C0F86
SHA1:	8CF4B5221B2BECDE6D166DDA21A1BBDDDD812D6C
SHA-256:	067212EA1AE9159CB8474B8A6C10962FEDFE44249EAA310C5EB274A1961F0579
SHA-512:	3F3F99718C5517B3ACB65B9700206633B6AFBEA657C34D8EBEE5715665A776B898F59D098615CE715C3F29E86C5DA56CA8BCDA8FAC91200B7F58C34248401E14
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Dragon Armor.. namespace: anti-analysis/packer/dragon-armor.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: DAStub..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-enigma.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	507
Entropy (8bit):	4.697285136069116
Encrypted:	false
SSDEEP:	12:mdmJxCl/x4ORDnqSimsKkYuKR2MycA+Y+Uyi+GFj1N1:mMClZlDnqzYuKR2MycAlyQB1
MD5:	47A8E0C81CDD6B3E94DD3F33438986DB
SHA1:	4A0FF37CF913F264D13164D90519478ED3D723E0
SHA-256:	3629F546A78B6B5C9D5B48AAF382AC81D40CC3A704A068414096C30C4A1AFFB5
SHA-512:	1F11C3CF81C62AB0362EC8620BE11E2CBFDC1016D318CCCC50B68CCAFE0A0366EBAE34437DF4C11E497189EAE9AA00063216F31EE8311A092F13462885AD2684
Malicious:	false
Preview:	rule:.. meta:.. name: packed with enigma.. namespace: anti-analysis/packer/enigma.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .enigma1.. - section: .enigma2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-epack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.771787563487281
Encrypted:	false
SSDEEP:	12:mdmJSYl/vOlRDnqSimsKkYuKR2MycA+Y+Uyi+GFj8n:mMBl3qDnqzYuKR2MycAlyQB8n
MD5:	D01ADD9F3143C31F81BAABEEFB613B4B
SHA1:	8030F7E40E99E38FB9A949535E8DF425CF83354D
SHA-256:	765462C8B70D2934202F58C0F5DA85EFEFB357CC05383899BAA7384702434A0E
SHA-512:	E4D7C02A8BD0B57C843FB326E51CC1293FF873F03BE02EBB515CACEA1E6AB1E2376805ADA36126799F90D22A8B1249BD0B4189A0A6D8EE08F1D5F57CBA82600A
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Epack.. namespace: anti-analysis/packer/epack.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: "!Epack"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-maskpe.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.770928625690261
Encrypted:	false
SSDEEP:	12:mdmJel/1lRDnqSimsKkYuKR2MycA+Y+Uyi+GFjk:mM8l9rDnqzYuKR2MycAlyQBk
MD5:	D1ACBD767C75800849D43E0DB339F982
SHA1:	48DA29C2B143E3569943343E18E473799494A556
SHA-256:	D162732A0E52F43D41FD2F8B4BC905EAD1198031AB81F2188A3B95D55944B71C
SHA-512:	A4472F052CF89E0DD0A64E871E828C826DD507E3C011E4861966EA6EDA5747D686521D4A8C9A0420B3C28EE4CB5A0F29F016698334C8FF5234C030D95D598CDF
Malicious:	false
Preview:	rule:.. meta:.. name: packed with MaskPE.. namespace: anti-analysis/packer/maskpe.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .MaskPE..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-mew.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	469
Entropy (8bit):	4.772070836807234
Encrypted:	false
SSDEEP:	12:mdmJYl/jRDnqSimsKkYuKR2MycA+Y+Uyi+GFjkv:mM+ltDnqzYuKR2MycAlyQBkv
MD5:	B8ED7E10116FA84AAE81875DABD8A418
SHA1:	E764EDAA8555B96FE7A60839EE60C44F8BCA2411
SHA-256:	F37BADF6FB5F3C33AE43B02A7E59E1CEE884E2D764DC7F65639F2D1B07A005BF
SHA-512:	46449C6D606A76ECC74AA5FAB05B32D57D17F8127D7BFDBC3F9022EB9B372CD720EC589FE0BB92D8FB132001EC866F3A100B20832714D998300F892981483756
Malicious:	false
Preview:	rule:.. meta:.. name: packed with MEW.. namespace: anti-analysis/packer/mew.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: MEW..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-mpress.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	507
Entropy (8bit):	4.777645516113722
Encrypted:	false
SSDEEP:	12:mdmJpl/7wRDnqSimsKkYuKR2MycA+Y+Uyi+GFj3K+Ki:mMjljyDnqzYuKR2MycAlyQB35B
MD5:	AA9CB944D048204436BA660B38EEE1B8
SHA1:	F6A8E3778080BFBD91007BA0686D36570D3ED4EE
SHA-256:	3404CB4AAFF3FCAE60C809E389558BE6989E433A758426EC0A203C28677F91CB
SHA-512:	F46ACE95501EE975CBE173C9DA2E641EB085394559A4A77E2209B80B244691F04699ACE1D6BC244ABBCC7A80475985FAEEF5829539466067B41F24DEB7277487
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Mpress.. namespace: anti-analysis/packer/mpress.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .MPRESS1.. - section: .MPRESS2..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-neolite.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	508
Entropy (8bit):	4.681373760626214
Encrypted:	false
SSDEEP:	12:mdmJbl/IRDnqSimsKkYuKR2MycA+Y+Uyi+GFjL:mM1lCDnqzYuKR2MycAlyQBL
MD5:	FECC0869F84BE9E94CD15851CB9B357D
SHA1:	46D3B4579541F99D64DF117B7033A5665C41656F
SHA-256:	9BBB0C37D9699185A04CA1B9CAE21F031475EF489525B1DF953B1345CF3115AC
SHA-512:	0BACC78A4AC22E755039BECED8F57D455E976052B167C72BE778262C52C75C34C4D5D2E32EE840A1684F571C49337D95D8DA7FAE6F045539953916FBD1D930C6
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Neolite.. namespace: anti-analysis/packer/neolite.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .neolite.. - section: .neolit..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-pecompact.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	692
Entropy (8bit):	4.568833266054084
Encrypted:	false
SSDEEP:	12:mdmJRl/mRDnqSimsKkYuKR2MycA+Y+Uyi+GFjne+wzn:mMnlsDnqzYuKR2MycAlyQBef
MD5:	D55ACF3F984F28161477F6A6248D708A
SHA1:	2473B0CAF7B09DE7761687726B642622D30383AB
SHA-256:	FE1EB310587ADCBA8E2224CC1DB334CB1C62A1C18D0773735C80A79CD1D8D0E7
SHA-512:	92E99C1F9ECF1BD95D16F0AFF4B450D8716A52F21FC7A054F1BAF4A3FF3B79DFA4587EF6C4CA3EC5255290EB740F2BA0931A73462C9B130F6255F8CD7DD0EF9B
Malicious:	false
Preview:	rule:.. meta:.. name: packed with PECompact.. namespace: anti-analysis/packer/pecompact.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: PEC2TO.. - section: PEC2.. - section: pec.. - section: pec1.. - section: pec2.. - section: pec3.. - section: pec4.. - section: pec5.. - section: pec6.. - section: PEC2MO..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-pepack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	480
Entropy (8bit):	4.795086440394953
Encrypted:	false
SSDEEP:	12:mdmJ5Dl/kjRDnqSimsKkYuKR2MycA+Y+Uyi+GFjBwyn:mMnDlKDnqzYuKR2MycAlyQBBwyn
MD5:	3CABCB0E37EA020C8DF53FEEA8D4D963
SHA1:	41BFF3BF54797C9F4AA12C767C4BB9E0EDC7188C
SHA-256:	9FC120426CE31FA909EB27D7679C1518CA69D1587DEE8B77A2A41FF29A96F2A1
SHA-512:	88A0A381E225A4FEE3B823317C1B02F5CA14682D4FD9319A20FAF36D624C3EFF5511AFD9FC73C8524E5F4A9C40C5BC63C034A9247D4512DD214D84B679BBB95D
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Pepack.. namespace: anti-analysis/packer/pepack.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: PEPACK!!..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-perplex.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	482
Entropy (8bit):	4.742320089139451
Encrypted:	false
SSDEEP:	12:mdmJkwl/TwRDnqSimsKkYuKR2MycA+Y+Uyi+GFjr:mMOwlryDnqzYuKR2MycAlyQBr
MD5:	BEA9C4F9F6E4A14C38CE0A420533C654
SHA1:	20C7F2CC98C029B3BFF8400F4FBE8C70AD9A302F
SHA-256:	B3CBF3C99D6B9B12C49A09667BFAA12E788F1123ED91CAD2231692BEE852B0DD
SHA-512:	7AD7444FC824331F2FF2ACC5819EEA670FA7541C126C6075320196CCB0B9F0B43FB7D59ED0B89D254CDF437236D725B4C1B73E724099ADAEFF83F25FA256E661
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Perplex.. namespace: anti-analysis/packer/perplex.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .perplex..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-procrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	484
Entropy (8bit):	4.768342435062328
Encrypted:	false
SSDEEP:	12:mdmJ/Ml/pRDnqSimsKkYuKR2MycA+Y+Uyi+GFj8:mMSlfDnqzYuKR2MycAlyQB8
MD5:	FE614C9D1C71AAD35A0819B8C20013A9
SHA1:	01D6E1241DB9361AFEC66C996E059DC4EBE80554
SHA-256:	25A9783110D141D6F42BE2B76F2FED189EC079FFBF58F946D00E75FC5813A910
SHA-512:	061D8F1F9C8D3842E435B7833BA358FC6656466178FF65687C7A5E096843329EEE391DE8A8600AA860F29A9BF5666F8FB4054A21F1C2630DEBC06C67A73001B6
Malicious:	false
Preview:	rule:.. meta:.. name: packed with ProCrypt.. namespace: anti-analysis/packer/procrypt.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: ProCrypt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-rpcrypt.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	508
Entropy (8bit):	4.762238919694921
Encrypted:	false
SSDEEP:	12:mdmJfl/5VoRDnqSimsKkYuKR2MycA+Y+Uyi+GFjXPFv:mMdlxVKDnqzYuKR2MycAlyQBt
MD5:	B633B9C6BF76404621DB6CA426A3FCE5
SHA1:	AE6FF2A4A14CD3445B8F0A4ECDDA6C581E7ED794
SHA-256:	B342E2E41B9B6FC8453A4EDA99A8677D9EFE46DC46008FF4ABFF22E71DB7E8C0
SHA-512:	BEDFF40AEC0B85C80165C7C7F7D7979042B854F3846FA5CF59C37A8105148541BF8AA825E754B53CAA6E53EE451768A8FB8BDB62BDD8C480A33BED8110BDF440
Malicious:	false
Preview:	rule:.. meta:.. name: packed with RPCrypt.. namespace: anti-analysis/packer/rpcrypt.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: RCryptor.. - section: .RCrypt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-seausfx.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.754891706282393
Encrypted:	false
SSDEEP:	12:mdmJx+Xl/GwRDnqSimsKkYuKR2MycA+Y+Uyi+GFjz:mMglOyDnqzYuKR2MycAlyQBz
MD5:	7999FD711F773BE792DA90F65805F1CC
SHA1:	0DF7185DBA42A0806B815DAA1DBDC88CFA490E1F
SHA-256:	4A187F51B2920DD3F81E54E4C3A938FAC3E5029FF7DDA7215AC2A8602BCA33AB
SHA-512:	77ED19AA89D92741BC5F631C8B3800406739C5ADE5D9DAB991F918B9BE5306EE579D94E685D393ED37E2D501772D6C9F9F16F88675D3E808C3E29FBE5BED6CF3
Malicious:	false
Preview:	rule:.. meta:.. name: packed with SeauSFX.. namespace: anti-analysis/packer/seausfx.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .seau..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-shrinker.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	538
Entropy (8bit):	4.695114975961947
Encrypted:	false
SSDEEP:	12:mdmJY4l//oRDnqSimsKkYuKR2MycA+Y+Uyi+GFjhS:mMu4lHKDnqzYuKR2MycAlyQBg
MD5:	DB80A87B92E32C21CE5D7D3C6BE01C3C
SHA1:	B96F4815AA22C59F70CE7511AB615FD96E5CE260
SHA-256:	CD66D45DCC43449E558FCF2BAF12AADEBF74F629E759166E543E7A5BDBC1510A
SHA-512:	9E8F7E95559FDD71933CAA659F0A217F821DC3CD35B9DF1ACA66219804BD3B94B17BC04A94B20C9EEDA54BAAB3AA5E15DA3FFC85FD66AAB509B08E62D2BF1777
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Shrinker.. namespace: anti-analysis/packer/shrinker.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .shrink1.. - section: .shrink2.. - section: .shrink3..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-simple-pack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	488
Entropy (8bit):	4.742131821294297
Encrypted:	false
SSDEEP:	12:mdmJ9xv4l/uRDnqSimsKkYuKR2MycA+Y+Uyi+GFjh:mM/OlEDnqzYuKR2MycAlyQBh
MD5:	4DBCA715FE63C14D89F9AEE4D406DDA0
SHA1:	8829EE089B255D0027AD3B492FCDECEB591F51C0
SHA-256:	822C2D4B92F0F07AE05736CF21C40C3A55D521C1F9707C21BEA114122146673C
SHA-512:	08C9F49542A29CE64A71E248B7371431D97989A1683DD9FA878A1C8634B3364C01DD859FC9EA179389572825EDCEA5DE46EB4D8266BADAF9302C45FA4128BB6A
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Simple Pack.. namespace: anti-analysis/packer/simple-pack.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .spack..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-starforce.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	486
Entropy (8bit):	4.7389038254001
Encrypted:	false
SSDEEP:	12:mdmJkl/IARDnqSimsKkYuKR2MycA+Y+Uyi+GFj/HG:mMGlNDnqzYuKR2MycAlyQB/HG
MD5:	52A0A430301FCC57E52FA6F93EEDB004
SHA1:	E6B077797D654F1B2910CA23922E675AE7B4812A
SHA-256:	465B8BB87BA23BB1C1AF130AFFC8699363A5FA565F975B92CA33CBABDB871FD8
SHA-512:	F9459F0AA6CC6CA3433BB861A31C263173720EFAA832EFE1CE9E701E080A250B5DBCE22685140603CF5C1721960DAC7EAF8983A14A504B5BCBDDF9910288B389
Malicious:	false
Preview:	rule:.. meta:.. name: packed with StarForce.. namespace: anti-analysis/packer/starforce.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .sforce3..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-svkp.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.777422519460765
Encrypted:	false
SSDEEP:	12:mdmJpl/eHRDnqSimsKkYuKR2MycA+Y+Uyi+GFjvz:mM7lmxDnqzYuKR2MycAlyQBvz
MD5:	AA8F93BCD09A38E1F2714F5BA92EF776
SHA1:	7886E20957EC11B971DB5830A3D01140938C90D5
SHA-256:	461D975F3F347CDDAC06A70FB513664CFF8C040DF4EDB035CD02912858F205C0
SHA-512:	E661F3430C0940B02737981B4E66CE01BE0E914B3BB702575A900090DAF69C85FFACF10C6D946A8E1DA5077D338E3541E3E7FAF04714A473C996B7C70B384172
Malicious:	false
Preview:	rule:.. meta:.. name: packed with SVKP.. namespace: anti-analysis/packer/svkp.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .svkp..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-themida.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	535
Entropy (8bit):	4.700110903707008
Encrypted:	false
SSDEEP:	12:mdmJwYl/c+jIRDnqSimsKkYuKR2MycA+Y+Uyi+GFjBWp:mM+YlHqDnqzYuKR2MycAlyQBBWp
MD5:	FA5F1E1AE390A4BB754F765CABC23CF6
SHA1:	E9A89453A0802A6D9C100EEF39B7EF2250AA175B
SHA-256:	1100CCC96E48F22E10AEE8B3458C1F8D1BF2ABE5FF3527983C15DFD925438C82
SHA-512:	17F17AE4A6479615B6D9BE50678D96E150DEF4DF2816C54EB8859A9182E9AD87C38B086FD9B20853DF965C9319F9E4533DA67436BEBF0EA0D2A64D10CA159665
Malicious:	false
Preview:	rule:.. meta:.. name: packed with Themida.. namespace: anti-analysis/packer/themida.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: Themida.. - section: .Themida.. - section: WinLicen..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-tsuloader.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	513
Entropy (8bit):	4.743267980912166
Encrypted:	false
SSDEEP:	12:mdmJsl/DRDnqSimsKkYuKR2MycA+Y+Uyi+GFjfeZ:mMql9DnqzYuKR2MycAlyQBS
MD5:	BF1EE5253A3380542638C29E47FD409C
SHA1:	CF4BD7D45780802142C96DD008D61752B151FBFF
SHA-256:	200590FE80885883120F214C3792AE188DE27DA4491FD64554D7D328F8C1F3C3
SHA-512:	ED8261EDEC3696839B3A9203A724A1856D005FEE9BCEF995CA2914E9674CFFD838E2F8C4BF133C4B2777F79FDE7B1059558628DC3771C586D880E2E2F33E3E28
Malicious:	false
Preview:	rule:.. meta:.. name: packed with TSULoader.. namespace: anti-analysis/packer/tsuloader.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .tsuarch.. - section: .tsustub..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-vprotect.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	484
Entropy (8bit):	4.747094169250737
Encrypted:	false
SSDEEP:	12:mdmJngl/r1RDnqSimsKkYuKR2MycA+Y+Uyi+GFjQn:mMRglDbDnqzYuKR2MycAlyQBQn
MD5:	FE44E0627333752E40C475F0B87FBFB6
SHA1:	8522312953AF01E839FCD1C76C6743C45793D1B5
SHA-256:	03C31FFFBFF6CF95298E23F2982763194B534283D6935D56D921CB34AA5F30BF
SHA-512:	C5166185ABB327D6E653487672537AFA5E995BD9028CC0F8C913F84FB34B5C6BA24BC90DF99256D544131850FEE6E1095672500A6A932BAE9AB4F6B51BC593F3
Malicious:	false
Preview:	rule:.. meta:.. name: packed with VProtect.. namespace: anti-analysis/packer/vprotect.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: VProtect..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\packed-with-wwpack.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	504
Entropy (8bit):	4.810230894868697
Encrypted:	false
SSDEEP:	12:mdmJSl/aVwRDnqSimsKkYuKR2MycA+Y+Uyi+GFjG2sNn:mMYlCEDnqzYuKR2MycAlyQBU
MD5:	5658312765E6D0913A3B747323384C84
SHA1:	B1300D9DE0E41FCB8D56449915EB9328CDF16E9B
SHA-256:	80E135D4E6E009E5D545D095203FC6FF128B6A1D196EF5644F1E3E4DB4EEACA4
SHA-512:	9816E6C23DF1CE103DEBBD1004272614FB6A1F3CB93BE93EC99799C86472A06EC90F90D4DF701B09A596F2EF09E581717F5F0E920DEAF5563F9ECAD559EC6568
Malicious:	false
Preview:	rule:.. meta:.. name: packed with WWPACK.. namespace: anti-analysis/packer/wwpack.. author: william.ballenthin@fireeye.com.. scope: file.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002].. mbc:.. - Anti-Static Analysis::Software Packing [F0001].. references:.. - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/.. examples:.. features:.. - or:.. - section: .WWPACK.. - section: .WWP32..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\prompt-user-for-credentials.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	608
Entropy (8bit):	4.5187310862942205
Encrypted:	false
SSDEEP:	12:NVzdmAYlkORfFfQcEa/KqS//V58jDCDSmYIHnPb5N:NVQAYlkORqc4n5cDCDSmYIHPbL
MD5:	B0F4F26FDB4F02AD5038C400A25E1C8D
SHA1:	33DA76597B8F826A57AC609FD10D211A507D8595
SHA-256:	0789E56C2507B666A6667498F188A3C4BF9A265EB9A7A0EFCCF71920024438CB
SHA-512:	06B9771238DF889E630089FC642E94AD0BBB9043ECE32FDAC5B9C216281E1B9FA1BB9520B25C8CCE68390EE8AC336A1A51EABD02B56A29FFDA352E4412B14B59
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: prompt user for credentials.. namespace: collection/credentials.. author: michael.hunhoff@fireeye.com.. scope: function.. references: https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials.. features:.. - and:.. - or:.. - api: credui.CredUIPromptForCredentials.. - api: credui.CredUIPromptForWindowsCredentials.. - optional:.. - api: credui.CredUnPackAuthenticationBuffer # unpack credentials for collection..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\query-remote-server-for-available-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.442934444869402
Encrypted:	false
SSDEEP:	6:SWq+iazvlmUc3tllFwlkEeMAJClESgyZ9LYlyfi5p9:NVzdm1l4lkV5/FqA9
MD5:	08DDB14D9627AAEB91D53F191798F818
SHA1:	D58966A36C5DD7669A6551B5F9E5607E4F6E14F7
SHA-256:	7E47D4A249D82220362CAC66861ED8B0695755F786408A350B440AC681413C84
SHA-512:	2D323957338C1731CD2C2A8A5ACDB74ED40521C3FAC774804654AC556966EAD686A16F5943EDE0313617E9906F3A7A527768227AEF523B1AF1C4B007C4414012
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: query remote server for available data.. namespace: communication.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: wininet.InternetQueryDataAvailable..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\read-and-send-data-from-client-to-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	243
Entropy (8bit):	4.154666503340974
Encrypted:	false
SSDEEP:	6:hAvlm4FHP2OwlkxOsGJFBO2S4FdGr0/4ALjy:mdmIv7wlkxURfFjly
MD5:	A1922463BA5CD485379A71123BBBECDB
SHA1:	850C91D9090AC509C4B74CB14219F7952278F555
SHA-256:	AA4A4CDC4F7C1C6A64C0F22973A27BC91A183536473D41175B9FB30550F021BD
SHA-512:	BD55F4F8E54576ED648435E6AA03A3EF34C1350F4C2DBE14BA632167676D11B6379F5A9CEBEFEDFA025307CB962025C5ADDE465C076ACF9864082C24EE056F69
Malicious:	false
Preview:	rule:.. meta:.. name: read and send data from client to server.. namespace: c2/file-transfer.. author: william.ballenthin@fireeye.com.. scope: function.. features:.. - and:.. - match: read file.. - match: send data..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\read-process-memory.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.329742736634649
Encrypted:	false
SSDEEP:	6:hAvlmvEItdCFFwlLqLfLluESm6QCAFdGGqLFFwHodFRGhmyqN3XT:mdmvflLQhuEz6QRFuEIHYANnT
MD5:	E416C46BCCFC564B9082FA0043981337
SHA1:	12CF9F1ECF3D37581D91CB2EDDB2A07728645ABE
SHA-256:	4A9CFE90E5624763B88C70FA9322AACA3EECC711F3C66DB4BFFC7CB93B1CEF3E
SHA-512:	08CE8E3CB4D3C84A0CCCDFF69751A8E5EF0E71C82D9FFFF15DC7A9E961A0E451E1EA318D72ADC1EE7BA0BEE950792538FE1E675D735334C8DE2A72197E70EE0B
Malicious:	false
Preview:	rule:.. meta:.. name: read process memory.. namespace: host-interaction/process.. author:.. - matthew.williams@fireeye.com.. - "@_re_fox".. scope: function.. features:.. - and:.. - api: kernel32.ReadProcessMemory.. - optional:.. - or:.. - api: kernel32.OpenProcess.. - api: kernel32.VirtualQueryEx.. - api: psapi.QueryWorkingSet..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\read-raw-disk-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	246
Entropy (8bit):	4.463296354771998
Encrypted:	false
SSDEEP:	6:hAvlmt3KoFwlLqLRV0JFBO2SkOy/9TLbNavF8LK:mdm5UlLTRDn5M0K
MD5:	A22F2CE614EE04DC7F582C633097B299
SHA1:	4334B8E2990F726B07AB85E77A9A72FC6FCB8157
SHA-256:	5FFD9FCE87F0C47CB0DD12D336B65F1C751B93BC7378FF28B82D286ED60E048B
SHA-512:	20587E998F0B014C908DB5D6D1D85CFE2A0C809F76EA56B53D56579C1FB668E84BCB93E65D745976A55E4265E97081A5E9835B5B3972697B45A9270DA5C17CEB
Malicious:	false
Preview:	rule:.. meta:.. name: read raw disk data.. namespace: host-interaction/file-system.. author: william.ballenthin@fireeye.com.. scope: file.. features:.. - or:.. - string: "\\\\.\\PhysicalDrive0".. - string: "\\\\.\\C:"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\rebuilt-by-imprec.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	305
Entropy (8bit):	4.558383998498642
Encrypted:	false
SSDEEP:	6:hAvlmjMtUnW/FwliOIlGF0JFBO2SkOy/oceGGF+WfGL/LUhi2DkMqyjqxQtA:mdmj7lxIllRDnocA+Y+UhnzjfA
MD5:	8DE32767524791FA6E13078007714E9C
SHA1:	2948C4A69E6A84F2CFF3CC656130E763F25EC2FF
SHA-256:	B6126A63149C9F157D47FA19D5F514DC46331906338269169B193878B633A506
SHA-512:	76DE3919B52A454B39066AE17B2114A5810E8D7EEE3D70321671312B10C013A11C49F76E445547DA4D52F369F431B30632B9B564D4A41D2B0C5A8B38C2B07B7F
Malicious:	false
Preview:	rule:.. meta:.. name: rebuilt by ImpRec.. namespace: executable/imprec.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/.. features:.. - or:.. - section: .mackt..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\receive-and-write-data-from-server-to-client.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.1736649044491445
Encrypted:	false
SSDEEP:	6:hAvlmL+NhugFYlkxOsGJFBO2S4FdG9lFEcmSJNvn:mdmL+NholkxURfF27ZHv
MD5:	FD24C5B4FE5B971322EA1CFA4EF8B09C
SHA1:	0CDA716843BD44FAAF93D45E365AC5815FDF71BE
SHA-256:	E502A9F8721A5EAC621C0029DB44E9EC90103AF10E0E7C1B8B8AA976DF017F33
SHA-512:	0C8C43A029046E4536D04F23D4D0020F147664946B87CEF781FC38039A38BE65E65923272972B0D59953C8455B2AD601E045A82A166EBF61E307AD4FBDC51C5D
Malicious:	false
Preview:	rule:.. meta:.. name: receive and write data from server to client.. namespace: c2/file-transfer.. author: william.ballenthin@fireeye.com.. scope: function.. features:.. - and:.. - match: receive data.. - match: write file..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-114dns-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	559
Entropy (8bit):	4.746712764338301
Encrypted:	false
SSDEEP:	12:mdmH6glkBIRfFfQcA+Y0H/4YI2CBH4QyigOZ0X0v0Ta0aa0uU0B:mMH6glkYqcA0iHNeEcTnanuRB
MD5:	2E0A42DBFACCDB193FCF08D5247D1948
SHA1:	41C841353D6342B15390554F79A16D2395793423
SHA-256:	0CB06FB7FE0730C11E4413A078066992D42D73F6821F92BEF8696BB71349A9BD
SHA-512:	644DA679FE3C150306FF3B595971248E4EDECAF0EF02DB904268A6B719ECC979C39F9692741CDF2CCB32E0038555BEBBA9FB6A7709453CEB13C9E2344B748F50
Malicious:	false
Preview:	rule:.. meta:.. name: reference 114DNS DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.114dns.com/.. - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP.. examples:.. # - ab57d3c179355bf2bcdb7935483d84d4.. features:.. - or:.. - string: "114.114.114.114".. - string: "114.114.115.115".. - string: "114.114.114.119".. - string: "114.114.115.119".. - string: "114.114.114.110".. - string: "114.114.115.110"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-aes-constants.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.6423843152635405
Encrypted:	false
SSDEEP:	12:mdmH6gPClxbfqWRfFfySimsKvks59m5Y2+M:mMH6gPClBfqEU5suiDM
MD5:	C631E4B27E02AAAD5B62F5D985E4BA22
SHA1:	25A8470750323CB1D8AF1CB9D634FA08E76C0ED6
SHA-256:	73F4181ABAA8AB40F26DEADC89FC0DBEA2418FD0611769A2F5F3D25565737945
SHA-512:	B2F48BAB7E0BE806D2BF02FEBD8961B053D290C101E1CE824214FE613E0C23E329A9F05B66E75285EA5F40482E8DB2AAB689A0D2E5F7D1F45B95C60C0AF3B453
Malicious:	false
Preview:	rule:.. meta:.. name: reference AES constants.. namespace: data-manipulation/encryption/aes.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information [T1027].. features:.. - or:.. - bytes: 50 a7 f4 51 53 65 41 7e = d-0.. - bytes: 63 7c 77 7b f2 6b 6f c5 = s-box.. - bytes: 52 09 6a d5 30 36 a5 38 = inv-s-box..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-alidns-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	414
Entropy (8bit):	4.74574661112575
Encrypted:	false
SSDEEP:	12:mdmH6uplkBIRfFfQcA+YghH4QyigOZVb0ZcHUMAf0MAeI:mMH6uplkYqcAYHNvWYui
MD5:	2F977610FE2B086DE4374F73ECA8EE7E
SHA1:	0BDB9AE19EA9901EC04F609FC43C36EB905F3956
SHA-256:	19593BBFCE7666C49E5A0DC71F821AF053C7C186DECE420D9ACB2FD40FDAB287
SHA-512:	0DE11682E1535CF678B33DAB9169B5E3E606884B99CDBC14087F6B58D9521559C8DDF2FC8122AC06FB0AE7144EC885C014C346717ADD41F6A37BF1C468DEFA51
Malicious:	false
Preview:	rule:.. meta:.. name: reference AliDNS DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.alidns.com/.. examples:.. # - ab57d3c179355bf2bcdb7935483d84d4.. features:.. - or:.. - string: "223.5.5.5".. - string: "223.6.6.6".. - string: "2400:3200::1".. - string: "2400:3200:baba::1"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-cloudflare-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	324
Entropy (8bit):	4.489641162846019
Encrypted:	false
SSDEEP:	6:hAvlmHeGgKXlkEeM4FMJFBO2S4FfQceGGF+WfGLYTbTcyowzTLT2Lph3v:mdmH6KXlkBIRfFfQcA+YDdopZ
MD5:	3C6FD7D215D7A57EB95A949C4139C3A2
SHA1:	CA986F7B6994D600A11AB577827632B4660D4DB5
SHA-256:	F11A5FB61C5F331ADF3B87D8E39EA308CA1D53A89039BF99A54FD584F2E5F451
SHA-512:	1825BA16558A4A38B16955BEAA53A791EC5C4F93178DC7BD5D3FEA39D0576B3693C1D165B9F4E99FD91C81B02E441B4CAC32CD977812CF8362ADDEA8DCBFE4ED
Malicious:	false
Preview:	rule:.. meta:.. name: reference Cloudflare DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. examples:.. features:.. - or:.. - string: "1.1.1.1".. - string: "1.0.0.1"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-comodo-secure-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	334
Entropy (8bit):	4.5881968989131545
Encrypted:	false
SSDEEP:	6:hAvlmHeGg9EUplkEeM4FMJFBO2S4FfQceGGF+WfGLYTbTcyowzTLouLoipS:mdmH6+UplkBIRfFfQcA+YDdoEoipS
MD5:	D4CFE84129512582C7919C8AAF5EA530
SHA1:	EAF96CD70D5928293C53BD09C52D77E88EA06413
SHA-256:	C67E502195126CBEEE84FFC5AA9656CDD584BAA2EE0E594F98401AA21CDA41D4
SHA-512:	6686F05B25146BECD67104275CA54B464D9BEAA0295A630B50D9083D6104A27554A07575643D39080421BB10124BB22FF6CE50AE6093D73AE762EC0A03E1C8DA
Malicious:	false
Preview:	rule:.. meta:.. name: reference Comodo Secure DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. examples:.. features:.. - or:.. - string: "8.26.56.26".. - string: "8.20.247.20"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-google-public-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	474
Entropy (8bit):	4.679926978586107
Encrypted:	false
SSDEEP:	12:mdmH6k+FlkBIRfFfQcA+Y2YAIvzRDqBdohoxIuIpv:mMH69FlkYqcA8IrBqBG
MD5:	764881620E18FEB16DB6DD0667D4C68C
SHA1:	55225B124A929D9A151391EF4992D4F589186304
SHA-256:	435A5E14A7C53A87B8276795D54E713A92E0B38DB79EBAB01E15F1D7F9DABB39
SHA-512:	137A060F62434F707864AA6D91E87A617376AE68418D0A132E6B57BF677440801CFF136EB8AF76812B1ECD0F67BE4A3A002EE929E5495461695AD1507F387AD8
Malicious:	false
Preview:	rule:.. meta:.. name: reference Google Public DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. - https://developers.google.com/speed/public-dns/docs/using.. examples:.. features:.. - or:.. - string: "8.8.8.8".. - string: "8.8.4.4".. - string: "2001:4860:4860::8888".. - string: "2001:4860:4860::8844"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-hurricane-electric-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	622
Entropy (8bit):	4.463946490594358
Encrypted:	false
SSDEEP:	12:mdmH6AQlkBIRfFfQcA+YfYh9JddceE2dD5dRdu3dzy:mMH6AQlkYqcAy7Lc3STHuNzy
MD5:	26B988EEF32B5E8D797AB515639C8BE5
SHA1:	C4489291CBF9BE9373BACDE8442F0D02FD572D8D
SHA-256:	C4F937A2F2002A6ED3FB530FDAF8E4030CC8689935498E20730B71EC8CCD778F
SHA-512:	F0EC56DFB999490A5479C7EE80CD8D5E265E496ED7BF94BEDE35F7AAD0D3063BA74E45D7146A41053E336FD2058F9D064E3AE54D2646FD9D1CD28EAA7203DCBA
Malicious:	false
Preview:	rule:.. meta:.. name: reference Hurricane Electric DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://dns.he.net/.. - https://dnslytics.com/ip/216.66.1.2.. examples:.. features:.. - or:.. - string: "216.218.130.2".. description: ns1.he.net.. - string: "216.218.131.2".. description: ns2.he.net.. - string: "216.218.132.2".. description: ns3.he.net.. - string: "216.66.1.2".. description: ns4.he.net.. - string: "216.66.80.18".. description: ns5.he.net..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-kornet-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	378
Entropy (8bit):	4.732430760643939
Encrypted:	false
SSDEEP:	6:hAvlmHeGglHglkEeM4FMJFBO2S4FfQceGGF+Wf04KuBt7jFJowB4QyWDkrOH9TLU:mdmH6JglkBIRfFfQcA+Y04KufbH4Qyi0
MD5:	E79FDFDF5FC4553158553AE7D0B371D1
SHA1:	D8FC6EBFE288352E317CE29A71D5C980F1CCF310
SHA-256:	0F69A6005D314064BB4F0AE03A5E98B181827F38E13DCA7CE1FEBFF722CF50C5
SHA-512:	E7E6241069DF054A65B0217EA67203FAA5D29842958A50C7F8D7E22DF92F2580BB2E25F585FA15414FD066C2804B235C8472A14742BBFE835798BE54A877B8FE
Malicious:	false
Preview:	rule:.. meta:.. name: reference kornet DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://whatismyipaddress.com/ip/168.126.63.1.. examples:.. # - ab57d3c179355bf2bcdb7935483d84d4.. features:.. - or:.. - string: "168.126.63.1".. description: kns.kornet.net..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-l3-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	428
Entropy (8bit):	4.512020398027758
Encrypted:	false
SSDEEP:	12:mdmH6glkBIRfFfQcA+YITW67odEUnE3EaE+0EQnEe:mMH6glkYqcAWT9oqUEUh+7ve
MD5:	8CFCE2B828FABB97AC06A6483394DE06
SHA1:	6F07FC1250CB7F0D7801B0C0845738E797CA57B4
SHA-256:	E73B91D725EAEDF0032326C96D3963BCACC6E0D67F1CB08C0DA5857247629AE4
SHA-512:	0BEE960E0232477CDC2223FBB964069F5E878A95A70B2932515C49E4D2017CA7D34C0E74E7D6C21E33F9C6728180169EAED380D4F413BF306B36ECEC7D353585
Malicious:	false
Preview:	rule:.. meta:.. name: reference L3 DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.quora.com/What-is-a-4-2-2-1-DNS-server.. examples:.. features:.. - or:.. - string: "4.2.2.1".. - string: "4.2.2.2".. - string: "4.2.2.3".. - string: "4.2.2.4".. - string: "4.2.2.5".. - string: "4.2.2.6"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-opendns-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	335
Entropy (8bit):	4.605149102960099
Encrypted:	false
SSDEEP:	6:hAvlmHeGgz+1nlkEeM4FMJFBO2S4FfQceGGF+WfGLYTbTcyowzTLIQieLIQ4v:mdmH6QlkBIRfFfQcA+YDdIQiUIQ4v
MD5:	AC9C2BAA9F4D5051407A881258466B7D
SHA1:	A231CEFFD9F62A902777918FCEE015DEA1B81887
SHA-256:	17B084699EFA6B7450CB57BD7BDEF0BD1A7E721F48AC2F8E4842FD19AFEA94E9
SHA-512:	B445C60B02468B8BCE836A3E9C77969B4496659825F52D994B12A48CFED76E7950A94B40BD64B2B9445153CFD9BEE7DEA754B171317E5A9BD089BE85EF356E0C
Malicious:	false
Preview:	rule:.. meta:.. name: reference OpenDNS DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. examples:.. features:.. - or:.. - string: "208.67.222.222".. - string: "208.67.220.220"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-processor-manufacturer-constants.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	869
Entropy (8bit):	4.942812217487705
Encrypted:	false
SSDEEP:	24:mMH6oPClLuEJ7/AofKU0rcAnZRHaGLEaOAIG:mMa5Z1J8oCTcCRHTLENAIG
MD5:	9B94D44C4F9239B8F556466342C43B24
SHA1:	C6DA6907C764E3EC9B0809C3FF25160F488F8B17
SHA-256:	1C567786A9785DC638845CA14F601F1980ECD0BC964B339E38F86611390BA4C0
SHA-512:	34C538159E762C81A61B38B6DEEFD9435510F14A07C5F1A11A3458D2EAAB81995FC9B302D7D6945A82E5E152763F7C7DEE1693A4BABF9B8434E6C691B621CB2A
Malicious:	false
Preview:	rule:.. meta:.. name: reference processor manufacturer constants.. namespace: anti-analysis/anti-vm/vm-detection.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing - CPUID [B0009.034].. references:.. - https://en.wikipedia.org/wiki/CPUID.. features:.. - and:.. - mnemonic: cmp.. - or:.. - number: 0x61774D56 = 'awMV' (VMware).. - number: 0x566E6558 = 'VneX' (Xen HVM).. - number: 0x7263694D = 'rciM' (Microsoft Hyper-V).. - number: 0x4B4D564B = 'KMVK' (KVM).. - number: 0x70726C20 = 'prl ' (Parallels).. - number: 0x786F4256 = 'xoBV' (VirtualBox).. - optional:.. - mnemonic: cpuid..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-quad9-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	327
Entropy (8bit):	4.5578645598825815
Encrypted:	false
SSDEEP:	6:hAvlmHeGg9nlkEeM4FMJFBO2S4FfQceGGF+WfGLYTbTcyowzTLs22LFJ:mdmH61lkBIRfFfQcA+YDdsLFJ
MD5:	CD0918F93FB7E6E2F34A7A34E487D7BC
SHA1:	E64E42DC31A8D7DE289B04859DDF3A6977C35F69
SHA-256:	BB62D2444583A9104A8C9AEB93A9B54463B0A8565D009AA26AA0782AC961471A
SHA-512:	864C346E29BBF9A2F735539F36F5F5C707D4B940E7EB5A9627FE5D7042FC7058735608121F7254524F051ED2DA9C70B32E09387B3F90AB1944905EC23204910A
Malicious:	false
Preview:	rule:.. meta:.. name: reference Quad9 DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. examples:.. features:.. - or:.. - string: "9.9.9.9".. - string: "149.112.112.112"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-screen-saver-executable.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	546
Entropy (8bit):	4.596361612277884
Encrypted:	false
SSDEEP:	12:mdmH6kAgl1ph3pLhbASDKHgFfyLW1E9dJlIHsJTELVZEinWVFhyn:mMH6kRl1hLhbNuHzLVIhfSFhy
MD5:	86F058BAABDB24FBF5A832C066B654C0
SHA1:	44D83D0767DA1A8A8CD3D664AE0A32541D6CAC24
SHA-256:	1713AA9062F72A2CBCED06539B7F75600E5BDAE6BD8EDF6F55BF7FA4C4434CBC
SHA-512:	4B76F1CC34F74070ECD59FA1B3775C94967E97633197DBEB2129E92EC489DB606B789C12CFCAAB7BD01EC362D9BC23D2C3CE811A05DF4D4DAC3B74699435E172
Malicious:	false
Preview:	rule:.. meta:.. name: reference screen saver executable.. namespace: persistence/screensaver.. author: michael.hunhoff@fireeye.com.. description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file.. scope: function.. att&ck:.. - Persistence::Event Triggered Execution::Screensaver [T1546.002].. features:.. - and:.. - string: "SCRNSAVE.EXE".. - optional:.. - string: "ScreenSaveTimeOut".. - string: "Control Panel\\Desktop".. - match: set registry value..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-startup-folder.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	345
Entropy (8bit):	4.628051613733353
Encrypted:	false
SSDEEP:	6:hAvlmHeGgOpJl1dAcHluESkOy/qhjcusYi5x2eRGAhTLcQqY:mdmH6OpJl1dAMuEDnqMAeTVqY
MD5:	A6E67277626935B23124428B06332965
SHA1:	AD4F0A8EB709E91B502E5FA293FAA94353514A48
SHA-256:	56849D6D1C0F775556CC1944209A0BB11AAC5DA3946FB667B5A34B46E46A3C40
SHA-512:	1C6A12AA95D9D4C8DC1D5E95DCD016294E49253D0FAEBA8D0B85E4024DB5C5D3CEACBE94CB4E374F8E351BC1D12BC0C652A42F5B61723A90B9A6C259A4C24A38
Malicious:	false
Preview:	rule:.. meta:.. name: reference startup folder.. namespace: persistence/startup-folder.. author: matthew.williams@fireeye.com.. scope: file.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001].. features:.. - or:.. - string: /Start Menu\\Programs\\Startup/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-the-vmware-io-port.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	518
Entropy (8bit):	4.88462584491298
Encrypted:	false
SSDEEP:	12:mdmH6rl/yEgGuEfFfy+Wc8AJGfKUGllVbGz9LNWQA:mMH6rlLuEU7/AofKU0/jD
MD5:	38EE04477CA401E903D3092294E4FC84
SHA1:	DF559D02F713BFDE96D6D94FB1CB031AD3DD61AA
SHA-256:	5FCEFD4698EEA8E6ECF6B32AF3F078857CF4533A35F762C4B70265E6DF67EBED
SHA-512:	01C796401B4209E5657CF3426CEB3AF514C5264717A5223737FEA2266F7923D80B56A52CCEFAF0B86E24D56964D1BBACD83A14A5C426E103A0E37400F9EAC80E
Malicious:	false
Preview:	rule:.. meta:.. name: reference the VMWare IO port.. namespace: anti-analysis/anti-vm/vm-detection.. author: matthew.williams@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001].. mbc:.. - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port [B0009.025].. features:.. - and:.. - mnemonic: in.. - number: 0x564D5868 = VMXh.. - number: 0x5658 = VX..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\reference-verisign-dns-server.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	326
Entropy (8bit):	4.506586988089116
Encrypted:	false
SSDEEP:	6:hAvlmHeGg4lkEeM4FMJFBO2S4FfQceGGF+WfGLYTbTcyowzTLwAeLwn:mdmH64lkBIRfFfQcA+YDdwAUwn
MD5:	F01971BD27B99BB4B2D847F420363F9B
SHA1:	D3B533C32027F1F4E12DD4706FD8FDC207813BF0
SHA-256:	7C4A78FA838E6BF0A7D0CE20597212A0700186D7BF5AB4A7653821CDB5AA78C2
SHA-512:	FB684B5CCAEBDE4717AE83DCE52FACA2CA72C9C29A3728FB86BFB07F62236F4B90FA98FF165FE14D1A14084E849B85831577DDEB1F15CD35B09D20706C320ADD
Malicious:	false
Preview:	rule:.. meta:.. name: reference Verisign DNS server.. namespace: communication/dns.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.techradar.com/news/best-dns-server.. examples:.. features:.. - or:.. - string: "64.6.64.6".. - string: "64.6.65.6"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\register-http-server-url.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	304
Entropy (8bit):	4.582591862537279
Encrypted:	false
SSDEEP:	6:SWq+iazvlmngFZ4glkEeM9ClESgyZ9mKyX5KMqEy:NVzdmgsglkC/RKyX5KvEy
MD5:	E0C872566C4846A2AE5C2C4DA28B1EB8
SHA1:	8C02583F6AF7DA4FF5310EABCC3993AE392E0123
SHA-256:	20FE92AE4405347D295D89BC4462F1298B2D90AE34852D3E6F1D114F2FD73F02
SHA-512:	F509B88C643E30D0C658211C20C0FA31FC70524840534B3B37580E8E0F362BBAB83B87E16DBBE514E5C3F6853B46A249C6F0B7DE2D2D971E58DB5AD0A34B5397
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: register HTTP server URL.. namespace: communication/http/server.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - or:.. - api: httpapi.HttpAddUrl.. - api: httpapi.HttpAddUrlToUrlGroup..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\resolve-function-by-hash.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	903
Entropy (8bit):	5.031350720231505
Encrypted:	false
SSDEEP:	12:mdmmLl5MkCPoRfFfySimsKJ+cA+Y+iuF5lIdfgYolOI7ZnsHyjTFq8xPjvklkp9f:mMIl59aKUm+cAg2dfUlOyFT4ovkUB
MD5:	ED97AB32B08F5509822718F62E81A774
SHA1:	78067D2AB09BAB3ECFFCACC78BAE59A7C3963FBE
SHA-256:	1BDA82DCAD2CF1880CB7C043E955DBA2063C506972F20E004B175981795F1FA4
SHA-512:	68D31043EA1DB2A9EA2B0E82CAF6145E694DE8754729825EA1D8FBD5DF9DDAC622419EF9A45F0A76147940BF9033A802E203B84286A5AD41D50954DEC2724CD9
Malicious:	false
Preview:	rule:.. meta:.. name: resolve function by hash.. namespace: linking/runtime-linking.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005].. references:.. - https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html.. - https://pastebin.com/ci5XYW4P.. examples:.. features:.. - or:.. - number: 0x6a4abc5b = ROR13(kernel32.dll).. - number: 0x3cfa685d = ROR13(ntdll.dll).. - number: 0xec0e4e8e = ROR13(LoadLibraryA).. - number: 0x7c0dfcaa = ROR13(GetProcAddress).. - number: 0x91afca54 = ROR13(VirtualAlloc).. - number: 0x534c0ab8 = ROR13(NtFlushInstructionCache).. - number: 0xff7f061a = ROR13(RtlExitUserThread).. - number: 0x60e0ceef = ROR13(ExitThread)..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\run-in-container.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	865
Entropy (8bit):	4.844022887269616
Encrypted:	false
SSDEEP:	12:mdmtl4lLBGeRfFfyqYcA+YZ+DSjLjdOALx9x05RXVafiKLr5RXVaPiKLwVA1:mMElAMU1cAz+WfRln0PlalfPla1P
MD5:	93F892D3A8FC53FED6FCD06AFB4D3AEE
SHA1:	5C41074C82554A5368C5873B27B76E863A7FF39A
SHA-256:	BAD517B6FCD9ED1E97487A0141E8501DBCCA3A78B11505849F6B24904A7F9315
SHA-512:	F3E7F1F3AFF106290343514D25D3CD10BDCF102441DFEC470E1A64A059AA3DAA9DBF11FF8E0ACEB9C7167965D23F7150C8CCD41CB3365211E337A10A6F249E74
Malicious:	false
Preview:	rule:.. meta:.. name: run in container.. namespace: host-interaction/container/docker.. author: william.ballenthin@fireeye.com.. scope: function.. att&ck:.. - Execution::Container Administration Command [T1609].. references:.. - https://docs.docker.com/engine/api/v1.24/.. examples:.. features:.. - or:.. - string: /^docker(\.exe)? exec/.. - string: /^kubectl(\.exe)? exec/.. - string: /^kubectl(\.exe)? run/.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/containers\/[0-9a-fA-F]+\/exec/.. description: docker API endpoint, e.g., /v1.24/containers/e90e34656806/exec.. - and:.. - match: send HTTP request.. - string: /\/v1\.[0-9]{1,2}\/exec\/[0-9a-fA-F]+\/start/.. description: docker API endpoint, e.g., /v1.24/exec/e90e34656806/start..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\run-powershell-expression.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	440
Entropy (8bit):	4.4610288516739445
Encrypted:	false
SSDEEP:	12:mdmoXFANSwlAGl3LfFfy50FVujJXXjnR0BIHsutnwy:mMOAnlAAbU5rXAIHVt
MD5:	54370A59B395A3190F3CACED46F7210C
SHA1:	7BA1FFB4D48E96645E0506251C11DCF8F65B792D
SHA-256:	C28B46BAE546C88E367C791E7A96FD616A04721ECE9C9A78B2904ACF34689E65
SHA-512:	601B9519433951F64D550717BF588D1E7C4D5101F3AFF65AE2F397E5E243919378DA7D320E89F00C1D90A320A4B1181150609428705AA2F215D33E9226B51344
Malicious:	false
Preview:	rule:.. meta:.. name: run PowerShell expression.. namespace: load-code/powershell/.. author: anamaria.martinezgom@fireeye.com.. scope: function.. att&ck:.. - Execution::Command and Scripting Interpreter::PowerShell [T1059.001].. features:.. - and:.. - or:.. - string: / iex\(/i.. - string: / iex /i.. - string: /Invoke-Expression/i.. - optional:.. - string: /powershell.exe /..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\schedule-task-via-itaskservice.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	562
Entropy (8bit):	4.797943901095404
Encrypted:	false
SSDEEP:	6:hAvlmWDSiS2l1pS/uwTClES4FfyhjS//wRzGKt+86wzVOhfijNA/iZ95vFz6Ilzi:mdmWLl1pSGIfFfyM33wEijr5z6j5d
MD5:	BF98D571DA8C2044E7EA767484C02DE3
SHA1:	211212EE029D801E11B3A17BE879612AD48A01F3
SHA-256:	7BF3D8F5477DB151EFC5E8832090BB73A2AEC037E714E23075F64A7D54D7B965
SHA-512:	A700A124444FF6493B9F6D6D043C02B2217D846A55A674AD20E0B5A2BC59FB83FC344341B960037CC1536DC1CEFB9D52E40CC4F9AABF0964004458FFF611E88F
Malicious:	false
Preview:	rule:.. meta:.. name: schedule task via ITaskService.. namespace: persistence/scheduled-tasks.. author: michael.hunhoff@fireeye.com.. scope: function.. att&ck:.. - Persistence/Scheduled Task/Job/Scheduled Task [T1053.005].. features:.. - and:.. - basic block:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD = CLSID_TaskScheduler.. - bytes: C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 = IID_ITaskService.. - offset: 0x24 = ppv->NewTask..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\search-for-credit-card-data.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	660
Entropy (8bit):	4.50788418562925
Encrypted:	false
SSDEEP:	6:hAvlmWhrFwlkpydgHluES4FdGKt+m7Rq7uVKbAt+m7Rqxbv/KbAt+m7RMR2FGLiL:mdmWh2lkp1uEfFXBBCzzs2FFNkM
MD5:	C7698CCBD981B2A55336D9F4EFB4C8F9
SHA1:	A3A49D796C35ADBA6B6FC36525D93CFC91ECB9E6
SHA-256:	53082C3F5E52D8FE99A55F417EF7614FA72E6D000F8D0D78E4C5D24ECE9EBEDD
SHA-512:	36F44122D645DD5AF27F06D2A92F91CAB360B81F88CE1F0CDAF6857F8358C51AF50BB45E954B22F42FFD01769DF60DCC7D2C92DF2A070C6D0B2513CC84ED50D7
Malicious:	false
Preview:	rule:.. meta:.. name: search for credit card data.. namespace: collection/credit-card.. author: matthew.williams@fireeye.com.. scope: function.. features:.. - and:.. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x5E = '^' (Track 1 separator).. - basic block:.. - and:.. - mnemonic: cmp.. - number: 0x3D = '=' (Track 2 separator).. - basic block:.. - and:.. - mnemonic: cmp.. # seen in 518185ED134F93DF708590E74473DA8E and 05B2D1AF23CF96E295BBBFC6CDC76E1F.. - number: 0x44 = 'D' (Unknown separator).. - match: read process memory..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\send-http-request-with-host-header.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	249
Entropy (8bit):	4.3205294136535
Encrypted:	false
SSDEEP:	6:hAvlmWOhe5RR/clkEeMt8uLS4FdG4ALHe5RTLBDvy:mdmWOY5RR/clk23LfFd5RHBDvy
MD5:	D2B63D97A0FABEFA7DB078B7E403D648
SHA1:	7B3D7B5B5BA4CDAD3036B77782F29D7E258F5AC5
SHA-256:	13EEB85D20CAD1AD76DCB8970706464A608CABC3F40E92B68FF51C33182B9ABD
SHA-512:	F6592AE1D207A000C2D4299FF622F11DB7FD805B66D5EC943AAFFF0A7CD626E89CB9A2DD354F87F93E91A859008998D4E59DCC94A02B97B6A0D4EC05104648D9
Malicious:	false
Preview:	rule:.. meta:.. name: send HTTP request with Host header.. namespace: communication/http.. author: anamaria.martinezgom@fireeye.com.. scope: function.. features:.. - and:.. - match: send HTTP request.. - string: /Host:/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\set-global-application-hook.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	291
Entropy (8bit):	4.6760226733201895
Encrypted:	false
SSDEEP:	6:hAvlmWXT14lLqLKZClESgyZ9GwZVXRkDlHAF4Nd:mdmWZ4lLT/qrSlA2
MD5:	E9DCA331477A2D430D9C61F9B1AB87FD
SHA1:	27A15A9CFFD3A9156218825F5A1B2E7C62281049
SHA-256:	36805377FD47B026E75D3DCADF94CC271B99E5B6F21072F700D058C6FE9B3C81
SHA-512:	01A0140A18C40C044AB868B840A0FB30188E90A4F54790AB367DDA42587AF031391AD9FE6383AFA121F27C02DD7848D75FD6DA0B2E9B3E89B996F8ADC16497EE
Malicious:	false
Preview:	rule:.. meta:.. name: set global application hook.. namespace: host-interaction/gui.. author: michael.hunhoff@fireeye.com.. scope: basic block.. features:.. - and:.. - api: user32.SetWindowsHookEx.. - number: 0x3 = WM_GETMESSAGE.. - number: 0x0 = dwThreadId..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\spawn-thread-to-rwx-shellcode.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	243
Entropy (8bit):	4.239174979270992
Encrypted:	false
SSDEEP:	6:hAvlmWlNQ8fCOFCllOBisJGOFFCS4FdGqmkjCFFQRRt:mdmWg8lYlAEbOfCfFtmkFt
MD5:	FC306EC0A5F23BC343F733253B24ED8B
SHA1:	AA6C0404375DF7EFB5862FE324E4653EFD813C40
SHA-256:	08BF95BD91D655EA105104D756A59CA4BD72C8743431D1D7118CE01DA85EE540
SHA-512:	530DAA1E35FBCFF2F364608F52B60F301426968D3F1C2D1C67591649EB373E8AC2BDF647803F98154CBB3A9B1331411080B1FB1021D8A98C98AF04CEAB338368
Malicious:	false
Preview:	rule:.. meta:.. name: spawn thread to RWX shellcode.. namespace: load-code/shellcode.. author: moritz.raabe@fireeye.com.. scope: function.. features:.. - and:.. - match: allocate RWX memory.. - match: create thread..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\spoof-parent-pid.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.912257450287577
Encrypted:	false
SSDEEP:	6:SWq+iazvlmWPD34lmUiqIAyJClESgyZoceGp4hPQQLARwaOVGG8w3BtnPHIey:NVzdmWP8l/i/PcEhbLnMiQey
MD5:	6ABC215AFF7269596001BCC3BC3F5A37
SHA1:	1BA5494A5EBBAC95D73CFE6A7AC34086A420A2D6
SHA-256:	83D9AE1E5FCA01ECD816E970B6094CA08C6E9E3E22C7C30EAF8BB6D8F24F300F
SHA-512:	44023845A97122332D88E064D17A1215EA1D9B9C44C867D7D2D4CC7104988893DA121A0CF0CFDEDDDCF8A970980770A0B6BA3A94308553FFEAA5A37542270284
Malicious:	false
Preview:	# generated using capa explorer for IDA Pro..rule:.. meta:.. name: spoof parent PID.. namespace: anti-analysis/anti-forensic.. author: michael.hunhoff@fireeye.com.. scope: basic block.. references: https://blog.f-secure.com/detecting-parent-pid-spoofing/.. features:.. - and:.. - api: kernel32.UpdateProcThreadAttribute.. - number: 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\nursery\terminate-process-by-name.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	373
Entropy (8bit):	4.340875000305362
Encrypted:	false
SSDEEP:	6:hAvlmewvGu80JlLqLMyWH/MJFBO2S4FfJowBwf8F9GgwvGCB/GWTDJl:mdmdGh0JlLWS/IRfFfJHwxGCB/Gel
MD5:	7FDD438C2D5F91A9DA5101EB4750F14C
SHA1:	16F5C6D8BC926715E69B796DBF934E3EAAD4585D
SHA-256:	7BD60CEB3C5571D7BDCC9B4F9456B9927B56FCF9F63B518571A3B4464D314268
SHA-512:	3D138DE148772942D2F22552729F3D7BC15D34B63D49618E86F856D0FA354AB43C4C73B450F0552BBEAB4D6673261B78E09F166C7CA32D63C990338A19C2174E
Malicious:	false
Preview:	rule:.. meta:.. name: terminate process by name.. namespace: host-interaction/process/terminate.. author: william.ballenthin@fireeye.com.. scope: function.. examples:.. # - unpacked Cl0p ransomware.. features:.. - and:.. - match: terminate process.. - match: enumerate processes.. - or:.. - offset: 0x24 = pe.szExeFile (x32)..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\appinitdlls\disable-appinit_dlls-code-signature-enforcement.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1027
Entropy (8bit):	5.035523703532761
Encrypted:	false
SSDEEP:	24:mM8Qe4l1oULCcAwjtQWGJqqlcsBeokFhW/BuNoGxNi7Gy:mM8Q7ToULCcTOWGJqqVBrkyBuWCS/
MD5:	66D52B1FCE4A622CA9DF599FB965B279
SHA1:	8320EE782670365CB4E828F03013356D79298DEB
SHA-256:	9D98D42D59B6956D97003B6363D44C669AF50BF95E4E73806BC5D4E9C6F6497E
SHA-512:	9200B167A100AD8FA152D4B9B84483BBB1D81A1067B51B663E8278FA7B70A04381A979932737F70468C0C8981E9FB7B7373CEAFD1687376647BCF47FD368DBC3
Malicious:	false
Preview:	rule:.. meta:.. name: disable AppInit_DLLs code signature enforcement.. namespace: persistence/registry/appinitdlls.. author: william.ballenthin@fireye.com.. scope: function.. att&ck:.. - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010].. - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006].. references:.. - https://docs.microsoft.com/en-us/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2.. examples:.. - 58ADC2E97FBEE01B71073CCD7FF1B9A4:0x401350.. features:.. - and:.. - string: /RequireSignedAppInit_DLLs/i.. description: disable DLL code signature enforcement.. - number: 0 = state disabled.. - or:.. - match: set registry value.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - or:.. - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i.. - string: /Software\\Wow6432Node\\Microsoft\\Windows NT\\

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\appinitdlls\persist-via-appinit_dlls-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	930
Entropy (8bit):	4.925500972621545
Encrypted:	false
SSDEEP:	24:mM3sl1fULwcAwjtQWGzI4lFhW/BuNoGxNi7GcIQH/:mM3sTfULwcTOWGzI4lyBuWCS3IQf
MD5:	E7D33CF2D52F68E247ED2A0425136408
SHA1:	9F8AA95B1C2680F9A83A4EFB49EFAD7C7BE3A009
SHA-256:	EF7B9FEBD2915E7B06C99E19BBC87B9619751FD1508D11F80F73C8D7146E7F2F
SHA-512:	5B1BE5DC949AC471B26E6A1803C9D21984A7372D427608154DF8750E5A72A8AA8B619BB2659C3A46F4DD077B7A502F328FF651ED8748F83A055E87DB0FC3DF34
Malicious:	false
Preview:	rule:.. meta:.. name: persist via AppInit_DLLs registry key.. namespace: persistence/registry/appinitdlls.. author: michael.hunhoff@fireye.com.. scope: function.. att&ck:.. - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010].. references:.. - https://docs.microsoft.com/en-us/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2.. examples:.. - Practical Malware Analysis Lab 11-02.dll_:0x1000158b.. features:.. - and:.. - or:.. - match: set registry value.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - or:.. - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i.. - string: /Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows/i.. - string: /AppInit_DLLs/i.. - optional:.. - string: /LoadAppInit_DLLs/i.. description: enable AppInit DLLs feature..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\ginadll\persist-via-ginadll-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	542
Entropy (8bit):	4.899737363343797
Encrypted:	false
SSDEEP:	12:mdm3Kl10rY+fFfyLWbFBbnvCFhyF/Bp2o+X2/M1Kbp:mM3Kl1j+ULCzCFhW/Bn+GUKt
MD5:	FA6C2BBB7B7B4A8981E721C2FF43E84E
SHA1:	5047DDFC7D3666A9B5B6BAFD23C74A2EA1F26094
SHA-256:	6A7252FFBB72B7992B92DB7BBD782502B14A0CC8209BFF8D0277CD08D353FD7E
SHA-512:	2BF66A1883864E9E1E8B56E5305F564B39F31B2EEECE4B6FFAD598E2031F0FCC92F8B9FD8F14D36FB1F59D3427AB358D7BEF35AAE9AB2376B12174D166584EBD
Malicious:	false
Preview:	rule:.. meta:.. name: persist via GinaDLL registry key.. namespace: persistence/registry/ginadll.. author: michael.hunhoff@fireye.com.. scope: function.. att&ck:.. - Persistence::Event Triggered Execution [T1546].. examples:.. - Practical Malware Analysis Lab 11-01.exe_:0x401000.. features:.. - and:.. - or:.. - match: set registry value.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i.. - string: /GinaDLL/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\persist-via-active-setup-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	657
Entropy (8bit):	4.9503691007264266
Encrypted:	false
SSDEEP:	12:mdm3/wl10CCfFfyP/1/ocA+Y+iuKRcJvDrwrFhyF/BpBNVerpvwuaJxm:mM3/wl1bCUPt/ocAgaRcJrrwrFhW/BP8
MD5:	CF7F6AFA3EFD4823E35353F7E4B322FA
SHA1:	61ABAC1101F243D5C2D17C801B924484A0412A5E
SHA-256:	5EEEEF07344050A05D411821DC4B82DBBC79136CA34019032B92DA81C69AD747
SHA-512:	6E0C6F65F86310E1EE8CC4A89D3D7450B45BF59C6A048BCE1EA088E1A415358A90BE99D5ED22F6F7D89AA5672D0BAFDF5C92CD640E60A748F87F39394BD12ABA
Malicious:	false
Preview:	rule:.. meta:.. name: persist via Active Setup registry key.. namespace: persistence/registry.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014].. references:.. - https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html.. examples:.. - c335a9d41185a32ad918c5389ee54235:0x4028F0.. features:.. - and:.. - or:.. - match: set registry value.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - string: /Software\\Microsoft\\Active Setup\\Installed Components/i.. - string: "StubPath"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\run\persist-via-run-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1129
Entropy (8bit):	4.8610292509758075
Encrypted:	false
SSDEEP:	24:mM3Ul15CUQjzL8UKS05dx4FhW/SApNoP0qz18NoGLy6U:mM3UTUUQjzFKSkdOyVpWd8W2G
MD5:	BD78965C6330AB5FAA276D23EE52EA0A
SHA1:	982A48387CF4468FB6046CA915A0BF17449A67EF
SHA-256:	001BEF25B5E842673CE61B52C1B851060699E74ED42B55B1B9189914144F5809
SHA-512:	94046021B3B8BBF8CA260CB61F04119C7F5B87D4E1EC0BFB0F9D7E75E053127BDEABEAB41FB96BDB2BD535624141F0B663EF6E0C4BFCE8D9005A9C23DA7A7C4E
Malicious:	false
Preview:	rule:.. meta:.. name: persist via Run registry key.. namespace: persistence/registry/run.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001].. examples:.. - Practical Malware Analysis Lab 06-03.exe_:0x401130.. - b87e9dd18a5533a09d3e48a7a1efbcf6:0x1400070E0.. - 9ff8e68343cc29c1036650fc153e69f7:0x470624.. features:.. - and:.. - or:.. - match: set registry value.. - number: 0x80000001 = HKEY_CURRENT_USER.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - or:.. - and:.. - string: /Software\\Microsoft\\Windows\\CurrentVersion/i.. - or:.. - string: /Run/i.. - string: /Explorer\\Shell Folders/i.. - string: /User Shell Folders/i.. - string: /RunServices/i.. - string: /Policies\\Explorer\\Run/i.. - string: /Software\\Microsoft\\Win

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\registry\winlogon-helper\persist-via-winlogon-helper-dll-registry-key.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	701
Entropy (8bit):	4.932652747935012
Encrypted:	false
SSDEEP:	12:mdm3XK06l107ARNuFfyKf56KQ2FhyF/SYhpBNVeX2/M1KuuA6biy:mM3XKJl1rRNJKRnFhW/SAPNoGUKuA
MD5:	FBE3E0D49EE834FA687791409ADFAFC4
SHA1:	4A8A1EC7A41C05CF46EC9B736A04C0E17E0CE51B
SHA-256:	AE8F70067C38664B0F4F38FD0264065F79E8149751705656A19B4072F9EE4EC2
SHA-512:	B68F2C51CA207D324A84D115F5BE2816AD38B2B0212AAF1C0A88B4FDBD0B701B542283671A605FF2B3698A5D10DD2DD06BC73F86077A86A2902C63733745E1D1
Malicious:	false
Preview:	rule:.. meta:.. name: persist via Winlogon Helper DLL registry key.. namespace: persistence/registry/winlogon-helper.. author: 0x534a@mailbox.org.. scope: function.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004].. examples:.. - 9ff8e68343cc29c1036650fc153e69f7:0x47f818.. features:.. - and:.. - or:.. - match: set registry value.. - number: 0x80000001 = HKEY_CURRENT_USER.. - number: 0x80000002 = HKEY_LOCAL_MACHINE.. - string: /Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i.. - or:.. - string: /Notify/i.. - string: /Userinit/i.. - string: /Shell/i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\scheduled-tasks\schedule-task-via-command-line.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	501
Entropy (8bit):	4.556521222310496
Encrypted:	false
SSDEEP:	12:mdmWbl1pSGLNuFfyOB007DKJGAnVduKXr:mMgl18GLNJOB007SGOTXr
MD5:	84B18CE4CB10128D28D52FCDBF1C8942
SHA1:	B54825EF1C1C434B0BB5A6292049260952DBD041
SHA-256:	014DD72FB3E792488E75053AF5992083EEE4B0490D4CDD91AD1D1721F431EEF9
SHA-512:	CEF78AAB9AE848DC3C643ECDA17396CF1A699B60F0C49C4183E295302378B6AE6694E6FEC9119227522978AD5D3CD39BD220AD1F9D6C04E42E21263E7C22AD59
Malicious:	false
Preview:	rule:.. meta:.. name: schedule task via command line.. namespace: persistence/scheduled-tasks.. author: 0x534a@mailbox.org.. scope: function.. att&ck:.. - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005].. examples:.. - 79cde1aa711e321b4939805d27e160be:0x401440.. features:.. - and:.. - match: create process.. - or:.. - and:.. - string: /schtasks/i.. - string: /\/create /i.. - string: /Register-ScheduledTask /i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\scheduled-tasks\schedule-task-via-itaskscheduler.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	644
Entropy (8bit):	4.90148689563208
Encrypted:	false
SSDEEP:	12:mdmWaWl1pSGqCfFfyOB0y4L5re17bc5te16uJl8Wv:mMal18GqCUOB0ymreJktehf
MD5:	09174136727FB1122FF97A879A26C691
SHA1:	CD13BF40D1F17B51BDCFFAA39A58B19F0BFC80A7
SHA-256:	18DF2A52B508072EE07A19436F748391A8D2830E7C937F55C0A569D3FC91F16D
SHA-512:	3D8A9F4F2D0C974E874676DE0CC18C995555425221EB539DC6DC04E5AF02F969F7DB958848A45993349CDA701AEB47438D295AD1D4518FFD10FB4EA01308FC6B
Malicious:	false
Preview:	rule:.. meta:.. name: schedule task via ITaskScheduler.. namespace: persistence/scheduled-tasks.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005].. examples:.. - 2B8BEC5BCB1777EAA155D832F7AFC797:0x405887.. features:.. - and:.. - api: ole32.CoCreateInstance.. - bytes: 2A D5 8B 14 AB A2 CE 11 B1 1F 00 AA 00 53 05 03 = CLSID_CTaskScheduler.. - bytes: 27 D5 8B 14 AB A2 CE 11 B1 1F 00 AA 00 53 05 03 = IID_ITaskScheduler.. - or:.. - offset: 0x20 = pts->NewWorkItem.. - offset: 0x24 = pts->AddWorkItem..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\service\persist-via-windows-service.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	913
Entropy (8bit):	4.4498820618823665
Encrypted:	false
SSDEEP:	12:mdm3Jl1rdCfFfyJ8AzfVJHVbnvLJpvo7U/mq2TyIHbgRJGwrLeiFyRrLaf2:mM3Jl1JCUJPzfXVzL07U/mXyI7gvGBX
MD5:	889D462C8DDE00F434E111652D9C7951
SHA1:	8A168E6F303E0922F5CF2425FD3AEB5CDB1DEF21
SHA-256:	70397B9778F0F020C1A8D7A87D5F017701438F44B14BECFEB21D004E8C3BE1BA
SHA-512:	2B2B6FF926877D4620BB9EB82D2261251BE551F0156D7DB64B7B1D18693090AE00EF2D4DFB21A703B56AFBFEF44D8D0ACBF052EF7781D4E3E9D7BF13B8786705
Malicious:	false
Preview:	rule:.. meta:.. name: persist via Windows service.. namespace: persistence/service.. author: moritz.raabe@fireeye.com.. scope: function.. att&ck:.. - Persistence::Create or Modify System Process::Windows Service [T1543.003].. - Execution::System Services::Service Execution [T1569.002].. examples:.. - Practical Malware Analysis Lab 03-02.dll_:0x10004706.. features:.. - or:.. - and:.. - basic block:.. - and:.. - number: 2 = SERVICE_AUTO_START.. - api: advapi32.CreateService.. - optional:.. - or:.. - api: advapi32.OpenService.. - api: advapi32.StartService.. - and:.. - match: create process.. - or:.. - and:.. - string: /^sc(\|\.exe)$/i.. - string: /create /i.. - string: /^sc(\|\.exe) create/i.. - string: /New-Service /i..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\startup-folder\get-startup-folder.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	658
Entropy (8bit):	4.955386618263381
Encrypted:	false
SSDEEP:	6:hAvlmCnpJl1dAcHluESgyZqhjcusYi5x2eRGGjowU5+EVG44gZvjQbiACvb+GEnP:mdmCnpJl1dAMuE/hMAe3jg+EDXZEbsE
MD5:	521A9BEFAB60FCE581297EF3587B1D7B
SHA1:	A5806DB58B6E310D5638D5D8E15CB110654B0CD8
SHA-256:	05A2A37CB402C3DF029A0170E8773A81A616A115CEA20AB2805A1059320A61C4
SHA-512:	0D09062C4173A6E8365A3B3636522325C7678C0F00D2950AFAFC8CA0C41D4D251BCF145A077A2CAD9A547041826667D84038D94D4A07102A35FB72960AA2C575
Malicious:	false
Preview:	rule:.. meta:.. name: get startup folder.. namespace: persistence/startup-folder.. author: matthew.williams@fireeye.com.. scope: basic block.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001].. examples:.. - 07F7846BBCDA782E5639292AD93907EB:0x40121A.. features:.. - and:.. - or:.. - number: 0x07 = CSIDL_STARTUP.. - number: 0x18 = CSIDL_COMMON_STARTUP.. - or:.. - api: shell32.SHGetFolderPath.. - api: shell32.SHGetFolderLocation.. - api: shell32.SHGetSpecialFolderPath.. - api: shell32.SHGetSpecialFolderLocation..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\persistence\startup-folder\write-file-to-startup-folder.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	503
Entropy (8bit):	4.669500715260798
Encrypted:	false
SSDEEP:	12:mdmS4apJl1dAMuEfFfyMAe3jg+pFOp5JnOcNHjZHv:mMSdJl1dBuEUQjTc5lVHjdv
MD5:	970D1C2EB5ADC6D5B14C5E95793F9F4B
SHA1:	A4DD5132CA6EEB5323057862559D221EAEDD311C
SHA-256:	8B7A3D5E5E968547CD5B9D83A88C860A89444EFA1E2E40E3D54E81979113E3CB
SHA-512:	4BBD32A57FC3D9EE3C9B66D8D7C0175C1ECC226B05F064AA475283BD30E3600EED4043BCECAC51A95D2CA4C2637D84F63008E9B0959841803BC05A6BEFE04990
Malicious:	false
Preview:	rule:.. meta:.. name: write file to startup folder.. namespace: persistence/startup-folder.. author: matthew.williams@fireeye.com.. scope: function.. att&ck:.. - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001].. examples:.. - 07F7846BBCDA782E5639292AD93907EB:0x401040.. features:.. - and:.. - match: get startup folder.. - or:.. - match: copy file.. - match: move file.. - match: write file..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\runtime\dotnet\compiled-to-the-net-platform.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	378
Entropy (8bit):	4.545346677997865
Encrypted:	false
SSDEEP:	6:hAvlmGTkq0FFwlDKAozJFBO2SkOy/BowFpk95KBDQsMY+NCKBDQMKXCKBDQsMhH4:mdmGYCliRDnBDpn0M+Nv0MKXv09PNv07
MD5:	C5155CC33C0476679889AC1554933F39
SHA1:	50C3989D10F0D59EE397A3B0CC65E0812FF4B8E8
SHA-256:	1937F55A8016A6F50916AEE5445EE6F4A412D4BDF86AB6D20F414CEA592BFAE4
SHA-512:	D4623D86B5DA96F1963894AEC55CD0A1435E898CFA15BCA1A6A39EB4B42297C0720124B016F135258D8BF4E7DE91B607A428DC87B214E2980A08FD3C3B5D1AAF
Malicious:	false
Preview:	rule:.. meta:.. name: compiled to the .NET platform.. namespace: runtime/dotnet.. author: william.ballenthin@fireeye.com.. scope: file.. examples:.. - b9f5bd514485fb06da39beff051b9fdc.. features:.. - or:.. - import: mscoree._CorExeMain.. - import: mscoree._corexemain.. - import: mscoree._CorDllMain.. - import: mscoree._cordllmain..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\targeting\automated-teller-machine\diebold-nixdorf\load-diebold-nixdorf-atm-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2478
Entropy (8bit):	4.573745216145811
Encrypted:	false
SSDEEP:	24:mMdlZ7CEDnocAIHnskJYNli9ZI1B4JE9zSB0saKCzY:mMdv7CEDocRsIYK9WN9sqk
MD5:	6915B4E4AB6A58C615F41AFD8DFAA871
SHA1:	60123840B4A75FA96D86D041364AD360638BCADB
SHA-256:	6155E5A6850BF8A9547E8FD88B55E79B9FD094878482A74BE751B8AB97B178F8
SHA-512:	1497AB58662E64A5C586D0462A28486ECAF75BF40C0D210D4CDECA701674A39B38B149605D258703F3093AD63F3A7402C495602492D7D3B2E3B3A63B5C8D7D1A
Malicious:	false
Preview:	rule:.. meta:.. name: load Diebold Nixdorf ATM library.. namespace: targeting/automated-teller-machine/diebold-nixdorf.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html.. examples:.. - 658b0502b53f718bd0611a638dfd5969.. - 8683c43f1e22363ce98f0a89ca4ed389.. - 953bc3e68f0a49c6ade30b52a2bfaaab.. features:.. - or:.. - import: cscwcng.dll.. - string: "CSCWCNG.dll".. - import: cscwcng.CscCngStatusWrite.. - import: cscwcng.CscCngCasRefInit.. - import: cscwcng.CscCngEncryption.. - import: cscwcng.CscCngRecovery.. - import: cscwcng.CscCngService.. - import: cscwcng.CscCngOpen.. - import: cscwcng.CscCngReset.. - import: cscwcng.CscCngClose.. - import: cscwcng.CscCngDispense.. - import: cscwcng.CscCngTransport.. - import: cscwcng.CscCngStatusRead.. - import: cscwcng.CscCngInit.. - i

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\targeting\automated-teller-machine\diebold-nixdorf\reference-diebold-atm-routines.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	514
Entropy (8bit):	4.809282132303459
Encrypted:	false
SSDEEP:	12:mdmH6+vF6lZAr8BCWRDnocA+Y+iuq6T+AYJRMnvAIf8DDAv:mMH6HlZ7CEDnocAg66T+JRJG
MD5:	1B40FDC65F9325EB9DC481F6F88289FE
SHA1:	8F6C8191227A48F2E5547CCB3F56EF4A0F7DD8B1
SHA-256:	927552647C07A7526415BF8C6B049F736F03400EB75984C2D2FE4B8FDAD34F85
SHA-512:	F327DBAC82B8F6210465061E8DC0B02F537D98EA6CC68DC619D0E24337F947140D94AADFC2A157776DA9C675936E83EE0C74C002834D1F3F3184C56CD099D32C
Malicious:	false
Preview:	rule:.. meta:.. name: reference Diebold ATM routines.. namespace: targeting/automated-teller-machine/diebold-nixdorf.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html.. examples:.. - b2ad4409323147b63e370745e5209996.. features:.. - or:.. - string: "DBD_AdvFuncDisp".. description: dispenser function.. - string: "DBD_EPP4".. description: pin pad function..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\targeting\automated-teller-machine\identify-atm-dispenser-service-provider.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	625
Entropy (8bit):	4.822539706641025
Encrypted:	false
SSDEEP:	12:mdmTslZArvRDnocA+Y7JStNtKLRMi3lOZvHZG/vcy:mMTslZMDnocA0aRHVl
MD5:	9D767B844FB4AE5E1E2D1FBF4B992363
SHA1:	C0B0445A804AA6111E43F2C0D3F1B9E7C466691B
SHA-256:	202B5F8E057C924041FD574B85FE2EF60A790B9BC1AE88BCE474AE783FD2F631
SHA-512:	540686D066863C4ECEE1395BD23EA4FD46E80D103838E889F07C07ED9CFB80CF4D32496D00BBE1D238BB8B444B7F28ED904B80AF927487658ADE258C0C837688
Malicious:	false
Preview:	rule:.. meta:.. name: identify ATM dispenser service provider.. namespace: targeting/automated-teller-machine.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://doc.axxonsoft.com/confluence/display/atm70en/Configuring+the+connection+to+the+dispenser+service+provider.. examples:.. - b2ad4409323147b63e370745e5209996.. - 1f094dd65be477d15d871e72f0fdce5e.. features:.. - or:.. - string: "CurrencyDispenser1".. description: NCR.. - string: "CDM30".. description: Wincor.. - string: "DBD_AdvFuncDisp".. description: Diebold..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\targeting\automated-teller-machine\ncr\load-ncr-atm-library.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	742
Entropy (8bit):	4.959123061235468
Encrypted:	false
SSDEEP:	12:mdmtH9GglZArrRDnocA+Yv9RqDI78PdImfJHuKE05h1KLLRV4Wrv//D1cwyJ8S5I:mMNlZIDnocA5TqU78lRfJHub05KDJTTZ
MD5:	3FEB0401A33A89274EF9E802EA8DEAA3
SHA1:	710EAE3E5A19C22A8FC6AD5DFCF31D7BBD3F072A
SHA-256:	392BAB648A3D8EF1EC774A988BB693FE8B938969B8D64BD9A30199709ABB4CAE
SHA-512:	1B0EF43E5E8A8566E5228DE6078BE6956F1E097E68BBFF49AC441125550611A303FEBB5D08D369A4B78D0EE5AD4CC01FEF57268EDFB48731E2AF013FBFDCC348
Malicious:	false
Preview:	rule:.. meta:.. name: load NCR ATM library.. namespace: targeting/automated-teller-machine/ncr.. author: william.ballenthin@fireeye.com.. scope: file.. references:.. - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html.. examples:.. - 971e599e6e707349eccea2fd4c8e5f67.. - 4bdd67ff852c221112337fecd0681eac.. - 32d1f4b9c0cf2bb9512d88d27ca23c07.. - dc9eb40429d6fa2f15cd34479cb320c8.. - 5b3968b47eb16a1cb88525e3b565eab1.. - dc4dc746d8a14060fb5fc7edd4ef5282.. features:.. - or:.. - import: msxfs.dll.. description: Extension for Financial Services (XFS).. - string: "MSXFS.dll".. - string: "msxfs.dll"..

C:\Users\user\AppData\Local\Temp\_MEI7842\rules\targeting\automated-teller-machine\ncr\reference-ncr-atm-library-routines.yml Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1211
Entropy (8bit):	4.846805280306436
Encrypted:	false
SSDEEP:	24:mMH6qlZIqcA5TqU78lRfJszNb03AA2BJ2ydwI2+bUYcP05hA8/dx9XtlXHch11:mMaqvIqcsuU7QhszNmoBc43Uf+A01Ds
MD5:	2E0ED65EE3C3EB6E34A04150477E4A60
SHA1:	C1D42A0255D933B0BE303FC2879EB1F1888F934D
SHA-256:	5F01389BF4A39B3ABE2C4D8F14B8D006171E56E295E57EFC9DC2294C0CFCBD73
SHA-512:	AC9BF76F104DC34749C352F1AE96955EE55B71C7EA0588693C20EA06A476F72EA2567D8E5E362A0201964322D529553EF19910563095767782C284210C1B2BBE
Malicious:	false
Preview:	rule:.. meta:.. name: reference NCR ATM library routines.. namespace: targeting/automated-teller-machine/ncr.. author: william.ballenthin@fireeye.com.. scope: function.. references:.. - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html.. examples:.. - 84a1212f4a91066babcf594d87a85894:0x404470 # loads routines via GetProcAddress.. # 971e599e6e707349eccea2fd4c8e5f67 # packed with vmprotect.. features:.. - or:.. - string: "msxfs.dll" # Extension for Financial Services (XFS).... - api: msxfs.WFSCleanUp.. - string: "WFSCleanUp".... - api: msxfs.WFSClose.. - string: "WFSClose".... - api: msxfs.WFSExecute.. - string: "WFSExecute".... - api: msxfs.WFSFreeResult.. - string: "WFSFreeResult".... - api: msxfs.WFSGetInfo.. - string: "WFSGetInfo".... - api: msxfs.WFSLock.. - string: "WFSLock".... - api: msxfs.WFSOpen..

C:\Users\user\AppData\Local\Temp\_MEI7842\select.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	27824
Entropy (8bit):	6.16098797426807
Encrypted:	false
SSDEEP:	384:T2XLk/FcA2CTeHkXvwhMMHqS5C6l1tPe0cEJXa5IImGPDG4y8iD0hS:T2qXIkXvwhRHqSRtmKq5IImGPDG4y+hS
MD5:	E21CFF76DB11C1066FD96AF86332B640
SHA1:	E78EF7075C479B1D218132D89BF4BEC13D54C06A
SHA-256:	FCC2E09A2355A5546922874FB4CAC92EE00A33C0ED6ADBC440D128D1E9F4EC28
SHA-512:	E86DBA2326CA5EA3F5EF3AF2ABD3C23D5B29B6211ACC865B6BE5A51D5C8850B7CDA8C069E6F631AC62F2047224C4B675BBE6AC97C7BA781DE5B8016EBAFFD46F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.J.D.J.D.J.D.C...H.D.&.E.H.D.&.A.A.D.&.@.B.D.&.G.N.D...E.H.D...E.O.D.J.E.t.D...I.K.D...D.K.D....K.D...F.K.D.RichJ.D.........PE..d...o.`.........." .........4......X...............................................z(....`..........................................@..L....A..x....p.......`.......P..........8....2..T........................... 3..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..8............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\sigs\1_flare_msvc_rtf_32_64.sig Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4720417
Entropy (8bit):	7.9993569768567765
Encrypted:	true
SSDEEP:	98304:IOXSuOAmjxcfnt5DLpK8FTroUs5DFZ81txUgKX:IHDAmjCfjdK6/s5DI21X
MD5:	E999E7A70264D7BD99CBBB2FA80A4D7B
SHA1:	46953DA313056E2B62F65865339DDF7267999CD2
SHA-256:	E0042918FA80D432A1914680816996AC397AFC30B05D3161192F29DE63E66E79
SHA-512:	BAD117D82BCB9A0EBD6616A45F70D1026122A921D4EE51658969A9B3E9C10E4BD8E1E56D539F0362D2B089B9B9C4E35FA7728E7E9396A93866FBA75748EAE5CD
Malicious:	false
Preview:	IDASGN............................!..\|... ..."FLARE MSVC Signatures 32/64 bit"x..k..G.&.]U.`....MJ..9w8...5...].veUf5....H6..`.f.,...oU5...9..c....c....._c.q.............`.....a.......^@rDdfdDfdVVW.I.3.X...9q....'N./pE~..q\..7....-...qg..Un..8..z.<..Yy.....j..k...l..n.m...W5..r=EpD.^.~.......W.Dn.8D..p..\.A.......E..2.....r.c.\|.........M......s\H...xkU.H6...\|.x.B......9..X.B..g...n..[.. .l.?.....'B.......Ww...~g......`..bB\..{.:/.R.#YF...../?..g....w6D7M.yx....j..............B..6V.o..{.9.oW...A..".w......u...7.}.3..u...V.#....>x..?....u.].`..f.4.@.Z.}.k[..x..--.uY.....^7.@..t?.[...cv!..`........}D..(......[.y.N.]k.....G._.U..... .</4......i..O.1jnP...S.q..`....&.7..5....?;{...9\|....k$w._wr..J.b..X.z....&..X..x.~.CmL....gJ....=q.....u.(.4P.............>.-h.}..G"..(..zG.....%..X...d...yh...E..jf3N.@......B..~.EL..wmP.i$o......`\.{]`...y;R..(..`..>....._.1.....?....)...$....._.u.&T.R..F.+b..-17O..H.\..^..^...M.\X..F.b.[......n.?g.x......>..Omr.....@.[f

C:\Users\user\AppData\Local\Temp\_MEI7842\sigs\2_flare_msvc_atlmfc_32_64.sig Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7581481
Entropy (8bit):	7.999492856377772
Encrypted:	true
SSDEEP:	196608:qWu9uN/XngNpIyE2ZB6k9Dc8aRYgk+rMISrAlk+Bo:qWu9ucpZE2fmvrMIS8lk+Bo
MD5:	56BA1319E12C2776D6FFAAD42CEA6FC4
SHA1:	8069A4B92D6AC18EB0787B934FFACB58BE1C45C0
SHA-256:	C6F6084F1553F3A4A515BCEFE7A72FE2B3564C8338C01FA9ADD1166276BF09F1
SHA-512:	129FFE4AAFAE1273BF8AFE8B049114EA82E5BF5B8BF9F45BFABB5DA161301C9A382AD6CA487FE739E08E8925478F6608BA080F73C4747EDD812F355E8BC00C6B
Malicious:	false
Preview:	IDASGN............................)...... ..."FLARE MSVC ATL/MFC Signatures 32/64 bit"x...x..y(:.X..K..D.C..+.D..#...A..)./.V.R...!...,$u..b#.n..%7n..N.....9...-$.F....J..$.=N..q.(v..=Mx..fw......s.>.$v..g..9...9.........E..I...\T..N_8......(Ny<.C.B<........O8rN0...!.743....%g8..NQ..G.3./....Q..........." ..1Xf.<1..<t.d.$...}..j@:4..?5...-.xK..aG.....Ut._]..P...{.........u......./..G.']...?.....FD.}...8.C.^Rknn...R{..O~..=.*...cP1...5-.i.Z..C..!P.1..W..Z~..>....t....m.Jl..F...865...s..+.c.o)T.....z2.H....H....S.va...\|.xw5t..T..T.J..-nO..=................n....%5..uGN ..X]G..:.. u....B.6X.......D.}yk.N........,-8........^.[F5/&..bf.<a.P..'w......v....{....#63..S3.M.n.ym.z~..y..^...]ds....%y...Gx......pd./{]..".E)"...f.@8.Vf.81.w.^c7..E.b....8....$..qP....{V....V.?&......p...A.?..Z..A'}mg.<@.............6.a.....0.k....E...$...'....8>...1=`...@_8.f.=...".....c...$F".S..'c...\..Ln,._...e.........).h.....A...Qt;.......5.'b.$D....

C:\Users\user\AppData\Local\Temp\_MEI7842\sigs\3_flare_common_libs.sig Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2877687
Entropy (8bit):	7.99949918033721
Encrypted:	true
SSDEEP:	49152:8/CquyfYZKC75ftNQbFvB+M/NTLkXSN55Qr4sB654r+VfLjEjAFt80LAAw9:8KE9CdnUXtN8XSr5Qr4sA4a3EjyAAw
MD5:	8B9B289A5C64E984B3BE780FDB938347
SHA1:	44F92912D59D0B74A70AA2BE8435F9B3AC2A3C0B
SHA-256:	6FA7DDA3FFB523D2F555348DB47C67B9820A40153BFACD543C9EA02A1ECD83A8
SHA-512:	71E8EFA11DF154FA1940492ED13654DF562E8591863B3E81FA43A4F01C445F89E7B47574DB324DFB052DFFF87610CC1EAC9AAF0FADF4CC3B32DB834A7155DE47
Malicious:	false
Preview:	IDASGN............................"..y... ..."FLARE Common Libraries 32/64 bit"x...x..u(\|f..."..J..e'.$Q.l`H..H Eq.......D...0.H.M@Q..\|v..M.....4M...Ud./..<Kr.Hj..N.(.k...4......J.. [.>..f.=..s.=.=w.......\H........p..........\......k.2....P..T5mY...E...j.+...-]..}\?.#.DIp.mc..V.VB.l}x..."...8........o.....B......I..'.+....!...0......t....F.1.w.;/..o.9m=X....J..H..`..}^.0....-.A.}\.....>37.............)....3...[.C]~.V1....y.-Fc@r...p#..55....n...".J.I.h6.ehr.g).....iu....}M[.@geX:...Q.w.....3..l.(..A..;8.7..l.. ..X.4\|x....+....4...&.'.$.o..~.p..1..8...pM..#.O.a{.U..o....;w...;.@....H........6...k?..#.,."...HD~.p...m..{.....ES8N........ZnR..Qs.&..j.S.......{....=.C~.........&.L6...{8..F...o.B=.j.4 .U.cG...k..6..&..0.....Q.!..B`...E....Q...-..;-.v+w...........c-&....H...m..9...7.3L.m".6.H...mm.B.ns..r.U.......A...e....7..BY...Tsl....#J,?.#.Q).sV..F.)8..#k..`{~...vh...2.yV.x....9......F.!.k...~OiQ/.A.a.Q.S......<.'.{;...T.Q.+..*y..+Z....]....%...c.

C:\Users\user\AppData\Local\Temp\_MEI7842\sigs\README.md Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	551
Entropy (8bit):	4.6226498371749285
Encrypted:	false
SSDEEP:	12:EB49QXbqH46riE7JZm/dfQSEQ6mT+z1bBSBTPqQT1B9kvwdyn:bQGY6FJZm/dwQ6mC1tSBTPqQr9kvwUn
MD5:	A35067C8C2CFC9D13915E1EE4546033F
SHA1:	8C941A592E751D22D28C4E0B3D91937D3FD693D9
SHA-256:	61F114AAB3275A29939B0DAB22FAF6067BF965C4500FC8486F918A10B0D2750B
SHA-512:	C9E7F4A520B409C8C7CEF14508E289378D6AC1AABF92B9D8484BEB10B3810EB79EC14686592B1D7173CF30FD5BE97501F4CE2EEEA5F28BE9D90087B3A89CC28C
Malicious:	false
Preview:	# capa/sigs....This directory contains FLIRT signatures that capa uses to identify library functions...Typically, capa will ignore library functions, which reduces false positives and improves runtime.....These FLIRT signatures were generated by FireEye using the Hex-Rays FLAIR tools such as `pcf` and `sigmake`...FireEye generated the signatures from source data that they collected; these signatures are not derived from the FLIRT signatures distributed with IDA Pro.....The signatures in this directory have the same license as capa: Apache 2.0...

C:\Users\user\AppData\Local\Temp\_MEI7842\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1035720
Entropy (8bit):	6.627207870602929
Encrypted:	false
SSDEEP:	24576:2QqGcVofavjyMI0gTV3FHJ9oPbDcnEdEtmxvSZX0ypea7C:fqGuFyMJgTV3JA/dEOa
MD5:	BB0E3819E308A153C99FA6BCCF2F4E77
SHA1:	D96DC06CB9F441869C5088AAEE4E55A81FA14387
SHA-256:	83E7252E6AF0E63BD80BC996EED6CB687C36B94F20A55A16145D5E68076B1587
SHA-512:	7EB23A895BC4FAC0CDA16B1AB8CDCDACAC7ADE76519B5D9E14D2917025F3CDD7FC4BD16D22DF59A8DFE7B110EB8A8CE98A50355AA32D8C49BCAB3596BD0A01ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........of...5...5...5..5...5...5&..5...5...5...4...5...4...5...4...5...4...5...4..5...5...5...4...5Rich...5........PE..d...d%............" .....:...........Z..............................................SX....`A................................................ ................ ...........!.......... ...T........................... f..............................................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data....&..........................@....pdata....... ......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\unicodedata.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1097904
Entropy (8bit):	5.344015553113774
Encrypted:	false
SSDEEP:	12288:Ve3qQOZ6O191SnFRFotduNYBjCmN/XlyCAx9++bBlhJk93cgewrxEeBk7x6:Ve3Gj4olhCc/+9nbDhG2wrxk74
MD5:	601AEE84E12B87CA66826DFC7CA57231
SHA1:	3A7812433CA7D443D4494446A9CED24B6774CECA
SHA-256:	D8091E62C74E1B2B648086F778C3C41CE01F09661A75EA207D3FEA2CF26A8762
SHA-512:	7C2D64623C6CFD66D6729F59909C90AA944E810FF6514C58B2B3142EE90E8660B7DDF7FA187389DD333E47EFE8B19E935DD4E9119C15375B69B4880D043877D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.T~~.:-~.:-~.:-w..-x.:-..;,\|.:-..?,r.:-..>,v.:-..9,}.:-..;,}.:-%.;,\|.:-~.;-4.:-..7,..:-..:,..:-...-..:-..8,..:-Rich~.:-........................PE..d...q.`.........." .....L...Z.......)....................................................`.............................................X...h...................H...................`)..T............................)..8............`...............................text...nJ.......L.................. ..`.rdata.."/...`...0...P..............@..@.data...............................@....pdata..H...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\INSTALLER Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\LICENSE.txt Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11357
Entropy (8bit):	4.4265944416265475
Encrypted:	false
SSDEEP:	192:fU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:M9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	86D3F3A95C324C9479BD8986968F4327
SHA1:	7DF059597099BB7DCF25D2A9AEDFAF4465F72D8D
SHA-256:	C71D239DF91726FC519C6EB72D318EC65820627232B2F796219E87DCF35D0AB4
SHA-512:	DC6B68D13B8CF959644B935F1192B02C71AA7A5CF653BD43B4480FA89EEC8D4D3F16A2278EC8C3B40AB1FDB233B3173A78FD83590D6F739E0C9E8FF56C282557
Malicious:	false
Preview:	Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial owne

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\METADATA Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6992
Entropy (8bit):	4.959477392146831
Encrypted:	false
SSDEEP:	192:tRBG/PGKVFNmEx7TaY4pJ9ZpMMahfFv/y7nza+7L:9+uqvme34pJ9ZpMDhfF3y7nzxL
MD5:	4B655C40B99211E3D2215827A75355EF
SHA1:	3198F9D1448C83EA9E21A166422BE8D628F6ED35
SHA-256:	F041643B89BAECB8D61C38F888B39D1CAF116863E934B324D467BD4B349986E6
SHA-512:	E5D179193A05A05522646B03A0CA1CF1F3780188E7970C3DC8E495120A198489C31CA3127198FEB53F68E922D86ADB1074FC758A4510F827CCA163CACC5C6801
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: vivisect.Version: 1.0.3.Summary: Pure python disassembler, debugger, emulator, and static analysis framework.Home-page: https://github.com/vivisect/vivisect.Author: The Vivisect Peeps.Author-email: .License: UNKNOWN.Platform: UNKNOWN.Classifier: Topic :: Security.Classifier: Topic :: Software Development :: Disassemblers.Classifier: Topic :: Software Development :: Debuggers.Classifier: Programming Language :: Python :: 3.6.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: License :: OSI Approved :: Apache Software License.Requires-Python: >=3.6.Description-Content-Type: text/markdown.Requires-Dist: pyasn1 (<0.5.0,>=0.4.5).Requires-Dist: pyasn1-modules (<0.3.0,>=0.2.4).Requires-Dist: cxxfilt (<0.3.0,>=0.2.1).Requires-Dist: msgpack (<1.1.0,>=1.0.0).Requires-Dist: pycparser (>=2.20).Provides-Extra: gui.Requires-Dist: pyqt5 (==5.15.1) ; extra == 'gui'

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\RECORD Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	77799
Entropy (8bit):	5.6500060198803315
Encrypted:	false
SSDEEP:	1536:P6Z4xUa0T3mYEZ/PsifVdVFr2vWcNboYip:DPPVFrp8boZp
MD5:	C38D575C0D4367E50AE8D96E7C556581
SHA1:	30C9447D89950065EBC688A4DF81E77BFF655082
SHA-256:	7EA88F3B23125B8341580FFA0FC6A15CD477666BD7F93E0EEFCBECD71DC7FA09
SHA-512:	976773F885FF33DDB1DCDA1904ACDA6BC0827043CEFA580D01D250876B7D21414C46DD7E33000C85CF1DBDFD0072701FFA42686A53FF9A239A3AA445294D561A
Malicious:	false
Preview:	../../Scripts/vdbbin.exe,sha256=51-SOF63GO71H_1wUCQjENhoCstfqg9E5UBarTTnXQY,106357..../../Scripts/vivbin.exe,sha256=D-yaX3z-1xiY3kEgczc0-dzx0TMMZAz4GB8xJ3ZUH-o,106359..Elf/__init__.py,sha256=EvFqromZbJcNgtUFczqRAtItc_jY_4oQxTan4hKevz0,36033..Elf/__pycache__/__init__.cpython-38.pyc,,..Elf/__pycache__/elf_lookup.cpython-38.pyc,,..Elf/elf_lookup.py,sha256=mexWXrUkXIPnexA2RKNgcyzuQNNwuH-DzEIlUgux-wc,25798..PE/__init__.py,sha256=T9XE3GhB6gxjrVD-X31jG4hX1PWHeL2pcAVKNXI1LeM,43642..PE/__pycache__/__init__.cpython-38.pyc,,..PE/__pycache__/carve.cpython-38.pyc,,..PE/__pycache__/cofflib.cpython-38.pyc,,..PE/__pycache__/petool.cpython-38.pyc,,..PE/carve.py,sha256=nVCJ7PdtppusoBkcj1o_PPHpSnTOU7KPlUjr1-QfYO0,2405..PE/cofflib.py,sha256=I_yq0YxLqLdD_tmUHQu8FBKgbUEfOMvKM94fr3DCObY,6170..PE/ordlookup/__init__.py,sha256=PiVcG-AIGYPboRa0A5pDJMNc3ygOLuwMjBYFS7S8D5c,840..PE/ordlookup/__pycache__/__init__.cpython-38.pyc,,..PE/ordlookup/__pycache__/comctl32.cpython-38.pyc,,..PE/ordlookup/__pycache__/mfc42.cpy

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\WHEEL Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.842566724466667
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViHoKKjP+tPCCfA5S:RtBMwlViQWBBf
MD5:	11AA48DBE7E7CC631B11DD66DC493AEB
SHA1:	249FDB01AD3E3F71356E33E1897D06F23CFB20C2
SHA-256:	3AA464174798E461ECB0CA2B16395B4C8AB4EF6BE91E917AD1F21003A952F710
SHA-512:	EDD5892C9B2FE1F2439C53D2CD05F4478EC360885054BD06AFCF7936F6D066377FEE07796DAE9ECDF810E3D6100E039CAD48F00AD0E3145693D53E844CC5319D
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.36.2).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\entry_points.txt Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.071219657240854
Encrypted:	false
SSDEEP:	3:1TBMLiFknK6LeHQQGtATsGL3n:1TBMLmt6biL
MD5:	3927D7A317582ECFE5F308E3D8399331
SHA1:	4F1E4B19004496B7CD372B61B72382305B471695
SHA-256:	B33E50FC32F6A6646AC4F083630B9AFD8B07D559603186AD2FE1A9BA51BAB231
SHA-512:	204E9B61A70FC4FF769FB402D8D13A3EC43C07F3401A45C0B1BB1443CC04FBE04CF4D4DFE21DEF3529D93B30B3521C4A8D60A8FB0941CDC38699346269140B71
Malicious:	false
Preview:	[console_scripts].vdbbin = vdbbin.vdbbin:main.vivbin = vivisect.vivbin:main..

C:\Users\user\AppData\Local\Temp\_MEI7842\vivisect-1.0.3-py3.8.egg-info\top_level.txt Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	59
Entropy (8bit):	3.9997009488567414
Encrypted:	false
SSDEEP:	3:Mz1gwcuiXMmJYRixTRNvK:MzBiXMINC
MD5:	AB03419B470F6CB381FA23929E459B21
SHA1:	1043B7E034BDADDC07890DF3D9D4361B6D3ABE64
SHA-256:	E2D88DCA263C896507CC68D22F2B99884BD3E856A399715A416ED94C95F099B1
SHA-512:	992025762D7BAB2E95DA8F92F007984204145D07BDE6ABE3BC6CE2DCCBA28E5B6472CF02E038D6A4EA1952F0BDB55592E853927B81636D1E496667C4701984FA
Malicious:	false
Preview:	Elf.PE.cobra.envi.vdb.visgraph.vivisect.vqt.vstruct.vtrace.

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__init__.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1557
Entropy (8bit):	4.620290061076834
Encrypted:	false
SSDEEP:	24:DmY4FFQxErXMNF1VhAP81Pbnhcg8yz+MzhbGM7Rfl4jgk1l/tkwWkT9H2k/EH:DnjYMlrk8RnhUgUM71Wk8lF1WkgmQ
MD5:	73F9AEEB4D3295F7F5A6390F3B65BC61
SHA1:	9BCB07427BE7523105F3A3D271D4F8386956D406
SHA-256:	F3D7E4F2AD8C3DBE1C95A85EFEA0D52339486B4536F3BD9DB04E21130C42E96F
SHA-512:	CE1F9F161CFA5D98815BD5DD3B5D79EE3C3247E5805AC0859035CA7FC69D56CA8E55E429E7115CB0D1E346A7F3B8E3F8949A4744E426232432F7C1CB3B5584E2
Malicious:	false
Preview:	""".wcwidth module...https://github.com/jquast/wcwidth.""".# re-export all functions & definitions, even private ones, from top-level.# module path, to allow for 'from wcwidth import _private_func'. Of course,.# user beware that any _private function may disappear or change signature at.# any future version...# local.from .wcwidth import ZERO_WIDTH # noqa.from .wcwidth import (WIDE_EASTASIAN,. wcwidth,. wcswidth,. _bisearch,. list_versions,. _wcmatch_version,. _wcversion_value)..# The __all__ attribute defines the items exported from statement,.# 'from wcwidth import *', but also to say, "This is the public API"..__all__ = ('wcwidth', 'wcswidth', 'list_versions')..# I used to use a _get_package_version() function to use the `pkg_resources'.# module to parse the package version from our version.json file, but this blew.# some folks up, or more particularly, jus

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__pycache__\__init__.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	505
Entropy (8bit):	5.412288425398864
Encrypted:	false
SSDEEP:	12:cwPBsB+rhXxJiSy7JuF3FU2++re4NlDHKozocDs:cwP9rhBY7JO3FV++rd0
MD5:	0B1591478F0D6368819C06E254C87160
SHA1:	B4DD6DB3A5D6C536FFDE4E7475803DA15612F8BA
SHA-256:	8CB364CF9501DF77EA2AEE131012D2C94161AE08CF2C16B85D5E98E6935AE103
SHA-512:	64BC14374049E9F971D918C0CF97E8C97D767D354AC0421536FD367CA6A42C33CF22B3D31346B26DD4103CD6CE86EF71410233417963EE0514F9AF093EE5FE42
Malicious:	false
Preview:	U.........`.........................@...s@...d.Z.d.d.l.m.Z...d.d.l.m.Z.m.Z.m.Z.m.Z.m.Z.m.Z.m.Z...d.Z.d.Z.d.S.).z4.wcwidth module...https://github.com/jquast/wcwidth......)...ZERO_WIDTH)...WIDE_EASTASIAN..wcwidth..wcswidth.._bisearch..list_versions.._wcmatch_version.._wcversion_value).r....r....r....z.0.2.5N)...__doc__r....r....r....r....r....r....r....r......__all__..__version__..r....r.....Rc:\hostedtoolcache\windows\python\3.8.10\x64\Lib\site-packages\wcwidth/__init__.py..<module>....s........$...

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__pycache__\table_wide.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6167
Entropy (8bit):	4.1597762792562785
Encrypted:	false
SSDEEP:	192:zHaGK3LcJ5OBlijKMCJKXgKJiKoK0NB7s4:zNK3YJ5MltLYXZJHRS7Z
MD5:	C16793C7354D4B9B99F545D40B18D65C
SHA1:	3F3425F79C3EFBBC915FFE67854BDD2180E75A5F
SHA-256:	535CBDFEBFC555DB98E85EEE763A1181ECF6394019A0718871A878C667B3BD7D
SHA-512:	602F03ED71695A87082C0B1F639BD604348B7C24398866AA29712AA11DB58A97AB0FB88FD5C16BDC00CA15E462099ACE05A54939F9EB36EC22225033D4D0FEB8
Malicious:	false
Preview:	U.........`>6.......................@...s....d.Z.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d...Z.d.S.).z6Wide_Eastasian table, created by bin/update-tables.py.)!.......iY......_...r......i)#..i*#....i....i......i....i......i./..i./....i./..i./....i.0..i>0....iA0..i.0....i.0..i.0..)...1..i,1....i11..i.1.....1..i.1..)...1..i.1....i.1..i.2..... 2..iC2.....P2..i.2......3..i.M..)...N..i......i.........i....i.....i....i...........i-.....i0...ij.....ip...i......i....i......i0...iR.....iT...if.....ih...ik.....i....i`.....i....i..................i....i....)!r....r....r....r....r....r....r....r....r....r......r....i-1..r....r......r......1..r....r....r....r....).r....i...r....r....r....r....r ...r!...r"...r#...r$...r%...r&...r'...r(...r+...)%..r....r......i....i......i....i....r....r....r....r....r....r....r....r....r,...r....r....r-...r......r....iG2..r......r.....M....r....r....r......i`...i\|...r......i....i......i....i......r....i....r"...r#...r$...r%...r&...r'...)......r:...)......i1.....i@...i

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__pycache__\table_zero.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	19662
Entropy (8bit):	3.888898014953895
Encrypted:	false
SSDEEP:	384:zNSWQbbErSS0ZYvpUQRHZUB5SubrSyqZStylh+yzUkyey27yroVN1yyLboLDyEfI:hSWebErSPspUsZUB5SubrSyqZStylh+M
MD5:	2D9475B3330247065FF61AD246E060D5
SHA1:	581CB73B85810B5092FD4F6C72B27CC4A24B4749
SHA-256:	B80218F17F84E38A76332C33F98592AB34E918CA520CA80BE2CEA2DBEC50985A
SHA-512:	B19DC14702CC4DC473BBB89B234DF498203C9E17D7A6000439039C04A8EC3A496367BB5D75898A9C6E310DE922E6C0334DB11B239EAA7D49C1183E273922CF52
Malicious:	false
Preview:	U.........`........................@...s....d.Z.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d...Z.d.S.).z2Zero_Width table, created by bin/update-tables.py.){..i....io.........i......i........).....i....).i..............r......i....i......i....i...........r...........i.......K...i^......p...r......i....i......i...........i....i......i....i...........r......i0...iJ.....i....i......i............<...r .....iA...iH......M...r#......Q...iT.....ib...ic.........r(.........r*.....i....i...........r-.....i....i......i....i.......<...r1.....iA...iB.....iG...iH.....iK...iM.....ip...iq.....i....i..........r8.....i....i......i....i...........r<.....i....i...........r?......<...rA......?...rC......A...iC......M...rG......V...rI.........rK..........rM..........rO.....i>...i@.....iF...iH.....iJ...iM.....iU...iV.........rU.........rW..........rY.....i....i.......A...iC......M...r^..........r`.....i....i...........rc......1...re.....i4...i:.....iG...iN.........ri.........i......i..........i....i....

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__pycache__\unicode_versions.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	879
Entropy (8bit):	5.237042109449088
Encrypted:	false
SSDEEP:	24:cwP1laljnwkJptkJ8MkxizEoZgYSBjftNP:z95EtIyygYSBjftd
MD5:	F39F182A3EC1DEF36EB4982D85257917
SHA1:	8FFABC18D7E05AFD52FC5BC17098AA4C8BFCE4D0
SHA-256:	6314D0A6D99EAC287497DEA3F53897951877C41D6373C887BB2177B724A51E48
SHA-512:	B24A7AAB55EA05172B830CEF9630F2E41085185263B527EC10F23A70290EE3481E8C580C270ACB207B7374C258DBFA86F55A4BC7E3C9F32396E08F50B36DA237
Malicious:	false
Preview:	U.........`.........................@...s....d.Z.d.d...Z.d.S.).z..Exports function list_versions() for unicode version level support...This code generated by bin/update-tables.py on 2020-06-23 16:03:21.350604..c....................C...s....d.S.).a6.... Return Unicode version levels supported by this module release... Any of the version strings returned may be used as keyword argument. ``unicode_version`` to the ``wcwidth()`` family of functions... :returns: Supported Unicode version numbers in ascending sorted order.. :rtype: list[str]. ).z.4.1.0z.5.0.0z.5.1.0z.5.2.0z.6.0.0z.6.1.0z.6.2.0z.6.3.0z.7.0.0z.8.0.0z.9.0.0z.10.0.0z.11.0.0z.12.0.0z.12.1.0z.13.0.0..r....r....r.....Zc:\hostedtoolcache\windows\python\3.8.10\x64\Lib\site-packages\wcwidth/unicode_versions.py..list_versions....s......r....N)...__doc__r....r....r....r....r......<module>....s......

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\__pycache__\wcwidth.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10865
Entropy (8bit):	5.444996337818308
Encrypted:	false
SSDEEP:	192:zNdPz4gz2edx2kkhs7b0gbC6a3p7ccpPN3N4ZDZQS3e:zLzT6sPfIccjWZDZQS3e
MD5:	E04A2854DAE7265A408D235AFD736B1D
SHA1:	A54DE02B7EFBE8370BB29F1BE6D87B96B2C80229
SHA-256:	CBBDB123035FF59540D82E3A21E232E260BB717427E9DDB4A4CD647F4A389FB1
SHA-512:	B15517B8B4A52B37A546592B6906441F150D412F392AD368109252BAC6D7DB29AF8DB3BF45FFDE9875854BE88E79F3B9A423A6F8A07E9925DBC2DD487E9E33F3
Malicious:	false
Preview:	U.........`.:.......................@...s....d.Z.d.d.l.m.Z...d.d.l.Z.d.d.l.Z.d.d.l.Z.d.d.l.m.Z...d.d.l.m.Z...d.d.l.m.Z...z.d.d.l.m.Z...W.n ..e.k.r\|......d.d.l.m.Z...Y.n.X.d.Z.e.j.d...d.k.Z.e.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.g...Z.d.d...Z.e.d.d...d*d d!....Z.d+d"d#..Z.e.d$d...d%d&....Z.e.d'd...d(d)....Z.d.S.),a.....This is a python implementation of wcwidth() and wcswidth()...https://github.com/jquast/wcwidth..from Markus Kuhn's C code, retrieved from:.. http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c..This is an implementation of wcwidth() and wcswidth() (defined in.IEEE Std 1002.1-2001) for Unicode...http://www.opengroup.org/onlinepubs/007904975/functions/wcwidth.html.http://www.opengroup.org/onlinepubs/007904975/functions/wcswidth.html..In fixed-width output devices, Latin characters all occupy a single."cell" position of equal width, whereas ideographic CJK characters.occupy two such cells. Interoperability between terminal-line.applications and (teletype-style) character termin

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\table_wide.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	79422
Entropy (8bit):	4.685178733941672
Encrypted:	false
SSDEEP:	1536:O+F8ZEPM+Y83WsFyl3Wsdy93Ws+yB3WsFs23WsCsA3WsuhUx:O+F8ZEPM+Y83WsQl3WsI93Ws/B3Wsu20
MD5:	AAB260CC2D2E6EFA8966877B940506AC
SHA1:	4799AB2B9E73713AC1FEEBF5DCC79773E53729ED
SHA-256:	D320043865FA288AEC9B9754A731B426B6F8B3CC01E9CECC0BBEA77578CB2E3F
SHA-512:	49D8A9993A0051E241DF89A807E3E311C263DD739A415BA858F4712864E83B940DADC98F4A1263FF9FDA5D6ECA421E4C395F998E614C1D99EAB0A055E7D7227F
Malicious:	false
Preview:	"""Wide_Eastasian table, created by bin/update-tables.py.""".# Generated: 2020-06-23T16:03:18.836005.WIDE_EASTASIAN = {. '4.1.0': (. # Source: EastAsianWidth-4.1.0.txt. # Date: 2005-03-17, 15:21:00 PST [KW]. #. (0x01100, 0x01159,), # Hangul Choseong Kiyeok ..Hangul Choseong Yeorinhi. (0x0115f, 0x0115f,), # Hangul Choseong Filler ..Hangul Choseong Filler. (0x02329, 0x0232a,), # Left-pointing Angle Brac..Right-pointing Angle Bra. (0x02e80, 0x02e99,), # Cjk Radical Repeat ..Cjk Radical Rap. (0x02e9b, 0x02ef3,), # Cjk Radical Choke ..Cjk Radical C-simplified. (0x02f00, 0x02fd5,), # Kangxi Radical One ..Kangxi Radical Flute. (0x02ff0, 0x02ffb,), # Ideographic Description ..Ideographic Description. (0x03000, 0x0303e,), # Ideographic Space ..Ideographic Variation In. (0x03041, 0x03096,), # Hiragana Letter Small A ..Hiragana Letter Small Ke. (0x03099, 0x030ff,), # Co

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\table_zero.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	310230
Entropy (8bit):	4.751404853784457
Encrypted:	false
SSDEEP:	1536:CsbPBJYnheYjjcHfjcHKjgHSe2bT5E3DT2z9DTAzNDTms1DT3sX4T7sX4THsg4T0:CsbJJEewcLc+gH2O3U9ONz1cXlXxgX
MD5:	A371726F17B9B6FE7D42DA7944E54751
SHA1:	7EF19C5AF8CD92E5AF1C9714F074511EF1854B6E
SHA-256:	C3CCA6F26B161B54765E1B495D18D4913D5EAC52218FC77A61C9575EB6286A44
SHA-512:	3C0281395BF293627747CF25D933A22EBEF2C4F5523A217DB4EF0B0D15325B267190688744509E9CE1DC430D9986182ABC0B5210FCCD1471EA09F70C2B35AE4F
Malicious:	false
Preview:	"""Zero_Width table, created by bin/update-tables.py.""".# Generated: 2020-06-23T16:03:21.187024.ZERO_WIDTH = {. '4.1.0': (. # Source: DerivedGeneralCategory-4.1.0.txt. # Date: 2005-02-26, 02:35:50 GMT [MD]. #. (0x00300, 0x0036f,), # Combining Grave Accent ..Combining Latin Small Le. (0x00483, 0x00486,), # Combining Cyrillic Titlo..Combining Cyrillic Psili. (0x00488, 0x00489,), # Combining Cyrillic Hundr..Combining Cyrillic Milli. (0x00591, 0x005b9,), # Hebrew Accent Etnahta ..Hebrew Point Holam. (0x005bb, 0x005bd,), # Hebrew Point Qubuts ..Hebrew Point Meteg. (0x005bf, 0x005bf,), # Hebrew Point Rafe ..Hebrew Point Rafe. (0x005c1, 0x005c2,), # Hebrew Point Shin Dot ..Hebrew Point Sin Dot. (0x005c4, 0x005c5,), # Hebrew Mark Upper Dot ..Hebrew Mark Lower Dot. (0x005c7, 0x005c7,), # Hebrew Point Qamats Qata..Hebrew Point Qamats Qata. (0x00610, 0x00615,), # Arabic Sign

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\tests\__init__.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	42
Entropy (8bit):	3.853527173181363
Encrypted:	false
SSDEEP:	3:75M7RVczyqLOzv:1KnczyqLOj
MD5:	34CC0C3ADD882A6CA06F00329A6B12C5
SHA1:	12DF82B708797999C35EF6E017896B563AE5D30B
SHA-256:	BFFDAE470504DE14C992E5BAE7A74BAE40E233D6A5ECA2F58FFBF01917344533
SHA-512:	7201ACEBA483D701BB2FBB8A2AE64D2C1E90B8B2D7330C98DF0F6A3BE45097932D08AC5FFC50E7820AC2EA0BEFA60A66E2BB6931FE4274AA71CD2C96AEC14F37
Malicious:	false
Preview:	"""This file intentionally left blank.""".

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\tests\__pycache__\__init__.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.019863440506296
Encrypted:	false
SSDEEP:	6:cwPTqetGCom3KnczyqLOkA6B0PeYKjcDnbAr4dWhcD6:cwPTqeUwutwOP6Bo5KozdWiD6
MD5:	2EDB756379F94F12460B307B325BACA1
SHA1:	1DABD1549C70BDEBBC288BB2719CEA0268FDDE0A
SHA-256:	F3226D69348C38BA4203DA4C66D0B0A1F1768A96BF35A7561A4BFD55461CC545
SHA-512:	251D27BE696E8F950985BE625937FBECB1B844EFFE6E86D9F06723829E91416177BB55F522BC562780DA0602DD7C761769A82389F9E4DECDE994583650444A44
Malicious:	false
Preview:	U.........`*........................@...s....d.Z.d.S.).z#This file intentionally left blank.N)...__doc__..r....r.....Xc:\hostedtoolcache\windows\python\3.8.10\x64\Lib\site-packages\wcwidth/tests/__init__.py..<module>.........

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\tests\__pycache__\test_core.cpython-38.pyc Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3117
Entropy (8bit):	5.303131760224361
Encrypted:	false
SSDEEP:	48:zhUvuHAvZUlIwuzsW7En0/Tm+S3lvXktlOe/HutgxEH5D3qUgeHgqZHWqb5Hw3fM:zUMAeIfE0avpYwOJ45D6u/FJJXVVKY
MD5:	A70340077252FB53A307A2D1284DAC62
SHA1:	88757EA22CA201DB01F6ABEFF55C2B8D534057F1
SHA-256:	B38B5C7667C8B51B47F547271204817D7B4D8E745860242A271D559B140C7A09
SHA-512:	DE011AA64447D742156407910D7C369D968DE292CBDC0E1ED312DF14577D7C667F0A77B115296EB6BF5EA8B497C3B22B22CC0AE277F2B530D7823F568B65ECFF
Malicious:	false
Preview:	U.........`.........................@...sP...d.Z.d.d.l.Z.d.d...Z.d.d...Z.d.d...Z.d.d...Z.d.d...Z.d.d...Z.d.d...Z.d.d...Z.d.S.).z.Core tests module for wcwidth......Nc....................C...sF...d.}.d.}.t.\|...}.t.t.t.j.\|.....}.t...\|...}.\|.\|.k.s6t...\|.\|.k.sBt...d.S.).u..... Width of Japanese phrase: ....., ...!.. Given a phrase of 5 and 3 Katakana ideographs, joined with. 3 English-ASCII punctuation characters, totaling 11, this. phrase consumes 19 cells of a terminal emulator.. .........., ...!)......r....r....r....r.........r....r....r....r....r....N)...sum..tuple..map..wcwidth..wcswidth..AssertionError....phrase..expect_length_each..expect_length_phraseZ.length_each..length_phrase..r.....Yc:\hostedtoolcache\windows\python\3.8.10\x64\Lib\site-packages\wcwidth/tests/test_core.py..test_hello_jp....s..................r....c....................C...s0...d.}.d.}.d.}.t.\|...}.t...\|.\|...}.\|.\|.k.s,t...d.S.).z.. Test wcswidth() optional 2nd para

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\tests\test_core.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3886
Entropy (8bit):	4.899089668880482
Encrypted:	false
SSDEEP:	96:pdAvnYqPuE0LZeYYqApYqAtD2YqAKYqASYqAljYqAC:pdAvnY9ZvYvYeYAY4YrYo
MD5:	6A50367C490C3860BF81916B303A756D
SHA1:	E7D53BC0E13F1A5E1DAD78634A2BEA2C75AC89DE
SHA-256:	801691F1BDD5BF65AAD6AE6F1A4F5F013D1E5B5D806842B992ECC7E9FC023BE4
SHA-512:	BA0C6E3BD40DD2D6C8E5CD667803578BF7CC470779106B36B397E60F8C3E9F292468090C6321BE2CF953F5190B74CFE4E8D2C19DDEFE2BE979099DE54521BC8E
Malicious:	false
Preview:	# coding: utf-8."""Core tests module for wcwidth.""".import wcwidth...def test_hello_jp():. u""". Width of Japanese phrase: ....., ...!.. Given a phrase of 5 and 3 Katakana ideographs, joined with. 3 English-ASCII punctuation characters, totaling 11, this. phrase consumes 19 cells of a terminal emulator.. """. # given,. phrase = u'....., ...!'. expect_length_each = (2, 2, 2, 2, 2, 1, 1, 2, 2, 2, 1). expect_length_phrase = sum(expect_length_each).. # exercise,. length_each = tuple(map(wcwidth.wcwidth, phrase)). length_phrase = wcwidth.wcswidth(phrase).. # verify,. assert length_each == expect_length_each. assert length_phrase == expect_length_phrase...def test_wcswidth_substr():. """. Test wcswidth() optional 2nd parameter, ``n``... ``n`` determines at which position of the string. to stop counting length.. """. # given,. phrase = u'....., ...!'. end = 7. expect_len

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\unicode_versions.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	792
Entropy (8bit):	4.435942597824547
Encrypted:	false
SSDEEP:	12:k3tVJj5F1Ciwk5T8i0YkVbCvXGXOsfKEDgbjHUR+v:yljnsiwkJ8MkxizEDcNv
MD5:	58FB6447AC21C14A5BF8207C11675954
SHA1:	E0C4E8FE840DE92C2FEB80755431065899FF534C
SHA-256:	A66C8F53C8CF0AA34E8CE1D25472DE74A716796F92001481709D4425E99025BA
SHA-512:	CD6D8D27B77EA97C337889FE422F4D154B3184565983A6FE7F83C6431320391DCA3860E98A0C2ED15609066875574B08A033BEA5570E72C7B9D08EC06B9328DF
Malicious:	false
Preview:	""".Exports function list_versions() for unicode version level support...This code generated by bin/update-tables.py on 2020-06-23 16:03:21.350604.."""...def list_versions():. """. Return Unicode version levels supported by this module release... Any of the version strings returned may be used as keyword argument. ``unicode_version`` to the ``wcwidth()`` family of functions... :returns: Supported Unicode version numbers in ascending sorted order.. :rtype: list[str]. """. return (. "4.1.0",. "5.0.0",. "5.1.0",. "5.2.0",. "6.0.0",. "6.1.0",. "6.2.0",. "6.3.0",. "7.0.0",. "8.0.0",. "9.0.0",. "10.0.0",. "11.0.0",. "12.0.0",. "12.1.0",. "13.0.0",. ).

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\version.json Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	202
Entropy (8bit):	3.7250674491075615
Encrypted:	false
SSDEEP:	6:YAx6U+OU+SxhtcclbaqOtLTVeJfCEQHwv:YxU+OU+SNcoaqsLT4fC5Hwv
MD5:	207F516E074DFBAB4791F3B7765BE4F4
SHA1:	4B81E5EB6E970C17EEA6681329EE2884094783F3
SHA-256:	D738EB83436875AB9D1A3BDC63E121FB9267046287926542223D8BF6537D93E5
SHA-512:	99AE9700AE9F462548C8C2D8AC73A8347C3C33F60BF0792F94214183B4D39E459B623D6457F9D0597F73940133C315C03BB9842FECF514AB754C13D8B4058CA3
Malicious:	false
Preview:	{"tables": ["4.1.0", "5.0.0", "5.1.0", "5.2.0", "6.0.0", "6.1.0", "6.2.0", "6.3.0", "7.0.0", "8.0.0", "9.0.0", "10.0.0", "11.0.0", "12.0.0", "12.1.0", "13.0.0"], "package": "0.2.4", "default": "8.0.0"}.

C:\Users\user\AppData\Local\Temp\_MEI7842\wcwidth\wcwidth.py Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	14872
Entropy (8bit):	4.7814580966421145
Encrypted:	false
SSDEEP:	192:LPz4gz2edx2kpT07Pt2dSpk7b0g9Ywt9C6agDXL7qcN4ZeUyxcaBu64PxjYRiTPf:bzT6GT6F2PfhL3UZxyCaBu64Pxj44P15
MD5:	08D42E87BD4DB1F7B424D571E64A33BC
SHA1:	2AF06B3FEC30383DF250938670490ECBDFA596F2
SHA-256:	D1B800F14D7B432BD21EC732E73BB5256EEB4D670469DC3A1F034D6C0F4F86F9
SHA-512:	1B13F3FBCADA0E74C6D245898D3444A875FCEBC2F50E0A768224C137880817A1B86C8B5EFB3DF7EF416FE5F9A5AD285693089B62A350C991B7F4C3B23D003BD8
Malicious:	false
Preview:	""".This is a python implementation of wcwidth() and wcswidth()...https://github.com/jquast/wcwidth..from Markus Kuhn's C code, retrieved from:.. http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c..This is an implementation of wcwidth() and wcswidth() (defined in.IEEE Std 1002.1-2001) for Unicode...http://www.opengroup.org/onlinepubs/007904975/functions/wcwidth.html.http://www.opengroup.org/onlinepubs/007904975/functions/wcswidth.html..In fixed-width output devices, Latin characters all occupy a single."cell" position of equal width, whereas ideographic CJK characters.occupy two such cells. Interoperability between terminal-line.applications and (teletype-style) character terminals using the.UTF-8 encoding requires agreement on which character should advance.the cursor by how many cell positions. No established formal.standards exist at present on which Unicode character shall occupy.how many cell positions on character terminals. These routines are.a first attempt of defining such behavi

C:\Users\user\AppData\Local\Temp\_MEI7842\yaml\_yaml.cp38-win_amd64.pyd Download File
Process:	C:\Users\user\Desktop\capa.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	6.161781492072208
Encrypted:	false
SSDEEP:	6144:4Q4bBtFiKnHTBsJsx1ZgnD0j/LiOGTC3:34bBtZ+J30bLD
MD5:	4ED0E37E4973BCDFE85BBC7583642BBE
SHA1:	5BEB50ECC8B6451E2633064F4061BB79F32EF6B4
SHA-256:	0D1FEB559EE20BA187E80154A9FED1495772AB4157A29584FB7FBD1C3B9E57E8
SHA-512:	9162E7ADE5830C22C3E2BC55BCE9B3BC83D919F42E9559554FD7AEA6C4D17AE5429BDF13116FE3CFA826655278675198EE5033720E6043B2ED9BA00B99D47669
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................................uw_......................\|.........F..Z......Z......Z......y.g....Z......Rich...........................PE..d.....`.........." .....6...........<....................................................`.............................................X............p.......@..................D...0o..............................Po...............P...............................text....5.......6.................. ..`.rdata..fT...P...V...:..............@..@.data............p..................@....pdata.......@......................@..@.gfids.......`......................@..@.rsrc........p......................@..@.reloc..D...........................@..B........................................................................................................................................................................

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.996029434557069
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	capa.exe
File size:	33262761
MD5:	9ca015deaade0b450465c158b3d6d478
SHA1:	4e0db7ee62856ddbf7f1ade4b86540d315614bab
SHA256:	e54f0acc46db1c5541a0d98922e2dc9112b4fec47ecfd378187448a4e9f11671
SHA512:	983978350e63708de1e98f96ae7059f1397fd36fd83b969b52b39549ac81d7fac823f33698d5613f8e1a448d24eee6082ce0fa27d9823c98c4af3afcd30630f5
SSDEEP:	786432:g2doxCED3H/GSRGTlaEa51vzozeyAZWXBi+/4SAE:fdoxC0ulnazvzozQOg3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F............wTa.....wTc.i...wTb.....]hW..............................7[.............Q.......Q.o.....Q.......Rich...........

File Icon


Icon Hash:	71ec4ec6d6a6f469

Static PE Info

General
Entrypoint:	0x140008914
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5FFEC122 [Wed Jan 13 09:45:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	bb2292057634957dfa559b6eef7b52d8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F62EC54E1F4h
dec eax
add esp, 28h
jmp 00007F62EC54DB1Bh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [000197D7h]
dec eax
mov ecx, ebx
call dword ptr [000197C6h]
call dword ptr [00019740h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [000197BCh]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007F62EC566CC4h
test eax, eax
je 00007F62EC54DCA9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0003342Fh]
call 00007F62EC54DE6Fh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00033516h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000334A6h], eax
dec eax
mov eax, dword ptr [000334FFh]
dec eax
mov dword ptr [00033370h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00033474h], eax
mov dword ptr [0003334Ah], C0000409h
mov dword ptr [00033344h], 00000001h
mov dword ptr [0003334Eh], 00000001h
mov eax, 00000008h

Rich Headers

Programming Language:

[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30dec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41000	0x22b84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3e000	0x1d28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x690	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ede0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ee00	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x330	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20fc0	0x21000	False	0.559303977273	zlib compressed data	6.46078763006	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0xf916	0xfa00	False	0.523828125	data	5.84369774274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0xb108	0xc00	False	0.132486979167	data	1.83675939143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x3e000	0x1d28	0x1e00	False	0.475260416667	data	5.26854254751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x40000	0xac	0x200	False	0.279296875	data	1.75128522365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x41000	0x22b84	0x22c00	False	0.228108138489	data	3.70851844021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x690	0x800	False	0.57373046875	data	4.98305280395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x41208	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x41670	0x988	data
RT_ICON	0x41ff8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x430a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x45648	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x49870	0x94a8	data
RT_ICON	0x52d18	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x63540	0x68	data
RT_MANIFEST	0x635a8	0x5db	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
KERNEL32.dll	GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, GetStartupInfoW, LoadLibraryExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, LoadLibraryA, MultiByteToWideChar, WideCharToMultiByte, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, CreateProcessW, GetLastError, SetEndOfFile, HeapReAlloc, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetCommandLineA, ReadFile, CreateFileW, GetDriveTypeW, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableA, GetFileAttributesExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, GetProcessHeap, WriteConsoleW, GetTimeZoneInformation, HeapSize, RaiseException
ADVAPI32.dll	ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW
WS2_32.dll	ntohl

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: capa.exe PID: 784 Parent PID: 5588

General

Start time:	15:22:55
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\capa.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\capa.exe'
Imagebase:	0x7ff7752f0000
File size:	33262761 bytes
MD5 hash:	9CA015DEAADE0B450465C158B3D6D478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4228 Parent PID: 784

General

Start time:	15:22:56
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: capa.exe PID: 1092 Parent PID: 784

General

Start time:	15:23:12
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\capa.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\capa.exe'
Imagebase:	0x7ff7752f0000
File size:	33262761 bytes
MD5 hash:	9CA015DEAADE0B450465C158B3D6D478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5556 Parent PID: 1092

General

Start time:	15:23:13
Start date:	02/08/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c 'ver'
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: capa.exe PID: 784 Parent PID: 5588 capa.exeCOMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	84

Executed Functions

Function 00007FF77530E2F8, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 366
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77530E336

Part of subcall function 00007FF77530DD58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD6C

_get_daylight.LIBCMT ref: 00007FF77530E325

Part of subcall function 00007FF77530DDB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DDCC

_get_daylight.LIBCMT ref: 00007FF77530E56B
_get_daylight.LIBCMT ref: 00007FF77530E57C
_get_daylight.LIBCMT ref: 00007FF77530E58D
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77530E7ED), ref: 00007FF77530E5B4
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E64A
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E696

Strings

?, xrefs: 00007FF77530E689

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: ?
API String ID: 3440502458-1684325040
Opcode ID: b4d2d5153702a475cf35722c83de85126df702778f526e425e12e45591b83e42
Instruction ID: d810e04340a827e1ee315f69ecd3c51eb29ca36a7a570360cfc642d89c05dba7
Opcode Fuzzy Hash: b4d2d5153702a475cf35722c83de85126df702778f526e425e12e45591b83e42
Instruction Fuzzy Hash: 3AE1A233A387564AE764BF35E8505A9A792FF44F8CFC4423DEA4D42AA5CE3CD4429720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4150, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F41E6
GetCurrentProcessId.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F41EC

Part of subcall function 00007FF7752F4360: GetEnvironmentVariableW.KERNEL32(00007FF7752F2605), ref: 00007FF7752F439A
Part of subcall function 00007FF7752F4360: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7752F43B7

Part of subcall function 00007FF7753001A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7753001C1

SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F42A1

Part of subcall function 00007FF7752F55C0: WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F4325

Strings

_MEI%d, xrefs: 00007FF7752F41F4
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7752F41C4
TMP, xrefs: 00007FF7752F41AA
TMP, xrefs: 00007FF7752F4188, 00007FF7752F4249, 00007FF7752F42D7

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Environment$Variable$ByteCharMultiWide$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1081748254-1116378104
Opcode ID: 1e64082ad1928bb95d80d5a6da09fe794690bb9291381ac5af20e155e580166e
Instruction ID: 966952932d8d763ad00e3c887aac85a3d18a5cb3b36c12a539e337113b45395d
Opcode Fuzzy Hash: 1e64082ad1928bb95d80d5a6da09fe794690bb9291381ac5af20e155e580166e
Instruction Fuzzy Hash: A0518B92F39A4241FA58B722BD556BED2519F85FC4FC45035EC0E4BBD6EE6CE1018360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308ECC, Relevance: 6.4, APIs: 4, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF775308F0C
SetEnvironmentVariableA.KERNEL32 ref: 00007FF775309180
wcschr.LIBVCRUNTIME ref: 00007FF775309200
SetEnvironmentVariableW.KERNELBASE ref: 00007FF775309470

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: EnvironmentVariable$strchrwcschr
String ID:
API String ID: 2618829048-0
Opcode ID: e3d1dd1f51e1c043ca9d1d634e27f1f459cdfb48b5b4dfa3a44db02f7cbb9b19
Instruction ID: 3f21b19a21d05d3515b2922b98acf82c07d240d9c04a3f71998780c4001b6983
Opcode Fuzzy Hash: e3d1dd1f51e1c043ca9d1d634e27f1f459cdfb48b5b4dfa3a44db02f7cbb9b19
Instruction Fuzzy Hash: 9EF1E423A3D71681FA65BB25940467AE296AF01FA8FC5463DED2D472F1DE7DA8018320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308138, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77530822E
_get_daylight.LIBCMT ref: 00007FF77530823F
_get_daylight.LIBCMT ref: 00007FF775308250
_isindst.LIBCMT ref: 00007FF775308322

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4da19891db533d7035746201e18153e46ed09c5502f6b78b86ff90ad619a0a3f
Instruction ID: 062567c76531d2c9614d110a6439e60e01d4773eecd5c0828ea26adeecaeb7f3
Opcode Fuzzy Hash: 4da19891db533d7035746201e18153e46ed09c5502f6b78b86ff90ad619a0a3f
Instruction Fuzzy Hash: 8161E573F347118AFB28EB6495517BCA3A6AB90B9CF80413DDE1D46AE5DE3CE4058710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F8780, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF7752F8789
_invalid_parameter_noinfo.LIBCMT ref: 00007FF775302678

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 5e35efb2fce74188c159bc1f695f0b0389b17fb5a0c2c9935f7394b684777968
Instruction ID: 3f278f4ea2e58d73c30ff874a20925cb3f696c7290cc1d739931122e14e2fc9e
Opcode Fuzzy Hash: 5e35efb2fce74188c159bc1f695f0b0389b17fb5a0c2c9935f7394b684777968
Instruction Fuzzy Hash: 5BE08C33E3C20B86F62833B95C560B990925F44B28FE1033EF11C812E2CD9DA4814B72

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1680, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F16EA
htonl.WS2_32 ref: 00007FF7752F16F8
htonl.WS2_32 ref: 00007FF7752F1710
htonl.WS2_32 ref: 00007FF7752F1744
_fread_nolock.LIBCMT ref: 00007FF7752F1758
htonl.WS2_32 ref: 00007FF7752F1782

Part of subcall function 00007FF7752FA614: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA628

Strings

malloc, xrefs: 00007FF7752F172C
Error on file., xrefs: 00007FF7752F179D
Could not read from file., xrefs: 00007FF7752F1763
Could not allocate buffer for TOC., xrefs: 00007FF7752F1725
fread, xrefs: 00007FF7752F176A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl$_fread_nolock_invalid_parameter_noinfo
String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
API String ID: 235321421-2332847760
Opcode ID: 4b1c198e7ab07480cb05b548bde86e717d8d723b16ccaa01358bd8a40e86376f
Instruction ID: 3bb583920775510480d4c48b68523396d3f30811de60edab3515d9c80d9607d7
Opcode Fuzzy Hash: 4b1c198e7ab07480cb05b548bde86e717d8d723b16ccaa01358bd8a40e86376f
Instruction Fuzzy Hash: D6314DA3F3590282EB04BB35E861678A291AF44F58FC85535D51D462E6DF3DE8818760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1230, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F127F
htonl.WS2_32 ref: 00007FF7752F1297
htonl.WS2_32 ref: 00007FF7752F12CC
_fread_nolock.LIBCMT ref: 00007FF7752F12DF

Strings

Could not allocate read buffer, xrefs: 00007FF7752F12AB
Could not read from file, xrefs: 00007FF7752F12EA
Cannot open archive file, xrefs: 00007FF7752F125E
Error decompressing %s, xrefs: 00007FF7752F1342

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl$_fread_nolock
String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
API String ID: 941911645-3387914768
Opcode ID: 3258586ad02e35a84bcd624714f2113650ce30c4e2911b77fc0d0e11958f03ab
Instruction ID: bc49777a89f62cf7a1e52155f0d35589ced7085772b611de79ed111b1c1e4017
Opcode Fuzzy Hash: 3258586ad02e35a84bcd624714f2113650ce30c4e2911b77fc0d0e11958f03ab
Instruction Fuzzy Hash: 49315EA3F3894186EB44FB26F8512ADA290EF44F84FC41431EA4D47BD6DF2DE9918750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530F1FC, Relevance: 13.8, APIs: 9, Instructions: 272
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EF6D
Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EFEA
Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530F03B
Part of subcall function 00007FF77530EF2C: _get_daylight.LIBCMT ref: 00007FF77530F097

CreateFileW.KERNELBASE ref: 00007FF77530F2FD
CreateFileW.KERNEL32 ref: 00007FF77530F359
GetLastError.KERNEL32 ref: 00007FF77530F38D
GetFileType.KERNELBASE ref: 00007FF77530F3A2
GetLastError.KERNEL32 ref: 00007FF77530F3AC
CloseHandle.KERNEL32 ref: 00007FF77530F3DF
CloseHandle.KERNEL32 ref: 00007FF77530F538
CreateFileW.KERNEL32 ref: 00007FF77530F570
GetLastError.KERNEL32 ref: 00007FF77530F57F

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 94e77a5ab00acea8316dcb4216f651764611d223c5e17019bd45a1d74c5b97d9
Instruction ID: b262fe135baa1b00cc1999b0003e440d6b7f72e3f406b22f08c9c1b3b5135ecc
Opcode Fuzzy Hash: 94e77a5ab00acea8316dcb4216f651764611d223c5e17019bd45a1d74c5b97d9
Instruction Fuzzy Hash: BFC1CF37B38B458AEB50EB65D4813AC7762E749BA8F411239DE2E573A5CF38D016C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F879C, Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7752F87B0

Part of subcall function 00007FF7752F8C00: __isa_available_init.LIBCMT ref: 00007FF7752F8C1D
Part of subcall function 00007FF7752F8C00: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF7752F8C22

__scrt_fastfail.LIBCMT ref: 00007FF7752F87BE

Part of subcall function 00007FF7752F8F84: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7752F8FA0
Part of subcall function 00007FF7752F8F84: RtlCaptureContext.KERNEL32 ref: 00007FF7752F8FC9
Part of subcall function 00007FF7752F8F84: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7752F8FE3
Part of subcall function 00007FF7752F8F84: RtlVirtualUnwind.KERNEL32 ref: 00007FF7752F9024
Part of subcall function 00007FF7752F8F84: IsDebuggerPresent.KERNEL32 ref: 00007FF7752F9078
Part of subcall function 00007FF7752F8F84: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7752F9099
Part of subcall function 00007FF7752F8F84: UnhandledExceptionFilter.KERNEL32 ref: 00007FF7752F90A4

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7752F87CC
__scrt_fastfail.LIBCMT ref: 00007FF7752F87E3
__scrt_release_startup_lock.LIBCMT ref: 00007FF7752F8840
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7752F8856
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7752F8886
__scrt_is_managed_app.LIBCMT ref: 00007FF7752F88BB
__scrt_uninitialize_crt.LIBCMT ref: 00007FF7752F88D9

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 0ea756166d5b87cd1bfdb098556d8ac3a628f481564c44a76635cea29ace2841
Instruction ID: 2baf9d6435f16e31b850af2f5ff7df41108ab548725e52ddb218b7190c07a003
Opcode Fuzzy Hash: 0ea756166d5b87cd1bfdb098556d8ac3a628f481564c44a76635cea29ace2841
Instruction Fuzzy Hash: 763127A3E3864781FA54BB61B8117B9E391AF45F88FC40539EA0D272E7DE2DA4048370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530E548, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77530E56B

Part of subcall function 00007FF77530DDB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DDCC

_get_daylight.LIBCMT ref: 00007FF77530E57C

Part of subcall function 00007FF77530DD58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD6C

_get_daylight.LIBCMT ref: 00007FF77530E58D

Part of subcall function 00007FF77530DD88: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD9C

Part of subcall function 00007FF775302D54: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D6A
Part of subcall function 00007FF775302D54: GetLastError.KERNEL32(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D7C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77530E7ED), ref: 00007FF77530E5B4
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E64A
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E696

Strings

?, xrefs: 00007FF77530E689

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorInformationLastPrivilegeReleaseTimeZone
String ID: ?
API String ID: 382489769-1684325040
Opcode ID: 5ebce1c0a91f36f159fd90b5ffe48853d5170798c00ffb2b2304ea22367d012d
Instruction ID: 6541c2d604af0f78f9a3abb46fd776a2542884a49f7bb203ab056b386cb5eb7b
Opcode Fuzzy Hash: 5ebce1c0a91f36f159fd90b5ffe48853d5170798c00ffb2b2304ea22367d012d
Instruction Fuzzy Hash: CF615F33A38B5686E760AF21E8405A9B6A5FF44F98FC4023DE94D46AB5DF3CD441C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4A20, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

Part of subcall function 00007FF775300E64: SetConsoleCtrlHandler.KERNELBASE(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300ED1

Part of subcall function 00007FF775300E64: GetLastError.KERNEL32(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300EEC

GetStartupInfoW.KERNEL32 ref: 00007FF7752F4AA7

Part of subcall function 00007FF775302D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775302D40

Part of subcall function 00007FF7753009D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775300A3B

GetCommandLineW.KERNEL32 ref: 00007FF7752F4B2F
CreateProcessW.KERNELBASE ref: 00007FF7752F4B71
WaitForSingleObject.KERNEL32 ref: 00007FF7752F4B83
GetExitCodeProcess.KERNELBASE ref: 00007FF7752F4B93

Strings

Error creating child process!, xrefs: 00007FF7752F4B9F
CreateProcessW, xrefs: 00007FF7752F4BA6

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 1742298069-3524285272
Opcode ID: 676a5ded4ad5856b35fa249fc993bdb23ce0fe0daf8aea4802677cb2a18f7773
Instruction ID: 03b1c004405f7752dd82e8a552973297c004568a882a8b3da9d8fd4cca2344da
Opcode Fuzzy Hash: 676a5ded4ad5856b35fa249fc993bdb23ce0fe0daf8aea4802677cb2a18f7773
Instruction Fuzzy Hash: 1B415573A38B8182EA10EB60F4556AEF361FB94B44F804539E69D076A6DF7CD454CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1040, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F105B
htonl.WS2_32 ref: 00007FF7752F1099
htonl.WS2_32 ref: 00007FF7752F10AA

Strings

1.2.11, xrefs: 00007FF7752F10B9
Error %d from inflate: %s, xrefs: 00007FF7752F10F0
Error %d from inflateInit: %s, xrefs: 00007FF7752F10F9
Error allocating decompression buffer, xrefs: 00007FF7752F106F

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
API String ID: 2009864989-3188157777
Opcode ID: 5190a8eac2db0f4800f189f29953677c65711aec05e3e12a5c972da953da1bc9
Instruction ID: 2ff38584f4054d564972e934c262fb4b3ed2bd6ec7b0efac6aabd759838c47e0
Opcode Fuzzy Hash: 5190a8eac2db0f4800f189f29953677c65711aec05e3e12a5c972da953da1bc9
Instruction Fuzzy Hash: 4A217163B38A8182E750EB21F85066AE364FB84B80FC44135EA8D836D5EF3DE51187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304698, Relevance: 10.8, APIs: 7, Instructions: 294
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775304ADD

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f029e03754d0f40f8b452ab6c525f2e408ed9aaf43063f1cd75634af2cbe7b7b
Instruction ID: 6885eb026cc10ad6f54cfdc3eb6903ce30ed3ec767ae5b81d8717ab02e841a34
Opcode Fuzzy Hash: f029e03754d0f40f8b452ab6c525f2e408ed9aaf43063f1cd75634af2cbe7b7b
Instruction Fuzzy Hash: 4AC10423E3C79681FA60AF15940067EAB52BF80F98F95413DEA4E037B5CE3DE9418321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1130, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF7752F115F

Part of subcall function 00007FF7752FA8C0: fread_s.LIBCMT ref: 00007FF7752FA8D3

_fread_nolock.LIBCMT ref: 00007FF7752F119A
_fread_nolock.LIBCMT ref: 00007FF7752F11C2
_fread_nolock.LIBCMT ref: 00007FF7752F1209

Strings

M, xrefs: 00007FF7752F1164
Z, xrefs: 00007FF7752F116F

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _fread_nolock$fread_s
String ID: M$Z
API String ID: 184871262-4250246861
Opcode ID: c4bbd1332017a5dd07d9c79696830ad7a6c8cc9a4d3807e6e01ee921f3e9df78
Instruction ID: fb361176c4ee19ea596e7874762489bca6eb9b2737fde1b4dab4cab9da860bd0
Opcode Fuzzy Hash: c4bbd1332017a5dd07d9c79696830ad7a6c8cc9a4d3807e6e01ee921f3e9df78
Instruction Fuzzy Hash: 3821C1A3B3809142E790AB65F8417AEB311DB85B94FC46131F64A87AD9CF3DD485CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5010, Relevance: 10.6, APIs: 7, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7752F502A
OpenProcessToken.ADVAPI32 ref: 00007FF7752F503B
GetTokenInformation.KERNELBASE ref: 00007FF7752F505D
GetLastError.KERNEL32 ref: 00007FF7752F5067
GetTokenInformation.KERNELBASE ref: 00007FF7752F50A4
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7752F50B6
CloseHandle.KERNEL32 ref: 00007FF7752F50CE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: e5e7d16c3258a19f264b989c2e18d6f7008915bca297c78610840f732c4df5a4
Instruction ID: 6af2c4b5bb889731c7d4b689649c325e55407113610be50677d0aa2f54c3797f
Opcode Fuzzy Hash: e5e7d16c3258a19f264b989c2e18d6f7008915bca297c78610840f732c4df5a4
Instruction Fuzzy Hash: 0C217473638E4283EB10AB25F88056AE360FB85B64F940338EA6E466E4DF3DD545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1390, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F13EA

Strings

%s could not be extracted!, xrefs: 00007FF7752F13F9
fopen, xrefs: 00007FF7752F1400
Failed to write all bytes for %s, xrefs: 00007FF7752F1433
fwrite, xrefs: 00007FF7752F143A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
API String ID: 2009864989-741305175
Opcode ID: 04e5a770e7885fcab22c5bb6924106089b7e71cc424d55c55326ac8bc7a899eb
Instruction ID: d0a2c7b04b8a7b5890d47e01c8c8e54b70496a7401403c6519b2aaab0149d2d1
Opcode Fuzzy Hash: 04e5a770e7885fcab22c5bb6924106089b7e71cc424d55c55326ac8bc7a899eb
Instruction Fuzzy Hash: BF21C5A2F38A4281EA54B726F8404B9E3509F81FE4FD80631EE1D17BD6DE2CE5418760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530573C, Relevance: 7.7, APIs: 5, Instructions: 203
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775305781

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9f254aea1f80866c44cb341a00381d2cf0c39e4bff19b1d1e1287af4dc572f73
Instruction ID: dfec1a56fd8f479c601406238768f0bd72e55f48ecdc2a3bc73f0932ed8da46a
Opcode Fuzzy Hash: 9f254aea1f80866c44cb341a00381d2cf0c39e4bff19b1d1e1287af4dc572f73
Instruction Fuzzy Hash: EC819023F3871699FB11BB6594806BDA6A6BB44F5CF80413ADE0E576B5CF3CA441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775305D18, Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,00000000,00000003,00007FF77530612F,?,?,00000000,00007FF775306F7F,?,?,?,00007FF775303C99), ref: 00007FF775305E3A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4efc5ba41e45092064173930352f3869166e0b75ab00182d0a86a1e395658040
Instruction ID: 4c43292eb7a16353c8511302614bd875afe5858fc27a9be919491fa5457cf20b
Opcode Fuzzy Hash: 4efc5ba41e45092064173930352f3869166e0b75ab00182d0a86a1e395658040
Instruction Fuzzy Hash: E341C673B39B4181FA21AB16A814AB5E296BF14FD8F49453ADD5E4B7A4DE3CE401C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1000, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF7752F2598

Part of subcall function 00007FF7752FF01C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775308507

Strings

_MEIPASS2, xrefs: 00007FF7752F25F1, 00007FF7752F2605, 00007FF7752F2767, 00007FF7752F2777
Cannot open self %s or archive %s, xrefs: 00007FF7752F2646

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfosetbuf
String ID: Cannot open self %s or archive %s$_MEIPASS2
API String ID: 3262704042-930416966
Opcode ID: 1674378ab4b918072f1f1be1231a7c46decbd5a897e5dca7c745e1996df79c65
Instruction ID: bbc73cda1b9f851284f55a2ed394169c002d1299dba97678f40f9be4ff1e738a
Opcode Fuzzy Hash: 1674378ab4b918072f1f1be1231a7c46decbd5a897e5dca7c745e1996df79c65
Instruction Fuzzy Hash: 1771AFA3F3C68241FA25BB31BD552B9E291AF86F84FC04035EA4D476C6EF2DE5058720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F52D0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F5010: GetCurrentProcess.KERNEL32 ref: 00007FF7752F502A
Part of subcall function 00007FF7752F5010: OpenProcessToken.ADVAPI32 ref: 00007FF7752F503B
Part of subcall function 00007FF7752F5010: GetTokenInformation.KERNELBASE ref: 00007FF7752F505D
Part of subcall function 00007FF7752F5010: GetLastError.KERNEL32 ref: 00007FF7752F5067
Part of subcall function 00007FF7752F5010: GetTokenInformation.KERNELBASE ref: 00007FF7752F50A4
Part of subcall function 00007FF7752F5010: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7752F50B6
Part of subcall function 00007FF7752F5010: CloseHandle.KERNEL32 ref: 00007FF7752F50CE

LocalFree.KERNEL32(00000000,00007FF7752F422A,?,00000000,?,00007FF7752F411D), ref: 00007FF7752F5327
CreateDirectoryW.KERNELBASE(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F5364

Strings

S-1-3-4, xrefs: 00007FF7752F5300
D:(A;;FA;;;%s), xrefs: 00007FF7752F5307

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCreateCurrentDirectoryErrorFreeHandleLastLocalOpenString
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1039964830-2855260032
Opcode ID: 87a46b9f15358c18013fc57f442f41d3d74608a8109c0abbe32678398e1c1838
Instruction ID: 4034030c4d1f2b1e3c98cb57e96732f93ced4417682c0ad651c007d63c8fca2b
Opcode Fuzzy Hash: 87a46b9f15358c18013fc57f442f41d3d74608a8109c0abbe32678398e1c1838
Instruction Fuzzy Hash: 07115B73638B4641FA60AB21F8157E9A351FB48B44F804535EA4D427D5DF7CD105CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304F38, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF775304FAA
GetFileType.KERNELBASE ref: 00007FF775304FC0

Strings

@, xrefs: 00007FF775304FEB

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 389bad43a172148e3040aaa87e21bd5ad1a100d1e02fc8b3de48582e2566aa7a
Instruction ID: deaa1725002d5976e9e89f76ffe7e705d4d4d268c86879a8592f8d81d63e29af
Opcode Fuzzy Hash: 389bad43a172148e3040aaa87e21bd5ad1a100d1e02fc8b3de48582e2566aa7a
Instruction Fuzzy Hash: 7521D423E38B4281EB609B25D49013DA656EB85F78F68133ED66E177F4CE39D981C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FE9D4, Relevance: 4.6, APIs: 3, Instructions: 137pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7752FEA06
GetLastError.KERNEL32 ref: 00007FF7752FEB39
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000030,?,?,00007FF7752FE8F9), ref: 00007FF7752FEB83

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 1388729460-0
Opcode ID: ae086db5dce6567d77cd189c1a56c6ff2696c0a9e0519a99cfd446dcb3e71c27
Instruction ID: 7a1034b3322ffc974192f94b9dedb133ec1ae5dd433ae67e87861acb5616f252
Opcode Fuzzy Hash: ae086db5dce6567d77cd189c1a56c6ff2696c0a9e0519a99cfd446dcb3e71c27
Instruction Fuzzy Hash: 9351BE63A3860199FB91EB71E8403ADA3A1BB44F68F904639DE2E477D8DF38D4058360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FE814, Relevance: 4.6, APIs: 3, Instructions: 122fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FE84C
CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEFFE), ref: 00007FF7752FE8D9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEFFE), ref: 00007FF7752FE92E

Part of subcall function 00007FF7752FE9D4: GetFileType.KERNELBASE ref: 00007FF7752FEA06

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: File$CloseCreateHandleType_invalid_parameter_noinfo
String ID:
API String ID: 1405040552-0
Opcode ID: bc1ba50430883b8cb21bd9b33c3fbdc26f60637890f45cbae15871a2645750c7
Instruction ID: eb79a0020575fa004ae95ac26e9cb7674d80e6ca203b054d151c5cdcf2f12cc5
Opcode Fuzzy Hash: bc1ba50430883b8cb21bd9b33c3fbdc26f60637890f45cbae15871a2645750c7
Instruction Fuzzy Hash: 6351D86393875146F7A1AF35A9412B9A361BF44B68F404339EEAD026E6DF3CE1818720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FEBBC, Relevance: 4.6, APIs: 3, Instructions: 50timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEBF0
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEC04
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEC51

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific
String ID:
API String ID: 2674341965-0
Opcode ID: 5d0d8b0fb7a661a46ad7d7f6a202102ccd82ac6a45957635c740415b5c2c7d80
Instruction ID: 7e19019754e90e1e59d6b83638b1e4f31675ceec3f9a24c502fdb6d2dffca4db
Opcode Fuzzy Hash: 5d0d8b0fb7a661a46ad7d7f6a202102ccd82ac6a45957635c740415b5c2c7d80
Instruction Fuzzy Hash: 2B116F63F38A1299FB50AB71A8011BDA2A1AB04F78F900739FE7E556E4DF3C91509720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302460, Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF775302444), ref: 00007FF775302488
TerminateProcess.KERNEL32(?,?,?,00007FF775302444), ref: 00007FF775302493
ExitProcess.KERNEL32 ref: 00007FF7753024A2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5c521a59c9b4485005e447f3ef43428bd5a26dca168a593f15ee0759c39b2fe9
Instruction ID: 7c617d63b421fd05c04d9a93774849cbf61798382b7ca88058e59a152bbe733d
Opcode Fuzzy Hash: 5c521a59c9b4485005e447f3ef43428bd5a26dca168a593f15ee0759c39b2fe9
Instruction Fuzzy Hash: A0E01221B38B0582EA947B729C81A7963579F84F45F40483CD80E06372CE3EA4598321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4610, Relevance: 3.2, APIs: 2, Instructions: 190sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

_findclose.LIBCMT ref: 00007FF7752F4933

Part of subcall function 00007FF775301050: DeleteFileW.KERNELBASE ref: 00007FF775301054
Part of subcall function 00007FF775301050: GetLastError.KERNEL32 ref: 00007FF77530105E

Sleep.KERNEL32(?,00007FF7752F27C0), ref: 00007FF7752F4907

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharDeleteErrorFileLastMultiSleepWide_findclose
String ID:
API String ID: 418668421-0
Opcode ID: 53d083d4e349602b279c990e41695d8dcbc4e26d4e73b761dd00afa3bc40b9a2
Instruction ID: 80756c23d028c7dfc167a52af87092d91d5d32e14d582edf04053cd04a4cfba0
Opcode Fuzzy Hash: 53d083d4e349602b279c990e41695d8dcbc4e26d4e73b761dd00afa3bc40b9a2
Instruction Fuzzy Hash: 35A1B253E38BC582E7119F28D9012FD6360FB94B5CF809325EB9C165A6EF68E2C5C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA640, Relevance: 3.2, APIs: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA67C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA7B2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 823bafda329df74482e6d3d6b580ef2d4331e61762fd0252eb0f318bdb23a630
Instruction ID: b8e067d325be36f62fd80c26bda5018abf388961ab43b6a32af76412dada4404
Opcode Fuzzy Hash: 823bafda329df74482e6d3d6b580ef2d4331e61762fd0252eb0f318bdb23a630
Instruction Fuzzy Hash: B061F6A3F3924242FAA4BB25BC0067AE2D1AF84FA8F945635DD2D437D5CF3CE4018620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775300E64, Relevance: 3.1, APIs: 2, Instructions: 134COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300ED1
GetLastError.KERNEL32(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300EEC

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ConsoleCtrlErrorHandlerLast
String ID:
API String ID: 3113525192-0
Opcode ID: 0e901fbeba0deec0367f8b342eb43362ebf9f9d4061a4e6ddee2a138ba3170bd
Instruction ID: 947460aa693ce277877642254f4aacca8e53b177e39ce7dba8949ca2e45f5e33
Opcode Fuzzy Hash: 0e901fbeba0deec0367f8b342eb43362ebf9f9d4061a4e6ddee2a138ba3170bd
Instruction Fuzzy Hash: 0051BE63B39B8281FA15AB15981027AE296AF40F48FC4453DD94D4B7F1DE3DE945D330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303DC8, Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF775303CFB,?,?,00000000,00007FF775303DA3,?,?,?,?,?,?,00007FF7752FA54A), ref: 00007FF775303E2B
GetLastError.KERNEL32(?,?,?,00007FF775303CFB,?,?,00000000,00007FF775303DA3,?,?,?,?,?,?,00007FF7752FA54A), ref: 00007FF775303E35

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 778a3c09fa1dd90e13589cf629af938a2dbac6398b58ccee1053262a714e0a20
Instruction ID: 90e22e615f2766d90bd87e7d7eb4a700e1b47501b247fb9450a1b9da56691be6
Opcode Fuzzy Hash: 778a3c09fa1dd90e13589cf629af938a2dbac6398b58ccee1053262a714e0a20
Instruction Fuzzy Hash: 60116D13B3C74A41FEA4776596903B995839F84F6CF94023ED92E472F2DE6CA4418321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530AF44, Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF775301D66,?,?,00000000,00007FF775301CBA,?,?,00000000,00007FF77530220D), ref: 00007FF77530AF58
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF775301D66,?,?,00000000,00007FF775301CBA,?,?,00000000,00007FF77530220D), ref: 00007FF77530AFBD

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 666341277d152f813cbd470f22c6dcdfdb8d93889ae36d0b8592105513023c0b
Instruction ID: a893da6eed84ca0092f969d4e1b71c3f83698f7288f7b97c0dd14716eebf78bd
Opcode Fuzzy Hash: 666341277d152f813cbd470f22c6dcdfdb8d93889ae36d0b8592105513023c0b
Instruction Fuzzy Hash: 9F018823A78B4185DE14BF12A81106EA761EF44FE4BC84239EA6E077E5DE3CE4528760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304DA0, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000000,00007FF7753057DA,?,?,?,?,?,?,?,?,?,?,?,00007FF7753056FC), ref: 00007FF775304DE4
GetLastError.KERNEL32(?,?,00000000,00007FF7753057DA,?,?,?,?,?,?,?,?,?,?,?,00007FF7753056FC), ref: 00007FF775304DEE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3f618aa852ef03ee9e46fb75688df8ae4c709de799a95981d989ce0338ee6fe8
Instruction ID: 2dddbeebb38c1c93239a5d2893d1ae99203146e1e2e1011b455635ee9480759e
Opcode Fuzzy Hash: 3f618aa852ef03ee9e46fb75688df8ae4c709de799a95981d989ce0338ee6fe8
Instruction Fuzzy Hash: BB01C823B38B4281EE50AB25B844079A251AF80FB8F94533AE93E0B7F5DE3CD4528310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302D54, Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D6A
GetLastError.KERNEL32(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D7C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 35b0a468ca9a8a406ef906924cc6c5e30a93088b65578c218f1489adacd4d72b
Instruction ID: 06a3e27543f16feb9d60f52c9d0f2bd3ff92eaec58b8e12d04214134b0078211
Opcode Fuzzy Hash: 35b0a468ca9a8a406ef906924cc6c5e30a93088b65578c218f1489adacd4d72b
Instruction Fuzzy Hash: 58E08613F3D70B92FF04B7F3980457892925F44F4DB84443CE80D86271ED2C64824360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753001E0, Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF7753001E4
GetLastError.KERNEL32 ref: 00007FF7753001EE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 2530619843f75df8452b0940bceb5cd5f895181db4d3b8ecaabeb59db2ea4e4e
Instruction ID: 42f2ce8f6858d689d1d6cc45aab3592c0cd7ee04e452741e6f42a99fc7311a44
Opcode Fuzzy Hash: 2530619843f75df8452b0940bceb5cd5f895181db4d3b8ecaabeb59db2ea4e4e
Instruction Fuzzy Hash: 9ED0C912E3DB02C1F65437720D4953891952F44F29FE00A39D02E851F2DD1CA18A4331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775301050, Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF775301054
GetLastError.KERNEL32 ref: 00007FF77530105E

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: adf913ee5cc7c7c1ef42c013a1011cebf8c8422f17240b760de7ad176e9312e7
Instruction ID: 755fbb67cfead7b037b8329fa2e85b366e8207b9ca0d4c5b565ee446f9e7a1b9
Opcode Fuzzy Hash: adf913ee5cc7c7c1ef42c013a1011cebf8c8422f17240b760de7ad176e9312e7
Instruction Fuzzy Hash: 3AD0C912E39A4281E65477720C0553A91912F49F28FE00A38E06E811F0EE1CA1864331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FB18C, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FB1CE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6822dbc2a8b1ff3e6349b220cbdc0c550ebb3dc47220e5dccddef0256f2ff239
Instruction ID: 585e8484e751ab67decccec730c5fd9259e57c7376da1f3b1af7f37cad274ea0
Opcode Fuzzy Hash: 6822dbc2a8b1ff3e6349b220cbdc0c550ebb3dc47220e5dccddef0256f2ff239
Instruction Fuzzy Hash: 3741EAA2B3824146FA64BF667D0427EE391AF44FE0F984634EE5E47AD1DE3CE8418310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304B00, Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775304B2B

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0f0db46c4ac0937c5018805778628a33dc3b6b3c5f42e90fc7a398784ed182cc
Instruction ID: 7cfc0c946c466ffcd439021f97ed71227122e281b018ab4bdcab28b6756cdbff
Opcode Fuzzy Hash: 0f0db46c4ac0937c5018805778628a33dc3b6b3c5f42e90fc7a398784ed182cc
Instruction Fuzzy Hash: D8519D33A347458AEB18AF25D8502B97B61FB84F98F450939EA5E037A4CF39D951C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FAC70, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FAC91

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2c2c13596a5037e6d2d42df1c8249db59ca4a6e953e68e4d0548ec9288c0af8f
Instruction ID: c6ff285db4f91588123a00198915b31cb02d1bbbab8f6dcc2e937ef4652df693
Opcode Fuzzy Hash: 2c2c13596a5037e6d2d42df1c8249db59ca4a6e953e68e4d0548ec9288c0af8f
Instruction Fuzzy Hash: A441F2A3A3874986EB94EF25E840679B760EB84F84F816136DE4E073E5CF2CE441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753022F4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77530231C

Part of subcall function 00007FF7753024AC: GetModuleHandleExW.KERNEL32 ref: 00007FF7753024CC
Part of subcall function 00007FF7753024AC: GetProcAddress.KERNEL32 ref: 00007FF7753024E2
Part of subcall function 00007FF7753024AC: FreeLibrary.KERNEL32 ref: 00007FF775302507

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 8ca54f0a7675e36929e684a4e33d25b5e44eb427543012a0c9b6a703ae604a76
Instruction ID: cc9fe0253f2c0272791506ccf1dbaf65cae979bda367849f76766235d63a8515
Opcode Fuzzy Hash: 8ca54f0a7675e36929e684a4e33d25b5e44eb427543012a0c9b6a703ae604a76
Instruction Fuzzy Hash: 5A418213E38B4282EA68BB55D454678A292BF50F48F80543DEA0D476B1DF3EE845C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304580, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530467C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a273ec983798f05df9125b728d669bfa6ab2f0a19c58609746e5ab9c4fb55a25
Instruction ID: 1c52a665c6589382907439cc57493fcd6b53bde19a9d09c67bcf92ae224fdba8
Opcode Fuzzy Hash: a273ec983798f05df9125b728d669bfa6ab2f0a19c58609746e5ab9c4fb55a25
Instruction Fuzzy Hash: 2231A063E3832A89F6417B619805279A692AF40F68FD2453DD92D473F2EE7CE5418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775305650, Relevance: 1.6, APIs: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656029b866c2b64c4fb070a0a055ed623f8d238c5d9fdf2f46ac08bf598c2c87
Instruction ID: 727a8564aeaa473af84828869af48230d261fb7d68090bea3a563e799353751e
Opcode Fuzzy Hash: 656029b866c2b64c4fb070a0a055ed623f8d238c5d9fdf2f46ac08bf598c2c87
Instruction Fuzzy Hash: 0821E233E3835686E241BF12A854279A652AF40FA8FE5053EED1D873E2CE7CE4408720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1480, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7752F14CF

Part of subcall function 00007FF7752FA8C0: fread_s.LIBCMT ref: 00007FF7752FA8D3

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _fread_nolockfread_s
String ID:
API String ID: 3465328306-0
Opcode ID: 3154bf4182fbb5f7fb22ba52bea32714d235810c6a13285e1109eb0eea49d99f
Instruction ID: 3f69c1303ca739e3a962a95e212b223192a806182df699b53fa65931b7154973
Opcode Fuzzy Hash: 3154bf4182fbb5f7fb22ba52bea32714d235810c6a13285e1109eb0eea49d99f
Instruction Fuzzy Hash: 55316423B28A8583EB20DF34D5012A9A360FB99B48F859635DF8D53656EF38E195C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304CB0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255286e02a416fb80ba2a45fb124a5764a5af857cba7ce528a94b7f44b4e606
Instruction ID: 78ec49f401c66cdabc38c7fbffd5a1c066ac6c251ae6bfd16e772a6ae60c4393
Opcode Fuzzy Hash: e255286e02a416fb80ba2a45fb124a5764a5af857cba7ce528a94b7f44b4e606
Instruction Fuzzy Hash: 4721DE23E3835646F651BF11A944239A652AB80FB8F95063DED2D073E3CE3CE4418720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FF45C, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FF3B1

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 72812ab1d589848553df9a3627f37fc48297ceacbb545af0eee9de262716b331
Instruction ID: 6c87134af481bf87647909874f16769499b79deecfa961c18bfc85191750c842
Opcode Fuzzy Hash: 72812ab1d589848553df9a3627f37fc48297ceacbb545af0eee9de262716b331
Instruction Fuzzy Hash: EE21C563A3C38682EA15BF11A90027EE2A1BF44F84F944035EB4C977D6DF3CD8428760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530EBB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EBE8

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 76e0514b73e48b7281084e3381d47d48c0f700110335b6d02748d3a549e52ce9
Instruction ID: b8015869e41f8647e5ffe8c7f572a761f0062968249f7ba503dc9b488150468c
Opcode Fuzzy Hash: 76e0514b73e48b7281084e3381d47d48c0f700110335b6d02748d3a549e52ce9
Instruction Fuzzy Hash: 5821B73373874647D765AF24E54037AB6A2AB80FA8F54423CDA5E866F5DF2DD8008B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775300628, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530065C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b4c08daca6a6831fc4e568de7b6574a11fc81050bb42f0080b116ae13a25e1f9
Instruction ID: fbc879c97109f833df8ae0aafb64a20ef87354fd05052151f1efdbe753cd51c8
Opcode Fuzzy Hash: b4c08daca6a6831fc4e568de7b6574a11fc81050bb42f0080b116ae13a25e1f9
Instruction Fuzzy Hash: EE113D2393C74686F210BB15A440539E297FB84B88FD5013DE68D4A7B5DF3CE4508B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FFE74, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FFEB2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: df771ba188d204793d483a230f51e0cf269cb5405cf79eb3bedf98a1f02427af
Instruction ID: 24df4a490e24962d0fdee1844e7f6bfd67380e2d91176473754fc0bf574d007b
Opcode Fuzzy Hash: df771ba188d204793d483a230f51e0cf269cb5405cf79eb3bedf98a1f02427af
Instruction Fuzzy Hash: C701C053E3C75240FE60BB65B940179D280AF00F98FC41639E92C826E7DF6CA4428330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303D24, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bde30c0e19591bf27cbf6c80c6ad9874960969efd5f38449a937b98a5a748e7
Instruction ID: 8f569dab23481aa8d69069689f2351b1a897c84a4f5125f7ee32bd71e86bb180
Opcode Fuzzy Hash: 9bde30c0e19591bf27cbf6c80c6ad9874960969efd5f38449a937b98a5a748e7
Instruction Fuzzy Hash: BC114F63938B4A96E645BF54E6442ADF762EB80B68FD0413AD64D066F5CF7CD0058B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA4F8, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA515

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1e38f1a71e6edaebba53464f408863bb79e2c7f7164e2ff846e080a32884a5af
Instruction ID: a980f8817dcb6194c424a77a738fe68b565e4575acda84047683ff38e3f042d3
Opcode Fuzzy Hash: 1e38f1a71e6edaebba53464f408863bb79e2c7f7164e2ff846e080a32884a5af
Instruction Fuzzy Hash: 87018463E3820641FE58BB79A91137991919F40F68FA51335E92D872E2DE2DE8418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FB328, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FB35D

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4ba2ef1f9eeba0afa5796943fee2b436c7a65e389ff72a5d861afe13d56c1497
Instruction ID: 9a76e80fd386c977d39ca3bb5b52c9285e39b19147ac85629e30693662aecef2
Opcode Fuzzy Hash: 4ba2ef1f9eeba0afa5796943fee2b436c7a65e389ff72a5d861afe13d56c1497
Instruction Fuzzy Hash: 05015B73E20B1A88EB04EFA0E8404EC77B8FB24B48B910136DA4C13768DF38D5A5C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302EAC, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF775306EC5,?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775302F01

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a62c9982f3dd2203348fa0e8b84adfd5892d1915442a604536a1a95da6cdd961
Instruction ID: e1b62aa1ff5637bdc6a9212fafbc68e581ecd7df5a7472f4e3d433245cf02516
Opcode Fuzzy Hash: a62c9982f3dd2203348fa0e8b84adfd5892d1915442a604536a1a95da6cdd961
Instruction Fuzzy Hash: 66F04942B3970681FE647762D851AB5E2820F88F88F980838E90E866E2DE1DE4818330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA57C, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA5A5

Part of subcall function 00007FF7752FA4F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA515

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 05b2ef034e02f3c4ecdd2f2217128cd5f5b53d149360704b61a5809def32f19d
Instruction ID: fddb6a8c8a0c92c03559aaa4b32620244f3ab00ce410bbe1f4da21a63e31f9c5
Opcode Fuzzy Hash: 05b2ef034e02f3c4ecdd2f2217128cd5f5b53d149360704b61a5809def32f19d
Instruction Fuzzy Hash: 02F090A3E3C20742EA44B7B9B91117AA2819F40B94FE46130EA1E862D6DF2CE8418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA988, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA9B4

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 319c056ec18a667aed709a61f47591d97028b07b74352a83101b19db1f2445c3
Instruction ID: 47018f429ae288f7bf23d4cbdb66f950d32d83ca059134bb8e925aca754d6906
Opcode Fuzzy Hash: 319c056ec18a667aed709a61f47591d97028b07b74352a83101b19db1f2445c3
Instruction Fuzzy Hash: C4F09062B3824242EB90B765BD8212EE291AF44FD4F956131EA1D876D6CF2CD8408720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FAC04, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FAC25

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f01cfeb65208a6553f9345d451597099b925dd753397887adba98e7ec8bda9b1
Instruction ID: d1ac0d367267fc3616a5dddd8bbc907e68d2f8f2d2a27397756cc0386e068276
Opcode Fuzzy Hash: f01cfeb65208a6553f9345d451597099b925dd753397887adba98e7ec8bda9b1
Instruction Fuzzy Hash: EDF0B473E3860A42F681BB70BD4117AA2809F40F74F951630F52E863D2DF2CE8404730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302D94, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF775302DD2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c21a571bc974b5bb7657bd3a9d239b3753710b7898264d10f2d3b29b2a2ddd20
Instruction ID: 414cb2af2fccb414e5fd8453b63fd1af1ae5a0eb2f454d093bff409bd1c86295
Opcode Fuzzy Hash: c21a571bc974b5bb7657bd3a9d239b3753710b7898264d10f2d3b29b2a2ddd20
Instruction Fuzzy Hash: D9F05E03A3C70688FA5477629910A7591824F84FA8F880638EC3E852E2DE5DEC828330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FB4E0, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7753064C4: DeleteCriticalSection.KERNEL32 ref: 00007FF775306537

DeleteCriticalSection.KERNEL32 ref: 00007FF7752FB511

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 2238394d76eaae2bdec8e36ebf4022bfdb5614ddaf639da6f0413fcce0b786a0
Instruction ID: 049a21f455e5b58a84a3916b3b6cd004d45f551b6386bdbf00be28345afb266d
Opcode Fuzzy Hash: 2238394d76eaae2bdec8e36ebf4022bfdb5614ddaf639da6f0413fcce0b786a0
Instruction Fuzzy Hash: 19F06557E38D0691FB41BB66E891775A350AF84F08FC0003AD90F432B28D1CA4A58331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753001A8, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7753001C1

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 629075894b72c3d875607a1be8c4acd34918f57f12d13ef35b9c69b46a310b88
Instruction ID: d137c99d9a7f404b7e303c82ce22ac16b1a5f6b4ff294169aa6fdc3341ea8140
Opcode Fuzzy Hash: 629075894b72c3d875607a1be8c4acd34918f57f12d13ef35b9c69b46a310b88
Instruction Fuzzy Hash: 63E0C297E3830B42F6983BA446CA17991428F44B88FD1003EDD0C4A3E3DD1C68450330

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7752F2B20, Relevance: 264.9, APIs: 50, Strings: 101, Instructions: 656libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7752F20BE,00000000,00007FF7752F273E), ref: 00007FF7752F2B30
GetProcAddress.KERNEL32(?,?,00000000,00007FF7752F20BE,00000000,00007FF7752F273E), ref: 00007FF7752F2B68

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to get address for PyObject_CallFunction, xrefs: 00007FF7752F31D2
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7752F335A
Py_NoUserSiteDirectory, xrefs: 00007FF7752F2C3E
PyMarshal_ReadObjectFromString, xrefs: 00007FF7752F3456
Py_SetPath, xrefs: 00007FF7752F2DFE
Failed to get address for Py_SetPythonHome, xrefs: 00007FF7752F2EC2
Py_DecRef, xrefs: 00007FF7752F2D1E
Failed to get address for Py_DecRef, xrefs: 00007FF7752F2D3A
PyErr_Fetch, xrefs: 00007FF7752F2FBE
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF7752F3082
PyUnicode_FromFormat, xrefs: 00007FF7752F3536
Failed to get address for PyErr_Restore, xrefs: 00007FF7752F3012
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF7752F2C5A
Failed to get address for PyDict_GetItemString, xrefs: 00007FF7752F2EFA
PyUnicode_DecodeFSDefault, xrefs: 00007FF7752F35A6
Failed to get address for PySys_SetPath, xrefs: 00007FF7752F3402
Py_NoSiteFlag, xrefs: 00007FF7752F2C06
Failed to get address for PyErr_Print, xrefs: 00007FF7752F2FA2
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7752F358A
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7752F3472
PyEval_EvalCode, xrefs: 00007FF7752F341E
Failed to get address for Py_Initialize, xrefs: 00007FF7752F2DE2
Failed to get address for Py_VerboseFlag, xrefs: 00007FF7752F2CCA
PyImport_AddModule, xrefs: 00007FF7752F302E
Py_OptimizeFlag, xrefs: 00007FF7752F2C76
Failed to get address for PyMem_RawFree, xrefs: 00007FF7752F351A
Failed to get address for PyLong_AsLong, xrefs: 00007FF7752F3162
Failed to get address for PyObject_Str, xrefs: 00007FF7752F32B2
Py_Finalize, xrefs: 00007FF7752F2D56
Failed to get address for PyModule_GetDict, xrefs: 00007FF7752F319A
PyDict_GetItemString, xrefs: 00007FF7752F2EDE
Failed to get address for PyList_New, xrefs: 00007FF7752F312A
Failed to get address for Py_SetProgramName, xrefs: 00007FF7752F2E8A
Failed to get address for PyList_Append, xrefs: 00007FF7752F30F2
GetProcAddress, xrefs: 00007FF7752F2B49, 00007FF7752F2B81, 00007FF7752F2BB9, 00007FF7752F2BF1, 00007FF7752F2C29, 00007FF7752F2C61, 00007FF7752F2C99, 00007FF7752F2CD1, 00007FF7752F2D09, 00007FF7752F2D41, 00007FF7752F2D79, 00007FF7752F2DB1, 00007FF7752F2DE9, 00007FF7752F2E21, 00007FF7752F2E59, 00007FF7752F2E91, 00007FF7752F2EC9, 00007FF7752F2F01, 00007FF7752F2F39, 00007FF7752F2F71, 00007FF7752F2FA9, 00007FF7752F2FE1, 00007FF7752F3019, 00007FF7752F3051, 00007FF7752F3089, 00007FF7752F30C1, 00007FF7752F30F9, 00007FF7752F3131, 00007FF7752F3169, 00007FF7752F31A1, 00007FF7752F31D9, 00007FF7752F3211, 00007FF7752F3249, 00007FF7752F3281, 00007FF7752F32B9, 00007FF7752F32F1, 00007FF7752F3329, 00007FF7752F3361, 00007FF7752F3399, 00007FF7752F33D1, 00007FF7752F3409, 00007FF7752F3441, 00007FF7752F3479, 00007FF7752F34B1, 00007FF7752F34E9, 00007FF7752F3521, 00007FF7752F3559, 00007FF7752F3591, 00007FF7752F35C9, 00007FF7752F3601
PyErr_Occurred, xrefs: 00007FF7752F2F4E
Py_FrozenFlag, xrefs: 00007FF7752F2B96
Py_IgnoreEnvironmentFlag, xrefs: 00007FF7752F2BCE
PyLong_AsLong, xrefs: 00007FF7752F3146
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF7752F2C92
PyObject_GetAttrString, xrefs: 00007FF7752F325E
Failed to get address for PyErr_Fetch, xrefs: 00007FF7752F2FDA
PySys_SetObject, xrefs: 00007FF7752F33AE
Py_GetPath, xrefs: 00007FF7752F2E36
PyObject_SetAttrString, xrefs: 00007FF7752F3226
PyImport_ImportModule, xrefs: 00007FF7752F309E
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF7752F2BEA
Py_DecodeLocale, xrefs: 00007FF7752F34C6
PyUnicode_AsUTF8, xrefs: 00007FF7752F35DE
PyList_Append, xrefs: 00007FF7752F30D6
PyList_New, xrefs: 00007FF7752F310E
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF7752F35C2
PySys_SetArgvEx, xrefs: 00007FF7752F333E
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF7752F3552
Failed to get address for PyImport_AddModule, xrefs: 00007FF7752F304A
PyObject_CallFunctionObjArgs, xrefs: 00007FF7752F31EE
PySys_GetObject, xrefs: 00007FF7752F3376
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF7752F327A
Py_IncRef, xrefs: 00007FF7752F2D8E
Failed to get address for Py_IncRef, xrefs: 00007FF7752F2DAA
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF7752F2B7A
Py_SetPythonHome, xrefs: 00007FF7752F2EA6
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF7752F2C22
Failed to get address for PyErr_Occurred, xrefs: 00007FF7752F2F6A
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7752F3242
PySys_SetPath, xrefs: 00007FF7752F33E6
Failed to get address for PyEval_EvalCode, xrefs: 00007FF7752F343A
Failed to get address for Py_FrozenFlag, xrefs: 00007FF7752F2BB2
PyModule_GetDict, xrefs: 00007FF7752F317E
Failed to get address for Py_GetPath, xrefs: 00007FF7752F2E52
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7752F35FA
Py_BuildValue, xrefs: 00007FF7752F2CE6
PyObject_Str, xrefs: 00007FF7752F3296
Py_DontWriteBytecodeFlag, xrefs: 00007FF7752F2B26
Failed to get address for PySys_GetObject, xrefs: 00007FF7752F3392
Failed to get address for Py_SetPath, xrefs: 00007FF7752F2E1A
Failed to get address for PySys_SetObject, xrefs: 00007FF7752F33CA
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7752F30BA
Py_Initialize, xrefs: 00007FF7752F2DC6
PyErr_Clear, xrefs: 00007FF7752F2F16
PyImport_ExecCodeModule, xrefs: 00007FF7752F3066
Failed to get address for PyUnicode_FromString, xrefs: 00007FF7752F34AA
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7752F34E2
PyErr_Restore, xrefs: 00007FF7752F2FF6
PyObject_CallFunction, xrefs: 00007FF7752F31B6
PyErr_Print, xrefs: 00007FF7752F2F86
PyUnicode_FromString, xrefs: 00007FF7752F348E
Py_SetProgramName, xrefs: 00007FF7752F2E6E
PySys_AddWarnOption, xrefs: 00007FF7752F3306
Failed to get address for Py_Finalize, xrefs: 00007FF7752F2D72
PyMem_RawFree, xrefs: 00007FF7752F34FE
Failed to get address for PyRun_SimpleString, xrefs: 00007FF7752F32EA
Failed to get address for PyErr_Clear, xrefs: 00007FF7752F2F32
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF7752F2B42
Py_FileSystemDefaultEncoding, xrefs: 00007FF7752F2B5E
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF7752F3322
PyRun_SimpleString, xrefs: 00007FF7752F32CE
PyUnicode_Decode, xrefs: 00007FF7752F356E
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7752F320A
Failed to get address for Py_BuildValue, xrefs: 00007FF7752F2D02
Py_VerboseFlag, xrefs: 00007FF7752F2CAE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleString$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleString$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_VerboseFlag
API String ID: 4214558900-925859108
Opcode ID: b1b34659b6ac772a7d07e572676278b4f8477998d11e5e959f0120f36f61710e
Instruction ID: 733d69caf87308fe231cbbc35ef00bf1f8ee90cdf1f458d0e0d0108f5bcc710c
Opcode Fuzzy Hash: b1b34659b6ac772a7d07e572676278b4f8477998d11e5e959f0120f36f61710e
Instruction Fuzzy Hash: 2062E9A6E39F0791EA55BB39FC50470A351AF54F68BC41A39E41E462F0EF6DA1A4C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4DA0, Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4DD0
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E5D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E70
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E83

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Part of subcall function 00007FF7752F4F30: GetLastError.KERNEL32(00007FF7752F1A84,?,?,00000000,00007FF7752F527B), ref: 00007FF7752F4F55
Part of subcall function 00007FF7752F4F30: FormatMessageW.KERNEL32 ref: 00007FF7752F4F86

Strings

kernel32, xrefs: 00007FF7752F4E56
8, xrefs: 00007FF7752F4EAB
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F4E3E
Out of memory., xrefs: 00007FF7752F4E08
ActivateActCtx, xrefs: 00007FF7752F4E76
CreateActCtxW, xrefs: 00007FF7752F4E66
MultiByteToWideChar, xrefs: 00007FF7752F4DE4, 00007FF7752F4E45
win32_utils_from_utf8, xrefs: 00007FF7752F4E0F
Failed to get wchar_t buffer size., xrefs: 00007FF7752F4DDD

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressErrorLastProc$ByteCharFormatLibraryLoadMessageMultiWide
String ID: 8$ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$kernel32$win32_utils_from_utf8
API String ID: 1194605682-1231727188
Opcode ID: e9d90d75d9451bb9725c92077547a6832520e34a0eed8259bf9dbaeb594a5630
Instruction ID: 2b9aa06bf40b6419e6acc8c2db59ab96daaad7ed35300bbca4953ec40e8d9da3
Opcode Fuzzy Hash: e9d90d75d9451bb9725c92077547a6832520e34a0eed8259bf9dbaeb594a5630
Instruction Fuzzy Hash: 49418F73A38F4291E650EB25F800569A291AF84FA4FC44739E56D437E4EF7CE505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530C850, Relevance: 24.1, APIs: 9, Strings: 4, Instructions: 1310COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF77530C899
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530CF12
memcpy_s.LIBCMT ref: 00007FF77530D8BF
memcpy_s.LIBCMT ref: 00007FF77530D966

Part of subcall function 00007FF77530DBBC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DBEE

memcpy_s.LIBCMT ref: 00007FF77530DA2F

Part of subcall function 00007FF775302DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775302E19

Strings

1#INF, xrefs: 00007FF77530DB07
1#SNAN, xrefs: 00007FF77530DAC9
1#IND, xrefs: 00007FF77530DAAA
1#QNAN, xrefs: 00007FF77530DAE8

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 281475176-2761157908
Opcode ID: 58088951ffabfed2dfeb9325599c6666881e12b2ec84d4fda0932d263fc640c2
Instruction ID: 09f82266f4a96344372748e9045b315e4e3dc48bf9a5136e1b34a109929204bd
Opcode Fuzzy Hash: 58088951ffabfed2dfeb9325599c6666881e12b2ec84d4fda0932d263fc640c2
Instruction Fuzzy Hash: F6B20873A383828BE765AF68D4406F9A7D2FB44B8CF905539DA0E57B94DF38E5048B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4F30, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00007FF7752F1A84,?,?,00000000,00007FF7752F527B), ref: 00007FF7752F4F55

Part of subcall function 00007FF7752F55C0: WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

FormatMessageW.KERNEL32 ref: 00007FF7752F4F86

Strings

No error messages generated., xrefs: 00007FF7752F4F90
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7752F4FDC
FormatMessageW, xrefs: 00007FF7752F4F97
PyInstaller: FormatMessageW failed., xrefs: 00007FF7752F4FA3

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
API String ID: 1653872744-3268588819
Opcode ID: b8a0dbb53044ca0af52369f0239c0678ca3d6db094299114c4ddc91301e777fc
Instruction ID: c57cb83e22c8270d646470bf15841c46c6a31b4ed4473f4136e4989c4059ea6b
Opcode Fuzzy Hash: b8a0dbb53044ca0af52369f0239c0678ca3d6db094299114c4ddc91301e777fc
Instruction Fuzzy Hash: 2E112162B38A4291FE20BB21FC55775A351BB84B48FC04539EA4D526A5DF6CD205C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303964, Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7753039DD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7753039F5
RtlVirtualUnwind.KERNEL32 ref: 00007FF775303A30
IsDebuggerPresent.KERNEL32 ref: 00007FF775303A69
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF775303A73
UnhandledExceptionFilter.KERNEL32 ref: 00007FF775303A7E

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 80b0730903e532fc70616f4dc65be134e5b86ea7bc24d021c4a1d0bf6ad54e27
Instruction ID: f747ae9ca9e82ee47079302c6597f67cc30f6436bdf2214de9bcfd11657c91af
Opcode Fuzzy Hash: 80b0730903e532fc70616f4dc65be134e5b86ea7bc24d021c4a1d0bf6ad54e27
Instruction Fuzzy Hash: 08316333638F8186D720DB25E8406ADB364FB84B58F900539EA9D43BA4DF3CC145C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775309DF0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775309E30

Part of subcall function 00007FF775303B90: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303B99
Part of subcall function 00007FF775303B90: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303BBD

Strings

., xrefs: 00007FF77530A268
., xrefs: 00007FF77530A277
*, xrefs: 00007FF775309E57

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *$.$.
API String ID: 4036615347-2112782162
Opcode ID: 72e1c56197c311c0751013bf47713b01f0f3284c86a3f4f3d8e8cb7a0cf8aeca
Instruction ID: 5bd015a2d8db433b3a38fce2cbdcd0e344422b4f1194d3072c831898a4243992
Opcode Fuzzy Hash: 72e1c56197c311c0751013bf47713b01f0f3284c86a3f4f3d8e8cb7a0cf8aeca
Instruction Fuzzy Hash: F751BE63B34B5585FB10EBA298406BDA3A6BB44FC8F944139DE5D17BA9DE38D442C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530C380, Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF77530C40B

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction ID: 1cee155b604b8c278d3b48999e2abac05e1925112b7208c853c3b391e2b6f02d
Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction Fuzzy Hash: 0BD19333B3838987DB74DF15A18466AF792F798B88F548138DB4E57B54DA3CE8418B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F80A0, Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF7752F84E0
invalid distance too far back, xrefs: 00007FF7752F8514
invalid distance code, xrefs: 00007FF7752F84F6

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: 9044a9e1988170a7d03f25ce4610e22a42a88ef3ba9adc312cf0ebb9643e8720
Instruction ID: f5317a4c3559134bcc30a65bfd5fd2f79f98e93fa6a6c6831cd95b5945da4a63
Opcode Fuzzy Hash: 9044a9e1988170a7d03f25ce4610e22a42a88ef3ba9adc312cf0ebb9643e8720
Instruction Fuzzy Hash: 8DD14973A3C5D58BE7198F29E81427DBBA1E791B90F448236EA9A537C1CE3CE509C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530A020, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

., xrefs: 00007FF77530A268

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: b5db4f2aed64c692855849ed24079320b871bc9280091d7031d108ab40820a1f
Instruction ID: 0a8af1b3eea9e48739f927b8ec2cd647ee76b5156bffafb77d42072f9b0831b2
Opcode Fuzzy Hash: b5db4f2aed64c692855849ed24079320b871bc9280091d7031d108ab40820a1f
Instruction Fuzzy Hash: BE311653B3879545E760AF62A804676E792FB40FE8F948639EE6D07BE4DE3CD4018320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775311588, Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7753117D5
RaiseException.KERNEL32 ref: 00007FF7753117E6

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a5234e5d9a918b0ef48134481ad7d3ba995bb1ddaa82fbe7c9d99b69d69d4f07
Instruction ID: 94392cfe2517f13a09f413f62943a57fd92983b33d26ee28135be0daa7e09359
Opcode Fuzzy Hash: a5234e5d9a918b0ef48134481ad7d3ba995bb1ddaa82fbe7c9d99b69d69d4f07
Instruction Fuzzy Hash: 85B15977A20B898AEB15DF29C8453A8BBA0F744F8CF188925DA5D837B4CB39D451C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530EC98, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77530ECFD

Part of subcall function 00007FF7752FF660: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FF674

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 7bc4fa4a1f55762211477fb5d93b293b849e54d64afc8a742a1398b6d5973f49
Instruction ID: 0d5e2abb30af9247e2a1d69419df3d9ed92cbe19253631834a1ce1ec0cdad8fd
Opcode Fuzzy Hash: 7bc4fa4a1f55762211477fb5d93b293b849e54d64afc8a742a1398b6d5973f49
Instruction Fuzzy Hash: F2710723B3839E45F7646B289444638E283AB80B68F94473DD66D877F1DE7CE841D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775301078, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF775301097

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 40750de77d646c01d56e82cf426d33e1f55cc340be3b3fab1b0fdca9edd0ecb0
Instruction ID: e56bb7fa09158ac4e725d612f62468eaae28b3b52680ecd3d587bb331c03926b
Opcode Fuzzy Hash: 40750de77d646c01d56e82cf426d33e1f55cc340be3b3fab1b0fdca9edd0ecb0
Instruction Fuzzy Hash: 19719017F3835241EA2CBB26591157A9293AF40FCCF888039DE0D47BB6EE3DE4468354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FD020, Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7752FD1D7

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: db30f2c63f18a140d05b371e59a83c30065240504741ede35166ef46515c3e59
Instruction ID: e82090e24eb8bc40136e94963ae80c3d1b97593cb2f9206b7744a33c95c5fd89
Opcode Fuzzy Hash: db30f2c63f18a140d05b371e59a83c30065240504741ede35166ef46515c3e59
Instruction Fuzzy Hash: A181E5A3A3820242EBE4BB25A94067EA3A1EF42F44FD41535DD09876D5CF2DE847C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FCDA4, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7752FCF3E

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 5c66c6e0aff52e3a814ff90621c8c0917536b0a8d7c9c9eed1f23e2114802e5e
Instruction ID: f46510a55d3c5135e246e4d0c36fd79c566ad245c1cdb934791cdddb8f0325a8
Opcode Fuzzy Hash: 5c66c6e0aff52e3a814ff90621c8c0917536b0a8d7c9c9eed1f23e2114802e5e
Instruction Fuzzy Hash: D971E8A3A3C24246FB68AB15784027DE3909F41F44FD40D36DD49A77E5CF2DE8468761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FCB28, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7752FCCC2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 74dcee436b559ad53bd5e083cad9013d74d93bd80b661b50ca22568b58697a90
Instruction ID: 40b9741beeafd864f0b5e1ba3636c3306aff1107ca22cc3d9dcca34b7a1aa7be
Opcode Fuzzy Hash: 74dcee436b559ad53bd5e083cad9013d74d93bd80b661b50ca22568b58697a90
Instruction Fuzzy Hash: 8F7127A3A3C24246F768AB24B84027DD7909F82F4CF940D31DD4DA76F9CE2DE8468761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302874, Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 00007FF7753028B0

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 13e397550ae31c85129cf34c4b39e040576814d93205fffdd07cdcca2f405f33
Instruction ID: 4af63c92cf0e46de2dc26a89a30eedb01f54a2f804b77cd68e3bd38cf1569301
Opcode Fuzzy Hash: 13e397550ae31c85129cf34c4b39e040576814d93205fffdd07cdcca2f405f33
Instruction Fuzzy Hash: 4B41C363734B5489EE04DF2AD8146A9B3A2B748FC4B89A03AEE1D87764DE3DD446C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530B9A0, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF77530B9A4

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c697010c415bb406de5f5ba4249fc3c53353e06f14618bda4412a62a8bd03628
Instruction ID: b411f8363bccf95cb835029f20a71d600eee943c7e4b489a2518adcf4d7a26bc
Opcode Fuzzy Hash: c697010c415bb406de5f5ba4249fc3c53353e06f14618bda4412a62a8bd03628
Instruction Fuzzy Hash: 8BB09221E3BE06E6EA483B226C82218A2A87F48F04FD4403CC00C41330DE2C21A65760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F7850, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f7e355dbeba9ad19f79f2d3cf72c2032f8e469e3b0dc3e766727acbbad995a
Instruction ID: eee0d8c50dd687dd2922780a5ab2c2fa1af1f815e1de99b9b5c25bb3f54a09e5
Opcode Fuzzy Hash: 04f7e355dbeba9ad19f79f2d3cf72c2032f8e469e3b0dc3e766727acbbad995a
Instruction Fuzzy Hash: 1871BEB37301749BEB648B2EA514EA93390F36A749FC56115EB8447B81CE3EB921CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FF050, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fe8ae82f4a7f1e5c3cba6a7b579c4cbe970ed01518187d4632761707183b5f
Instruction ID: cfbcd9b233cd29dec8484eda9ba3a107964ba4e79a0828a19c4a2adc8aa963c9
Opcode Fuzzy Hash: 57fe8ae82f4a7f1e5c3cba6a7b579c4cbe970ed01518187d4632761707183b5f
Instruction Fuzzy Hash: 574192C3D3C69A04FA959B18AD003B9D6809F22FA4FE852B4DDAF633D6D90D6547C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753113D0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191b5d8501a35a53c1ce80ff18f5d351d14d7a7a06e8a4a6908da3fb582f899e
Instruction ID: 7c99d9f2fac6473922823bd89ec0d8b0d75ed8b01f6066abd1c445cc4b7be48c
Opcode Fuzzy Hash: 191b5d8501a35a53c1ce80ff18f5d351d14d7a7a06e8a4a6908da3fb582f899e
Instruction Fuzzy Hash: 74F068737396558ADBD89F28A84262977E0E708784FD0843ED68D83B28D63CD0628F14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F9120, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91839643d30135ffc7adb971268a4a67ca3dd32d1b96bbcbbe984aa292f49f9b
Instruction ID: 5d56e953c4645877bf49bfd79912ab1210ac7d182d440d5ab13e4291e9f557a7
Opcode Fuzzy Hash: 91839643d30135ffc7adb971268a4a67ca3dd32d1b96bbcbbe984aa292f49f9b
Instruction Fuzzy Hash: 77A00162A38C02D0EA44AB22A855825A270BB50B04F900835E51D450A09E3DA400C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F20B0, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 133COMMON

Download Yara Rule

Strings

Failed to execute script %s, xrefs: 00007FF7752F24A7
Could not get __main__ module., xrefs: 00007FF7752F2350
__main__, xrefs: 00007FF7752F233B
Name exceeds PATH_MAX, xrefs: 00007FF7752F24D3
__file__, xrefs: 00007FF7752F23F8
Failed to unmarshal code object for %s, xrefs: 00007FF7752F24BC
Could not get __main__ module's dict., xrefs: 00007FF7752F237D
%s.py, xrefs: 00007FF7752F23CE

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
API String ID: 0-2368408649
Opcode ID: aae7fbf184d232e1786fff97544d966361f94814fd8406c1f1740380ae73d237
Instruction ID: ccf5fe8fc38138f5d87935da7fcf74d76c39e52a1d3fd0ae077caf4ac9b2d586
Opcode Fuzzy Hash: aae7fbf184d232e1786fff97544d966361f94814fd8406c1f1740380ae73d237
Instruction Fuzzy Hash: D7517FA3A3CA4381FA24BB22BC105B9A290AF55F94FC40535ED5E867E5DE7EE0458330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530797C, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307AF9

Strings

NAN, xrefs: 00007FF7753079DD
nan, xrefs: 00007FF7753079E4
inf, xrefs: 00007FF775307A02
nan(ind), xrefs: 00007FF775307A32
NAN(IND), xrefs: 00007FF775307A27
INF, xrefs: 00007FF7753079EF
NAN(SNAN), xrefs: 00007FF775307A11
nan(snan), xrefs: 00007FF775307A1C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 3179a56723a21d6cc442c7c6c7c39b94e8f4395454ad5cd1c72b07a63001d736
Instruction ID: 080372bf80f76dd7d51c952812df2e32388e274326cfc0f60162cb5e1b7ef2f9
Opcode Fuzzy Hash: 3179a56723a21d6cc442c7c6c7c39b94e8f4395454ad5cd1c72b07a63001d736
Instruction Fuzzy Hash: 9B419B32A39B4589FB00DF34E8417A9B3A5EB04B88F80453AEE5C07B65DE3CD025C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3660, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 89COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF7752F373A
htonl.WS2_32 ref: 00007FF7752F3749

Strings

strict, xrefs: 00007FF7752F367D
loads, xrefs: 00007FF7752F36DE
utf-8, xrefs: 00007FF7752F3684
marshal, xrefs: 00007FF7752F36C5
mod is NULL - %s, xrefs: 00007FF7752F3781
Failed to get _MEIPASS as PyObject., xrefs: 00007FF7752F3696
_MEIPASS, xrefs: 00007FF7752F36B0

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
API String ID: 2009864989-3336796446
Opcode ID: 71e61a976854cb198d7bc3e8283467ac40c7974c54ce13730874df954d327be3
Instruction ID: 22adf104c831f0ee8894c5e30489737b1f5861fc28d92219d71be24270142856
Opcode Fuzzy Hash: 71e61a976854cb198d7bc3e8283467ac40c7974c54ce13730874df954d327be3
Instruction Fuzzy Hash: 8F415EA2A3CA4692EA04BB21FC546B9B360AF54FA4FC44535DA1E073E4DF3CE045C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3E80, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7752F419F,?,00000000,?,00007FF7752F411D), ref: 00007FF7752F3EE2

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7752F3EB6
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7752F3EF6
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7752F3F26

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 1fd6734e61767806cd826dd581c55661d1c497fb10b06256f4908bd81dc6a8a2
Instruction ID: e831b55fb08a4beba3bfa6b90331517d2bad2dbc056946fcf0c0477acd58a72a
Opcode Fuzzy Hash: 1fd6734e61767806cd826dd581c55661d1c497fb10b06256f4908bd81dc6a8a2
Instruction Fuzzy Hash: 04319293B3CB8691FE24B725FD552BAE251AF98FC0FC44535DA0E427D6EE2CE1048620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1B70, Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 170stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF7752F1BD2

Strings

Error copying %s, xrefs: 00007FF7752F1CAD
Error extracting %s, xrefs: 00007FF7752F1E59
%s%s%s.exe, xrefs: 00007FF7752F1D7A
%s%s%s.pkg, xrefs: 00007FF7752F1D4D
%s%s%s%s%s, xrefs: 00007FF7752F1C63
Archive not found: %s, xrefs: 00007FF7752F1DDC
%s%s%s, xrefs: 00007FF7752F1DA7
%s%s%s%s%s%s%s, xrefs: 00007FF7752F1D0B

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: strchr
String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Error copying %s$Error extracting %s
API String ID: 2830005266-390755151
Opcode ID: 002ed9ba5170322bc6c27abb3c57df30f33d8438d6d6c792dfbb0fc659c9e0c8
Instruction ID: 23b840d73295ae445019fe948c0f80e1fb7b5d4d3ea02576649d4d09c90121c5
Opcode Fuzzy Hash: 002ed9ba5170322bc6c27abb3c57df30f33d8438d6d6c792dfbb0fc659c9e0c8
Instruction Fuzzy Hash: 24813F63A38EC394EB20AB21EC401F9A365FB55B88FC44136EA4D476D9EF78D205C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3A40, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 00007FF7752F3BB6
fflush.LIBCMT ref: 00007FF7752F3BC8
setbuf.LIBCMT ref: 00007FF7752F3BD9
setbuf.LIBCMT ref: 00007FF7752F3BED
setbuf.LIBCMT ref: 00007FF7752F3C01

Strings

Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00007FF7752F3C35
pyi-, xrefs: 00007FF7752F3ADC

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: setbuf$fflush
String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
API String ID: 410961200-3625900369
Opcode ID: 70ee1634e765a46cbf7eebb5f84f857e8093b6ebe6d1e948273328f0a84d6a6c
Instruction ID: c08744c9217227647a029822ea85bf259313f2c843f3dc7e3f989741d3bcba32
Opcode Fuzzy Hash: 70ee1634e765a46cbf7eebb5f84f857e8093b6ebe6d1e948273328f0a84d6a6c
Instruction Fuzzy Hash: 71517CA3A3C60641FA14BB25EC652B9A251AF54F54FC44139E91D873E7CE7DE8018370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5140, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F51DD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F5227

Strings

win32_utils_to_utf8, xrefs: 00007FF7752F525F
WideCharToMultiByte, xrefs: 00007FF7752F526F
Out of memory., xrefs: 00007FF7752F5258
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7752F524F
Failed to get UTF-8 buffer size., xrefs: 00007FF7752F5268

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-3595433791
Opcode ID: fa26b47c32204bb14b884f800050f1a4cb12be7793418c37bfc9b437f1700ba7
Instruction ID: 0f2cfa99fa61373224cb780af2a9c3302ec5ffd971073f2f3bf2e427a1f1a069
Opcode Fuzzy Hash: fa26b47c32204bb14b884f800050f1a4cb12be7793418c37bfc9b437f1700ba7
Instruction Fuzzy Hash: B641C173A38B8282E660EF55B84016AF7A5FB84B94F944235EA8D47BE4DF3CE111C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F55C0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5673

Strings

win32_utils_to_utf8, xrefs: 00007FF7752F5642
WideCharToMultiByte, xrefs: 00007FF7752F5615, 00007FF7752F5684
Out of memory., xrefs: 00007FF7752F563B
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7752F567D
Failed to get UTF-8 buffer size., xrefs: 00007FF7752F560E

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-3595433791
Opcode ID: 626ab26b13916d9d32718d33e2c174ebc2376be8bb3d424ff61070e4e5b53e0a
Instruction ID: e18b8c28e7d706c9159c205d91e8699ed7c49f1eba42c22d81501fa44f022544
Opcode Fuzzy Hash: 626ab26b13916d9d32718d33e2c174ebc2376be8bb3d424ff61070e4e5b53e0a
Instruction Fuzzy Hash: 95219C62B38F4685EA14AF25BD40069B7A1AB84FD8F844539DA1E43BA4EF3CE500C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5830, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 62COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00007FF7752F5470), ref: 00007FF7752F5862

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

WideCharToMultiByte, xrefs: 00007FF7752F5875, 00007FF7752F58F3
Out of memory., xrefs: 00007FF7752F58AD
Failed to get ANSI buffer size., xrefs: 00007FF7752F586E
Failed to encode filename as ANSI., xrefs: 00007FF7752F58EC
win32_wcs_to_mbs, xrefs: 00007FF7752F58B4

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 203985260-2581065711
Opcode ID: 30a9694185e67db114cd990fa3b2a6ed8137dcb5d445eb3289618fd7341275ff
Instruction ID: e2f9ca5983065249cda6bee17875ea17e5483b1cbf214142c6455151b0a618cf
Opcode Fuzzy Hash: 30a9694185e67db114cd990fa3b2a6ed8137dcb5d445eb3289618fd7341275ff
Instruction Fuzzy Hash: 3D218072A3CB8686E750AF25F84006AB791FB84BD4F844539E99E437A9DF3CE150C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F37E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF7752F3812

Strings

Failed to append to sys.path, xrefs: 00007FF7752F389D
strict, xrefs: 00007FF7752F382E
utf-8, xrefs: 00007FF7752F3835
Installing PYZ: Could not get sys.path, xrefs: 00007FF7752F3876
%U?%zu, xrefs: 00007FF7752F3845
path, xrefs: 00007FF7752F3864

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: %U?%zu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
API String ID: 2009864989-2673223963
Opcode ID: f31583c6e0f3b0c3a2d4415782db2ecca80cfe0c57754da180719fd39221b6e8
Instruction ID: be8e4fa4c16447d5c41ff564eee992c7d4d61d9bd1e6ac1f344425c12cbbaae2
Opcode Fuzzy Hash: f31583c6e0f3b0c3a2d4415782db2ecca80cfe0c57754da180719fd39221b6e8
Instruction Fuzzy Hash: 16216DA2A3CE8A96FA00BB21FD44179E360AB54F94FC80535DA5E472E5DF3CE445C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F56B0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7752F3C6F), ref: 00007FF7752F5743
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7752F3C6F), ref: 00007FF7752F5783

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F57A8
Out of memory., xrefs: 00007FF7752F57B1
MultiByteToWideChar, xrefs: 00007FF7752F57C8
win32_utils_from_utf8, xrefs: 00007FF7752F57B8
Failed to get wchar_t buffer size., xrefs: 00007FF7752F57C1

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-306716450
Opcode ID: b7a981fb26e26d907ecda976e39adb5b6bbd8516ec14e4a57fd930b1c95056be
Instruction ID: 2437c667d5e240f53f225fb7f2d98b1e0e33406880a9d429ca4a2ff7291d9bce
Opcode Fuzzy Hash: b7a981fb26e26d907ecda976e39adb5b6bbd8516ec14e4a57fd930b1c95056be
Instruction Fuzzy Hash: 1A418E73A39B4282E620EB15B88417AB6A5FB84B94F945135DA8D47BE4DF3CE1068720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F53A0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 75COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7752F53DC

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F5451
Out of memory., xrefs: 00007FF7752F5419
MultiByteToWideChar, xrefs: 00007FF7752F53F0, 00007FF7752F5458
win32_utils_from_utf8, xrefs: 00007FF7752F5420
Failed to get wchar_t buffer size., xrefs: 00007FF7752F53E9

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 203985260-306716450
Opcode ID: ad507fd2f00d72f57f5f306e379f003d9307038b1cdee95eb0d0fa1b61fd7ff7
Instruction ID: c9e9a7a3cef0d79616e19eed76157080f0d1d79b835e23729a7d6d10118daf7b
Opcode Fuzzy Hash: ad507fd2f00d72f57f5f306e379f003d9307038b1cdee95eb0d0fa1b61fd7ff7
Instruction Fuzzy Hash: E3314F63B3CB4291EA54BF21BC4017AE691AF84FD4FC84535E94D47BE5EE2CE1018320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F54C0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F557E

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F5588
Out of memory., xrefs: 00007FF7752F5542
MultiByteToWideChar, xrefs: 00007FF7752F550E, 00007FF7752F558F
win32_utils_from_utf8, xrefs: 00007FF7752F5549
Failed to get wchar_t buffer size., xrefs: 00007FF7752F5507

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-306716450
Opcode ID: fada89fb940858c21b49de34bb2b725a169a813b03191ed1fe033f854eaf305c
Instruction ID: 25124cf47ca48a022497b0a0c1ab9d502a878f9919095ee720cbbce373a0c02e
Opcode Fuzzy Hash: fada89fb940858c21b49de34bb2b725a169a813b03191ed1fe033f854eaf305c
Instruction Fuzzy Hash: 7021B663B38A4281EB50EB29F800169E7A1EF84BD8FD80535DB5C43BB9EF2CD5418714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308684, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7753086B9

Part of subcall function 00007FF775307D34: GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307D7B

GetFullPathNameW.KERNEL32 ref: 00007FF775308743
GetLastError.KERNEL32 ref: 00007FF77530874F

Strings

., xrefs: 00007FF77530870D
:, xrefs: 00007FF7753086F9

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
String ID: .$:
API String ID: 2924719347-4202072812
Opcode ID: 850e0496f0f60e438cb9a96dea5f25ed957b8036a8123f93b34d0a85f777eaf2
Instruction ID: edfaf5ef50747e6c149fccfe992eb70346a330ea489f2ba77a1cf0874a3cd91c
Opcode Fuzzy Hash: 850e0496f0f60e438cb9a96dea5f25ed957b8036a8123f93b34d0a85f777eaf2
Instruction Fuzzy Hash: BB31A023A3C71681FA307B65941527AE292EF94F8CFC1403DEA4D867A6DE3CE4008B35

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753024AC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7753024CC
GetProcAddress.KERNEL32 ref: 00007FF7753024E2
FreeLibrary.KERNEL32 ref: 00007FF775302507

Strings

CorExitProcess, xrefs: 00007FF7753024DB
mscoree.dll, xrefs: 00007FF7753024C3

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8e47be83509a870c7da9deaf13c124d4cb932dc417ecbbf493f49e1e0bf2286c
Instruction ID: a1733c335d4da723640ba39f9af5cf9bb717185803199bb2cbb6a18db52d27aa
Opcode Fuzzy Hash: 8e47be83509a870c7da9deaf13c124d4cb932dc417ecbbf493f49e1e0bf2286c
Instruction Fuzzy Hash: 17F0AF23A39B42C1EE85AB21F480A79A361EF88F88F88143DF90F06274CE3CD445C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775310980, Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfe2a44c4d9e7a1cc84fda5b75ddb96b7ff877ba954fd8d13c39ec378f45a63
Instruction ID: 6e4ebb3b93571ed66ef18e3ea9c570d65f0e879445edc9c787a3f9fdd2084488
Opcode Fuzzy Hash: 0bfe2a44c4d9e7a1cc84fda5b75ddb96b7ff877ba954fd8d13c39ec378f45a63
Instruction Fuzzy Hash: F3A1D563A39B8247FB606B709450379A6D1AF04F98FE44A39DA6D1E7E5DF3CD4448320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753050B0, Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF7753058E3), ref: 00007FF77530510D
WideCharToMultiByte.KERNEL32 ref: 00007FF7753051E9
WriteFile.KERNEL32 ref: 00007FF77530520F
WriteFile.KERNEL32 ref: 00007FF77530524E
GetLastError.KERNEL32 ref: 00007FF775305286

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 69f6b8766e1ec0c05da9ff232bb89250459649f6ce857c3aa9cd85f7215ab13e
Instruction ID: cb7423a53bdd06a3c6cb620cfd5923adbdf1ba91df320ac56b8c7c0473b75200
Opcode Fuzzy Hash: 69f6b8766e1ec0c05da9ff232bb89250459649f6ce857c3aa9cd85f7215ab13e
Instruction Fuzzy Hash: 4C51AF33A35A518AE710DB65D8443ACB7B5BB48B8CF44813ADE0E47AA8DF38D141C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FF468, Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FF4B9

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fef81fd67bbad7b19e29c7229520ba9ad299aa7bc25be361af24c94c4b3abdd8
Instruction ID: 4282448e733c328935933a25e5139b862f4910f92aa7954b25f899f61aa26042
Opcode Fuzzy Hash: fef81fd67bbad7b19e29c7229520ba9ad299aa7bc25be361af24c94c4b3abdd8
Instruction Fuzzy Hash: 3051B7A3A3878285E760AF21B880179F7A5EF40FA4FA55235DA6E436E0DF3CD452C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307FE4, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308014

Part of subcall function 00007FF775302D94: RtlAllocateHeap.NTDLL ref: 00007FF775302DD2

MultiByteToWideChar.KERNEL32 ref: 00007FF77530804B
GetLastError.KERNEL32 ref: 00007FF775308058
MultiByteToWideChar.KERNEL32 ref: 00007FF775308090
GetLastError.KERNEL32 ref: 00007FF77530809A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide$AllocateHeap_invalid_parameter_noinfo
String ID:
API String ID: 1500607604-0
Opcode ID: 6a16453c5239338bf2938dad65af5ddac56dbb11634145a693f921c01c6c24c6
Instruction ID: 4a39c668f7a29b72cdd64eb14823066556f4e89b9cd568ffd31bc01034120f03
Opcode Fuzzy Hash: 6a16453c5239338bf2938dad65af5ddac56dbb11634145a693f921c01c6c24c6
Instruction Fuzzy Hash: B621B533A38B4285FA14BF66A80017AE696AF84FA8F940939ED5D477B5DE3CD4418320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753111D0, Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7753111F7
_set_statfp.LIBCMT ref: 00007FF775311212
_set_statfp.LIBCMT ref: 00007FF77531122E
_set_statfp.LIBCMT ref: 00007FF77531126A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 70483c2ecbfa14830419a549f5a26fbc365abcad3d11c93477ebb28505c419a0
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 38116327E38E4305F7943375D4823F581416F55B68F944B3CE97E9A5FACEACA44241E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753088EC, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308B90

Strings

UTF-16LEUNICODE, xrefs: 00007FF775308B37
UTF-8, xrefs: 00007FF775308B14
ccs, xrefs: 00007FF775308AD5

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 03018829ccc2153328cc6b4da21c157ac6a6d554b15c094cd5420836e427f9af
Instruction ID: a440274096703f7aa9382ed762edfb97f5f79132097e8184231276382a679f8f
Opcode Fuzzy Hash: 03018829ccc2153328cc6b4da21c157ac6a6d554b15c094cd5420836e427f9af
Instruction Fuzzy Hash: 33816173E3831286FB657F259540279E7A2EF11F4CF98843DCA0E43AA1DB2CE8519761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753054DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7753055C2
WriteFile.KERNEL32 ref: 00007FF7753055F5
GetLastError.KERNEL32 ref: 00007FF775305617

Strings

U, xrefs: 00007FF7753055A0

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 16f06c8ccfbfc86e4807a4ca887a357c20fd54fd588d7b33a8e0f5e64b9df96b
Instruction ID: f42f6e991a08f3c96d76e4f0ec8b5cda559ba0bf61fcd2d469a2a5c385e29aa9
Opcode Fuzzy Hash: 16f06c8ccfbfc86e4807a4ca887a357c20fd54fd588d7b33a8e0f5e64b9df96b
Instruction Fuzzy Hash: 2A41C723738B8582EB609F25E8047B9A761FB48B98F844035EE4E87794DF3CD441CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F28C0, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7752F25C1), ref: 00007FF7752F28F1

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to get executable path., xrefs: 00007FF7752F28FB
Failed to convert executable path to UTF-8., xrefs: 00007FF7752F292A
GetModuleFileNameW, xrefs: 00007FF7752F2902

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-482168174
Opcode ID: fc2ab3a8e8924eb8c88877591f41853b1f1d81f8712409f1e949cdb965f0599f
Instruction ID: a75f110613d412744c15a0b40fab12d8ad92246c3dd723509deece89f6b601d9
Opcode Fuzzy Hash: fc2ab3a8e8924eb8c88877591f41853b1f1d81f8712409f1e949cdb965f0599f
Instruction Fuzzy Hash: 440184A3B3CA4281FA21B731FC457B59295AF48F88FC00435E84E872D6EE1DE205C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530EF2C, Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EF6D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EFEA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530F03B
_get_daylight.LIBCMT ref: 00007FF77530F097

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 14f6514fccc07efd642587f22b8797253fa3456445727fcbcc00a01137e8ac2d
Instruction ID: e173298bd8682e2f355bd66408b6e92f7e1d9e4a3a9acfbb2820d037efe7d072
Opcode Fuzzy Hash: 14f6514fccc07efd642587f22b8797253fa3456445727fcbcc00a01137e8ac2d
Instruction Fuzzy Hash: 7D519D23E3C34686F3647B28954537BA682AB00F1CF99413DDA0D862F6CA6DE8429771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530697C, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7753069CF
WideCharToMultiByte.KERNEL32 ref: 00007FF775306AA1
GetLastError.KERNEL32 ref: 00007FF775306AC4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF775306AF6

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: de9b1b76107ffc4e36e154699251fde910a02da331f22f58b24d05e4ebac98cb
Instruction ID: 112ebeb926e56cec07f1c055ecf8a44175552a71cb1ef868acad6222ae2c0d91
Opcode Fuzzy Hash: de9b1b76107ffc4e36e154699251fde910a02da331f22f58b24d05e4ebac98cb
Instruction Fuzzy Hash: 5441B273B387D246FB61BB149540379E692EF80F98FA58139DA4D06AE9CF2CD8418720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530005C, Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF775300097
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF7753000D7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF77530011E
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF775300165

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 93146123df832fb0a3cc4dba1b7dcc873c99c5d43a19401494fc1aa515db7ab0
Instruction ID: b885d39a83d2fe6b48adb77ac307a1ebdca35ce461904addf07ca4aa9548a810
Opcode Fuzzy Hash: 93146123df832fb0a3cc4dba1b7dcc873c99c5d43a19401494fc1aa515db7ab0
Instruction Fuzzy Hash: 9D31A633638B8181E724EF26A94022AB6D6AFC4FD4F54423DEA9E47BA5DF3CD1018714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530AE40, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AE59
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AEBB
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AEF5
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AF1F

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 9edc2db792d9d21376ef9ea0619ad505fb68736d5120d854b1cbc6aa0d246926
Instruction ID: 99d352e28175606d1ca24df3a1b43fba3a2039aa59090fea9b24ae4a6ca54d73
Opcode Fuzzy Hash: 9edc2db792d9d21376ef9ea0619ad505fb68736d5120d854b1cbc6aa0d246926
Instruction Fuzzy Hash: 80217F62F3879181D624AF12B400429F695FB44FD4B884138EE5D57BB4DF3CD452C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775306E8C, Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306E96
SetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306EFE
SetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306F14
abort.LIBCMT ref: 00007FF775306F1A

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: e7b0baa38ac0c9798d3d3f3ad3c858776679f1c97a6a692627d759700e0e4b58
Instruction ID: 80e655521a563e4ec81cec5696b0a27b9619a99185d8d265e700ce45e7301256
Opcode Fuzzy Hash: e7b0baa38ac0c9798d3d3f3ad3c858776679f1c97a6a692627d759700e0e4b58
Instruction Fuzzy Hash: 36016D12B3978282FA58B775965593D91435F44F98F84043CE91E077FADD2EA8858320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753070F0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307154

Strings

gfffffff, xrefs: 00007FF7753073E2

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 3430f1822f04c36405762b54b44eeaf827bd1e331b9e3d180e9492761eb2a050
Instruction ID: 836da5f608387ca1bada5b491870c56f7d3af061cf810a29f8be94be75096a4d
Opcode Fuzzy Hash: 3430f1822f04c36405762b54b44eeaf827bd1e331b9e3d180e9492761eb2a050
Instruction Fuzzy Hash: 43913863B3938686EB159F2991403BCAB96AB65FC4F448135DB8D073A5DE3CE111C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307520, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307563

Strings

e+000, xrefs: 00007FF77530760B
gfff, xrefs: 00007FF77530768E

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 1420c6e68b03954d80ac3064e3232d6c0d7ba78ed617cd5a33ff68ef3d70d9d7
Instruction ID: 88e7f87d9fc6202b03a706bd8a82a3a3832d3f1728a9a0919cdbc1ea477f0c67
Opcode Fuzzy Hash: 1420c6e68b03954d80ac3064e3232d6c0d7ba78ed617cd5a33ff68ef3d70d9d7
Instruction Fuzzy Hash: 3E512963B387C546E7259B399941379AB92E740F94F88C235C79D47BE5CE2CD444C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775301AD8, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775301B02
GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7752F870A), ref: 00007FF775301B1E

Strings

C:\Users\user\Desktop\capa.exe, xrefs: 00007FF775301B0C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\capa.exe
API String ID: 3307058713-1874003804
Opcode ID: ff5da6d7611cc9ca51a162c039aaffdb221000a236729bf0b7bdddc60735fb2d
Instruction ID: 9769a1f69163e01de3aa679e2245a76e65ffbdd89dd1cf33d51cc811fe856a54
Opcode Fuzzy Hash: ff5da6d7611cc9ca51a162c039aaffdb221000a236729bf0b7bdddc60735fb2d
Instruction Fuzzy Hash: 88419F33A38B568AE715FF21D8400B9B3A6FB44F98B944039E90D43B65EF3DE4918360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307D34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307D7B
GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307DCA

Strings

:, xrefs: 00007FF775307D92

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 18de7c211564a9f149350a2b63bb75c1270d796ac043dc2aedcb485afaf31348
Instruction ID: 222ca1abc3adae6a8b8bfc8321ace02d54e63ba4ce214e5441425ca47f94808e
Opcode Fuzzy Hash: 18de7c211564a9f149350a2b63bb75c1270d796ac043dc2aedcb485afaf31348
Instruction Fuzzy Hash: 45218163A3874281FB64BB15D44427DE2A2FB88F48FC58039DA4D47694DF7CE982C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308844, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308874

Strings

:, xrefs: 00007FF77530888C

Memory Dump Source

Source File: 00000000.00000002.295576546.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000000.00000002.295569465.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295601951.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295616830.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295622986.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295630145.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: :
API String ID: 3215553584-336475711
Opcode ID: eb053fd105b0e6735f10ab4579cff1c23cded4808c5edb2da2b2a849cf3adf5a
Instruction ID: 1f19b6ef209da39eca82b8279cac7f0024ab223257e12d74b35444460ba9faa3
Opcode Fuzzy Hash: eb053fd105b0e6735f10ab4579cff1c23cded4808c5edb2da2b2a849cf3adf5a
Instruction Fuzzy Hash: 8D01626393870686F721BF60946527EF3A1EF84B4CFD00439E95E466A5DF3CD5048B25

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: capa.exe PID: 1092 Parent PID: 784 capa.exeCOMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1345
Total number of Limit Nodes:	53

Executed Functions

Function 00007FF77530E2F8, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 366
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77530E336

Part of subcall function 00007FF77530DD58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD6C

_get_daylight.LIBCMT ref: 00007FF77530E325

Part of subcall function 00007FF77530DDB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DDCC

_get_daylight.LIBCMT ref: 00007FF77530E56B
_get_daylight.LIBCMT ref: 00007FF77530E57C
_get_daylight.LIBCMT ref: 00007FF77530E58D
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77530E7ED), ref: 00007FF77530E5B4
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E64A
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E696

Strings

?, xrefs: 00007FF77530E689

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: ?
API String ID: 3440502458-1684325040
Opcode ID: 98cf3cf5574a962be9dbf170c97aa7fc4f303feb5f2d26fcdf2a950d105621fb
Instruction ID: d810e04340a827e1ee315f69ecd3c51eb29ca36a7a570360cfc642d89c05dba7
Opcode Fuzzy Hash: 98cf3cf5574a962be9dbf170c97aa7fc4f303feb5f2d26fcdf2a950d105621fb
Instruction Fuzzy Hash: 3AE1A233A387564AE764BF35E8505A9A792FF44F8CFC4423DEA4D42AA5CE3CD4429720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308ECC, Relevance: 6.4, APIs: 4, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF775308F0C
SetEnvironmentVariableA.KERNEL32 ref: 00007FF775309180
wcschr.LIBVCRUNTIME ref: 00007FF775309200
SetEnvironmentVariableW.KERNEL32 ref: 00007FF775309470

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: EnvironmentVariable$strchrwcschr
String ID:
API String ID: 2618829048-0
Opcode ID: 6d28959bd5f3fb8ccf81674802c7078c442d0da57415b48374171409777bbdc1
Instruction ID: 3f21b19a21d05d3515b2922b98acf82c07d240d9c04a3f71998780c4001b6983
Opcode Fuzzy Hash: 6d28959bd5f3fb8ccf81674802c7078c442d0da57415b48374171409777bbdc1
Instruction Fuzzy Hash: 9EF1E423A3D71681FA65BB25940467AE296AF01FA8FC5463DED2D472F1DE7DA8018320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308138, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77530822E
_get_daylight.LIBCMT ref: 00007FF77530823F
_get_daylight.LIBCMT ref: 00007FF775308250
_isindst.LIBCMT ref: 00007FF775308322

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4da19891db533d7035746201e18153e46ed09c5502f6b78b86ff90ad619a0a3f
Instruction ID: 062567c76531d2c9614d110a6439e60e01d4773eecd5c0828ea26adeecaeb7f3
Opcode Fuzzy Hash: 4da19891db533d7035746201e18153e46ed09c5502f6b78b86ff90ad619a0a3f
Instruction Fuzzy Hash: 8161E573F347118AFB28EB6495517BCA3A6AB90B9CF80413DDE1D46AE5DE3CE4058710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F8780, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7752F8789
_invalid_parameter_noinfo.LIBCMT ref: 00007FF775302678

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 5e35efb2fce74188c159bc1f695f0b0389b17fb5a0c2c9935f7394b684777968
Instruction ID: 3f278f4ea2e58d73c30ff874a20925cb3f696c7290cc1d739931122e14e2fc9e
Opcode Fuzzy Hash: 5e35efb2fce74188c159bc1f695f0b0389b17fb5a0c2c9935f7394b684777968
Instruction Fuzzy Hash: 5BE08C33E3C20B86F62833B95C560B990925F44B28FE1033EF11C812E2CD9DA4814B72

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4DA0, Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4DD0
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E5D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E70
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7752F22A1,00000000,00007FF7752F2736), ref: 00007FF7752F4E83

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Part of subcall function 00007FF7752F4F30: GetLastError.KERNEL32(00007FF7752F1A84,?,?,00000000,00007FF7752F527B), ref: 00007FF7752F4F55
Part of subcall function 00007FF7752F4F30: FormatMessageW.KERNEL32 ref: 00007FF7752F4F86

Strings

8, xrefs: 00007FF7752F4EAB
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F4E3E
Failed to get wchar_t buffer size., xrefs: 00007FF7752F4DDD
ActivateActCtx, xrefs: 00007FF7752F4E76
win32_utils_from_utf8, xrefs: 00007FF7752F4E0F
CreateActCtxW, xrefs: 00007FF7752F4E66
MultiByteToWideChar, xrefs: 00007FF7752F4DE4, 00007FF7752F4E45
Out of memory., xrefs: 00007FF7752F4E08
kernel32, xrefs: 00007FF7752F4E56

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressErrorLastProc$ByteCharFormatLibraryLoadMessageMultiWide
String ID: 8$ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$kernel32$win32_utils_from_utf8
API String ID: 1194605682-1231727188
Opcode ID: c9fcae3effe5c88577cf0ab02cef077b1cb077b86bd9d9ceffa14bd55f62eef8
Instruction ID: 2b9aa06bf40b6419e6acc8c2db59ab96daaad7ed35300bbca4953ec40e8d9da3
Opcode Fuzzy Hash: c9fcae3effe5c88577cf0ab02cef077b1cb077b86bd9d9ceffa14bd55f62eef8
Instruction Fuzzy Hash: 49418F73A38F4291E650EB25F800569A291AF84FA4FC44739E56D437E4EF7CE505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1680, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F16EA
htonl.WS2_32 ref: 00007FF7752F16F8
htonl.WS2_32 ref: 00007FF7752F1710
htonl.WS2_32 ref: 00007FF7752F1744
_fread_nolock.LIBCMT ref: 00007FF7752F1758
htonl.WS2_32 ref: 00007FF7752F1782

Part of subcall function 00007FF7752FA614: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA628

Strings

malloc, xrefs: 00007FF7752F172C
fread, xrefs: 00007FF7752F176A
Error on file., xrefs: 00007FF7752F179D
Could not read from file., xrefs: 00007FF7752F1763
Could not allocate buffer for TOC., xrefs: 00007FF7752F1725

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl$_fread_nolock_invalid_parameter_noinfo
String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
API String ID: 235321421-2332847760
Opcode ID: 454f3254f9bcd79998e0a8f561da67edb66bac9d3effc921f1c0693c72157003
Instruction ID: 3bb583920775510480d4c48b68523396d3f30811de60edab3515d9c80d9607d7
Opcode Fuzzy Hash: 454f3254f9bcd79998e0a8f561da67edb66bac9d3effc921f1c0693c72157003
Instruction Fuzzy Hash: D6314DA3F3590282EB04BB35E861678A291AF44F58FC85535D51D462E6DF3DE8818760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F20B0, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not get __main__ module's dict., xrefs: 00007FF7752F237D
Failed to unmarshal code object for %s, xrefs: 00007FF7752F24BC
Could not get __main__ module., xrefs: 00007FF7752F2350
__file__, xrefs: 00007FF7752F23F8
Name exceeds PATH_MAX, xrefs: 00007FF7752F24D3
%s.py, xrefs: 00007FF7752F23CE
__main__, xrefs: 00007FF7752F233B
Failed to execute script %s, xrefs: 00007FF7752F24A7

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID: %s.py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
API String ID: 0-2368408649
Opcode ID: d204c53941d044247a5180ebd1df279c2283194cd8908bde0656cf8e2f5301af
Instruction ID: ccf5fe8fc38138f5d87935da7fcf74d76c39e52a1d3fd0ae077caf4ac9b2d586
Opcode Fuzzy Hash: d204c53941d044247a5180ebd1df279c2283194cd8908bde0656cf8e2f5301af
Instruction Fuzzy Hash: D7517FA3A3CA4381FA24BB22BC105B9A290AF55F94FC40535ED5E867E5DE7EE0458330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3660, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F373A
htonl.WS2_32 ref: 00007FF7752F3749

Strings

marshal, xrefs: 00007FF7752F36C5
mod is NULL - %s, xrefs: 00007FF7752F3781
Failed to get _MEIPASS as PyObject., xrefs: 00007FF7752F3696
utf-8, xrefs: 00007FF7752F3684
loads, xrefs: 00007FF7752F36DE
_MEIPASS, xrefs: 00007FF7752F36B0
strict, xrefs: 00007FF7752F367D

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
API String ID: 2009864989-3336796446
Opcode ID: 5345377c511ff4bcb709f18c6a87b177923cbcec224385f9137692f6c812ff9d
Instruction ID: 22adf104c831f0ee8894c5e30489737b1f5861fc28d92219d71be24270142856
Opcode Fuzzy Hash: 5345377c511ff4bcb709f18c6a87b177923cbcec224385f9137692f6c812ff9d
Instruction Fuzzy Hash: 8F415EA2A3CA4692EA04BB21FC546B9B360AF54FA4FC44535DA1E073E4DF3CE045C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1230, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F127F
htonl.WS2_32 ref: 00007FF7752F1297
htonl.WS2_32 ref: 00007FF7752F12CC
_fread_nolock.LIBCMT ref: 00007FF7752F12DF

Strings

Cannot open archive file, xrefs: 00007FF7752F125E
Could not allocate read buffer, xrefs: 00007FF7752F12AB
Error decompressing %s, xrefs: 00007FF7752F1342
Could not read from file, xrefs: 00007FF7752F12EA

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl$_fread_nolock
String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
API String ID: 941911645-3387914768
Opcode ID: ce772da399f69a47e171bf28fad33b6cf71a1add2f07adcfae154d329bd195da
Instruction ID: bc49777a89f62cf7a1e52155f0d35589ced7085772b611de79ed111b1c1e4017
Opcode Fuzzy Hash: ce772da399f69a47e171bf28fad33b6cf71a1add2f07adcfae154d329bd195da
Instruction Fuzzy Hash: 49315EA3F3894186EB44FB26F8512ADA290EF44F84FC41431EA4D47BD6DF2DE9918750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530F1FC, Relevance: 13.8, APIs: 9, Instructions: 272
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EF6D
Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EFEA
Part of subcall function 00007FF77530EF2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530F03B
Part of subcall function 00007FF77530EF2C: _get_daylight.LIBCMT ref: 00007FF77530F097

CreateFileW.KERNEL32 ref: 00007FF77530F2FD
CreateFileW.KERNEL32 ref: 00007FF77530F359
GetLastError.KERNEL32 ref: 00007FF77530F38D
GetFileType.KERNEL32 ref: 00007FF77530F3A2
GetLastError.KERNEL32 ref: 00007FF77530F3AC
CloseHandle.KERNEL32 ref: 00007FF77530F3DF
CloseHandle.KERNEL32 ref: 00007FF77530F538
CreateFileW.KERNEL32 ref: 00007FF77530F570
GetLastError.KERNEL32 ref: 00007FF77530F57F

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 94e77a5ab00acea8316dcb4216f651764611d223c5e17019bd45a1d74c5b97d9
Instruction ID: b262fe135baa1b00cc1999b0003e440d6b7f72e3f406b22f08c9c1b3b5135ecc
Opcode Fuzzy Hash: 94e77a5ab00acea8316dcb4216f651764611d223c5e17019bd45a1d74c5b97d9
Instruction Fuzzy Hash: BFC1CF37B38B458AEB50EB65D4813AC7762E749BA8F411239DE2E573A5CF38D016C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F879C, Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7752F87B0

Part of subcall function 00007FF7752F8C00: __isa_available_init.LIBCMT ref: 00007FF7752F8C1D
Part of subcall function 00007FF7752F8C00: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF7752F8C22

__scrt_fastfail.LIBCMT ref: 00007FF7752F87BE

Part of subcall function 00007FF7752F8F84: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7752F8FA0
Part of subcall function 00007FF7752F8F84: RtlCaptureContext.KERNEL32 ref: 00007FF7752F8FC9
Part of subcall function 00007FF7752F8F84: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7752F8FE3
Part of subcall function 00007FF7752F8F84: RtlVirtualUnwind.KERNEL32 ref: 00007FF7752F9024
Part of subcall function 00007FF7752F8F84: IsDebuggerPresent.KERNEL32 ref: 00007FF7752F9078
Part of subcall function 00007FF7752F8F84: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7752F9099
Part of subcall function 00007FF7752F8F84: UnhandledExceptionFilter.KERNEL32 ref: 00007FF7752F90A4

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7752F87CC
__scrt_fastfail.LIBCMT ref: 00007FF7752F87E3
__scrt_release_startup_lock.LIBCMT ref: 00007FF7752F8840
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7752F8856
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF7752F8886
__scrt_is_managed_app.LIBCMT ref: 00007FF7752F88BB
__scrt_uninitialize_crt.LIBCMT ref: 00007FF7752F88D9

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 0ea756166d5b87cd1bfdb098556d8ac3a628f481564c44a76635cea29ace2841
Instruction ID: 2baf9d6435f16e31b850af2f5ff7df41108ab548725e52ddb218b7190c07a003
Opcode Fuzzy Hash: 0ea756166d5b87cd1bfdb098556d8ac3a628f481564c44a76635cea29ace2841
Instruction Fuzzy Hash: 763127A3E3864781FA54BB61B8117B9E391AF45F88FC40539EA0D272E7DE2DA4048370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530E548, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77530E56B

Part of subcall function 00007FF77530DDB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DDCC

_get_daylight.LIBCMT ref: 00007FF77530E57C

Part of subcall function 00007FF77530DD58: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD6C

_get_daylight.LIBCMT ref: 00007FF77530E58D

Part of subcall function 00007FF77530DD88: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77530DD9C

Part of subcall function 00007FF775302D54: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D6A
Part of subcall function 00007FF775302D54: GetLastError.KERNEL32(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D7C

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77530E7ED), ref: 00007FF77530E5B4
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E64A
WideCharToMultiByte.KERNEL32 ref: 00007FF77530E696

Strings

?, xrefs: 00007FF77530E689

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorInformationLastPrivilegeReleaseTimeZone
String ID: ?
API String ID: 382489769-1684325040
Opcode ID: bf6c319ca74a460b93276a967d99e65ea2239855b2081e6dacb05eb38a823e8c
Instruction ID: 6541c2d604af0f78f9a3abb46fd776a2542884a49f7bb203ab056b386cb5eb7b
Opcode Fuzzy Hash: bf6c319ca74a460b93276a967d99e65ea2239855b2081e6dacb05eb38a823e8c
Instruction Fuzzy Hash: CF615F33A38B5686E760AF21E8405A9B6A5FF44F98FC4023DE94D46AB5DF3CD441C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1040, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32 ref: 00007FF7752F105B
htonl.WS2_32 ref: 00007FF7752F1099
htonl.WS2_32 ref: 00007FF7752F10AA

Strings

Error %d from inflateInit: %s, xrefs: 00007FF7752F10F9
Error allocating decompression buffer, xrefs: 00007FF7752F106F
1.2.11, xrefs: 00007FF7752F10B9
Error %d from inflate: %s, xrefs: 00007FF7752F10F0

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
API String ID: 2009864989-3188157777
Opcode ID: ce740e0d448c2510380f72cfbbad9cb782c00fcc9200d90af77ecd5f7d4d1448
Instruction ID: 2ff38584f4054d564972e934c262fb4b3ed2bd6ec7b0efac6aabd759838c47e0
Opcode Fuzzy Hash: ce740e0d448c2510380f72cfbbad9cb782c00fcc9200d90af77ecd5f7d4d1448
Instruction Fuzzy Hash: 4A217163B38A8182E750EB21F85066AE364FB84B80FC44135EA8D836D5EF3DE51187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4F30, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00007FF7752F1A84,?,?,00000000,00007FF7752F527B), ref: 00007FF7752F4F55

Part of subcall function 00007FF7752F55C0: WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

FormatMessageW.KERNEL32 ref: 00007FF7752F4F86

Strings

No error messages generated., xrefs: 00007FF7752F4F90
FormatMessageW, xrefs: 00007FF7752F4F97
PyInstaller: FormatMessageW failed., xrefs: 00007FF7752F4FA3
An attempt to set the process default activation context failed because the process default activation context was already set., xrefs: 00007FF7752F4FCD, 00007FF7752F4FE5
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7752F4FDC

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: An attempt to set the process default activation context failed because the process default activation context was already set.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
API String ID: 1653872744-3426200897
Opcode ID: b8a0dbb53044ca0af52369f0239c0678ca3d6db094299114c4ddc91301e777fc
Instruction ID: c57cb83e22c8270d646470bf15841c46c6a31b4ed4473f4136e4989c4059ea6b
Opcode Fuzzy Hash: b8a0dbb53044ca0af52369f0239c0678ca3d6db094299114c4ddc91301e777fc
Instruction Fuzzy Hash: 2E112162B38A4291FE20BB21FC55775A351BB84B48FC04539EA4D526A5DF6CD205C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304698, Relevance: 10.8, APIs: 7, Instructions: 294
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775304ADD

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5776a65c22e16d02f712de46bb2d1e573785635928616c464c05c2e1296c6dd4
Instruction ID: 6885eb026cc10ad6f54cfdc3eb6903ce30ed3ec767ae5b81d8717ab02e841a34
Opcode Fuzzy Hash: 5776a65c22e16d02f712de46bb2d1e573785635928616c464c05c2e1296c6dd4
Instruction Fuzzy Hash: 4AC10423E3C79681FA60AF15940067EAB52BF80F98F95413DEA4E037B5CE3DE9418321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1130, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF7752F115F

Part of subcall function 00007FF7752FA8C0: fread_s.LIBCMT ref: 00007FF7752FA8D3

_fread_nolock.LIBCMT ref: 00007FF7752F119A
_fread_nolock.LIBCMT ref: 00007FF7752F11C2
_fread_nolock.LIBCMT ref: 00007FF7752F1209

Strings

Z, xrefs: 00007FF7752F116F
M, xrefs: 00007FF7752F1164

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _fread_nolock$fread_s
String ID: M$Z
API String ID: 184871262-4250246861
Opcode ID: 681e0f7eb8e1f7d72c085a2733f8226feaba63c24344ffad9f6caf46f21aef85
Instruction ID: fb361176c4ee19ea596e7874762489bca6eb9b2737fde1b4dab4cab9da860bd0
Opcode Fuzzy Hash: 681e0f7eb8e1f7d72c085a2733f8226feaba63c24344ffad9f6caf46f21aef85
Instruction Fuzzy Hash: 3821C1A3B3809142E790AB65F8417AEB311DB85B94FC46131F64A87AD9CF3DD485CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1000, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF7752F2598

Part of subcall function 00007FF7752FF01C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775308507

Strings

_MEIPASS2, xrefs: 00007FF7752F25F1, 00007FF7752F2605, 00007FF7752F2767, 00007FF7752F2777
Cannot open self %s or archive %s, xrefs: 00007FF7752F2646

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfosetbuf
String ID: Cannot open self %s or archive %s$_MEIPASS2
API String ID: 3262704042-930416966
Opcode ID: ccd2e5c092089b647195b388c711b595fa174e98de04c04d0e6bb0f3b5d648fa
Instruction ID: bbc73cda1b9f851284f55a2ed394169c002d1299dba97678f40f9be4ff1e738a
Opcode Fuzzy Hash: ccd2e5c092089b647195b388c711b595fa174e98de04c04d0e6bb0f3b5d648fa
Instruction Fuzzy Hash: 1771AFA3F3C68241FA25BB31BD552B9E291AF86F84FC04035EA4D476C6EF2DE5058720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E825AC0, Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__security_init_cookie.LIBCMT ref: 00007FFB4E825AE8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E825B1F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E825B71

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast$__security_init_cookie
String ID:
API String ID: 2222513578-0
Opcode ID: c3e7074efad15977f4e3a3c8442241630d340eba2914056a073fc8d585d04f47
Instruction ID: 3d98952595b52a2784940a30ab932c5a0b874b7d904cbb6a1a5ed033b39acfb4
Opcode Fuzzy Hash: c3e7074efad15977f4e3a3c8442241630d340eba2914056a073fc8d585d04f47
Instruction Fuzzy Hash: 3851B1F0E4C24346FE657F35DB9517963869F987A0F184634D82E076E7EE2DB8408603

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82C450, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB4E81D6A0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5,?,?,?,?,00007FFB4E82727A,?,?,?), ref: 00007FFB4E81D6E8

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FFB4E82EDBE,?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E865BD8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00007FFB4E82EDBE,?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E865BEE

Strings

InitializeCriticalSectionEx, xrefs: 00007FFB4E865BE4

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressAllocateCountCriticalHeapInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 3806826319-3084827643
Opcode ID: f776607fc57b2577290c7518d0472cbbe6ab835a75945ad4174965dfc93fd30d
Instruction ID: c8ae1976b1dfb33ecaf3fdaeb159d777e8183c1c116731c643ff33857a0e5117
Opcode Fuzzy Hash: f776607fc57b2577290c7518d0472cbbe6ab835a75945ad4174965dfc93fd30d
Instruction Fuzzy Hash: B041AFA6B1CB4282EE14AF79E6502B933A0FB697A0F884775DA6D477C4DF3CE4558300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304F38, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF775304FAA
GetFileType.KERNEL32 ref: 00007FF775304FC0

Strings

@, xrefs: 00007FF775304FEB

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 389bad43a172148e3040aaa87e21bd5ad1a100d1e02fc8b3de48582e2566aa7a
Instruction ID: deaa1725002d5976e9e89f76ffe7e705d4d4d268c86879a8592f8d81d63e29af
Opcode Fuzzy Hash: 389bad43a172148e3040aaa87e21bd5ad1a100d1e02fc8b3de48582e2566aa7a
Instruction Fuzzy Hash: 7521D423E38B4281EB609B25D49013DA656EB85F78F68133ED66E177F4CE39D981C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FE9D4, Relevance: 4.6, APIs: 3, Instructions: 137pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7752FEA06
GetLastError.KERNEL32 ref: 00007FF7752FEB39
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000030,?,?,00007FF7752FE8F9), ref: 00007FF7752FEB83

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 1388729460-0
Opcode ID: ae086db5dce6567d77cd189c1a56c6ff2696c0a9e0519a99cfd446dcb3e71c27
Instruction ID: 7a1034b3322ffc974192f94b9dedb133ec1ae5dd433ae67e87861acb5616f252
Opcode Fuzzy Hash: ae086db5dce6567d77cd189c1a56c6ff2696c0a9e0519a99cfd446dcb3e71c27
Instruction Fuzzy Hash: 9351BE63A3860199FB91EB71E8403ADA3A1BB44F68F904639DE2E477D8DF38D4058360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FE814, Relevance: 4.6, APIs: 3, Instructions: 122fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FE84C
CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEFFE), ref: 00007FF7752FE8D9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEFFE), ref: 00007FF7752FE92E

Part of subcall function 00007FF7752FE9D4: GetFileType.KERNEL32 ref: 00007FF7752FEA06

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: File$CloseCreateHandleType_invalid_parameter_noinfo
String ID:
API String ID: 1405040552-0
Opcode ID: bc1ba50430883b8cb21bd9b33c3fbdc26f60637890f45cbae15871a2645750c7
Instruction ID: eb79a0020575fa004ae95ac26e9cb7674d80e6ca203b054d151c5cdcf2f12cc5
Opcode Fuzzy Hash: bc1ba50430883b8cb21bd9b33c3fbdc26f60637890f45cbae15871a2645750c7
Instruction Fuzzy Hash: 6351D86393875146F7A1AF35A9412B9A361BF44B68F404339EEAD026E6DF3CE1818720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FEBBC, Relevance: 4.6, APIs: 3, Instructions: 50timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEBF0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEC04
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7752FEA93), ref: 00007FF7752FEC51

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific
String ID:
API String ID: 2674341965-0
Opcode ID: 5d0d8b0fb7a661a46ad7d7f6a202102ccd82ac6a45957635c740415b5c2c7d80
Instruction ID: 7e19019754e90e1e59d6b83638b1e4f31675ceec3f9a24c502fdb6d2dffca4db
Opcode Fuzzy Hash: 5d0d8b0fb7a661a46ad7d7f6a202102ccd82ac6a45957635c740415b5c2c7d80
Instruction Fuzzy Hash: 2B116F63F38A1299FB50AB71A8011BDA2A1AB04F78F900739FE7E556E4DF3C91509720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E826980, Relevance: 3.8, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E8269A7
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E8269EC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E826A3E

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 18858fb757fcb098391d8d9e7eda50efaf63ce4cd7b9666bbb3bedfa5a4dfac6
Instruction ID: 83d93535c5fbc79b6befd812ae27003ec69fb534d787acc849a77d7e3451eae7
Opcode Fuzzy Hash: 18858fb757fcb098391d8d9e7eda50efaf63ce4cd7b9666bbb3bedfa5a4dfac6
Instruction Fuzzy Hash: 2B215CE0F0D24382FE69BF34DB9517963569F987A0F144B38D42F066E7EE2DB4419202

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA640, Relevance: 3.2, APIs: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA67C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA7B2

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 823bafda329df74482e6d3d6b580ef2d4331e61762fd0252eb0f318bdb23a630
Instruction ID: b8e067d325be36f62fd80c26bda5018abf388961ab43b6a32af76412dada4404
Opcode Fuzzy Hash: 823bafda329df74482e6d3d6b580ef2d4331e61762fd0252eb0f318bdb23a630
Instruction Fuzzy Hash: B061F6A3F3924242FAA4BB25BC0067AE2D1AF84FA8F945635DD2D437D5CF3CE4018620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82C248, Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFB4E82C2AA
GetFileType.KERNEL32 ref: 00007FFB4E82C2C0

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: eee8f73989da7d542739bcc425482394b708f36621f146e7172249e724927a21
Instruction ID: 7a715873be793d017b48999f4ccfb21426d8f27f670290447ac63dbacad01ede
Opcode Fuzzy Hash: eee8f73989da7d542739bcc425482394b708f36621f146e7172249e724927a21
Instruction Fuzzy Hash: 8C31C166A1CB4299EF60AF34C6901782750FBA5BA0F681779DB6E073E0CF38E461C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753094AC, Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF775309574

Part of subcall function 00007FF775302E54: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF775306F1F,?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775302E7A

Part of subcall function 00007FF775303B90: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303B99
Part of subcall function 00007FF775303B90: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303BBD

abort.LIBCMT ref: 00007FF775309590

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FeaturePresentProcessorabort$CurrentProcess
String ID:
API String ID: 1017773387-0
Opcode ID: 8213f4f6f16c095bf7a3dae3c5d0e23ee83f1b9614dc17ef8cdb2b243d427516
Instruction ID: 03bc3a89904a5a8e15efb10376f1ea80eb00ab47d2471906d81d3d0cb2997091
Opcode Fuzzy Hash: 8213f4f6f16c095bf7a3dae3c5d0e23ee83f1b9614dc17ef8cdb2b243d427516
Instruction Fuzzy Hash: 7A21E533A3874641FB58AF21D15137AE292EF40B58F904639EB6D43AE2DF3DE4518310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303DC8, Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,00007FF775303CFB,?,?,00000000,00007FF775303DA3,?,?,?,?,?,?,00007FF7752FA54A), ref: 00007FF775303E2B
GetLastError.KERNEL32(?,?,?,00007FF775303CFB,?,?,00000000,00007FF775303DA3,?,?,?,?,?,?,00007FF7752FA54A), ref: 00007FF775303E35

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 778a3c09fa1dd90e13589cf629af938a2dbac6398b58ccee1053262a714e0a20
Instruction ID: 90e22e615f2766d90bd87e7d7eb4a700e1b47501b247fb9450a1b9da56691be6
Opcode Fuzzy Hash: 778a3c09fa1dd90e13589cf629af938a2dbac6398b58ccee1053262a714e0a20
Instruction Fuzzy Hash: 60116D13B3C74A41FEA4776596903B995839F84F6CF94023ED92E472F2DE6CA4418321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775301FF4, Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF775302D54: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D6A
Part of subcall function 00007FF775302D54: GetLastError.KERNEL32(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D7C

WideCharToMultiByte.KERNEL32 ref: 00007FF77530203D
WideCharToMultiByte.KERNEL32 ref: 00007FF77530207F

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastPrivilegeRelease
String ID:
API String ID: 197855498-0
Opcode ID: b676a9c56ab3fce82a7f767931681d1f02ec3d35f8711123a12a47506c1c527f
Instruction ID: 9d5f90a5cbac2b091a9842db0784c98426808390af5f291d851bdc0a33add1a9
Opcode Fuzzy Hash: b676a9c56ab3fce82a7f767931681d1f02ec3d35f8711123a12a47506c1c527f
Instruction Fuzzy Hash: 7721A123A38B4281E764AB25E40077AA292AB84B68F58433DFA9E466E4CF7DD4418710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E81D6A0, Relevance: 3.0, APIs: 2, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5,?,?,?,?,00007FFB4E82727A,?,?,?), ref: 00007FFB4E81D6E8

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 318c41f52048fdfd736c5ea037d0aa66eaeda29f0ce7969596829f767011627f
Instruction ID: fb64c3c597e3bc64765fea43e80d31de5558ac670c8297002346ebc748b0939c
Opcode Fuzzy Hash: 318c41f52048fdfd736c5ea037d0aa66eaeda29f0ce7969596829f767011627f
Instruction Fuzzy Hash: 45119EE0A1C78281FEA4AF79DA102766390AF88B90F485634E95E873D2DF3CB4008700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530AF44, Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF775301D66,?,?,00000000,00007FF775301CBA,?,?,00000000,00007FF77530220D), ref: 00007FF77530AF58
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF775301D66,?,?,00000000,00007FF775301CBA,?,?,00000000,00007FF77530220D), ref: 00007FF77530AFBD

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 5a4766e258c21f9749084ef556a1df9b876b2828890fd243eff4cf4ddd0ffbba
Instruction ID: a893da6eed84ca0092f969d4e1b71c3f83698f7288f7b97c0dd14716eebf78bd
Opcode Fuzzy Hash: 5a4766e258c21f9749084ef556a1df9b876b2828890fd243eff4cf4ddd0ffbba
Instruction Fuzzy Hash: 9F018823A78B4185DE14BF12A81106EA761EF44FE4BC84239EA6E077E5DE3CE4528760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304DA0, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000000,00007FF7753057DA,?,?,?,?,?,?,?,?,?,?,?,00007FF7753056FC), ref: 00007FF775304DE4
GetLastError.KERNEL32(?,?,00000000,00007FF7753057DA,?,?,?,?,?,?,?,?,?,?,?,00007FF7753056FC), ref: 00007FF775304DEE

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3f618aa852ef03ee9e46fb75688df8ae4c709de799a95981d989ce0338ee6fe8
Instruction ID: 2dddbeebb38c1c93239a5d2893d1ae99203146e1e2e1011b455635ee9480759e
Opcode Fuzzy Hash: 3f618aa852ef03ee9e46fb75688df8ae4c709de799a95981d989ce0338ee6fe8
Instruction Fuzzy Hash: BB01C823B38B4281EE50AB25B844079A251AF80FB8F94533AE93E0B7F5DE3CD4528310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302D54, Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D6A
GetLastError.KERNEL32(?,?,00000000,00007FF775306F6F,?,?,?,00007FF775303C99,?,?,?,?,00007FF775302F13,?,?,00000000), ref: 00007FF775302D7C

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 35b0a468ca9a8a406ef906924cc6c5e30a93088b65578c218f1489adacd4d72b
Instruction ID: 06a3e27543f16feb9d60f52c9d0f2bd3ff92eaec58b8e12d04214134b0078211
Opcode Fuzzy Hash: 35b0a468ca9a8a406ef906924cc6c5e30a93088b65578c218f1489adacd4d72b
Instruction Fuzzy Hash: 58E08613F3D70B92FF04B7F3980457892925F44F4DB84443CE80D86271ED2C64824360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82C3A8, Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82C21C), ref: 00007FFB4E82C3D4
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82C21C), ref: 00007FFB4E82C429

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7233684e7e15e1c1cfdcd61b63e67b0c8eba7bd2c3e05db23ae2a8c86271fff2
Instruction ID: a4c5c415bdb3403a2a08393a79250c02173a239333abb2eb15235c9434d82b29
Opcode Fuzzy Hash: 7233684e7e15e1c1cfdcd61b63e67b0c8eba7bd2c3e05db23ae2a8c86271fff2
Instruction Fuzzy Hash: A31155B6E0CB4292EB50AF34EA4013A63A4FFA4784F840871DA9D832E1DF7CF8418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82C200, Relevance: 2.5, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFB4E82C20D

Part of subcall function 00007FFB4E82C3A8: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82C21C), ref: 00007FFB4E82C3D4
Part of subcall function 00007FFB4E82C3A8: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82C21C), ref: 00007FFB4E82C429

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFB4E82C233

Part of subcall function 00007FFB4E82C34C: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFB4E82C36C

Part of subcall function 00007FFB4E82C248: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFB4E82C2AA
Part of subcall function 00007FFB4E82C248: GetFileType.KERNEL32 ref: 00007FFB4E82C2C0

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FileHandleInfoStartupType
String ID:
API String ID: 2762830733-0
Opcode ID: 9dda03ad6d8e223157430abf8feaeb190acfa707eeab3e1a2251fc1e3fd0cdac
Instruction ID: fe5a74940c5eeafd96e159a2f2fe3847779a40d9836a7534bf9d990da88c9462
Opcode Fuzzy Hash: 9dda03ad6d8e223157430abf8feaeb190acfa707eeab3e1a2251fc1e3fd0cdac
Instruction Fuzzy Hash: 17E012E4E1C94295FF24BFB0EE560B913509F79342F8014B5C51DC11E1DE2CB5DA9722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304B00, Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775304B2B

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0d76081a123f6e9ce46771bcb4fea71892b90824aaa2a636e7a0c554a4aed144
Instruction ID: 7cfc0c946c466ffcd439021f97ed71227122e281b018ab4bdcab28b6756cdbff
Opcode Fuzzy Hash: 0d76081a123f6e9ce46771bcb4fea71892b90824aaa2a636e7a0c554a4aed144
Instruction Fuzzy Hash: D8519D33A347458AEB18AF25D8502B97B61FB84F98F450939EA5E037A4CF39D951C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FAC70, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FAC91

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2c2c13596a5037e6d2d42df1c8249db59ca4a6e953e68e4d0548ec9288c0af8f
Instruction ID: c6ff285db4f91588123a00198915b31cb02d1bbbab8f6dcc2e937ef4652df693
Opcode Fuzzy Hash: 2c2c13596a5037e6d2d42df1c8249db59ca4a6e953e68e4d0548ec9288c0af8f
Instruction Fuzzy Hash: A441F2A3A3874986EB94EF25E840679B760EB84F84F816136DE4E073E5CF2CE441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753099FC, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775309A46

Part of subcall function 00007FF775303B90: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303B99
Part of subcall function 00007FF775303B90: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303BBD

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID:
API String ID: 4036615347-0
Opcode ID: 629d900129e4e60f7f7fddd2522ca5b24a351df7c51ccbd4b44b209d93781942
Instruction ID: c26406feb41a38de91fdbf1050771185aab0a96d55ab8b35de86e49318a2e50d
Opcode Fuzzy Hash: 629d900129e4e60f7f7fddd2522ca5b24a351df7c51ccbd4b44b209d93781942
Instruction Fuzzy Hash: 2921F623B3DB2242FB15BB11551023AE692AF40FE8F954539DE5C47BE6DE3CE8024320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304580, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530467C

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a273ec983798f05df9125b728d669bfa6ab2f0a19c58609746e5ab9c4fb55a25
Instruction ID: 1c52a665c6589382907439cc57493fcd6b53bde19a9d09c67bcf92ae224fdba8
Opcode Fuzzy Hash: a273ec983798f05df9125b728d669bfa6ab2f0a19c58609746e5ab9c4fb55a25
Instruction Fuzzy Hash: 2231A063E3832A89F6417B619805279A692AF40F68FD2453DD92D473F2EE7CE5418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1480, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7752F14CF

Part of subcall function 00007FF7752FA8C0: fread_s.LIBCMT ref: 00007FF7752FA8D3

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _fread_nolockfread_s
String ID:
API String ID: 3465328306-0
Opcode ID: 5206374ea3666e557e63d57f0439fbc2242e3d2938253aeaa9f65f7cca27b994
Instruction ID: 3f69c1303ca739e3a962a95e212b223192a806182df699b53fa65931b7154973
Opcode Fuzzy Hash: 5206374ea3666e557e63d57f0439fbc2242e3d2938253aeaa9f65f7cca27b994
Instruction Fuzzy Hash: 55316423B28A8583EB20DF34D5012A9A360FB99B48F859635DF8D53656EF38E195C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775304CB0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255286e02a416fb80ba2a45fb124a5764a5af857cba7ce528a94b7f44b4e606
Instruction ID: 78ec49f401c66cdabc38c7fbffd5a1c066ac6c251ae6bfd16e772a6ae60c4393
Opcode Fuzzy Hash: e255286e02a416fb80ba2a45fb124a5764a5af857cba7ce528a94b7f44b4e606
Instruction Fuzzy Hash: 4721DE23E3835646F651BF11A944239A652AB80FB8F95063DED2D073E3CE3CE4418720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FF45C, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FF3B1

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 72812ab1d589848553df9a3627f37fc48297ceacbb545af0eee9de262716b331
Instruction ID: 6c87134af481bf87647909874f16769499b79deecfa961c18bfc85191750c842
Opcode Fuzzy Hash: 72812ab1d589848553df9a3627f37fc48297ceacbb545af0eee9de262716b331
Instruction Fuzzy Hash: EE21C563A3C38682EA15BF11A90027EE2A1BF44F84F944035EB4C977D6DF3CD8428760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530EBB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EBE8

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 76e0514b73e48b7281084e3381d47d48c0f700110335b6d02748d3a549e52ce9
Instruction ID: b8015869e41f8647e5ffe8c7f572a761f0062968249f7ba503dc9b488150468c
Opcode Fuzzy Hash: 76e0514b73e48b7281084e3381d47d48c0f700110335b6d02748d3a549e52ce9
Instruction Fuzzy Hash: 5821B73373874647D765AF24E54037AB6A2AB80FA8F54423CDA5E866F5DF2DD8008B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E827080, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: __vcrt_initialize_locks__vcrt_initialize_winapi_thunks
String ID:
API String ID: 2444027679-0
Opcode ID: 450ea96961e62ed40d3aad1aecf0b89c8dee2d94369f83a30c896f58da448054
Instruction ID: d5498c78d86d1a6b8cdb677b61a4f23c74f3f38300d328b3c3f3ea1447951ea1
Opcode Fuzzy Hash: 450ea96961e62ed40d3aad1aecf0b89c8dee2d94369f83a30c896f58da448054
Instruction Fuzzy Hash: C71191A1E0C70241FEA16F35E6003B963A0AF44B94F580639D56C0A3D5DF3CF845C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303D24, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bde30c0e19591bf27cbf6c80c6ad9874960969efd5f38449a937b98a5a748e7
Instruction ID: 8f569dab23481aa8d69069689f2351b1a897c84a4f5125f7ee32bd71e86bb180
Opcode Fuzzy Hash: 9bde30c0e19591bf27cbf6c80c6ad9874960969efd5f38449a937b98a5a748e7
Instruction Fuzzy Hash: BC114F63938B4A96E645BF54E6442ADF762EB80B68FD0413AD64D066F5CF7CD0058B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA4F8, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA515

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 153676469643f3066e400d0bd69a445c36bcc5e2553dc5f828bc71764817f806
Instruction ID: a980f8817dcb6194c424a77a738fe68b565e4575acda84047683ff38e3f042d3
Opcode Fuzzy Hash: 153676469643f3066e400d0bd69a445c36bcc5e2553dc5f828bc71764817f806
Instruction Fuzzy Hash: 87018463E3820641FE58BB79A91137991919F40F68FA51335E92D872E2DE2DE8418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302EAC, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF775306EC5,?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775302F01

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a62c9982f3dd2203348fa0e8b84adfd5892d1915442a604536a1a95da6cdd961
Instruction ID: e1b62aa1ff5637bdc6a9212fafbc68e581ecd7df5a7472f4e3d433245cf02516
Opcode Fuzzy Hash: a62c9982f3dd2203348fa0e8b84adfd5892d1915442a604536a1a95da6cdd961
Instruction Fuzzy Hash: 66F04942B3970681FE647762D851AB5E2820F88F88F980838E90E866E2DE1DE4818330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA57C, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA5A5

Part of subcall function 00007FF7752FA4F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA515

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 05b2ef034e02f3c4ecdd2f2217128cd5f5b53d149360704b61a5809def32f19d
Instruction ID: fddb6a8c8a0c92c03559aaa4b32620244f3ab00ce410bbe1f4da21a63e31f9c5
Opcode Fuzzy Hash: 05b2ef034e02f3c4ecdd2f2217128cd5f5b53d149360704b61a5809def32f19d
Instruction Fuzzy Hash: 02F090A3E3C20742EA44B7B9B91117AA2819F40B94FE46130EA1E862D6DF2CE8418730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FA988, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FA9B4

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 319c056ec18a667aed709a61f47591d97028b07b74352a83101b19db1f2445c3
Instruction ID: 47018f429ae288f7bf23d4cbdb66f950d32d83ca059134bb8e925aca754d6906
Opcode Fuzzy Hash: 319c056ec18a667aed709a61f47591d97028b07b74352a83101b19db1f2445c3
Instruction Fuzzy Hash: C4F09062B3824242EB90B765BD8212EE291AF44FD4F956131EA1D876D6CF2CD8408720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FAC04, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FAC25

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f01cfeb65208a6553f9345d451597099b925dd753397887adba98e7ec8bda9b1
Instruction ID: d1ac0d367267fc3616a5dddd8bbc907e68d2f8f2d2a27397756cc0386e068276
Opcode Fuzzy Hash: f01cfeb65208a6553f9345d451597099b925dd753397887adba98e7ec8bda9b1
Instruction Fuzzy Hash: EDF0B473E3860A42F681BB70BD4117AA2809F40F74F951630F52E863D2DF2CE8404730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775302D94, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF775302DD2

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c21a571bc974b5bb7657bd3a9d239b3753710b7898264d10f2d3b29b2a2ddd20
Instruction ID: 414cb2af2fccb414e5fd8453b63fd1af1ae5a0eb2f454d093bff409bd1c86295
Opcode Fuzzy Hash: c21a571bc974b5bb7657bd3a9d239b3753710b7898264d10f2d3b29b2a2ddd20
Instruction Fuzzy Hash: D9F05E03A3C70688FA5477629910A7591824F84FA8F880638EC3E852E2DE5DEC828330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4BE0, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

LoadLibraryW.KERNEL32(?,?,00000000,00007FF7752F20BE,00000000,00007FF7752F273E), ref: 00007FF7752F4C03

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: d7466ab7008f6f851fc1d18b736b67e877e2028b22a00acc304815d0dc4ac886
Instruction ID: 55b03816b33595241f415720ecd1f2c0cc293b1305f38d0b444077883026b64b
Opcode Fuzzy Hash: d7466ab7008f6f851fc1d18b736b67e877e2028b22a00acc304815d0dc4ac886
Instruction Fuzzy Hash: 2DE08652B3454182EE58A777B94546AE1519F88FC0B889135AE0D07755DD2CD4908A10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4E81F590, Relevance: 42.5, APIs: 11, Strings: 13, Instructions: 485COMMON

Download Yara Rule

Strings

GetLocaleInfoEx, xrefs: 00007FFB4E861AC6
AreFileApisANSI, xrefs: 00007FFB4E8618B2
IsValidLocaleName, xrefs: 00007FFB4E86197B, 00007FFB4E861A85, 00007FFB4E861B8F, 00007FFB4E861C14, 00007FFB4E861C55, 00007FFB4E861C99, 00007FFB4E861DA3
GetDateFormatEx, xrefs: 00007FFB4E861A41
GetTimeFormatEx, xrefs: 00007FFB4E861B4B
RoInitialize, xrefs: 00007FFB4E861A00, 00007FFB4E861B0A
GetUserDefaultLocaleName, xrefs: 00007FFB4E861BD0
CompareStringEx, xrefs: 00007FFB4E861937
LCMapStringEx, xrefs: 00007FFB4E861CDA
EnumSystemLocalesEx, xrefs: 00007FFB4E8619BC
LCIDToLocaleName, xrefs: 00007FFB4E861D5F
AppPolicyGetThreadInitializationType, xrefs: 00007FFB4E8618F6
LocaleNameToLCID, xrefs: 00007FFB4E861DE3

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID:
String ID: AppPolicyGetThreadInitializationType$AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID$RoInitialize
API String ID: 0-3669283627
Opcode ID: aa9863484c43c3b6259bd1f8d7ecb00001c615452c54908bcbd4b10aa700be4d
Instruction ID: 5aa58bc89406ddb39b55dac11fe302de316cf8cc1c2ecfb2782a940d77208499
Opcode Fuzzy Hash: aa9863484c43c3b6259bd1f8d7ecb00001c615452c54908bcbd4b10aa700be4d
Instruction Fuzzy Hash: A5123ED5B0DA0342FE59BF3DEA501B563D2AF597C4B48553ADC0D8B3A5EE2CF4458240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E81C9E0, Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 364COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CB02
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CB68
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CBC2
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CC08
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CC0E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CC54
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CC5A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E81CCA5

Strings

FlsGetValue, xrefs: 00007FFB4E860BF8, 00007FFB4E860C8A, 00007FFB4E860D15, 00007FFB4E860D9D
LCMapStringEx, xrefs: 00007FFB4E81CB28

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID: FlsGetValue$LCMapStringEx
API String ID: 1452528299-552164261
Opcode ID: d03caf122d54fc25fb3a90e69bfa22fc2c78a19ab08f9612c642a6d525d53735
Instruction ID: 147f41edb82306aecd94334ed1634c08941259c40c86f4e50283429391b06fb4
Opcode Fuzzy Hash: d03caf122d54fc25fb3a90e69bfa22fc2c78a19ab08f9612c642a6d525d53735
Instruction Fuzzy Hash: E1E17CE5B0CB4286EE59BF79EA501B863A1AF59B84F444176DE4E97391EF3CF8448300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4150, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F41E6
GetCurrentProcessId.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F41EC

Part of subcall function 00007FF7752F4360: GetEnvironmentVariableW.KERNEL32(00007FF7752F2605), ref: 00007FF7752F439A
Part of subcall function 00007FF7752F4360: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7752F43B7

Part of subcall function 00007FF7753001A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7753001C1

SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F42A1

Part of subcall function 00007FF7752F55C0: WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F4325

Strings

TMP, xrefs: 00007FF7752F41AA
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7752F41C4
_MEI%d, xrefs: 00007FF7752F41F4
TMP, xrefs: 00007FF7752F4188, 00007FF7752F4249, 00007FF7752F42D7

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Environment$Variable$ByteCharMultiWide$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1081748254-1116378104
Opcode ID: a65d5160b4b63b93775d878d7825836d46c36f6b847db2ba1f23d27093c6548d
Instruction ID: 966952932d8d763ad00e3c887aac85a3d18a5cb3b36c12a539e337113b45395d
Opcode Fuzzy Hash: a65d5160b4b63b93775d878d7825836d46c36f6b847db2ba1f23d27093c6548d
Instruction Fuzzy Hash: A0518B92F39A4241FA58B722BD556BED2519F85FC4FC45035EC0E4BBD6EE6CE1018360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775303964, Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7753039DD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7753039F5
RtlVirtualUnwind.KERNEL32 ref: 00007FF775303A30
IsDebuggerPresent.KERNEL32 ref: 00007FF775303A69
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF775303A73
UnhandledExceptionFilter.KERNEL32 ref: 00007FF775303A7E

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 80b0730903e532fc70616f4dc65be134e5b86ea7bc24d021c4a1d0bf6ad54e27
Instruction ID: f747ae9ca9e82ee47079302c6597f67cc30f6436bdf2214de9bcfd11657c91af
Opcode Fuzzy Hash: 80b0730903e532fc70616f4dc65be134e5b86ea7bc24d021c4a1d0bf6ad54e27
Instruction Fuzzy Hash: 08316333638F8186D720DB25E8406ADB364FB84B58F900539EA9D43BA4DF3CC145C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E880F00, Relevance: 9.1, APIs: 6, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFB4E880F72
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFB4E880F8A
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFB4E880FC5
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFB4E881002
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E88100C
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E881017

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 6bae0768197e287b93965e9e07ce2c3bc1156fc4ad16fb0ea84d3a7140283ba6
Instruction ID: dc15f501746934d16db844640d3d5089f1bf4dd05aab057ba315daebddd34872
Opcode Fuzzy Hash: 6bae0768197e287b93965e9e07ce2c3bc1156fc4ad16fb0ea84d3a7140283ba6
Instruction Fuzzy Hash: 60315E76618B8286EF609F35E9402EA73A4FB88744F44013ADB9D47B59EF78D544CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87F8A0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,00000002,00007FFB4E87FC1E,?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87F8F5
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,00000002,00007FFB4E87FC1E,?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87F939
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,00000002,00007FFB4E87FC1E,?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87F94F

Strings

OCP, xrefs: 00007FFB4E87F8D1
ACP, xrefs: 00007FFB4E87F8C1

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 71b90c50eb16cae11b867f8413c30b27980924c84e14c7e0ed40c14c79274253
Instruction ID: 71f101ed8f13d5141cd215f50a646500a3060ac4271f1d161eb4c2825f0089b5
Opcode Fuzzy Hash: 71b90c50eb16cae11b867f8413c30b27980924c84e14c7e0ed40c14c79274253
Instruction Fuzzy Hash: 2A216FB1A0C643A2EF20AF32EA4067AA366FF45784F544130EA8D53A96DF2DE9418701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8B5E44, Relevance: 7.8, APIs: 5, Instructions: 327fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FFB4E8B5EBC
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFB4E8B6176
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFB4E8B61C6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E8B6299
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E8B62F8

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: d9d181d5442a27f007f160e4ce3334badb9396f56665eafbce54c107eb469355
Instruction ID: e1a390fef1d971b0c1d37caf608760a3b2f16c54534bdb361d420ed29fe0c94e
Opcode Fuzzy Hash: d9d181d5442a27f007f160e4ce3334badb9396f56665eafbce54c107eb469355
Instruction Fuzzy Hash: 0CD1DAA2F1CA918EEB10DF74D5402AD7BB1FB45B98B144636EE4E57B99DE38D406C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87FA28, Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB4E822990: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E882831), ref: 00007FFB4E82299A
Part of subcall function 00007FFB4E822990: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E882831), ref: 00007FFB4E8229E0

Part of subcall function 00007FFB4E822990: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E882831), ref: 00007FFB4E822A33

GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87FBF0
IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87FC2B
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87FC45
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87FC92
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFB4E87FCB1

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 1491647067-0
Opcode ID: 6ce98cc9698ea22afdd662a12b4af6925692553dca7c1257d87691eb96985a60
Instruction ID: 7b8e16f39d404ec039d977b167c7d70047e1385ae7e15756e927caf3b6bc334c
Opcode Fuzzy Hash: 6ce98cc9698ea22afdd662a12b4af6925692553dca7c1257d87691eb96985a60
Instruction Fuzzy Hash: 39816AB2A0C65286EF20EF32DA512BD27A4BF44B88F454436DE8D67296DE3CE945C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775309DF0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775309E30

Part of subcall function 00007FF775303B90: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303B99
Part of subcall function 00007FF775303B90: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF775303B6E), ref: 00007FF775303BBD

Strings

., xrefs: 00007FF77530A277
*, xrefs: 00007FF775309E57
., xrefs: 00007FF77530A268

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *$.$.
API String ID: 4036615347-2112782162
Opcode ID: c177b2e7a8d9172394addc7312b5b4ea24c8bcbea90a56f74b1355badff20889
Instruction ID: 5bd015a2d8db433b3a38fce2cbdcd0e344422b4f1194d3072c831898a4243992
Opcode Fuzzy Hash: c177b2e7a8d9172394addc7312b5b4ea24c8bcbea90a56f74b1355badff20889
Instruction Fuzzy Hash: F751BE63B34B5585FB10EBA298406BDA3A6BB44FC8F944139DE5D17BA9DE38D442C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E859974, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00000000,00007FFB4E859B6B,?,?,?,?,00007FFB4E859AC6,?,?,?,?,00007FFB4E860F36), ref: 00007FFB4E85997D
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FFB4E859B6B,?,?,?,?,00007FFB4E859AC6,?,?,?,?,00007FFB4E860F36), ref: 00007FFB4E859995
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FFB4E859B6B,?,?,?,?,00007FFB4E859AC6,?,?,?,?,00007FFB4E860F36), ref: 00007FFB4E85999E
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FFB4E859B6B,?,?,?,?,00007FFB4E859AC6,?,?,?,?,00007FFB4E860F36), ref: 00007FFB4E8599B7

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: dc251b140f52923924797957cf2991f1be25c6d11c19d87671d8a1d578587ad6
Instruction ID: 3d02168c2a59909f249c1dd8d4f1880a8242e045a19cc5b430162a0661319025
Opcode Fuzzy Hash: dc251b140f52923924797957cf2991f1be25c6d11c19d87671d8a1d578587ad6
Instruction Fuzzy Hash: 82F0A5E0E0C602CAFF153F71EA152B42351AF99745F4404B8D96E462D1EF7D64858740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E856C10, Relevance: 59.7, APIs: 30, Strings: 4, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getDecoratedName.LIBVCRUNTIME ref: 00007FFB4E856C90

Part of subcall function 00007FFB4E854120: UnDecorator::getDataType.LIBVCRUNTIME ref: 00007FFB4E854168

UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856C9E
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856CA7
DName::getString.LIBVCRUNTIME ref: 00007FFB4E856CCE
DName::DName.LIBVCRUNTIME ref: 00007FFB4E856CFE
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E856D0D
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E856D1C
DName::DName.LIBVCRUNTIME ref: 00007FFB4E856D40
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856D71
DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E856DB4
UnDecorator::getDecoratedName.LIBVCRUNTIME ref: 00007FFB4E856DC5
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856DD1
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856DDC
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856DFE
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856E0A
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856E15
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856E1E
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856E2A
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856E35
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E856E3E
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E856E4A
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E856E59

Strings

`generic-method-parameter-, xrefs: 00007FFB4E856F52
NULL, xrefs: 00007FFB4E856D36
`generic-class-parameter-, xrefs: 00007FFB4E856F87
`template-type-parameter-, xrefs: 00007FFB4E856F90

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Decorator::get$Name::operator+=$DimensionSigned$Name$Name::operator+$DecoratedName::$DataName::doName::getPcharStringType
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
API String ID: 283215372-4167119577
Opcode ID: 01f4b42004591b1d322aae191b4ef4a6f72623778ac8038d5335beaac7d5e2d7
Instruction ID: c1c8311f9a6347c4d751c47197a9f26cdbf29897ba7a1687f36c886c9253c417
Opcode Fuzzy Hash: 01f4b42004591b1d322aae191b4ef4a6f72623778ac8038d5335beaac7d5e2d7
Instruction Fuzzy Hash: 06B16CA2F0DA4298FF10BF74C6542FC2762AF45788F940936CA0D1769AEE3DE50AD310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E854AA4, Relevance: 48.3, APIs: 32, Instructions: 343COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854AF5

Part of subcall function 00007FFB4E851BC0: DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E851BDB

DName::DName.LIBVCRUNTIME ref: 00007FFB4E854BAD
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854BBD
UnDecorator::getScope.LIBVCRUNTIME ref: 00007FFB4E854BE0
DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E854C02
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854C12
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854C23
UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 00007FFB4E854CCA

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Name::operator+$Decorator::get$DataIndirectNameName::Name::doName::operator+=PcharScopeType
String ID:
API String ID: 3173522582-0
Opcode ID: cb71eaa1503b947047e86e1284454771ad456d1c4947eef67b7cac47f881b169
Instruction ID: e5e56f4649982740c4f73b9066a627588d24c96c289b464808c88679f6793cf8
Opcode Fuzzy Hash: cb71eaa1503b947047e86e1284454771ad456d1c4947eef67b7cac47f881b169
Instruction Fuzzy Hash: 62F19DB6B0CA929AEB11EF74D5901ED37B1EB0478CB404432EA0E67B99EF38D519C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8577B8, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getTemplateName.LIBVCRUNTIME ref: 00007FFB4E857838
Replicator::operator+=.LIBVCRUNTIME ref: 00007FFB4E857A5B

Strings

template-parameter-, xrefs: 00007FFB4E857895
generic-type-, xrefs: 00007FFB4E8578D1

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Decorator::getNameReplicator::operator+=Template
String ID: generic-type-$template-parameter-
API String ID: 2731555906-13229604
Opcode ID: 9cf376104a29e08947d7fa31d684c5bb99527e9836e7e28372e8c7c7e575b89a
Instruction ID: 1121077609c35ea8b5dcf0447f199cb1e0c54734038d1849afaafac7185dc301
Opcode Fuzzy Hash: 9cf376104a29e08947d7fa31d684c5bb99527e9836e7e28372e8c7c7e575b89a
Instruction Fuzzy Hash: B691ADA2A1CA4698EF11AF30DA506BC37B2AF44B88F805532DA4D57795EF3DE605C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530797C, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307AF9

Strings

inf, xrefs: 00007FF775307A02
NAN(SNAN), xrefs: 00007FF775307A11
nan(ind), xrefs: 00007FF775307A32
nan, xrefs: 00007FF7753079E4
nan(snan), xrefs: 00007FF775307A1C
INF, xrefs: 00007FF7753079EF
NAN, xrefs: 00007FF7753079DD
NAN(IND), xrefs: 00007FF775307A27

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 3179a56723a21d6cc442c7c6c7c39b94e8f4395454ad5cd1c72b07a63001d736
Instruction ID: 080372bf80f76dd7d51c952812df2e32388e274326cfc0f60162cb5e1b7ef2f9
Opcode Fuzzy Hash: 3179a56723a21d6cc442c7c6c7c39b94e8f4395454ad5cd1c72b07a63001d736
Instruction Fuzzy Hash: 9B419B32A39B4589FB00DF34E8417A9B3A5EB04B88F80453AEE5C07B65DE3CD025C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3E80, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7752F419F,?,00000000,?,00007FF7752F411D), ref: 00007FF7752F3EE2

Strings

LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7752F3F26
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7752F3EB6
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7752F3EF6

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 868d4e83b3919bbdffba6fdefa1c80da23efc95b64561f687014aca52f6d5a22
Instruction ID: e831b55fb08a4beba3bfa6b90331517d2bad2dbc056946fcf0c0477acd58a72a
Opcode Fuzzy Hash: 868d4e83b3919bbdffba6fdefa1c80da23efc95b64561f687014aca52f6d5a22
Instruction Fuzzy Hash: 04319293B3CB8691FE24B725FD552BAE251AF98FC0FC44535DA0E427D6EE2CE1048620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E856FD8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFB4E85701D
UnDecorator::getSignedDimension.LIBVCRUNTIME ref: 00007FFB4E857034
DName::DName.LIBVCRUNTIME ref: 00007FFB4E8570AB

Part of subcall function 00007FFB4E851914: DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E851946

DName::operator+.LIBVCRUNTIME ref: 00007FFB4E8570BB

Part of subcall function 00007FFB4E851BC0: DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E851BDB

DName::operator+.LIBVCRUNTIME ref: 00007FFB4E8570CE

Part of subcall function 00007FFB4E851C20: DName::operator+=.LIBCMT ref: 00007FFB4E851C3B

Strings

`template-parameter, xrefs: 00007FFB4E8570A0
void, xrefs: 00007FFB4E85700C

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: NameName::Name::operator+Name::operator+=$Decorator::getDimensionName::doPcharSigned
String ID: `template-parameter$void
API String ID: 1951524168-4057429177
Opcode ID: e34856157441b379c95f2d1371c28cea34328b513750dd0b33bb8b0f75dc61cc
Instruction ID: 57e50d1fd4598ebd26bbf6c29115f08569d182bf3acb44606ab829650b5f8004
Opcode Fuzzy Hash: e34856157441b379c95f2d1371c28cea34328b513750dd0b33bb8b0f75dc61cc
Instruction Fuzzy Hash: A53137A2A1CB0695FF00AF71DA502B923A2BF44B88F844432CA0D57695EF3DE505C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82EA48, Relevance: 13.8, APIs: 9, Instructions: 282fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB4E82ECF0: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82ED10
Part of subcall function 00007FFB4E82ECF0: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82ED66
Part of subcall function 00007FFB4E82ECF0: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82EE0B

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFB4E82EB25
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFB4E82EB43
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E82ECD4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E86648C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFB4E8664BF

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLast$CloseCreateHandleLeaveType
String ID:
API String ID: 3788438030-0
Opcode ID: f75a8f3c88359da57e6ab2bd24c6f1b5defbc0ed41970d43a32670b3288409be
Instruction ID: 169f602d788d4c4873855d1e3de61f262719ba743de19505e04d61099d45e6df
Opcode Fuzzy Hash: f75a8f3c88359da57e6ab2bd24c6f1b5defbc0ed41970d43a32670b3288409be
Instruction Fuzzy Hash: 44C1D3B6B2CA418AEF11EF78D6801AC3761FB49B98B101235DA2E577E5CF38E456C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1B70, Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 170stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF7752F1BD2

Strings

%s%s%s.pkg, xrefs: 00007FF7752F1D4D
%s%s%s.exe, xrefs: 00007FF7752F1D7A
Archive not found: %s, xrefs: 00007FF7752F1DDC
Error copying %s, xrefs: 00007FF7752F1CAD
%s%s%s%s%s%s%s, xrefs: 00007FF7752F1D0B
%s%s%s%s%s, xrefs: 00007FF7752F1C63
%s%s%s, xrefs: 00007FF7752F1DA7
Error extracting %s, xrefs: 00007FF7752F1E59

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: strchr
String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Error copying %s$Error extracting %s
API String ID: 2830005266-390755151
Opcode ID: c46250928e3c7590ca194b9e5999d5be14e1902a183bf72c5e87ea5bb3f30f57
Instruction ID: 23b840d73295ae445019fe948c0f80e1fb7b5d4d3ea02576649d4d09c90121c5
Opcode Fuzzy Hash: c46250928e3c7590ca194b9e5999d5be14e1902a183bf72c5e87ea5bb3f30f57
Instruction Fuzzy Hash: 24813F63A38EC394EB20AB21EC401F9A365FB55B88FC44136EA4D476D9EF78D205C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F3A40, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 00007FF7752F3BB6
fflush.LIBCMT ref: 00007FF7752F3BC8
setbuf.LIBCMT ref: 00007FF7752F3BD9
setbuf.LIBCMT ref: 00007FF7752F3BED
setbuf.LIBCMT ref: 00007FF7752F3C01

Strings

pyi-, xrefs: 00007FF7752F3ADC
Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00007FF7752F3C35

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: setbuf$fflush
String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
API String ID: 410961200-3625900369
Opcode ID: 70ee1634e765a46cbf7eebb5f84f857e8093b6ebe6d1e948273328f0a84d6a6c
Instruction ID: c08744c9217227647a029822ea85bf259313f2c843f3dc7e3f989741d3bcba32
Opcode Fuzzy Hash: 70ee1634e765a46cbf7eebb5f84f857e8093b6ebe6d1e948273328f0a84d6a6c
Instruction Fuzzy Hash: 71517CA3A3C60641FA14BB25EC652B9A251AF54F54FC44139E91D873E7CE7DE8018370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5140, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F51DD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F5227

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF7752F5268
WideCharToMultiByte, xrefs: 00007FF7752F526F
win32_utils_to_utf8, xrefs: 00007FF7752F525F
Out of memory., xrefs: 00007FF7752F5258
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7752F524F

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-3595433791
Opcode ID: 11269bc7cfaca77b5aeaa59e3f1ded6d565f3f0e6b9cc0bcd5502d890aea9167
Instruction ID: 0f2cfa99fa61373224cb780af2a9c3302ec5ffd971073f2f3bf2e427a1f1a069
Opcode Fuzzy Hash: 11269bc7cfaca77b5aeaa59e3f1ded6d565f3f0e6b9cc0bcd5502d890aea9167
Instruction Fuzzy Hash: B641C173A38B8282E660EF55B84016AF7A5FB84B94F944235EA8D47BE4DF3CE111C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F4A20, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F54C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

Part of subcall function 00007FF775300E64: SetConsoleCtrlHandler.KERNEL32(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300ED1

Part of subcall function 00007FF775300E64: GetLastError.KERNEL32(?,00007FF7752F4A70,00000000,00007FF7752F27AD), ref: 00007FF775300EEC

GetStartupInfoW.KERNEL32 ref: 00007FF7752F4AA7

Part of subcall function 00007FF775302D2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775302D40

Part of subcall function 00007FF7753009D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF775300A3B

GetCommandLineW.KERNEL32 ref: 00007FF7752F4B2F
CreateProcessW.KERNEL32 ref: 00007FF7752F4B71
WaitForSingleObject.KERNEL32 ref: 00007FF7752F4B83
GetExitCodeProcess.KERNEL32 ref: 00007FF7752F4B93

Strings

CreateProcessW, xrefs: 00007FF7752F4BA6
Error creating child process!, xrefs: 00007FF7752F4B9F

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 1742298069-3524285272
Opcode ID: 7402cc58a5c80371bdadda5ff5424c471549ee8befc1b46362aaf9c91740b55e
Instruction ID: 03b1c004405f7752dd82e8a552973297c004568a882a8b3da9d8fd4cca2344da
Opcode Fuzzy Hash: 7402cc58a5c80371bdadda5ff5424c471549ee8befc1b46362aaf9c91740b55e
Instruction Fuzzy Hash: 1B415573A38B8182EA10EB60F4556AEF361FB94B44F804539E69D076A6DF7CD454CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F55C0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5601

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

WideCharToMultiByte.KERNEL32 ref: 00007FF7752F5673

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF7752F560E
WideCharToMultiByte, xrefs: 00007FF7752F5615, 00007FF7752F5684
win32_utils_to_utf8, xrefs: 00007FF7752F5642
Out of memory., xrefs: 00007FF7752F563B
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7752F567D

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-3595433791
Opcode ID: 626ab26b13916d9d32718d33e2c174ebc2376be8bb3d424ff61070e4e5b53e0a
Instruction ID: e18b8c28e7d706c9159c205d91e8699ed7c49f1eba42c22d81501fa44f022544
Opcode Fuzzy Hash: 626ab26b13916d9d32718d33e2c174ebc2376be8bb3d424ff61070e4e5b53e0a
Instruction Fuzzy Hash: 95219C62B38F4685EA14AF25BD40069B7A1AB84FD8F844539DA1E43BA4EF3CE500C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5830, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 62COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,00007FF7752F5470), ref: 00007FF7752F5862

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to encode filename as ANSI., xrefs: 00007FF7752F58EC
WideCharToMultiByte, xrefs: 00007FF7752F5875, 00007FF7752F58F3
win32_wcs_to_mbs, xrefs: 00007FF7752F58B4
Out of memory., xrefs: 00007FF7752F58AD
Failed to get ANSI buffer size., xrefs: 00007FF7752F586E

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 203985260-2581065711
Opcode ID: 30a9694185e67db114cd990fa3b2a6ed8137dcb5d445eb3289618fd7341275ff
Instruction ID: e2f9ca5983065249cda6bee17875ea17e5483b1cbf214142c6455151b0a618cf
Opcode Fuzzy Hash: 30a9694185e67db114cd990fa3b2a6ed8137dcb5d445eb3289618fd7341275ff
Instruction Fuzzy Hash: 3D218072A3CB8686E750AF25F84006AB791FB84BD4F844539E99E437A9DF3CE150C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F37E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF7752F3812

Strings

utf-8, xrefs: 00007FF7752F3835
%U?%zu, xrefs: 00007FF7752F3845
Failed to append to sys.path, xrefs: 00007FF7752F389D
path, xrefs: 00007FF7752F3864
Installing PYZ: Could not get sys.path, xrefs: 00007FF7752F3876
strict, xrefs: 00007FF7752F382E

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: %U?%zu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
API String ID: 2009864989-2673223963
Opcode ID: f31583c6e0f3b0c3a2d4415782db2ecca80cfe0c57754da180719fd39221b6e8
Instruction ID: be8e4fa4c16447d5c41ff564eee992c7d4d61d9bd1e6ac1f344425c12cbbaae2
Opcode Fuzzy Hash: f31583c6e0f3b0c3a2d4415782db2ecca80cfe0c57754da180719fd39221b6e8
Instruction Fuzzy Hash: 16216DA2A3CE8A96FA00BB21FD44179E360AB54F94FC80535DA5E472E5DF3CE445C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E824D70, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E824DC8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E824E12
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFB4E8631BF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E8631D5

Strings

FlsGetValue, xrefs: 00007FFB4E8631CB
LCMapStringEx, xrefs: 00007FFB4E863178

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue$LCMapStringEx
API String ID: 3663398396-552164261
Opcode ID: babe73ba117d8eb6ebbe9cc244fe32a8ae4782d788d9df331b8f313694660f8f
Instruction ID: 86a2cc0a72b0ce693bef3976e95bcf28be02ee848c143847d8dd6df3bcb22b6b
Opcode Fuzzy Hash: babe73ba117d8eb6ebbe9cc244fe32a8ae4782d788d9df331b8f313694660f8f
Instruction Fuzzy Hash: EC51BCA5B0CA5282FE54BF39EA0017963E5AF49BE4F484635ED5D877D4DF3CE8468200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8547BC, Relevance: 10.6, APIs: 7, Instructions: 134COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E85485D
DName::DName.LIBVCRUNTIME ref: 00007FFB4E854868

Part of subcall function 00007FFB4E851A08: DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E851A75

DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854878

Part of subcall function 00007FFB4E851BC0: DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E851BDB

DName::operator+.LIBVCRUNTIME ref: 00007FFB4E854895
DName::operator+.LIBVCRUNTIME ref: 00007FFB4E8548CA

Part of subcall function 00007FFB4E851BF0: DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E851C0B

DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E8548FD

Part of subcall function 00007FFB4E851DE0: DName::append.LIBVCRUNTIME ref: 00007FFB4E851E24

DName::doPchar.LIBVCRUNTIME ref: 00007FFB4E85495C

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Name::doName::operator+Name::operator+=Pchar$NameName::Name::append
String ID:
API String ID: 3659116837-0
Opcode ID: 48f02a491ad4c04be5c9831e7be5e713c9aaf8ea2d260340cf0276c31ec6ab60
Instruction ID: f2482c4853eefb98fb37c9dda5f5bab05496c9fe4d48b0198bb85172a3a9faad
Opcode Fuzzy Hash: 48f02a491ad4c04be5c9831e7be5e713c9aaf8ea2d260340cf0276c31ec6ab60
Instruction Fuzzy Hash: 17616DB2A0CB9299EB11EF74E9403BD37B2AB44748F844435DA4E537A5EF38E545C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F56B0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7752F3C6F), ref: 00007FF7752F5743
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7752F3C6F), ref: 00007FF7752F5783

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F57A8
Failed to get wchar_t buffer size., xrefs: 00007FF7752F57C1
win32_utils_from_utf8, xrefs: 00007FF7752F57B8
MultiByteToWideChar, xrefs: 00007FF7752F57C8
Out of memory., xrefs: 00007FF7752F57B1

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-306716450
Opcode ID: 83aff67ca0650593ddf0895a3d199b68a82d0d2b6d58bece8fdddb6190daba61
Instruction ID: 2437c667d5e240f53f225fb7f2d98b1e0e33406880a9d429ca4a2ff7291d9bce
Opcode Fuzzy Hash: 83aff67ca0650593ddf0895a3d199b68a82d0d2b6d58bece8fdddb6190daba61
Instruction Fuzzy Hash: 1A418E73A39B4282E620EB15B88417AB6A5FB84B94F945135DA8D47BE4DF3CE1068720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E821FA0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E821FC6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E82200D

Part of subcall function 00007FFB4E822050: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFB4E822040), ref: 00007FFB4E82207C
Part of subcall function 00007FFB4E822050: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFB4E822040), ref: 00007FFB4E822098

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFB4E862B70
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E862B86

Strings

FlsGetValue, xrefs: 00007FFB4E862B7C
LCMapStringEx, xrefs: 00007FFB4E862B2B

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: CriticalErrorLastSection$AddressEnterLeaveProcValue
String ID: FlsGetValue$LCMapStringEx
API String ID: 2861905401-552164261
Opcode ID: fb6333cbdfa823bfe5e88a7f9dcc8c06e39efa78969b0f9157ccc1d6c898269b
Instruction ID: 5a21046526a404e134566284402598681ba66ef32958f245e029348404e5510a
Opcode Fuzzy Hash: fb6333cbdfa823bfe5e88a7f9dcc8c06e39efa78969b0f9157ccc1d6c898269b
Instruction Fuzzy Hash: 9B315CA2B0DB0286EE14AF38EA501B963A5EB493A0F444635DA6D477E4EF3CE845C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8259F4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E8243F5), ref: 00007FFB4E825A08
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E8243F5), ref: 00007FFB4E825A58
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E8243F5), ref: 00007FFB4E86338A
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E8243F5), ref: 00007FFB4E8633ED

Strings

FlsGetValue, xrefs: 00007FFB4E863380
LCMapStringEx, xrefs: 00007FFB4E86336D

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue$LCMapStringEx
API String ID: 3663398396-552164261
Opcode ID: d13c9f9fea492875289bedf6c7f8eb7880daea9c4f3ec74bd713f60d033998a3
Instruction ID: bbd676e108c9366ce0c4c1e666f842d3da7d68a6bdcda54611b5455ecec0596b
Opcode Fuzzy Hash: d13c9f9fea492875289bedf6c7f8eb7880daea9c4f3ec74bd713f60d033998a3
Instruction Fuzzy Hash: 0931ABA1A1DB0282FE44AF79FB501B923A1AF89BA4F445135ED1E477E4EF2CE8418300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E813964, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E860FC0,?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5), ref: 00007FFB4E813978
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E860FC0,?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5), ref: 00007FFB4E8139C8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E860FC0,?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5), ref: 00007FFB4E85BB08
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E860FC0,?,?,00000000,00007FFB4E822E79,?,?,?,00007FFB4E8639E5), ref: 00007FFB4E85BB6B

Strings

FlsGetValue, xrefs: 00007FFB4E85BAFE
LCMapStringEx, xrefs: 00007FFB4E85BAEB

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue$LCMapStringEx
API String ID: 3663398396-552164261
Opcode ID: c3c935f8a8906e3f648db4071cee6c9e660f4822c3369d2651397077fc3cf055
Instruction ID: 627f375de7e60e3e4d634b929d5979939f638a906bf64b43e7c4bc46fd43b719
Opcode Fuzzy Hash: c3c935f8a8906e3f648db4071cee6c9e660f4822c3369d2651397077fc3cf055
Instruction Fuzzy Hash: AE31CCA1B0DB0282FE44AF75EA101B563A1AF99BA0F444135ED5E477E8EE3CE8458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F53A0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 75COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7752F53DC

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F5451
Failed to get wchar_t buffer size., xrefs: 00007FF7752F53E9
win32_utils_from_utf8, xrefs: 00007FF7752F5420
MultiByteToWideChar, xrefs: 00007FF7752F53F0, 00007FF7752F5458
Out of memory., xrefs: 00007FF7752F5419

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 203985260-306716450
Opcode ID: 8e0cfee99e5bda6952034afae963f55a51d7282c969d13b082c9eedbf347a5fa
Instruction ID: c9e9a7a3cef0d79616e19eed76157080f0d1d79b835e23729a7d6d10118daf7b
Opcode Fuzzy Hash: 8e0cfee99e5bda6952034afae963f55a51d7282c969d13b082c9eedbf347a5fa
Instruction Fuzzy Hash: E3314F63B3CB4291EA54BF21BC4017AE691AF84FD4FC84535E94D47BE5EE2CE1018320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82B9F0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E825CF2,?,?,?,00007FFB4E822E66,?,?,?,00007FFB4E8639E5), ref: 00007FFB4E82BA5A

Strings

api-ms-, xrefs: 00007FFB4E8655F2
ext-ms-, xrefs: 00007FFB4E865605

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: LibraryLoad
String ID: api-ms-$ext-ms-
API String ID: 1029625771-537541572
Opcode ID: ef0178e55f50199a1eb68140d3ec7373be8091f19d0cd59d55afdad68d1d9bc9
Instruction ID: 260f9a0f4aba40c8ad270b70b3524363ae8fe8d848dae049f07ae8e45e88624f
Opcode Fuzzy Hash: ef0178e55f50199a1eb68140d3ec7373be8091f19d0cd59d55afdad68d1d9bc9
Instruction Fuzzy Hash: BF218261B1EB5281EE14AF7AE6481783394AF49FA0F181675DE2E477D4EF3CE4018300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F54C0, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F54FA

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

MultiByteToWideChar.KERNEL32(?,00000000,00007FF7752F438C,00007FF7752F2605), ref: 00007FF7752F557E

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7752F5588
Failed to get wchar_t buffer size., xrefs: 00007FF7752F5507
win32_utils_from_utf8, xrefs: 00007FF7752F5549
MultiByteToWideChar, xrefs: 00007FF7752F550E, 00007FF7752F558F
Out of memory., xrefs: 00007FF7752F5542

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-306716450
Opcode ID: fada89fb940858c21b49de34bb2b725a169a813b03191ed1fe033f854eaf305c
Instruction ID: 25124cf47ca48a022497b0a0c1ab9d502a878f9919095ee720cbbce373a0c02e
Opcode Fuzzy Hash: fada89fb940858c21b49de34bb2b725a169a813b03191ed1fe033f854eaf305c
Instruction Fuzzy Hash: 7021B663B38A4281EB50EB29F800169E7A1EF84BD8FD80535DB5C43BB9EF2CD5418714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F5010, Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7752F502A
OpenProcessToken.ADVAPI32 ref: 00007FF7752F503B
GetTokenInformation.ADVAPI32 ref: 00007FF7752F505D
GetLastError.KERNEL32 ref: 00007FF7752F5067
GetTokenInformation.ADVAPI32 ref: 00007FF7752F50A4
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7752F50B6
CloseHandle.KERNEL32 ref: 00007FF7752F50CE

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 4e8abe49dfea05e05af7788d64e15a10cfde5bbe15a3df092d15c4d2754aa923
Instruction ID: 6af2c4b5bb889731c7d4b689649c325e55407113610be50677d0aa2f54c3797f
Opcode Fuzzy Hash: 4e8abe49dfea05e05af7788d64e15a10cfde5bbe15a3df092d15c4d2754aa923
Instruction Fuzzy Hash: 0C217473638E4283EB10AB25F88056AE360FB85B64F940338EA6E466E4DF3DD545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E856848, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator+=.LIBVCRUNTIME ref: 00007FFB4E85698D
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E8569AB
DName::operator+=.LIBVCRUNTIME ref: 00007FFB4E8569B7
DName::operator+=.LIBCMT ref: 00007FFB4E8569CB

Strings

..., xrefs: 00007FFB4E8569C1

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Name::operator+=$Replicator::operator+=
String ID: ...
API String ID: 3157425598-440645147
Opcode ID: 03e57178cc3787b9dca924b86cc8249914a36d5af8f88c1d0215aecf3a786326
Instruction ID: a610ecb5520326824afe940f0ba1eca7fbd806cd5ba1de2c49cf16d72bd6d2cd
Opcode Fuzzy Hash: 03e57178cc3787b9dca924b86cc8249914a36d5af8f88c1d0215aecf3a786326
Instruction Fuzzy Hash: 8651AEE2E0C68294FF11EF34DA4437967A2BB45B88F588935CA4C066A5EF3DE841D301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308684, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7753086B9

Part of subcall function 00007FF775307D34: GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307D7B

GetFullPathNameW.KERNEL32 ref: 00007FF775308743
GetLastError.KERNEL32 ref: 00007FF77530874F

Strings

., xrefs: 00007FF77530870D
:, xrefs: 00007FF7753086F9

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
String ID: .$:
API String ID: 2924719347-4202072812
Opcode ID: cc98cc14f0ebf5081af552a36a3e71ecaba8949be3b40e1ec350be6554fc2dc7
Instruction ID: edfaf5ef50747e6c149fccfe992eb70346a330ea489f2ba77a1cf0874a3cd91c
Opcode Fuzzy Hash: cc98cc14f0ebf5081af552a36a3e71ecaba8949be3b40e1ec350be6554fc2dc7
Instruction Fuzzy Hash: BB31A023A3C71681FA307B65941527AE292EF94F8CFC1403DEA4D867A6DE3CE4008B35

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F1390, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00007FF7752F13EA

Strings

fopen, xrefs: 00007FF7752F1400
%s could not be extracted!, xrefs: 00007FF7752F13F9
Failed to write all bytes for %s, xrefs: 00007FF7752F1433
fwrite, xrefs: 00007FF7752F143A

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: htonl
String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
API String ID: 2009864989-741305175
Opcode ID: 1c0ff0261777d1abf50480c6cafbe169b5a37af73ee4d8f2829771680dc6d9a4
Instruction ID: d0a2c7b04b8a7b5890d47e01c8c8e54b70496a7401403c6519b2aaab0149d2d1
Opcode Fuzzy Hash: 1c0ff0261777d1abf50480c6cafbe169b5a37af73ee4d8f2829771680dc6d9a4
Instruction Fuzzy Hash: BF21C5A2F38A4281EA54B726F8404B9E3509F81FE4FD80631EE1D17BD6DE2CE5418760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753024AC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7753024CC
GetProcAddress.KERNEL32 ref: 00007FF7753024E2
FreeLibrary.KERNEL32 ref: 00007FF775302507

Strings

CorExitProcess, xrefs: 00007FF7753024DB
mscoree.dll, xrefs: 00007FF7753024C3

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8e47be83509a870c7da9deaf13c124d4cb932dc417ecbbf493f49e1e0bf2286c
Instruction ID: a1733c335d4da723640ba39f9af5cf9bb717185803199bb2cbb6a18db52d27aa
Opcode Fuzzy Hash: 8e47be83509a870c7da9deaf13c124d4cb932dc417ecbbf493f49e1e0bf2286c
Instruction Fuzzy Hash: 17F0AF23A39B42C1EE85AB21F480A79A361EF88F88F88143DF90F06274CE3CD445C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82FFE4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E830000
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E83001E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E866DB8

Strings

CorExitProcess, xrefs: 00007FFB4E866DB1
mscoree.dll, xrefs: 00007FFB4E82FFF7

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f59a62493229d74802718f4246fb153374be3faa06f6dc9ed64c39c913cedf70
Instruction ID: 52126e704dc2b4aabe57e09a102cb6a5a23c6410a8878541f078097c07709f81
Opcode Fuzzy Hash: f59a62493229d74802718f4246fb153374be3faa06f6dc9ed64c39c913cedf70
Instruction Fuzzy Hash: 71F03AF1A2D686C2EF98AF30E6943792361AF99741F442479E40F461E4DF6DE488D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87EC18, Relevance: 7.8, APIs: 5, Instructions: 344COMMON

Download Yara Rule

APIs

GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFB4E87ECEC
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFB4E87EE0D
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFB4E87EF23
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFB4E87EFA9
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFB4E87F077

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 081528aed60eb44b78864eee27d65191c79647ae6f22f9347eb350ed56016acb
Instruction ID: f833548529f36c1b5f0595f979a3103f499f26af9cb7eed62386f2137b2d8e9a
Opcode Fuzzy Hash: 081528aed60eb44b78864eee27d65191c79647ae6f22f9347eb350ed56016acb
Instruction Fuzzy Hash: BFD1C192E0C78246FF70BF35CA9467DABC0AF41794F58463AD99C66BD5DE2DE8808201

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775310980, Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b353429c99c89016e4b416b12cebb43489d1caf89bdb632bad30390d060131e1
Instruction ID: 6e4ebb3b93571ed66ef18e3ea9c570d65f0e879445edc9c787a3f9fdd2084488
Opcode Fuzzy Hash: b353429c99c89016e4b416b12cebb43489d1caf89bdb632bad30390d060131e1
Instruction Fuzzy Hash: F3A1D563A39B8247FB606B709450379A6D1AF04F98FE44A39DA6D1E7E5DF3CD4448320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530573C, Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775305781

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9f254aea1f80866c44cb341a00381d2cf0c39e4bff19b1d1e1287af4dc572f73
Instruction ID: dfec1a56fd8f479c601406238768f0bd72e55f48ecdc2a3bc73f0932ed8da46a
Opcode Fuzzy Hash: 9f254aea1f80866c44cb341a00381d2cf0c39e4bff19b1d1e1287af4dc572f73
Instruction Fuzzy Hash: EC819023F3871699FB11BB6594806BDA6A6BB44F5CF80413ADE0E576B5CF3CA441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753050B0, Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF7753058E3), ref: 00007FF77530510D
WideCharToMultiByte.KERNEL32 ref: 00007FF7753051E9
WriteFile.KERNEL32 ref: 00007FF77530520F
WriteFile.KERNEL32 ref: 00007FF77530524E
GetLastError.KERNEL32 ref: 00007FF775305286

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 69f6b8766e1ec0c05da9ff232bb89250459649f6ce857c3aa9cd85f7215ab13e
Instruction ID: cb7423a53bdd06a3c6cb620cfd5923adbdf1ba91df320ac56b8c7c0473b75200
Opcode Fuzzy Hash: 69f6b8766e1ec0c05da9ff232bb89250459649f6ce857c3aa9cd85f7215ab13e
Instruction Fuzzy Hash: 4C51AF33A35A518AE710DB65D8443ACB7B5BB48B8CF44813ADE0E47AA8DF38D141C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752FF468, Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7752FF4B9

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fef81fd67bbad7b19e29c7229520ba9ad299aa7bc25be361af24c94c4b3abdd8
Instruction ID: 4282448e733c328935933a25e5139b862f4910f92aa7954b25f899f61aa26042
Opcode Fuzzy Hash: fef81fd67bbad7b19e29c7229520ba9ad299aa7bc25be361af24c94c4b3abdd8
Instruction Fuzzy Hash: 3051B7A3A3878285E760AF21B880179F7A5EF40FA4FA55235DA6E436E0DF3CD452C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775305D18, Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000,00000003,00007FF77530612F,?,?,00000000,00007FF775306F7F,?,?,?,00007FF775303C99), ref: 00007FF775305E3A

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4efc5ba41e45092064173930352f3869166e0b75ab00182d0a86a1e395658040
Instruction ID: 4c43292eb7a16353c8511302614bd875afe5858fc27a9be919491fa5457cf20b
Opcode Fuzzy Hash: 4efc5ba41e45092064173930352f3869166e0b75ab00182d0a86a1e395658040
Instruction Fuzzy Hash: E341C673B39B4181FA21AB16A814AB5E296BF14FD8F49453ADD5E4B7A4DE3CE401C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E831EA4, Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E831E99), ref: 00007FFB4E831F0A
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E831E99), ref: 00007FFB4E831F37
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E831E99), ref: 00007FFB4E867591
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E831E99), ref: 00007FFB4E86759E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFB4E831E99), ref: 00007FFB4E8675D5

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: FullNamePath$ErrorLast
String ID:
API String ID: 457693415-0
Opcode ID: 4674f87e1cc0df3a3494236c16749be88f4eefb98ab531f935d8f004db9eb3f8
Instruction ID: 82c53d53944ab8434acc792e8c7d1de9de0b0edcebdd0b2ff584b3f816ba5501
Opcode Fuzzy Hash: 4674f87e1cc0df3a3494236c16749be88f4eefb98ab531f935d8f004db9eb3f8
Instruction Fuzzy Hash: 393187A5B0CB1286FF10BFB5EA542BC33A5AF45B84B144174DE1E63B96DF3DE8018280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307FE4, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308014

Part of subcall function 00007FF775302D94: RtlAllocateHeap.NTDLL ref: 00007FF775302DD2

MultiByteToWideChar.KERNEL32 ref: 00007FF77530804B
GetLastError.KERNEL32 ref: 00007FF775308058
MultiByteToWideChar.KERNEL32 ref: 00007FF775308090
GetLastError.KERNEL32 ref: 00007FF77530809A

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide$AllocateHeap_invalid_parameter_noinfo
String ID:
API String ID: 1500607604-0
Opcode ID: 81189efe5fbb9cc8acdd6cc630c4b53dd0b5e138adb86fcd3037ab29641a2e44
Instruction ID: 4a39c668f7a29b72cdd64eb14823066556f4e89b9cd568ffd31bc01034120f03
Opcode Fuzzy Hash: 81189efe5fbb9cc8acdd6cc630c4b53dd0b5e138adb86fcd3037ab29641a2e44
Instruction Fuzzy Hash: B621B533A38B4285FA14BF66A80017AE696AF84FA8F940939ED5D477B5DE3CD4418320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E834730, Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB4E83126C: GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E8311F8), ref: 00007FFB4E8312B0

CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFB4E83477A
ResumeThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFB4E834793
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E86835B
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFB4E868377
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E868386

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: HandleThread$CloseCreateErrorFreeLastLibraryModuleResume
String ID:
API String ID: 1364334503-0
Opcode ID: 79a8d8d202eefd3a314da1c181e45da2b72a5319d32d14dc75f97ab329820bea
Instruction ID: 86395d9789433959888331041f9411889295e8b372ee3fd554b520b456019edc
Opcode Fuzzy Hash: 79a8d8d202eefd3a314da1c181e45da2b72a5319d32d14dc75f97ab329820bea
Instruction Fuzzy Hash: C82190A1A0EB0686FE15BFB8E7442796390AF46BB4F180734DA7E067E5DF3DE4058200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753111D0, Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7753111F7
_set_statfp.LIBCMT ref: 00007FF775311212
_set_statfp.LIBCMT ref: 00007FF77531122E
_set_statfp.LIBCMT ref: 00007FF77531126A

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 70483c2ecbfa14830419a549f5a26fbc365abcad3d11c93477ebb28505c419a0
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 38116327E38E4305F7943375D4823F581416F55B68F944B3CE97E9A5FACEACA44241E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753088EC, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308B90

Strings

UTF-16LEUNICODE, xrefs: 00007FF775308B37
ccs, xrefs: 00007FF775308AD5
UTF-8, xrefs: 00007FF775308B14

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 03018829ccc2153328cc6b4da21c157ac6a6d554b15c094cd5420836e427f9af
Instruction ID: a440274096703f7aa9382ed762edfb97f5f79132097e8184231276382a679f8f
Opcode Fuzzy Hash: 03018829ccc2153328cc6b4da21c157ac6a6d554b15c094cd5420836e427f9af
Instruction Fuzzy Hash: 33816173E3831286FB657F259540279E7A2EF11F4CF98843DCA0E43AA1DB2CE8519761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753054DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7753055C2
WriteFile.KERNEL32 ref: 00007FF7753055F5
GetLastError.KERNEL32 ref: 00007FF775305617

Strings

U, xrefs: 00007FF7753055A0

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 16f06c8ccfbfc86e4807a4ca887a357c20fd54fd588d7b33a8e0f5e64b9df96b
Instruction ID: f42f6e991a08f3c96d76e4f0ec8b5cda559ba0bf61fcd2d469a2a5c385e29aa9
Opcode Fuzzy Hash: 16f06c8ccfbfc86e4807a4ca887a357c20fd54fd588d7b33a8e0f5e64b9df96b
Instruction Fuzzy Hash: 2A41C723738B8582EB609F25E8047B9A761FB48B98F844035EE4E87794DF3CD441CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E817A58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB4E8338BC), ref: 00007FFB4E817B22
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,00007FFB4E8338BC), ref: 00007FFB4E85EB72

Strings

IsValidLocaleName, xrefs: 00007FFB4E85EB0C
LCMapStringEx, xrefs: 00007FFB4E817B18

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProcString
String ID: IsValidLocaleName$LCMapStringEx
API String ID: 3874510993-3130311144
Opcode ID: ded8a9eb1846a0a081459bae3c78fd1a9f5b34343e0f9e910f2eb29f88bdf59c
Instruction ID: d4e123752a7329d0bf9b9d8d85d9e21639ca410be77f043b9cc352cc5147bb42
Opcode Fuzzy Hash: ded8a9eb1846a0a081459bae3c78fd1a9f5b34343e0f9e910f2eb29f88bdf59c
Instruction Fuzzy Hash: 6B419EA2B0CA4282EE64EF25EA107B673E0BB49B94F044239ED5D57794EF3DE9058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87D590, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB4E87F20F), ref: 00007FFB4E87D618
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB4E87F20F), ref: 00007FFB4E87D6E0

Strings

AppPolicyGetThreadInitializationType, xrefs: 00007FFB4E87D5F7
CompareStringEx, xrefs: 00007FFB4E87D60E

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressCompareProcString
String ID: AppPolicyGetThreadInitializationType$CompareStringEx
API String ID: 108076903-1200376162
Opcode ID: 5252be41d949b9670dcb6778db96c19800df137a33a2f1e54e99e4ae1c8d5ef3
Instruction ID: 21adc22c255f083814e9b13d3a3f5ca5c506d5a62db48cc597ca3e26fd0973f7
Opcode Fuzzy Hash: 5252be41d949b9670dcb6778db96c19800df137a33a2f1e54e99e4ae1c8d5ef3
Instruction Fuzzy Hash: A131BFB270CA4182EF60EF35EA0076563E0BB49B98F044235DD9D577D8EE3CE8458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87D800, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFB4E8680BF,?,?,?,?,?,?,?,00000000), ref: 00007FFB4E87D882
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFB4E8680BF,?,?,?,?,?,?,?,00000000), ref: 00007FFB4E87D930

Strings

GetDateFormatEx, xrefs: 00007FFB4E87D878
RoInitialize, xrefs: 00007FFB4E87D865

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressDateFormatProc
String ID: GetDateFormatEx$RoInitialize
API String ID: 2680382325-2816274727
Opcode ID: 0b6390dab949250f0d1efc23d9cb0149c3d6e6b291a79900509c47877e40c365
Instruction ID: 9d630bfc75f7a9202c70cc24a90caf047cb98b15ff7f201b143dfaa1524c8d01
Opcode Fuzzy Hash: 0b6390dab949250f0d1efc23d9cb0149c3d6e6b291a79900509c47877e40c365
Instruction Fuzzy Hash: 59316DA2A0CB0282FE14EF25EA1026567D1BB99BD4F494236DE9C677E4DF3CE4018740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87DB3C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88libraryloadertimeCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFB4E868162,?,?,?,?,?,?,?,00000000), ref: 00007FFB4E87DBBE
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFB4E868162,?,?,?,?,?,?,?,00000000), ref: 00007FFB4E87DC66

Strings

RoInitialize, xrefs: 00007FFB4E87DBA1
GetTimeFormatEx, xrefs: 00007FFB4E87DBB4

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressFormatProcTime
String ID: GetTimeFormatEx$RoInitialize
API String ID: 3572143191-3078538569
Opcode ID: 9ea712c452a3ad993b395176ffe6b715e06b89c7d72d6860cf0e50096b4c4309
Instruction ID: 92bf880a6c2a33f6da7df3e4fcae347db099a9710691762d31e7c9900416a8e1
Opcode Fuzzy Hash: 9ea712c452a3ad993b395176ffe6b715e06b89c7d72d6860cf0e50096b4c4309
Instruction Fuzzy Hash: 70319DA1B0CB4282FE14EF26EA0016567E1BB99BD4F484236DE9C537E4DF3CE4018700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E825C7C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E822E66,?,?,?,00007FFB4E8639E5,?,?,?,?,00007FFB4E82727A,?,?,?), ref: 00007FFB4E825D05
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E822E66,?,?,?,00007FFB4E8639E5,?,?,?,?,00007FFB4E82727A,?,?,?), ref: 00007FFB4E8634AE

Strings

FlsSetValue, xrefs: 00007FFB4E825CFB
LCMapStringEx, xrefs: 00007FFB4E86346E

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue$LCMapStringEx
API String ID: 1414840956-3586097892
Opcode ID: eff33213195e673430f1e1e42f5457c7004f410eb94c74520e167cd42179604a
Instruction ID: b5e659945375fecc20e46dffdfe357036b9bc5755fe19f1126f29e45aa0d31c4
Opcode Fuzzy Hash: eff33213195e673430f1e1e42f5457c7004f410eb94c74520e167cd42179604a
Instruction Fuzzy Hash: B321BFE1B0DA0282FE08AF79EA101B56395AF59BD4F484239ED1D477D4EF3CE9418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82DC70, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E82DC0B), ref: 00007FFB4E82DCF0
GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00007FFB4E82DC0B), ref: 00007FFB4E8660A9

Strings

IsValidLocaleName, xrefs: 00007FFB4E86606E
GetUserDefaultLocaleName, xrefs: 00007FFB4E82DCE6

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressDefaultProcUser
String ID: GetUserDefaultLocaleName$IsValidLocaleName
API String ID: 306211784-3812970866
Opcode ID: c8faa9babfe682f700946bdc22e8fe0a4d965904e73cbd14920b2ee4196f86de
Instruction ID: 337a7c8aa1f32b7f231bf4696f58e2f56d4e0b2585364071158cae40197eb0d3
Opcode Fuzzy Hash: c8faa9babfe682f700946bdc22e8fe0a4d965904e73cbd14920b2ee4196f86de
Instruction Fuzzy Hash: A921DEE1B1DA8282FE48BF39EA102B513A1AF597D4F485539EC1D577D4EF2CE4418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87D708, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E87D134,?,?,?,?,00007FFB4E826A4B), ref: 00007FFB4E87D779
TlsFree.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E87D134,?,?,?,?,00007FFB4E826A4B), ref: 00007FFB4E87D7E4

Strings

FlsFree, xrefs: 00007FFB4E87D76F
LCMapStringEx, xrefs: 00007FFB4E87D75C

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressFreeProc
String ID: FlsFree$LCMapStringEx
API String ID: 4110577592-1627765421
Opcode ID: dd236aff653e813cd6c0662cab1178cfeadd5a0e7d9a287c6bb07a8f472d7d95
Instruction ID: 36943ae9cf53cdfe08b8bd3527713e94d00f9c3c19b1032a41f2462bcce26d6a
Opcode Fuzzy Hash: dd236aff653e813cd6c0662cab1178cfeadd5a0e7d9a287c6bb07a8f472d7d95
Instruction Fuzzy Hash: 1A21AFA1B0DA0242FE58AF74EE201B523D1AF567D4F44523AED5E577D4EF2CE9018340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E826FB4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E826996), ref: 00007FFB4E82702F
TlsAlloc.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E826996), ref: 00007FFB4E82706F

Strings

FlsAlloc, xrefs: 00007FFB4E827025
LCMapStringEx, xrefs: 00007FFB4E863640

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressAllocProc
String ID: FlsAlloc$LCMapStringEx
API String ID: 2924745751-1958574131
Opcode ID: fb49942b5929e88f6ecb80664a341217d71b61526f19c48f4c0ebeac04f1606d
Instruction ID: 376e0b65f57ca972697736c29287e65f9f1656f9876b4ed54c8208f7dad7bd13
Opcode Fuzzy Hash: fb49942b5929e88f6ecb80664a341217d71b61526f19c48f4c0ebeac04f1606d
Instruction Fuzzy Hash: 5021CCE1A0DA0282FE59AF75EA201B523A0AF587D4F085235ED2E4B7D4EE3CE4458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E825920, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E8318DE,?,?,?,?,?,00007FFB4E831891), ref: 00007FFB4E863266
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E8318DE,?,?,?,?,?,00007FFB4E831891), ref: 00007FFB4E86327C

Strings

FlsSetValue, xrefs: 00007FFB4E863272
LCMapStringEx, xrefs: 00007FFB4E86321F

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue$LCMapStringEx
API String ID: 1414840956-3586097892
Opcode ID: 5df5c23e94cd0069e88f7ce85aa43beb655e055df71e34af8b2f0fb8c083ce6f
Instruction ID: fc089ba368c4b223d81345a65d185090e82c3bcb3e471fa6aaf73b1ffe6c8c51
Opcode Fuzzy Hash: 5df5c23e94cd0069e88f7ce85aa43beb655e055df71e34af8b2f0fb8c083ce6f
Instruction Fuzzy Hash: D92160E1B1DB0242FE14AF39EB501752392AF897A0F489635D92D477D8EF3CF8468200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E825990, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E831E6E,?,?,?,?,?,?,?,?,?,00007FFB4E831D09), ref: 00007FFB4E863307
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E831E6E,?,?,?,?,?,?,?,?,?,00007FFB4E831D09), ref: 00007FFB4E86331D

Strings

FlsSetValue, xrefs: 00007FFB4E863313
LCMapStringEx, xrefs: 00007FFB4E8632BD

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue$LCMapStringEx
API String ID: 1414840956-3586097892
Opcode ID: 059fb2684628404a55622e985b3496bf0b5d6b88d39ebc39cee10d0453237096
Instruction ID: be81fe7f18a07da6c5231c0febbb2d2ed29edb426d27898446c1b0eb7a5c384e
Opcode Fuzzy Hash: 059fb2684628404a55622e985b3496bf0b5d6b88d39ebc39cee10d0453237096
Instruction Fuzzy Hash: 31215EA1B1D60242FE14BF39EB502B52395AF897A4F049635D92D477E9EF7CF8468300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F52D0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7752F5010: GetCurrentProcess.KERNEL32 ref: 00007FF7752F502A
Part of subcall function 00007FF7752F5010: OpenProcessToken.ADVAPI32 ref: 00007FF7752F503B
Part of subcall function 00007FF7752F5010: GetTokenInformation.ADVAPI32 ref: 00007FF7752F505D
Part of subcall function 00007FF7752F5010: GetLastError.KERNEL32 ref: 00007FF7752F5067
Part of subcall function 00007FF7752F5010: GetTokenInformation.ADVAPI32 ref: 00007FF7752F50A4
Part of subcall function 00007FF7752F5010: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7752F50B6
Part of subcall function 00007FF7752F5010: CloseHandle.KERNEL32 ref: 00007FF7752F50CE

LocalFree.KERNEL32(00000000,00007FF7752F422A,?,00000000,?,00007FF7752F411D), ref: 00007FF7752F5327
CreateDirectoryW.KERNEL32(?,00000000,?,00007FF7752F411D), ref: 00007FF7752F5364

Strings

S-1-3-4, xrefs: 00007FF7752F5300
D:(A;;FA;;;%s), xrefs: 00007FF7752F5307

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCreateCurrentDirectoryErrorFreeHandleLastLocalOpenString
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1039964830-2855260032
Opcode ID: 87a46b9f15358c18013fc57f442f41d3d74608a8109c0abbe32678398e1c1838
Instruction ID: 4034030c4d1f2b1e3c98cb57e96732f93ced4417682c0ad651c007d63c8fca2b
Opcode Fuzzy Hash: 87a46b9f15358c18013fc57f442f41d3d74608a8109c0abbe32678398e1c1838
Instruction Fuzzy Hash: 07115B73638B4641FA60AB21F8157E9A351FB48B44F804535EA4D427D5DF7CD105CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7752F28C0, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7752F25C1), ref: 00007FF7752F28F1

Part of subcall function 00007FF7752F1A50: GetLastError.KERNEL32(?,?,00000000,00007FF7752F527B,?,?,?,?,?,?,?,?,?,?,?,00007FF7752F1023), ref: 00007FF7752F1A77

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF7752F292A
Failed to get executable path., xrefs: 00007FF7752F28FB
GetModuleFileNameW, xrefs: 00007FF7752F2902

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-482168174
Opcode ID: fc2ab3a8e8924eb8c88877591f41853b1f1d81f8712409f1e949cdb965f0599f
Instruction ID: a75f110613d412744c15a0b40fab12d8ad92246c3dd723509deece89f6b601d9
Opcode Fuzzy Hash: fc2ab3a8e8924eb8c88877591f41853b1f1d81f8712409f1e949cdb965f0599f
Instruction Fuzzy Hash: 440184A3B3CA4281FA21B731FC457B59295AF48F88FC00435E84E872D6EE1DE205C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E822ED0, Relevance: 6.3, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822EE4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822F33
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822F49
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822F61
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822FCE

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c1ca5e3836d8dc269bc4e93c5956ac96faa0caa088e62989038ce48914fe1089
Instruction ID: d57b3af0e0e09daeb6d22d050f0d8f97c125a72c2dfcd8386c39af793e7cd538
Opcode Fuzzy Hash: c1ca5e3836d8dc269bc4e93c5956ac96faa0caa088e62989038ce48914fe1089
Instruction Fuzzy Hash: 1F313AA0E0C64386FE68BF35EB551B96355AF457A0F140A34E96E06BE7DE3CB8418302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E823010, Relevance: 6.3, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E82301F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E82306E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E823089
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E8230A1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E82310D

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: e65c3a902e71731cf023dfde9db7f76caa3a2f396b95e57fa7c78155fd07f3b3
Instruction ID: d19b65b1d5fa446381637364929d45d8b61b13d1a656edda63a582391c34f876
Opcode Fuzzy Hash: e65c3a902e71731cf023dfde9db7f76caa3a2f396b95e57fa7c78155fd07f3b3
Instruction Fuzzy Hash: 23311BB0E0C64386FE54BF35EB651796396AF447A0F140634E96E0BBE6DE2CF8418702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E822CC0, Relevance: 6.3, APIs: 5, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFB4E8B60D5), ref: 00007FFB4E822CD4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFB4E8B60D5), ref: 00007FFB4E822D23
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFB4E8B60D5), ref: 00007FFB4E822D39
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFB4E8B60D5), ref: 00007FFB4E822D51
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFB4E8B60D5), ref: 00007FFB4E822DBA

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8a2745c7c72c85d8edbfab8ac8182a8263b17c925e1fecdae78c1e3d8cba830f
Instruction ID: f1841e4e5a16439bbf9e9885fbf774bb5b98eea48fcf9050cf5740b57f5425a0
Opcode Fuzzy Hash: 8a2745c7c72c85d8edbfab8ac8182a8263b17c925e1fecdae78c1e3d8cba830f
Instruction Fuzzy Hash: 77318CB0E0C64786FE65BF34EB511B92395AF447A0F540A34E96E4A7E6DE2CB800C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E822B90, Relevance: 6.3, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822BA4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822BF3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822C09
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822C21
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFB4E822C8A

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 347880e6d7260eb1e215aa01be48de4ad9cb280012e544810ad4b8b8fceb1c3c
Instruction ID: f4dd5708b5a07c841ba66891f9c88818edadd25cf04391c319a0f69bd9aa5536
Opcode Fuzzy Hash: 347880e6d7260eb1e215aa01be48de4ad9cb280012e544810ad4b8b8fceb1c3c
Instruction Fuzzy Hash: F2315EA0E0C64386FE55BF34EB551796396AF447A0F544A34E96E4BBE6DE2CF8018302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E82ECF0, Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82ED10
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82ED66
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82EDDC
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82EDF2
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFB4E82EAC6), ref: 00007FFB4E82EE0B

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 3adffb4c4d7f7e24e2a357f1ab48fbfd4934bcdf406d20f23341d28f24b7ea6e
Instruction ID: 0036adafb4c8aaf46a719c70dddfa8a812eef29b04ac916d222ac63d5fa4a111
Opcode Fuzzy Hash: 3adffb4c4d7f7e24e2a357f1ab48fbfd4934bcdf406d20f23341d28f24b7ea6e
Instruction Fuzzy Hash: BB31E3B6A1CA8682EF52AF25EA442796794FB94BE4F191235D95E073E0CF7CE481C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530EF2C, Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EF6D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530EFEA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77530F03B
_get_daylight.LIBCMT ref: 00007FF77530F097

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 14f6514fccc07efd642587f22b8797253fa3456445727fcbcc00a01137e8ac2d
Instruction ID: e173298bd8682e2f355bd66408b6e92f7e1d9e4a3a9acfbb2820d037efe7d072
Opcode Fuzzy Hash: 14f6514fccc07efd642587f22b8797253fa3456445727fcbcc00a01137e8ac2d
Instruction Fuzzy Hash: 7D519D23E3C34686F3647B28954537BA682AB00F1CF99413DDA0D862F6CA6DE8429771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530697C, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7753069CF
WideCharToMultiByte.KERNEL32 ref: 00007FF775306AA1
GetLastError.KERNEL32 ref: 00007FF775306AC4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF775306AF6

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: de9b1b76107ffc4e36e154699251fde910a02da331f22f58b24d05e4ebac98cb
Instruction ID: 112ebeb926e56cec07f1c055ecf8a44175552a71cb1ef868acad6222ae2c0d91
Opcode Fuzzy Hash: de9b1b76107ffc4e36e154699251fde910a02da331f22f58b24d05e4ebac98cb
Instruction Fuzzy Hash: 5441B273B387D246FB61BB149540379E692EF80F98FA58139DA4D06AE9CF2CD8418720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530005C, Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF775300097
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF7753000D7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF77530011E
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7752FFEE8,?,?,00000000,00007FF7752FFE5A,?,?,00000000,00007FF7753001CD), ref: 00007FF775300165

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 34fab7eeed0c3fcdb0cee11161191607c1ddf8a78d74eae6feeff8ef83e43eef
Instruction ID: b885d39a83d2fe6b48adb77ac307a1ebdca35ce461904addf07ca4aa9548a810
Opcode Fuzzy Hash: 34fab7eeed0c3fcdb0cee11161191607c1ddf8a78d74eae6feeff8ef83e43eef
Instruction Fuzzy Hash: 9D31A633638B8181E724EF26A94022AB6D6AFC4FD4F54423DEA9E47BA5DF3CD1018714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF77530AE40, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AE59
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AEBB
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AEF5
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF775301CFF,?,?,?,00007FF775301C72), ref: 00007FF77530AF1F

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 418d1dbcf47d0d3ebfd7ff8b77d867a3af5fa7e0fc01e21fb759705d35b1f1e0
Instruction ID: 99d352e28175606d1ca24df3a1b43fba3a2039aa59090fea9b24ae4a6ca54d73
Opcode Fuzzy Hash: 418d1dbcf47d0d3ebfd7ff8b77d867a3af5fa7e0fc01e21fb759705d35b1f1e0
Instruction Fuzzy Hash: 80217F62F3879181D624AF12B400429F695FB44FD4B884138EE5D57BB4DF3CD452C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8B3B20, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFB4E8B3CA2,?,?,?,?,00007FFB4E864F01,?,?,?,00007FFB4E82A7C6,?,?,?), ref: 00007FFB4E8B3B5A
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FFB4E8B3CA2,?,?,?,?,00007FFB4E864F01,?,?,?,00007FFB4E82A7C6,?,?,?), ref: 00007FFB4E8B3B8B

Part of subcall function 00007FFB4E82F270: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E827604,?,?,?,00007FFB4E827287,?,?,?,00007FFB4E82A643,?,?,?,00007FFB4E82A7C6), ref: 00007FFB4E82F27A
Part of subcall function 00007FFB4E82F270: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E827604,?,?,?,00007FFB4E827287,?,?,?,00007FFB4E82A643,?,?,?,00007FFB4E82A7C6), ref: 00007FFB4E82F2C0

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFB4E8B3CA2,?,?,?,?,00007FFB4E864F01,?,?,?,00007FFB4E82A7C6,?,?,?), ref: 00007FFB4E8B3B9F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFB4E8B3CA2,?,?,?,?,00007FFB4E864F01,?,?,?,00007FFB4E82A7C6,?,?,?), ref: 00007FFB4E8B3BCE

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: ErrorLast$CriticalSection$BuffersEnterFileFlushLeave
String ID:
API String ID: 1312186065-0
Opcode ID: 172b9db6e5670d7e930d62c72e86ace4d18e4f496f20c0df507ed15f991f3e2a
Instruction ID: dc5e2478337e1d59914f90009e989a6f317d631c483311c88aee00839a1c122c
Opcode Fuzzy Hash: 172b9db6e5670d7e930d62c72e86ace4d18e4f496f20c0df507ed15f991f3e2a
Instruction Fuzzy Hash: D221C0B2A28F4A82DF00EF69E5941696361FB98F84B844231EB1E473A9DF3CE054C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775306E8C, Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306E96
SetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306EFE
SetLastError.KERNEL32(?,?,?,00007FF7752FBB30,?,?,00000000,00007FF7752FE421), ref: 00007FF775306F14
abort.LIBCMT ref: 00007FF775306F1A

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 7332f1ecf6d968eab321bf62686ee2ef8722d6d0d16384cb511d62cc05c70d77
Instruction ID: 80e655521a563e4ec81cec5696b0a27b9619a99185d8d265e700ce45e7301256
Opcode Fuzzy Hash: 7332f1ecf6d968eab321bf62686ee2ef8722d6d0d16384cb511d62cc05c70d77
Instruction Fuzzy Hash: 36016D12B3978282FA58B775965593D91435F44F98F84043CE91E077FADD2EA8858320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7753070F0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307154

Strings

gfffffff, xrefs: 00007FF7753073E2

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 3430f1822f04c36405762b54b44eeaf827bd1e331b9e3d180e9492761eb2a050
Instruction ID: 836da5f608387ca1bada5b491870c56f7d3af061cf810a29f8be94be75096a4d
Opcode Fuzzy Hash: 3430f1822f04c36405762b54b44eeaf827bd1e331b9e3d180e9492761eb2a050
Instruction Fuzzy Hash: 43913863B3938686EB159F2991403BCAB96AB65FC4F448135DB8D073A5DE3CE111C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307520, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775307563

Strings

gfff, xrefs: 00007FF77530768E
e+000, xrefs: 00007FF77530760B

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 1420c6e68b03954d80ac3064e3232d6c0d7ba78ed617cd5a33ff68ef3d70d9d7
Instruction ID: 88e7f87d9fc6202b03a706bd8a82a3a3832d3f1728a9a0919cdbc1ea477f0c67
Opcode Fuzzy Hash: 1420c6e68b03954d80ac3064e3232d6c0d7ba78ed617cd5a33ff68ef3d70d9d7
Instruction Fuzzy Hash: 3E512963B387C546E7259B399941379AB92E740F94F88C235C79D47BE5CE2CD444C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775301AD8, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775301B02
GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7752F870A), ref: 00007FF775301B1E

Strings

C:\Users\user\Desktop\capa.exe, xrefs: 00007FF775301B0C

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\capa.exe
API String ID: 3307058713-1874003804
Opcode ID: a0d5acec3a67498cd0cd12cf8543cd8184158472a0c88e9a79eeb0061e620f15
Instruction ID: 9769a1f69163e01de3aa679e2245a76e65ffbdd89dd1cf33d51cc811fe856a54
Opcode Fuzzy Hash: a0d5acec3a67498cd0cd12cf8543cd8184158472a0c88e9a79eeb0061e620f15
Instruction Fuzzy Hash: 88419F33A38B568AE715FF21D8400B9B3A6FB44F98B944039E90D43B65EF3DE4918360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E81173C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00000000,?,00007FFB4E811718), ref: 00007FFB4E8117A3

Strings

EnumSystemLocalesEx, xrefs: 00007FFB4E811799
IsValidLocaleName, xrefs: 00007FFB4E85CE94

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProc
String ID: EnumSystemLocalesEx$IsValidLocaleName
API String ID: 190572456-1098237698
Opcode ID: 1fc67b2420604ad5a0eebb3c0769f721f53f4249c458b9f99746870bd0664ad5
Instruction ID: 3e749f34a51fa1291f64e4057536d553f77726111e57af806c663fa3998e7631
Opcode Fuzzy Hash: 1fc67b2420604ad5a0eebb3c0769f721f53f4249c458b9f99746870bd0664ad5
Instruction Fuzzy Hash: F23189B6B0CB0282FE10AF24EA106B56391AB94794F455235EE1C477E8EF3CE408C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E8516A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFB4E8516F5
InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0(?,?,?,?,?,?,?,00007FFB4E826F29), ref: 00007FFB4E851777

Strings

, xrefs: 00007FFB4E851718

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: EntryInterlockedListNamePush__un
String ID:
API String ID: 524438517-3916222277
Opcode ID: 6878fe1805bb91ede19e91a47d683e582c597a5f63fa9567e677b2003faf34d1
Instruction ID: e13583ad426c40b037e4c82996f55925878dfd2172546ad793bd20511313fcdc
Opcode Fuzzy Hash: 6878fe1805bb91ede19e91a47d683e582c597a5f63fa9567e677b2003faf34d1
Instruction Fuzzy Hash: 6931BF56A1DF9290EF15EF3AE6045796790EF08FE8B588635EE2D03785EE39D842C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E848C50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFB4E848DC2

Strings

powf, xrefs: 00007FFB4E848DBB
", xrefs: 00007FFB4E848D6D

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: cf12bc2b0c10f4a50ced1f001bac26754eba46e59cfa6853685a33aefc1c1c5b
Instruction ID: a54169868cce5a11cf543682e272f8bcc6aa338806f4eea00626e04375a5ac75
Opcode Fuzzy Hash: cf12bc2b0c10f4a50ced1f001bac26754eba46e59cfa6853685a33aefc1c1c5b
Instruction Fuzzy Hash: EA4140B3D2D785DAD770DF22E4847AAB7A0F7A9388F101329F74902998DB7DC550AB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E87DEAC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E87D6BD,?,?,?,?,?,?,?,?,?,00007FFB4E87F20F), ref: 00007FFB4E87DF26

Strings

IsValidLocaleName, xrefs: 00007FFB4E87DF08
LocaleNameToLCID, xrefs: 00007FFB4E87DF1C

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProc
String ID: IsValidLocaleName$LocaleNameToLCID
API String ID: 190572456-1205873579
Opcode ID: 17f5dac07c6e8ca909c195f581736071f81f968b5b4add3186ab6634f55e8c51
Instruction ID: 8c0ef3151e731957aa689a80b5a7235467d00d81fe5b317b52ada513027c76ea
Opcode Fuzzy Hash: 17f5dac07c6e8ca909c195f581736071f81f968b5b4add3186ab6634f55e8c51
Instruction Fuzzy Hash: E4317EE1B0DB4246EE04BF39EA502B56390AF1A798F485136EE5D677D5EF2CE841C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E811818, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFB4E811877
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFB4E85CF84

Strings

IsValidLocaleName, xrefs: 00007FFB4E81186D, 00007FFB4E85CF3A

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressLocaleProcValid
String ID: IsValidLocaleName
API String ID: 2003423906-4210551052
Opcode ID: 5deaf940e31484dd974a8e332061bfd89df3df099df358189b132be1cc7c20a3
Instruction ID: 391c4718b45b87ba72b51bcc61b42ca9fa744d69559ce6bae9131653f98271d1
Opcode Fuzzy Hash: 5deaf940e31484dd974a8e332061bfd89df3df099df358189b132be1cc7c20a3
Instruction Fuzzy Hash: 6A21D3A0B1CA0242FE58BF75EA102B523D1AF59BD4F449275ED2E577D8EE2CF4458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775307D34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307D7B
GetCurrentDirectoryW.KERNEL32 ref: 00007FF775307DCA

Strings

:, xrefs: 00007FF775307D92

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 6b3a30a9b4cc336b7c75e9a73066510e966850ef019372ee6a7b184a36b0e6e5
Instruction ID: 222ca1abc3adae6a8b8bfc8321ace02d54e63ba4ce214e5441425ca47f94808e
Opcode Fuzzy Hash: 6b3a30a9b4cc336b7c75e9a73066510e966850ef019372ee6a7b184a36b0e6e5
Instruction Fuzzy Hash: 45218163A3874281FB64BB15D44427DE2A2FB88F48FC58039DA4D47694DF7CE982C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E831C48, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFB4E81FAAD), ref: 00007FFB4E831CAB

Strings

AppPolicyGetThreadInitializationType, xrefs: 00007FFB4E867516
CompareStringEx, xrefs: 00007FFB4E831CA1

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: AddressProc
String ID: AppPolicyGetThreadInitializationType$CompareStringEx
API String ID: 190572456-1200376162
Opcode ID: dd9a256f2625e8ff44310db9cac3f4dab0429269ce10b8f9581c724bdbf020fb
Instruction ID: 8706dd47eed9b9f80162ad7d877df0d6d52cf9ab313788186ef7e562840ac0e6
Opcode Fuzzy Hash: dd9a256f2625e8ff44310db9cac3f4dab0429269ce10b8f9581c724bdbf020fb
Instruction Fuzzy Hash: 7821D5E1B1DA0382FE55BF78EB116B413916F48798F445235EC1D473D4EE2DE4428340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E848B20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFB4E848C32

Strings

", xrefs: 00007FFB4E848C0B
pow, xrefs: 00007FFB4E848C21

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: b2219c38a2a44473a80a77351ed21b348686d725a5ba897b824a8c77109b97ea
Instruction ID: b7b973eeb3f64dd253a1f891df7344941570db14fba89b110816e920d39ae3cc
Opcode Fuzzy Hash: b2219c38a2a44473a80a77351ed21b348686d725a5ba897b824a8c77109b97ea
Instruction Fuzzy Hash: 22212FB2D1CA8987D770DF20E440A6BBBA1FBDA344F201326F68906954EBBDD1859F14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF775308844, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF775308874

Strings

:, xrefs: 00007FF77530888C

Memory Dump Source

Source File: 00000005.00000002.285751285.00007FF7752F1000.00000020.00020000.sdmp, Offset: 00007FF7752F0000, based on PE: true

Associated: 00000005.00000002.285723569.00007FF7752F0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285774014.00007FF775312000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.285788186.00007FF775322000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285796922.00007FF775324000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285810654.00007FF77532A000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285820896.00007FF77532C000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.285830868.00007FF77532E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7752f0000_capa.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: :
API String ID: 3215553584-336475711
Opcode ID: eb053fd105b0e6735f10ab4579cff1c23cded4808c5edb2da2b2a849cf3adf5a
Instruction ID: 1f19b6ef209da39eca82b8279cac7f0024ab223257e12d74b35444460ba9faa3
Opcode Fuzzy Hash: eb053fd105b0e6735f10ab4579cff1c23cded4808c5edb2da2b2a849cf3adf5a
Instruction Fuzzy Hash: 8D01626393870686F721BF60946527EF3A1EF84B4CFD00439E95E466A5DF3CD5048B25

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E844D60, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFB4E844DF5

Strings

", xrefs: 00007FFB4E844DBF
expf, xrefs: 00007FFB4E844DD8

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: _handle_errorf
String ID: "$expf
API String ID: 2315412904-303238936
Opcode ID: d857b48266133f9adf04764a08f693b29298dfeb32a2b6e7d5ef448181aa166d
Instruction ID: d4c19c58aecc15114ca35958a3615dad359fe6e45f1a81a6c6b7ddc7ef812769
Opcode Fuzzy Hash: d857b48266133f9adf04764a08f693b29298dfeb32a2b6e7d5ef448181aa166d
Instruction Fuzzy Hash: 100182729286C487E731DF36D0893AAB7A0FFE5344F605315E784166A0DF7DD495AB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E844CC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFB4E844D46

Strings

exp, xrefs: 00007FFB4E844D35
", xrefs: 00007FFB4E844D1F

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: bc68d6cfa4ca6eb8b9630bb3e112a59591721dae4a634e61e84f5acc4bfb1c84
Instruction ID: 0cab218136b85db82ef3c8318493235b62776e3b2adf3b2ec32d988a8f2bc1c0
Opcode Fuzzy Hash: bc68d6cfa4ca6eb8b9630bb3e112a59591721dae4a634e61e84f5acc4bfb1c84
Instruction Fuzzy Hash: 1201C476928B9883E621DF34D4492AAB7A0FFEA308F201315E7441A660DB7DD4819F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E849080, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFB4E8490D5

Part of subcall function 00007FFB4E843520: _raise_exc.LIBCMT ref: 00007FFB4E8435C7

Strings

!, xrefs: 00007FFB4E8490C5
remainder, xrefs: 00007FFB4E8490A6

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: _handle_error_raise_exc
String ID: !$remainder
API String ID: 1935476177-2737868549
Opcode ID: 18db30e61bcb7ce15acb0bfe5fe2b722bade009dc6b5fa29dd1aaed9e96b9488
Instruction ID: a94dd619a3469177e489d18747f7ac9412cf3a6543eec6b193fae589af773e3e
Opcode Fuzzy Hash: 18db30e61bcb7ce15acb0bfe5fe2b722bade009dc6b5fa29dd1aaed9e96b9488
Instruction Fuzzy Hash: C1F09072C1CA8883E620DF24E0425ABB7B0FFEA358F509315FA8416565EB7DD1868F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4E859838, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFB4E859861
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFB4E85906D,?,?,?,?,00007FFB4E858E91,?,?,?,?,00007FFB4E827094), ref: 00007FFB4E859878

Strings

FlsSetValue, xrefs: 00007FFB4E85984E

Memory Dump Source

Source File: 00000005.00000002.287920730.00007FFB4E811000.00000020.00020000.sdmp, Offset: 00007FFB4E810000, based on PE: true

Associated: 00000005.00000002.287907729.00007FFB4E810000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288086124.00007FFB4E8C5000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.288137674.00007FFB4E8FF000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.288155922.00007FFB4E902000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4e810000_capa.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: bf3d1d9d15ef8139d4558cebc0d0afc34e12d5d128e9c5878f44aa30bc80c77a
Instruction ID: d02c5563a3c5ad084d8259399c31ddd819789fb4a601d6f95d66f82f78da507f
Opcode Fuzzy Hash: bf3d1d9d15ef8139d4558cebc0d0afc34e12d5d128e9c5878f44aa30bc80c77a
Instruction Fuzzy Hash: 2BE065E1A0C60691EE057F71F6405F42321AF887C0F584031D55E072D5DE3CE948C710

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report capa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Jbx Signature Overview

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: capa.exe PID: 784 Parent PID: 5588

General

Chronological Activities

Function 00007FF77530E2F8, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 366
timeCOMMON

Function 00007FF7752F4150, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 140
COMMON

Function 00007FF7752F1680, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 91
COMMON

Function 00007FF7752F1230, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 95
COMMON

Function 00007FF77530F1FC, Relevance: 13.8, APIs: 9, Instructions: 272
fileCOMMON

Function 00007FF7752F879C, Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Function 00007FF77530E548, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155
timeCOMMON

Function 00007FF7752F4A20, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93
processsynchronizationCOMMON

Function 00007FF7752F1040, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 56
COMMON

Function 00007FF775304698, Relevance: 10.8, APIs: 7, Instructions: 294
COMMONLIBRARYCODE

Function 00007FF7752F1130, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
COMMON

Function 00007FF7752F5010, Relevance: 10.6, APIs: 7, Instructions: 53
COMMON

Function 00007FF7752F1390, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61
COMMON

Function 00007FF77530573C, Relevance: 7.7, APIs: 5, Instructions: 203
COMMONLIBRARYCODE

Function 00007FF775305D18, Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE